
Re: chkrootkit infected ports 2881



On Monday 4 August 2008, Adam Hardy wrote:
> Adam Hardy on 03/08/08 14:13, wrote:
> > My webserver system is actually a UML slice of a system at
> > memset.co.uk and all it does is run Apache Tomcat and sshd and the
> > stuff from memset - I thought it was pretty safe until I came back
> > today and found my nightly email report from chkrootkit said:
> >
> > The following suspicious files and directories were found:
> > /lib/init/rw/.ramfs
> >
> > INFECTED (PORTS:  2881)
> >
> > The .ramfs started appearing when I upgraded chkrootkit, so I never
> > worried about it, but Friday night's INFECTED alert was a slap in
> > the face with a wet fish. Saturday night's report went back to
> > normal - no mention of the port.
> >
> > I scanned it from grc.com/x/portprobe and it came back as closed.
> >
> > The only mention I can find in the logs is:
> >
> > root@hardyaa1:~# grep 2881 /var/log/*
> > /var/log/setuid.today:
> >     2881   660   1 root       disk               0 Wed Apr 30
> > 11:32:37 2008 /dev/rd/c1d30
> > r
> >
> > and that's a PID, not a port, right?
> >
> > So how bad does this look? Should I clean the system? If it is
> > rooted, how can I tell what the security flaw was? My password at
> > that point (since changed) was CE0dff2*£ so if it was a brute force
> > attack, then wow, they did well.
>
> I talked to the support at the hosting company and they looked at the
> system and said they couldn't see anything wrong with it - but they
> can re-image it for me which normally costs a fee.
>
> Is it worth re-imaging my system and re-installing everything?
>
> I still have no idea what chkrootkit means when it says a port is
> infected.
>
>
> Adam

I don't think it's that important. chkrootkit seems a little hazardous
since there was a bug about chkrootkit killing a random process (in
fact, one of its tests was sending a signal to process 12345; this bug
has been corrected).

I think a good anti-rootkit should be launched from another system to be 
sure it's not deactivated by a smart rootkit.

Regards,

Thomas Preud'homme

-- 
Why Debian : http://www.debian.org/intro/why_debian
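Neither message in the thread explains how to verify a chkrootkit "INFECTED (PORTS: N)" line yourself. The check behind it is simply whether something on the host is listening on a port from chkrootkit's built-in list, so the first triage step is to see whether the port is actually in LISTEN state and which process owns the socket. The following POSIX shell script is an added example and not code from the thread or from the chkrootkit project: it reads the kernel's socket table from /proc/net/tcp directly (addresses and ports are stored there as hex, 2881 = 0x0B41, and state 0A means LISTEN) instead of trusting a netstat binary that a userland rootkit could have replaced, and then maps the socket inode to a PID through /proc/*/fd. The sample table, the port numbers, inode values and function names are all constructed for the example. The caveat Thomas raises still applies: a kernel-level rootkit can hide entries from /proc too, so a clean result here is only evidence, and a scan from a separate trusted system (or an external port probe like the one Adam ran) remains the stronger check.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format (not taken from the original thread).
# Row 0: sshd-style listener on 0.0.0.0:22  (0016 hex = 22,   st 0A = LISTEN)
# Row 1: listener on 127.0.0.1:2881         (0B41 hex = 2881, st 0A = LISTEN)
# Row 2: an ESTABLISHED connection on 8080  (1F90 hex = 8080, st 01), not a listener
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0B41 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0A000002:1F90 0A000001:C2A4 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_TCP" > "$SAMPLE_FILE"

# hex_to_ip HEX: decode the little-endian IPv4 address used in /proc/net/tcp
# (0100007F -> 127.0.0.1).
hex_to_ip() {
    h="$1"
    b1=${h%??????}     # first byte in the file is the last octet
    rest=${h#??}
    b2=${rest%????}
    rest=${rest#??}
    b3=${rest%??}
    b4=${rest#??}
    printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1"
}

# listening_on PORT [FILE]: print "addr:port uid=U inode=I" for every socket in
# LISTEN state bound to PORT. FILE defaults to the live /proc/net/tcp; passing a
# file lets the same logic run on a saved or constructed table.
listening_on() {
    port="$1"
    src="${2:-/proc/net/tcp}"
    hexport=$(printf '%04X' "$port")
    # $2 = local addr:port, $4 = state, $8 = uid, $10 = inode (header row skipped)
    awk -v p="$hexport" 'NR > 1 {
        n = split($2, a, ":")
        if (n == 2 && a[2] == p && $4 == "0A") print a[1], $8, $10
    }' "$src" |
    while read -r addr uid inode; do
        printf '%s:%s uid=%s inode=%s\n' "$(hex_to_ip "$addr")" "$port" "$uid" "$inode"
    done
}

# pid_for_inode INODE: find which process holds the socket with that inode by
# scanning /proc/*/fd symlinks (needs root to see other users' processes).
# Only meaningful on a live Linux host, so it is not run on the sample table.
pid_for_inode() {
    inode="$1"
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$inode]" ] && echo "${fd#/proc/}" | cut -d/ -f1
    done
}

# Demonstration on the constructed table: 2881 is reported, 8080 is not,
# because 8080 only appears as an established connection, not a listener.
echo "constructed table, port 2881:"
listening_on 2881 "$SAMPLE_FILE"
echo "constructed table, port 8080 (no listener expected):"
listening_on 8080 "$SAMPLE_FILE"

# On a real Linux host, check the live table the same way.
if [ -r /proc/net/tcp ]; then
    echo "live host, port 2881:"
    listening_on 2881
fi
```

Run it as root on the host in question and, for any line it prints, pass the inode to pid_for_inode to get the owning PID; then inspect /proc/PID/exe and /proc/PID/cmdline. If chkrootkit reported the port but nothing is listening at the time you look, the most common benign explanation is a short-lived process (a client using that port as an ephemeral source port, or a service restarting), which is consistent with the alert disappearing the next night.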
