Re: My server catched a rootkit?
On Fri, 26 Nov 2010 18:53:05 +0000, James Brown wrote:
> I have a VDS under Debian Lenny,
> ~# uname -a
> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
> GNU/Linux
>
> I have received the next messages from crondaemon:
> /etc/cron.daily/rkhunter:
> Internal error!
> Internal error!
> .................................
>
> and from rkhunter that my server have problems which you can see in the
> attached log including detected SHV4 Rootkit and SHV5 Rootkit
(...)
JFYI, there was a recent exploit for ProFtpd:
http://www.exploit-db.com/exploits/15449/
Also followed here:
proftpd: IAC remote root exploit
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
Not sure if lenny is also affected :-?
(...)
> Found HIDDEN PID: 1431
> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:47525)
>
> Found HIDDEN PID: 1759
> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
Check your "/var/log/auth.log" and "history" but your logs don't sound
very good :-(
Greetings,
--
Camaleón
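The "Found HIDDEN PID" lines in the quoted rkhunter log come from a simple comparison: every live process has a /proc/<pid> directory, and ps builds its list from that same directory, so a PID present in /proc but missing from ps output means something is filtering the process list. The script below is an added example (not rkhunter's own code and not from the original thread) that performs that comparison; the sample PID lists, the function names and the `--live` flag are constructed here for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from rkhunter. It reproduces the
# idea behind rkhunter's "Found HIDDEN PID" warning: a PID that exists in /proc
# but is missing from ps output points at something hiding the process (a
# rootkit hooking readdir, or a replaced ps binary).

# hidden_pids PROC_PIDS PS_PIDS
# Both arguments are whitespace-separated PID lists. Prints, one per line, the
# PIDs that appear in PROC_PIDS but not in PS_PIDS.
hidden_pids() {
    for pid in $1; do
        # -x matches the whole line, so 143 does not match 1431
        if ! printf '%s\n' $2 | grep -qx "$pid"; then
            printf '%s\n' "$pid"
        fi
    done
}

# PIDs from /proc: numeric directory names only.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s ' "${d#/proc/}"
    done
}

# PIDs from ps: -e lists all processes, "pid=" prints the column without a header.
ps_pids() {
    ps -e -o pid= | tr '\n' ' '
}

# Live comparison. /proc is read first, then ps, so a process that starts in
# between is in ps only (ignored). A process that exits in between, including
# the subshell that listed /proc, is in /proc only, so each candidate is
# re-checked with [ -d /proc/$pid ] before being reported. Only a PID that is
# still alive yet absent from ps survives that filter.
live_check() {
    proc_snapshot=$(proc_pids)
    ps_snapshot=$(ps_pids)
    for pid in $(hidden_pids "$proc_snapshot" "$ps_snapshot"); do
        if [ -d "/proc/$pid" ]; then
            # /proc/<pid>/cmdline is NUL-separated; print it as one line
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf 'Found HIDDEN PID: %s\nCommand: %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample input: a /proc listing that contains the two PIDs quoted
# in the thread (1431 and 1759) while the ps output does not.
SAMPLE_PROC="1 2 547 1431 1759 2002"
SAMPLE_PS="1 2 547 2002"

if [ "${1:-}" = "--live" ]; then
    live_check
else
    hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"   # prints 1431 and 1759
fi
```

Run it as root with `--live` to compare the real /proc and ps views; without arguments it runs on the constructed sample. A PID that survives the `[ -d /proc/$pid ]` re-check is worth inspecting by hand (`ls -l /proc/<pid>/exe`, `/proc/<pid>/cwd`) rather than trusting ps or ls on the same box, and an empty result is not proof of a clean host: a kernel-level rootkit can hide the /proc entry as well, which is why rkhunter runs several independent checks.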