
Re: My server caught a rootkit?



On Fri, 26 Nov 2010 18:53:05 +0000, James Brown wrote:

> I have a VDS under Debian Lenny,
> ~# uname -a
> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
> GNU/Linux
> 
> I have received the following messages from crondaemon:
> /etc/cron.daily/rkhunter:
> Internal error!
> Internal error!
> .................................
> 
> and from rkhunter that my server has problems which you can see in the
> attached log including detected SHV4 Rootkit and SHV5 Rootkit

(...)

JFYI, there was a recent exploit for ProFtpd:

http://www.exploit-db.com/exploits/15449/

Also followed here:

proftpd: IAC remote root exploit
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769

Not sure if lenny is also affected :-?

(...)

> Found HIDDEN PID: 1431
> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:47525)
> 
> Found HIDDEN PID: 1759
> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)

Check your "/var/log/auth.log" and "history" but your logs don't sound 
very good :-(

Greetings,

-- 
Camaleón
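An added example (not part of this thread and not rkhunter's own code): a POSIX shell cross-check of the PIDs in /proc against what ps reports, which is the kind of comparison behind a "Found HIDDEN PID" result like the one quoted above. The function names `hidden_from` and `live_hidden_pids` are my own, and the check is a simplified stand-in for whatever rkhunter actually does.

```shell
#!/bin/sh
# Every PID that exists in /proc should also be reported by ps. A userland
# rootkit that hooks readdir()/ps can hide a PID from ps while /proc still
# exposes it; comparing the two lists surfaces such a discrepancy.

# hidden_from PROC_PIDS PS_PIDS
#   Both arguments are space- or newline-separated PID lists. Prints the PIDs
#   present in the first list but absent from the second, in first-list order.
hidden_from() {
    awk -v proc="$1" -v ps="$2" '
        BEGIN {
            n = split(ps, ps_list, "[ \n]+")
            for (i = 1; i <= n; i++)
                if (ps_list[i] != "") seen[ps_list[i]] = 1
            m = split(proc, proc_list, "[ \n]+")
            for (i = 1; i <= m; i++)
                if (proc_list[i] != "" && !(proc_list[i] in seen))
                    print proc_list[i]
        }'
}

# live_hidden_pids
#   Snapshots /proc with a shell glob (no extra process is spawned for the
#   listing, so the listing shell is still alive when ps runs), then compares
#   against ps. Short-lived processes that exit between the two snapshots are
#   false positives: re-run, keep only PIDs that persist, and inspect
#   /proc/<pid>/exe and /proc/<pid>/cmdline for those before drawing conclusions.
live_hidden_pids() {
    [ -d /proc/1 ] || { echo "no /proc available" >&2; return 0; }
    command -v ps >/dev/null 2>&1 || { echo "ps not available" >&2; return 0; }
    proc_pids=""
    for d in /proc/[0-9]*; do
        proc_pids="$proc_pids ${d#/proc/}"
    done
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    hidden_from "$proc_pids" "$ps_pids"
}

# Constructed sample: PIDs 1431 and 1759 are visible in /proc but not in ps,
# mirroring the two proftpd PIDs rkhunter flagged in the quoted log.
hidden_from "1 2 1431 1759" "1 2"

# Run the live comparison on this host (prints nothing when the lists agree).
live_hidden_pids
```

A PID that persists across several runs and whose /proc entry points at an unexpected binary is worth treating as a compromise indicator rather than a race artefact.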

