Re: My server caught a rootkit?
Jochen Schulz wrote:
> James Brown:
>> I have a VDS under Debian Lenny,
>> ~# uname -a
>> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
>> GNU/Linux
>
> Is the rest of the software as ancient as the kernel? Lenny uses 2.6.26.
> You should probably ask for a more recent kernel.
>
>> Is it a rootkit or other error?
>
> I would suspect it's a rootkit. Does the system have any open ports you
> don't expect?
>
It seems not. But I am not sure.
>> What I need to do - remove infected
>> files, reinstall the above
>> packages or give an order to my vds-provider for reinstalling my server
>> at all?!
>
> Reinstall. There's no other way to make sure you really got rid of the
> rootkit. And then make sure to close the hole that allowed the
> attacker to hijack your system. It's probably either a well-known, but
> unpatched piece of software or a homegrown, easily exploitable
> application (custom CMS or something like that).
>
> J.
Thanks.
It seems to me that it was "proftpd", but it is possible that it was the
web-control panel too (see my messages above).