Re: My server catched a rootkit?

To: Debian Users <debian-user@lists.debian.org>
Subject: Re: My server catched a rootkit?
From: James Brown <jbrownfirst@gmail.com>
Date: Fri, 26 Nov 2010 22:58:00 +0000
Message-id: <[🔎] 4CF03B78.8010705@gmail.com>
In-reply-to: <[🔎] 20101126194224.GX23719@wasteland.homelinux.net>
References: <[🔎] 4CF00211.6090201@gmail.com> <[🔎] 20101126194224.GX23719@wasteland.homelinux.net>

Jochen Schulz wrote:
> James Brown:
>> I have a VDS under Debian Lenny,
>> ~# uname -a
>> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
>> GNU/Linux
> 
> Is the rest of the software as ancient as the kernel? Lenny uses 2.6.26.
> You should probably ask for a more recent kernel.
> 
>> Is it a rootkit or other error?
> 
> I would suspect it's a rootkit. Does the system have any open ports you
> don't expect?
> 
It seems that not. But I am not sure.

>> What I need to do - remove infected
>> files, reinstall the above
>> packeges or give an order to my vds-provider for reinstalling my server
>> at all?!
> 
> Reinstall. There's no other way to make sure you really got rif of the
> rootkit. And then make sure to close the hole that allowed the
> attacker to hijack your system. It's probably either a well-known, but
> unpatched piece of software or a homegrown, easily exploitable
> application (custom CMS or something like that).
> 
> J.

Thanks.
It seems me that it was "proftpd" but it is possible that the
web-control panel too (see my messages above)

Reply to:

References:
- My server catched a rootkit?
  - From: James Brown <jbrownfirst@gmail.com>
- Re: My server catched a rootkit?
  - From: Jochen Schulz <ml@well-adjusted.de>

Prev by Date: Re: My server catched a rootkit?
Next by Date: Re: My server catched a rootkit?
Previous by thread: Re: My server catched a rootkit?
Next by thread: Re: My server catched a rootkit?
Index(es):
- Date
- Thread