
Re: A server getting mad



On 14/10/2015 21:32, Sven Hartge wrote:
> rudu <rudu@cegetel.net> wrote:
>
>> All I could gather via phone call during the problem with a top and
>> netstat command on the server is that a "xddlvqhhrd" command is
>> consuming 25% of CPU and that a connection is established with a
>> remote IP by a program named "grep "A""
>> Sounds like a rootkit to me.
> Definitely.
>
>> Some action/documentation to help to get rid of this?
> The only sure way to clean the server is to back up the data, then wipe
> the system and reinstall it.
>
> Every other way or attempt to save or clean the system by doing checks
> with things like "debsums -c" will likely not catch everything and thus
> leaves the system hacked and vulnerable.
>
> Even if "rkhunter" or "chkrootkit" or "debsums -c" don't find anything
> suspicious, you cannot be sure there really is nothing going on behind
> your back.
>
> For example: one of my servers got hacked some time ago and the attacker
> installed a kernel-based rootkit and backdoor which was untraceable in
> the running system. Only booting from an external device (like a USB
> key or DVD) allowed me to find the changed /sbin/init and the hidden
> /dev/.w0rm directory. The kernel code redirected every read (and write)
> to /sbin/init to the saved original file, so "debsums -c" did not
> provide any help. And the directory in /dev was also hidden by the
> kernel code the same way.
>
> Also, just reinstalling the system is not enough; you need to identify
> the intrusion point and fix that too, or the attacker will be back soon.
>
> Maybe you are lucky and only the process you see running has been
> injected, but can you really be sure?
>
> My advice if you want to sleep in peace: flatten and rebuild. It is
> painful, but it will get rid of the attacker.
>
> Regards,
> Sven.
Thank you Sven,

You've comforted my first impulse.
That's definitely the way to go.

Regards,
Rudu
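Sven's point that a read-redirecting kernel rootkit makes "debsums -c" useless on the live system, and that only an external boot exposed the changed /sbin/init and the hidden /dev/.w0rm, can be turned into an offline check. The following is an added example, not code from this thread: with the suspect disk mounted read-only under a rescue boot (the mount point /mnt/victim is an assumption), it verifies dpkg's md5sums lists against the mounted files and lists dot-directories under /dev; build_sample_root() is a constructed mock tree so the checks can be dry-run without a real victim disk.

```python
import hashlib
import tempfile
from pathlib import Path


def verify_dpkg_md5sums(root: str) -> dict:
    """Check files below ROOT against ROOT/var/lib/dpkg/info/*.md5sums.
    Runs from a rescue boot, so the suspect kernel cannot redirect reads.
    Returns {"checked": n, "modified": [...], "missing": [...]}."""
    root_path = Path(root)
    result = {"checked": 0, "modified": [], "missing": []}
    for sums in sorted((root_path / "var/lib/dpkg/info").glob("*.md5sums")):
        for line in sums.read_text(errors="replace").splitlines():
            parts = line.split(None, 1)  # "<md5hex>  <path relative to />"
            if len(parts) != 2:
                continue
            expected, rel = parts
            target = root_path / rel
            result["checked"] += 1
            if not target.is_file():
                result["missing"].append("/" + rel)
            elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
                result["modified"].append("/" + rel)
    return result


def hidden_dirs(root: str, subdir: str = "dev") -> list:
    """Dot-prefixed directories under ROOT/subdir (a /dev/.w0rm style hideout)."""
    base = Path(root) / subdir
    if not base.is_dir():
        return []
    return sorted(p.name for p in base.iterdir() if p.is_dir() and p.name.startswith("."))


def build_sample_root() -> str:
    """Constructed mock of a mounted victim root, for a dry run of the checks:
    one intact file, a tampered sbin/init, a missing file, and dev/.w0rm."""
    root = Path(tempfile.mkdtemp())
    for d in ("bin", "sbin", "dev/.w0rm", "var/lib/dpkg/info"):
        (root / d).mkdir(parents=True)
    clean, original_init = b"#!/bin/sh\nexit 0\n", b"#!/bin/sh\nexec /real/init\n"
    (root / "bin/true").write_bytes(clean)
    (root / "sbin/init").write_bytes(b"#!/bin/sh\nexec /dev/.w0rm/bd\n")  # tampered
    sums = [f"{hashlib.md5(clean).hexdigest()}  bin/true",
            f"{hashlib.md5(original_init).hexdigest()}  sbin/init",
            f"{'0' * 32}  bin/removed-tool"]
    (root / "var/lib/dpkg/info/sample.md5sums").write_text("\n".join(sums) + "\n")
    return str(root)


if __name__ == "__main__":
    import sys
    victim = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    print(verify_dpkg_md5sums(victim), hidden_dirs(victim))
```

A clean result here is still only evidence about packaged files; it says nothing about the intrusion point, which, as Sven notes, has to be found and fixed before the rebuilt host goes back online.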