Hi,

I am running a server inside my LAN, which is protected by a firewall (my DSL router). Ports for DNS, FTP, SSH, HTTP and HTTPS are forwarded to my Debian machine. Yesterday I found a script, distwatch, in cron.daily, which was a script to put the rootkit back if an admin has removed it (or so the text at the beginning of the script tells me). I also saw the word “suckit” in this script, which is a rootkit, I think. I was wrong when I said chkrootkit found nothing: it found 2 processes hidden from ps, keventd and kflushd (I’m not sure because I shut down my server to figure out how to deal with this problem).

In total there were two daemons which had no man pages:

- Killd (with googling I saw something about denial of service attacks, but I’m not sure)
- Distwatchd (which I could find nothing about googling)

My question now is how to disinfect my system, how do I locate keventd and kflushd, and how do I know for sure my system is clean?

Thanks for responding everyone :)

Greets,
Ben