On Wed, Jan 10, 2007 at 11:53:42AM -0600, Fran wrote:
> I've been told by my ISP that my sarge webserver (only port 80 open, all
> software up to date) is spewing traffic they're calling IRC_nick, which
> is apparently some sort of IRC bot.
>
> I'm unable to locate the file/files that are infected. Additionally, I
> can't see the process/processes for the bot when it's running.
>
> chkproc -v does reveal some hidden procs, but before I can kill them,
> they seem to go away.
>
> chkrootkit/rkhunter don't seem to see anything either.
>
> Any other suggestions?
If you're rooted, take the box down, take it off the net, reboot with a live-cd and run chkrootkit from there. Probably though, you're stuck rebuilding the box from scratch -- as in nuke it from orbit.

A