[Cialug] rootkit

Josh More cialug@cialug.org
Thu, 10 Mar 2005 08:59:51 -0600


First, disconnect the box from the net.

You can confirm the possible presence with rkhunter:
http://www.rootkit.nl/

Then, look at the source for rkhunter and chkrootkit
to determine what signature they are looking at.  Manually
confirm that the rootkit is there.  Do *not* edit anything.

Once you know for a fact that one is running, you need to
make a decision on whether or not to prosecute.  If you
choose to proceed with legal measures, contact the police
and leave the box alone.

If you do not, conventional wisdom is to wipe the box and
reinstall.

That said, I have found that there is a lot to be learned from
analyzing the rootkit before the wipe and reinstall.

-- 
-Josh More, RHCE, CISSP
 morej@alliancetechnologies.net
 515-245-7701


On Thu, 2005-03-10 at 09:02 -0600, admin wrote:
> Just ran chkrootkit on my server and found out there may be a damn rootkit
> installed. What to do, what to do?
> 
> Any help here would be hot.
> 
> 
> -------------------------
> want an email address ending in @c0wzftp.com?
> send an email on over to admin@c0wzftp.com
> 
> 
> _______________________________________________
> Cialug mailing list
> Cialug@cialug.org
> http://cialug.org/mailman/listinfo/cialug
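
As an added illustration of the "manually confirm" step Josh describes (this is not code from the post, nor chkrootkit's own), here is a read-only cross-check in the spirit of chkrootkit's chkproc test: process ids reachable under /proc are compared against what ps reports, and anything ps leaves out is flagged for a closer look. It assumes a Linux box with procps `ps`; the /proc paths and the `ps -eLo lwp=` invocation are that assumption, and nothing on the machine is modified.

```python
"""Added example, not part of the mailing-list post: the kind of manual
cross-check chkrootkit's chkproc performs, so you can see for yourself
what its "hidden process" signature means.  A process that exists under
/proc but is missing from ps output is what a process-hiding rootkit
looks like.  Every step is read-only; nothing on the box is modified."""
import os
import subprocess

def hidden_pids(proc_pids, ps_pids):
    """PIDs that /proc exposes but ps does not report, sorted ascending."""
    return sorted(set(proc_pids) - set(ps_pids))

def parse_ps_pids(ps_output):
    """Parse the output of `ps -eLo lwp=` (one thread id per line).
    Threads are included on purpose: /proc/<tid> exists even though it
    is hidden from a plain readdir of /proc, a classic false positive."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def pids_from_proc_readdir(proc_root="/proc"):
    """PIDs visible by listing /proc (what `ls /proc` shows)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def pids_from_proc_probe(max_pid, proc_root="/proc"):
    """Probe /proc/<n> for every n up to max_pid.  A rootkit that filters
    readdir results still has to answer stat() on the directory, so this
    can expose entries the listing omits (chkproc's brute-force step).
    Slow for a large pid_max, but deliberately so; it touches nothing."""
    return {n for n in range(1, max_pid + 1)
            if os.path.isdir(f"{proc_root}/{n}")}

def live_ps_pids():
    """Thread ids as reported by procps ps (assumed to be installed)."""
    out = subprocess.run(["ps", "-eLo", "lwp="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    candidates = pids_from_proc_readdir() | pids_from_proc_probe(pid_max)
    flagged = hidden_pids(candidates, live_ps_pids())
    # A pid that shows up only once across repeated runs was just a
    # short-lived process that exited between the two snapshots; one that
    # persists is worth confirming by hand before deciding what comes next.
    for pid in flagged:
        print(f"PID/TID {pid} exists under /proc but ps does not report it")
```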