zk rootkit

Sam Barnett-Cormack s.barnett-cormack at lancaster.ac.uk
Sat Nov 22 01:39:54 UTC 2003


On Fri, 21 Nov 2003, Ben Stringer wrote:

> On Fri, 2003-11-21 at 23:18, Grosswiler Roger wrote:
> > Hi guys,
> >
> > Running chkrootkit on my server lets me know that I have a 'possible
> > installation of the zk rootkit' on my server. Does anybody know how I can
> > find out about this rootkit, where the files are and what I can do against
> > it?
>
> To find the files, look at the source (it's a shell script) of
> chkrootkit and search for the bit where it reports it found zk.
>
> From (bitter) memory, it is something like /usr/lib/.zk
>
> What you should do against it is remove the server from the net, backup
> any data (avoiding executables) and reinstall. Then have everyone who
> ever used a password on the server change their passwords. Rootkits tend
> to install a backdoor for access (e.g. a second sshd) and to replace common
> binaries (ls, ps) to hide their presence. chkrootkit can only find
> rootkits that have been sloppily constructed.

Actually, chkrootkit will probably be able to find all but the best, as
long as the author keeps it up to date. It detects the common
modifications to binaries as well.

-- 

Sam Barnett-Cormack
Software Developer                           |  Student of Physics & Maths
UK Mirror Service (http://www.mirror.ac.uk)  |  Lancaster University
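Added example, not code from the thread or from chkrootkit: a small POSIX sh integrity check that covers both points made above, Ben's hint that chkrootkit looks for a known drop path such as /usr/lib/.zk, and Sam's point that it also detects modified common binaries. The /usr/lib/.zk path is the one quoted in the thread; the binary list, the baseline file layout and the use of sha256sum are assumptions for illustration.

```sh
#!/bin/sh
# Added example in the spirit of chkrootkit (not its code). Every function takes an
# explicit ROOT so it can be pointed at an offline mount of the suspect filesystem
# (e.g. ROOT=/mnt/suspect) instead of trusting the live, possibly trojaned, system.

# check_paths ROOT PATH...
# Prints each PATH that exists under ROOT (known rootkit drop locations such as
# /usr/lib/.zk, as quoted in the thread). Returns 0 if none found, 1 otherwise.
check_paths() {
    root=$1; shift
    found=0
    for p in "$@"; do
        if [ -e "$root$p" ]; then
            echo "SUSPICIOUS: $root$p exists"
            found=1
        fi
    done
    return $found
}

# make_baseline ROOT OUTFILE FILE...
# Records one "sha256 path" line per FILE under ROOT. Run this while the system is
# known clean and keep OUTFILE off the host, since rootkits replace ls, ps, etc.
make_baseline() {
    root=$1; out=$2; shift 2
    : > "$out"
    for f in "$@"; do
        sha256sum "$root$f" | awk -v f="$f" '{print $1, f}' >> "$out"
    done
}

# verify_baseline ROOT BASELINE
# Re-hashes every file in BASELINE under ROOT and prints those that differ or are
# missing (a missing binary counts as modified). Returns 0 if all match, 1 otherwise.
verify_baseline() {
    root=$1; base=$2
    bad=0
    while read -r sum f; do
        cur=$(sha256sum "$root$f" 2>/dev/null | awk '{print $1}')
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED: $root$f"
            bad=1
        fi
    done < "$base"
    return $bad
}
```

Run it from a boot medium or a known-good host against the mounted suspect disk; on the live box even sha256sum and the shell could be the replaced binaries, which is exactly why Ben's advice to back up data and reinstall still stands after a hit.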

More information about the fedora-list mailing list