chkrootkit: possible trojan

Stuart fedora at bluewise.co.za
Sat Sep 11 14:30:54 UTC 2004


Thanks Paul.

I still have (partial?) root access. Logs show china9988 at 21cn.com trying
to relay through smtp port, which leads me to think that it's either a
diversion, or I rehashed aliases.db before that part of the compromise
was complete (highly unlikely, invisible shell access should be able to
overcome that). Nmap shows ports open for WMS and RTSP, which I've yet
to figure out how to close.

You mentioned making it more difficult?

Any insight is appreciated.

Stu@

On Sat, 2004-09-11 at 15:48, Paul wrote:
> Hi,
> 
> > I haven't been able to lsmod, init 6, etc... which leads me to think
> > that it's a true positive.
> 
> Do you still have root access? If so, you can fix things to make life
> harder, but I would still not entirely trust the server
> 
> Really, if you've been r00ted, the only way to get rid of it is to trash
> the drive, reinstall, secure, check, resecure and make live.
> 
> TTFN
> 
> Paul
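An added example, not from Stuart's or Paul's messages: a small POSIX sh script that cross-checks the ports an external Nmap scan reports as open against what the host's own netstat listing shows. A listener visible from outside but absent from the local view is the classic sign of a hiding rootkit, which is what a chkrootkit hit plus a blocked lsmod suggests. The host address, ports and both tool outputs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the fedora-list thread). Compare an external
# nmap view of a host with the host's own listening-socket table. On a
# clean box the two agree; a port open to the network but missing from
# netstat/ss locally points at a kernel- or library-level hiding mechanism.

# Constructed sample of `nmap -p- -oG -` (grepable) output for the host.
NMAP_GREPABLE='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 554/open/tcp//rtsp///, 1755/open/tcp//wms///'

# Constructed sample of `netstat -lnt` run on the host itself.
LOCAL_LISTEN='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1755            0.0.0.0:*               LISTEN'

# external_ports GREPABLE_LINE: print every TCP port nmap saw open, one per line.
external_ports() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's#.*[ ]\([0-9][0-9]*\)/open/tcp/.*#\1#p' | sort -n
}

# local_ports NETSTAT_OUTPUT: print the port of every LISTEN socket, one per line.
local_ports() {
    printf '%s\n' "$1" |
        awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n
}

# hidden_ports GREPABLE_LINE NETSTAT_OUTPUT: ports open externally but not
# listed locally. Tag each stream, then take the set difference in awk.
hidden_ports() {
    {
        external_ports "$1" | sed 's/^/E /'
        local_ports "$2"    | sed 's/^/L /'
    } | awk '$1 == "L" { seen[$2] = 1 }
             $1 == "E" { ext[$2] = 1 }
             END { for (p in ext) if (!(p in seen)) print p }' | sort -n
}

# Usage on the constructed samples: 554 (RTSP) is reachable from outside
# but does not appear in the host's own socket table.
hidden_ports "$NMAP_GREPABLE" "$LOCAL_LISTEN"
```

On a suspect host the local netstat/ss binaries may themselves be trojaned, so take the local listing with known-good tools (a rescue CD or statically linked copies) and use `netstat -lntp` to map each remaining port to its process before deciding what to stop; a port that no process will own locally is further evidence for Paul's reinstall advice.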
