[lug] R00tKIT!! Raah!

Michael Belanger mrb at ciclops.org
Tue Jun 14 17:16:00 MDT 2005


Greetings.
I feel very violated.

I found two suspect files on our public webserver.
/tmp/dc.pl
/var/tmp/r0nin

The latter is confirmed as a rootkit.

Now, here is a question: can the 'apache' user install a rootkit if they are not 
root?

I think somehow it did.  The network host reported an excessive amount of web 
traffic coming from our server about the same day the rootkit file is dated. I 
take this to mean that it has been compromised.

I fear I may need to travel out there to rebuild the server... Anyone know if it 
is possible to 'clean' the system?

-M
-- 
Michael Belanger
CICLOPS, Space Science Institute

phone. 720-974-5853   Jabber: mrb at jabber.ciclops.org
fax.   720-974-5860

DISCLAIMER:
The Sender and Cassini Imaging Central Laboratory for Operations
accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information
provided, unless that information is subsequently confirmed in
writing. If you are not the intended recipient you are notified
that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.
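A defender-side triage pass for the kind of finding described in the post (files dropped in /tmp and /var/tmp, a web server user that may have written them, a traffic spike on a known day), added here as an example and not taken from the original message or any project: it inventories files in temp directories owned by the web server's user, flags executables and scripts, and lists files modified after a reference time so they can be lined up with the reported traffic date. It assumes POSIX sh with find(1), stat(1) (GNU or BSD flags) and head(1); the user name and directories are arguments, not values from the post.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Assumes POSIX sh with
# find(1), stat(1) (GNU or BSD flags) and head(1). Run as root so every
# directory is readable; treat output from a suspect host as hints only.

# tmp_triage USER DIR... : print "path|owner|mtime_epoch|mode" for every
# regular file under each DIR owned by USER (e.g. the web server's user).
tmp_triage() {
    user="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -user "$user" 2>/dev/null |
        while IFS= read -r f; do
            # GNU stat first, BSD stat as fallback; skip unreadable files.
            info=$(stat -c '%U|%Y|%A' "$f" 2>/dev/null) ||
                info=$(stat -f '%Su|%m|%Sp' "$f" 2>/dev/null) || continue
            printf '%s|%s\n' "$f" "$info"
        done
    done
    return 0
}

# is_suspect FILE : succeed if FILE is executable, starts with "#!", or has
# a script extension; a dropped .pl helper or an ELF tool matches here.
is_suspect() {
    f="$1"
    [ -x "$f" ] && return 0
    [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ] && return 0
    case "$f" in *.pl|*.sh|*.py) return 0 ;; esac
    return 1
}

# files_newer_than DIR REF : regular files under DIR modified after REF's
# mtime. Make REF mark the incident date (e.g. touch -t 200506140000 REF)
# to correlate dropped files with the day of the reported traffic spike.
files_newer_than() {
    find "$1" -xdev -type f -newer "$2" 2>/dev/null | sort
}

# suspect_report USER DIR... : only the suspect files from tmp_triage.
suspect_report() {
    tmp_triage "$@" | while IFS='|' read -r f rest; do
        is_suspect "$f" && printf '%s|%s\n' "$f" "$rest"
    done
    return 0
}
```

A listing produced on a host whose kernel or userland tools may already be subverted can omit entries, so the inventory is a triage aid for deciding scope, not proof that nothing else was touched.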
