[lug] R00tKIT!! Raah!
Michael Belanger
mrb at ciclops.org
Tue Jun 14 17:16:00 MDT 2005
Greetings.
I feel very violated.
I found two suspect files on our public webserver.
/tmp/dc.pl
/var/tmp/r0nin
The latter is confirmed as a rootkit.
Now, here is a question, can the 'apache' user install a rootkit if they are not
root?
I think somehow it did. The network host reported an excessive amount of web
traffic coming from our server about the same day the rootkit file is dated. I
take this to mean that it has been compromised.
I fear I may need to travel out there to rebuild the server... Anyone know if it
is possible to 'clean' the system?
-M
--
Michael Belanger
CICLOPS, Space Science Institute
phone. 720-974-5853 Jabber: mrb at jabber.ciclops.org
fax. 720-974-5860
DISCLAIMER:
The Sender and Cassini Imaging Central Laboratory for Operations
accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information
provided, unless that information is subsequently confirmed in
writing. If you are not the intended recipient you are notified
that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.
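The two suspect paths above both sit in world-writable temporary directories (/tmp and /var/tmp carry mode 1777), so any local account, the web server's 'apache' user included, can write and execute files there without root. A first triage step is therefore to list every regular file in those directories that is executable, starts with an ELF header or a `#!` line, is owned by a service account, or was modified inside the window when the unusual traffic was seen. The scanner below is an added example and not code from the original post or the LUG list; the directory names, the service-account list and the constructed sample files are assumptions. Run it as root on a real machine so that every file is readable; the demo path only touches a temporary directory it creates itself.

```python
"""Triage scanner for world-writable temp directories (added example, not from the post)."""
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF executable
SHEBANG = b"#!"          # interpreter scripts (perl, sh, python, ...)
# Assumed service-account names; adjust to the distribution in use.
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}


@dataclass
class Finding:
    path: str
    owner: str
    mode: str                  # permission bits as octal text, e.g. "0755"
    mtime: datetime
    reasons: List[str] = field(default_factory=list)


def owner_name(uid: int) -> str:
    """Map a uid to a login name; fall back to the numeric uid if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def classify_file(path: Path, suspect_owners: Set[str],
                  window: Optional[Tuple[datetime, datetime]] = None) -> Optional[Finding]:
    """Return a Finding when the file shows any of the triage signals, else None."""
    try:
        st = path.lstat()
    except OSError:
        return None                      # vanished between listing and stat
    if not stat.S_ISREG(st.st_mode):
        return None                      # skip directories, symlinks, sockets
    reasons = []
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        head = b""
        reasons.append("unreadable by current user")
    if head.startswith(ELF_MAGIC):
        reasons.append("ELF binary")
    elif head.startswith(SHEBANG):
        reasons.append("interpreter script (#!)")
    owner = owner_name(st.st_uid)
    if owner in suspect_owners:
        reasons.append(f"owned by service account '{owner}'")
    if not reasons:
        return None                      # plain data file: not worth a line in the report
    mtime = datetime.fromtimestamp(st.st_mtime)
    if window and window[0] <= mtime <= window[1]:
        reasons.append("modified inside incident window")
    return Finding(str(path), owner, format(stat.S_IMODE(st.st_mode), "04o"), mtime, reasons)


def scan_tmp_dirs(dirs: Iterable[str], suspect_owners: Set[str],
                  window: Optional[Tuple[datetime, datetime]] = None) -> List[Finding]:
    """Walk each directory (os.walk ignores unreadable subtrees) and collect findings, oldest first."""
    findings = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                f = classify_file(Path(root, name), suspect_owners, window)
                if f:
                    findings.append(f)
    return sorted(findings, key=lambda f: f.mtime)


def build_sample_dir() -> str:
    """Constructed sample tree (not real artefacts) so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    binary = Path(root, "dropper.bin")
    binary.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)   # fake ELF header only
    binary.chmod(0o755)
    script = Path(root, "helper.pl")
    script.write_bytes(b"#!/usr/bin/perl\nprint 'constructed sample';\n")
    script.chmod(0o644)                  # perl scripts need no x bit to run
    Path(root, "notes.txt").write_text("harmless scratch file\n")
    return root


def run_demo() -> Tuple[str, List[Finding]]:
    """Scan the constructed tree with a two-hour window around now."""
    root = build_sample_dir()
    now = datetime.now()
    window = (now - timedelta(hours=1), now + timedelta(hours=1))
    return root, scan_tmp_dirs([root], SERVICE_ACCOUNTS, window)


if __name__ == "__main__":
    # For a real host: scan_tmp_dirs(["/tmp", "/var/tmp"], SERVICE_ACCOUNTS, window)
    _root, results = run_demo()
    for f in results:
        print(f"{f.mtime:%Y-%m-%d %H:%M}  {f.mode}  {f.owner:10}  {f.path}")
        print("    " + "; ".join(f.reasons))
```

The script reports a file whenever it carries an executable bit, an ELF or `#!` header, or a service-account owner, and only then annotates whether it falls inside the traffic window, so the report stays short instead of listing every scratch file in /tmp. It says nothing about whether privilege escalation followed the drop, and a userland file in /var/tmp does not by itself show whether the kernel or system binaries were altered, so treat it as a starting point for the investigation rather than a verdict.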