[lug] R00tKIT!! Raah!
Jeff Schroeder
jeff at neobox.net
Tue Jun 14 17:23:10 MDT 2005
Michael asked:
> Now, here is a question, can the 'apache' user install a rootkit if
> they are not root?
It seems unlikely. Perhaps there was a different path used to
compromise the system... maybe an SSH exploit? Are you running other
services that might not have the latest security patches? Telnet, FTP,
Sendmail, etc.?
> I fear I may need to travel out there to rebuild the server... Anyone
> know if it is possible to 'clean' the system?
The general rule of thumb is you *always* rebuild a compromised system.
It's extremely difficult to know all of the things that were changed,
and a clever cracker would doubtless install lots of tools all over the
place. I wouldn't take the risk of thinking you cleaned it, only to
discover next week that it's been compromised again. :-(
$0.02,
Jeff