I found some discussion about false alarms here:
http://forum.configserver.com/showthread.php?t=1052
I'm thinking the only real test is to restart the servers and then check for signs that the exploit is installed.
Steve,
Don't take this warning lightly. It has all the signs of a rootkit we've been seeing that affects those specific files. Try the following tests on your system to see what happens:
Code:
[root@cpanel ~]# mkdir 1
mkdir: cannot create directory `1': No such file or directory
[root@cpanel ~]# touch 2
touch: cannot touch `2': No such file or directory
If you see the above results, it's almost certain your server has been compromised.
If you believe your server has been compromised, then you should contact your datacenter or NOC to have them properly clean the server. You will also need to change all account passwords on the system to prevent your server from being re-compromised.
You can always look at the MD5 sums for those files from your distribution's download mirror or open up the files in a text editor to make sure they haven't been replaced with a perl script.
I'd grep through the index files in your home partition to see if any have been injected with iframes as well.
Side note:
If you think you may be compromised, definitely do not restart the box. A lot of compromises will alter binaries and such on restart.
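The three checks cpaneldave describes above (MD5 sums against the distribution's published values, binaries that have been swapped for a perl script, and index files injected with iframes), written up as an added example that is not part of any post in this thread. The sample tree, its contents and the expected MD5 of a "hello" file are constructed here so it runs offline; on a real server you would point the functions at /bin/mkdir, /bin/touch, your distribution's checksum list and /home.

```shell
#!/bin/sh
# Added example: defender-side checks for the symptoms discussed in the thread.
# Everything under make_sample_tree is constructed test data, not real system files.

# Return 0 if the file starts with the ELF magic (7f 45 4c 46). A coreutils
# binary replaced by a perl script fails this because it starts with "#!".
check_elf_magic() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "7f454c46" ]
}

# Return 0 if the file's MD5 matches the sum published for the package.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Print every index.* file under the given directory that contains an <iframe>
# tag, the injection pattern the thread recommends grepping for.
find_iframe_injections() {
    find "$1" -type f -name 'index.*' -exec grep -l -i '<iframe' {} +
}

# Constructed sample tree: one genuine-looking ELF binary, one "binary" that is
# really a perl script, one clean site, one injected site, one file with a known MD5.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$dir/mkdir"
    printf '#!/usr/bin/perl\nexit 0;\n' > "$dir/touch"
    mkdir -p "$dir/home/site1/public_html" "$dir/home/site2/public_html"
    printf '<html><body>clean page</body></html>\n' > "$dir/home/site1/public_html/index.html"
    printf '<html><body><iframe src="http://malware.example/" width="0" height="0"></iframe></body></html>\n' \
        > "$dir/home/site2/public_html/index.html"
    printf 'hello\n' > "$dir/known_good"
    echo "$dir"
}

# Walk the sample tree and report, the way you would on a suspect server.
sample=$(make_sample_tree)
for bin in mkdir touch; do
    if check_elf_magic "$sample/$bin"; then echo "$bin: ELF binary"; else echo "$bin: NOT an ELF binary, inspect it"; fi
done
if verify_md5 "$sample/known_good" b1946ac92492d2347c6235b4d2611184; then echo "known_good: MD5 matches"; fi
echo "index files containing an iframe:"
find_iframe_injections "$sample/home"
rm -rf "$sample"
```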
I had the same warnings. They are false positives from LFD due to last night's cpanel update. I also did cpaneldave's test on the server and it came back fine. In other words I was able to create the directories.
Brian
It's likely that the rootkit publishers have seen our test and modified the rootkit to report success. I'd still inspect the files just to make sure. Here's a good presentation from our June conference about how in-depth and organized these types of threats are:
http://www.cpanel.net/conference/08/...zedThreats.pdf
A lot of the false positives on CentOS are related to the fact that CentOS 4.7 was released, therefore a huge amount of rpms were replaced.