  1. #1
    Member
    Join Date
    Oct 2002
    Posts
    35

    Server Compromised

    It appears that a RHEL3 server that I have got compromised a few hours ago - rkhunter returned the following:

    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/dmesg [ BAD ]
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ BAD ]

    ......

    However, rkhunter and chkrootkit were unable to detect any rootkits on the server. Would it be safe to just replace these files with clean ones, or would it be better to do a complete reinstall?

    Any suggestions would be appreciated.

  2. #2
    Member
    Join Date
    Sep 2004
    Posts
    529


    Obviously you haven't been paying much attention to what's going on with your server... The reason that rkhunter is returning "BAD" for those programs is that the MD5 hashes have changed (so the files have changed), but the highly likely reason the files have changed is that up2date installed new versions from Redhat. RHEL3 is now at Taroon Update 4. So check that out first; there should be logs for up2date.

  3. #3
    Member
    Join Date
    Oct 2002
    Posts
    35


    Meh, guess I haven't been paying attention indeed.
    I updated rkhunter, but I guess their MD5 hashes haven't been updated yet either?

    Thanks.

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    1,558


    You can keep trying to run rkhunter --update 2, maybe 3 times a day. I think the developer is probably busy with the holiday season, and he's stated on the rkhunter web site that it'll be a slow period at the moment.

    rkhunter is a great tool, but it should not be the only tool you have to check this sort of stuff. When you first set up your server it's a good idea to have a tool such as AIDE or perhaps Tripwire installed (my pref = AIDE). Installing these later on is somewhat useless, but if you're certain your server is clean of any issues, it's probably still a good idea.

    Best thing to do would be to consult an expert in this area to ensure you are as safe as possible.
    Beau Henderson

  5. #5
    Member
    Join Date
    May 2003
    Posts
    118


    Quote Originally Posted by iisnet
    It appears that a RHEL3 server that I have got compromised a few hours ago - rkhunter returned the following:

    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/dmesg [ BAD ]
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ BAD ]

    ......

    However, rkhunter and chkrootkit were unable to detect any rootkits on the server. Would it be safe to just replace these files with clean ones, or would it be better to do a complete reinstall?

    Any suggestions would be appreciated.
    What is important is whether these files are reported as clean when using rkhunter. The "bad" messages are due to these scripts being upgraded by up2date. You should have been notified of this via your /scripts/upcp report that you receive via e-mail.

    Brian
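The check both replies above are pointing at, as an added example that is not code from any poster: rkhunter compares against its own (possibly stale) MD5 list, whereas `rpm -V` compares each file against the package currently installed, so a binary replaced by up2date verifies clean while a tampered one shows a size/digest mismatch. The script parses `rpm -Vf` output for the flagged paths; the sample output, path list and verdict names are constructed for illustration, and the caveat in the comments (rpm and its database can themselves be tampered with) is the usual one.

```python
"""Triage rkhunter 'BAD' hits: package update, or a binary that no longer
matches its installed package?  Uses real `rpm -Vf` when rpm exists,
otherwise the constructed sample output below, so it runs offline."""
import re
import shutil
import subprocess

# rpm -V prints one line per file that differs from its package: an 8- or
# 9-char attribute field (S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P caps on newer rpm; '.' = matches), an optional
# file-type marker such as 'c' for config files, then the path.
VERIFY_LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(\S+)$")

FLAGGED = ["/bin/kill", "/bin/login", "/bin/dmesg", "/sbin/depmod", "/sbin/ifconfig"]

# Constructed sample: kill and login print nothing (they match the package
# up2date installed), dmesg has only a new mtime, depmod is gone, and
# ifconfig's size and MD5 digest differ from the installed package.
SAMPLE_RPM_OUTPUT = """\
S.5....T    /sbin/ifconfig
.......T    /bin/dmesg
missing     /sbin/depmod
"""


def parse_rpm_verify(output):
    """Map path -> set of failed attribute letters ({'MISSING'} if absent)."""
    failed = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("missing"):
            failed[line.split()[-1]] = {"MISSING"}
        elif (m := VERIFY_LINE.match(line)):
            failed[m.group(2)] = {c for c in m.group(1) if c not in ".?"}
    return failed


def classify(failed):
    """Turn one file's failed attributes into a triage verdict."""
    if failed is None:
        return "CLEAN"            # no rpm -V line: matches the installed package
    if "MISSING" in failed:
        return "MISSING"
    if "5" in failed or "S" in failed:
        return "CONTENT_CHANGED"  # digest/size differ: not explained by the update
    return "MTIME_ONLY" if failed <= {"T"} else "METADATA_CHANGED"


def verify_paths(paths, rpm_output=None):
    """Return {path: verdict}. Caveat: trust this only with a known-good rpm
    binary and database (e.g. from rescue media); a rootkit may alter both."""
    if rpm_output is None:
        if shutil.which("rpm") is None:
            raise RuntimeError("rpm not found; pass captured `rpm -Vf` output")
        rpm_output = subprocess.run(["rpm", "-Vf", *paths], capture_output=True,
                                    text=True).stdout   # -Vf lists the owning package's files
    failed = parse_rpm_verify(rpm_output)
    return {p: classify(failed.get(p)) for p in paths}


if __name__ == "__main__":
    for path, verdict in verify_paths(FLAGGED, SAMPLE_RPM_OUTPUT).items():
        print(f"{verdict:16} {path}")
```

A CONTENT_CHANGED or MISSING verdict on a file that up2date's log does not show as updated is what justifies the reinstall question in the original post; CLEAN for all flagged files is consistent with the stale-hash explanation.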
