The Community Forums

Interact with an entire community of cPanel & WHM users!

Hidden process : hacked???

Discussion in 'General Discussion' started by visiondream3, Jul 6, 2003.

  1. visiondream3

    visiondream3 Active Member

    Joined:
    Mar 3, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    I detected an LKM trojan while running chkrootkit, with a hidden process detected.

    I searched in the proc directory to find this,

    [/proc]# for i in `seq 1 25000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done
    init [3]--init1
    2
    3
    4
    5
    6
    8

    Why is the init invoked like this....

    I found this on a couple of servers as well...all running 2.4.20

    Any idea...if that is kernel specific, but then why is it hidden....

    Also, is it time to go for 2.4.21 on cpanel servers.....

    PLEASE HELP......this is really serious....

     
  2. visiondream3

    visiondream3 Active Member

    Joined:
    Mar 3, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    OK, in fact I managed to throw him off.
    It was hidden in the directory /dev/drg/sk.
    The init was also corrupted.
    I replaced it, including the consolehelper.
    /sbin/init u (uninstalled it for me)
    and /sbin/init v (made the hidden one visible)
    In fact it was the same version...
    Rebooted, and now it looks okay.

     
  3. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    Visiondream, need your expertise...

    I am getting this now:

    You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed

    What should I do now?
     
  4. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    Reformat and restore from backups is the only guaranteed method of getting rid of a hacker that I know of....
     
  5. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Keep in mind chkrootkit will output false positives in regards to LKMs.

    Mike
     
  6. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    compunet2:
    I can't just reformat and restore from backup due to the many business sites on the server. Is there any other way?

    Sash:
    What about the 4 process hidden for readdir and ps commands? Are they false as well?
     
  7. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Do you get the same hidden processes (in number and type) each time you run chkrootkit, or do they change?

    How busy is the server? What is the average load?

    Mike
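As an added example that is not code from the thread or from chkrootkit, the following POSIX sh script does what the /proc walk in the first post does (probe every PID number by path and compare it with what ps lists) and also answers the question above about repeated runs: it keeps only PIDs that stay hidden across several rounds, so a process that starts or exits mid-scan is not reported. Function and variable names are my own, and a Linux /proc layout is assumed.

```shell
# Added example, not chkrootkit's or the thread's code: repeat the /proc-vs-ps
# comparison and report only PIDs hidden in every round, so processes that
# start or exit between the two views do not show up as "hidden".
# Print the PIDs of list $1 that are absent from list $2. Lists are
# whitespace- or newline-separated PID numbers (hence the unquoted $1/$2).
pids_hidden_from() {
    probe=$(printf '%s\n' $1 | sort -n -u)
    seen=$(printf '%s\n' $2 | sort -n -u)
    [ -z "$probe" ] && return 0
    if [ -z "$seen" ]; then printf '%s\n' "$probe"; return 0; fi
    # -x whole-line, -F literal, -v keep only lines NOT in $seen
    printf '%s\n' "$probe" | grep -vxF -e "$seen" || true
}

# Intersect the per-round hidden lists given as arguments: a PID must be
# hidden in every round to survive. One-off hits are the transient
# processes that make a single chkrootkit run look alarming.
persistently_hidden() {
    acc=$(printf '%s\n' $1 | sort -n -u)
    [ $# -gt 0 ] && shift
    for round in "$@"; do
        [ -z "$acc" ] && break
        cur=$(printf '%s\n' $round | sort -n -u)
        [ -z "$cur" ] && { acc=""; break; }
        acc=$(printf '%s\n' "$acc" | grep -xF -e "$cur" || true)
    done
    [ -n "$acc" ] && printf '%s\n' "$acc"
    return 0
}

# One live round (Linux /proc assumed). Probe each PID number by path, as the
# seq loop in the thread does, so a hooked readdir() cannot hide it; keep only
# thread-group leaders (Tgid == Pid), since ps -e never lists other threads.
scan_once() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    visible=$(ps -e -o pid=)
    probe=""
    i=1
    while [ "$i" -le "$max" ]; do   # slow with a large pid_max, but thorough
        if [ -r "/proc/$i/status" ] &&
           grep -qs "^Tgid:[[:space:]]*$i\$" "/proc/$i/status"; then
            probe="$probe $i"
        fi
        i=$((i + 1))
    done
    pids_hidden_from "$probe" "$visible"
}

if [ "${1:-}" = "--live" ]; then   # three rounds, 2 s apart; print survivors
    r1=$(scan_once); sleep 2; r2=$(scan_once); sleep 2; r3=$(scan_once)
    persistently_hidden "$r1" "$r2" "$r3"
fi
```

A PID that survives all three rounds is still only a lead, not proof of a rootkit; compare its /proc/<pid>/exe and cmdline against what the box should be running before acting on it.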
     
  8. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    It will have to be until tomorrow before chkrootkit runs again. Why do you ask? Is there a relation if the detection repeats? The server load is 0.30 average.
     
  9. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Doc,

    I am not sure why you can't run chkrootkit constantly over and over until you determine if you have been rooted or not. As well as a mess load of other things you NEED to be checking. Why would you wait even 1 minute to inspect as much as possible? If you do find you have been rooted then the only way to fix it is to clean, grab what you need and re-format. If you have been rooted and a hacker is mean as hell then you won't have any business sites left to worry about if you don't fully inspect that box asap!!! They will even delete your backups if you let them.
     
  10. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    there are a number of things wrong with chkrootkit, but if you can't tell you've been hacked by simply running chkroot, well, you need the services of an admin.

    Check around, play with the scripts that chkrootkit gave you, you've got a number of them.

    Is reformatting the only option? Sometimes, yes, but it all depends on the size of the hack really. I mean, if just one (or two) files were hacked, naah, there's no need for a reformat. If you can't tell which files were hacked, then you need to reformat.

    Verify all directories, files and the like. It's a painstaking process, but it can be done.

    The other solution is a reformat. If you don't have data to lose, then by all means, reformat :)
     
  11. Doctor

    Doctor Well-Known Member

    Joined:
    Apr 26, 2003
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for all your answers! I know now what I should do.
     