The Community Forums


Rootkit SHV4 - Server Compromised

Discussion in 'General Discussion' started by minotauro, Aug 29, 2004.

  1. minotauro
    Hello,

    Yesterday my server was hacked and the system compromised. When I ran rkhunter, it found this:

    /bin/ls [ BAD ]
    /bin/netstat [ BAD ]
    /bin/ps [ BAD ]
    /sbin/ifconfig [ BAD ]
    /usr/bin/find [ BAD ]
    /usr/bin/pstree [ BAD ]

    P.S.: I list only the compromised commands.

    Rootkit 'SHV4'... [ Warning! ]

    --------------------------------------------------------------------------------
    Found parts of this rootkit/trojan by checking the default files and directories
    Please inspect the available files, by running this check with the parameter
    --createlogfile and check the log file (current file: /dev/null).
    --------------------------------------------------------------------------------

    - GnuPG 1.2.1 [ Vulnerable ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.5 [ Vulnerable ]
    - PHP 4.3.5 [ Vulnerable ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]

    How do I replace these commands? I tried to simply copy one file over, but I receive an error:

    root@monster [~]# cp ls /bin/ls
    cp: overwrite `/bin/ls'? y
    cp: cannot create regular file `/bin/ls': Operation not permitted
    root@monster [~]# ls -la ls
    /bin/ls: unrecognized prefix: do
    /bin/ls: unparsable value for LS_COLORS environment variable
    -rwxr-xr-x 1 root root 68660 Aug 12 2003 ls*
    root@monster [~]# ls -la /bin/ls
    /bin/ls: unrecognized prefix: do
    /bin/ls: unparsable value for LS_COLORS environment variable
    -rwxr-xr-x 1 root root 39696 Aug 12 2003 /bin/ls*
    root@monster [~]#

    Any information to help me remove this SHV4 rootkit or restore my system?

    Regards,
    Minotauro.
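
    The "Operation not permitted" that root gets from cp above is the error the kernel returns when the target file carries the ext2/ext3 immutable attribute (set with chattr +i), which is a standard trick for keeping replaced binaries in place; a digest mismatch against the package database is the second signal that a binary has been swapped. The script below is an added example, not code from the thread or from rkhunter: it parses constructed sample output of lsattr and rpm -V (labelled as such in the comments; the real commands to substitute are noted at the end) and reports which files carry the immutable flag, which no longer match their package, and which are flagged by both.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of the binaries that
# rkhunter flagged on a box suspected of carrying SHV4. Two signals:
#   1. the ext2/ext3 immutable attribute ('i' in lsattr output), which is
#      what makes `cp x /bin/ls` fail with "Operation not permitted" even
#      for root and must be cleared with `chattr -i` before a replacement;
#   2. an MD5 mismatch against the RPM database ('5' in the third column
#      of the `rpm -V` result field).
# The inputs below are constructed sample output so the script runs
# anywhere. On a real system feed it the real commands (see the end), run
# from rescue media: lsattr, rpm, awk and the shell on the compromised disk
# cannot be trusted, and neither can its rpm database.

# Constructed sample of: lsattr /bin/* /sbin/* /usr/bin/* 2>/dev/null
# Format: attribute string, whitespace, path.
SAMPLE_LSATTR='----i-------- /bin/ls
----i-------- /bin/netstat
----i-------- /bin/ps
------------- /bin/cat
----i-------- /sbin/ifconfig
------------- /sbin/init
----i-------- /usr/bin/find
----i-------- /usr/bin/pstree
------------- /usr/bin/top'

# Constructed sample of: rpm -V coreutils net-tools procps findutils psmisc
# Format: 8-character result field (S size, M mode, 5 md5, D device,
# L link, U user, G group, T mtime), optional "c" marking a config file,
# then the path. "missing" replaces the result field for absent files.
SAMPLE_RPM_V='S.5....T    /bin/ls
S.5....T    /bin/netstat
S.5....T    /bin/ps
S.5....T    /sbin/ifconfig
S.5....T    /usr/bin/find
S.5....T    /usr/bin/pstree
S.5....T    /usr/bin/top
.......T  c /etc/sysconfig/network
missing     /usr/share/man/man1/ls.1.gz'

# Paths whose attribute field carries the immutable flag (lowercase 'i').
find_immutable() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

# Paths whose on-disk MD5 differs from the package database. A lone 'T'
# (mtime) or an edited config file is not evidence; a changed digest on a
# system binary is. $NF skips the optional "c" marker.
find_modified_digest() {
    printf '%s\n' "$1" | awk 'substr($1, 3, 1) == "5" { print $NF }'
}

# Union of both checks: everything that deserves a look.
suspicious_files() {
    { find_immutable "$1"; find_modified_digest "$2"; } | LC_ALL=C sort -u
}

# Intersection: immutable *and* modified. Each list is duplicate-free, so a
# path that appears twice in the merged, sorted stream is in both.
confirmed_replaced() {
    { find_immutable "$1"; find_modified_digest "$2"; } | LC_ALL=C sort | uniq -d
}

echo "Suspicious files:"
suspicious_files "$SAMPLE_LSATTR" "$SAMPLE_RPM_V"
echo "Immutable and modified (treat as attacker-replaced):"
confirmed_replaced "$SAMPLE_LSATTR" "$SAMPLE_RPM_V"

# With the compromised disk mounted read-only under /mnt from rescue media,
# the real inputs would be:
#   lsattr -R /mnt/bin /mnt/sbin /mnt/usr/bin /mnt/usr/sbin 2>/dev/null
#   rpm -Va --root /mnt
# and `chattr -i /mnt/bin/ls` clears the flag if a file has to be replaced
# before the reinstall. None of this makes the box trustworthy again; it
# tells you what to preserve as evidence and what must not be copied into
# the backup you restore from.
```

    The two checks are deliberately kept separate: an immutable flag on its own can be an administrator's hardening choice, and a digest mismatch on its own can be a locally patched package, but a binary that is both immutable and no longer matches its package, as all six flagged by rkhunter are in the sample, is about as clear a sign of a replaced file as you get without a known-good copy to diff against.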
     
  2. chirpy
    The only realistic thing that you can do after a root compromise is to back up your user data and then perform an OS install (i.e. format the system disk and install a clean operating system), then restore your cPanel configuration data. If you try to clean it, you will never know whether the server is still compromised and someone has free access to your root account.

    Once your new OS has been installed, make sure that you update every application on it to its latest secure release (if a RedHat server, use up2date until it runs clean) and make sure you are using the latest kernel for your OS release. Then either secure your server properly yourself, or get someone who knows what they're doing to do it.
     
  3. StevenC
    It is possible to clean it, but I recommend getting an OS restore; it is the only way you know it won't happen again. Next time they might do something more drastic, like deleting your users' content, and that wouldn't be very good, would it?
     
