
Server Compromised

Discussion in 'General Discussion' started by iisnet, Dec 26, 2004.

  1. iisnet (Active Member)
    It appears that a RHEL3 server I have was compromised a few hours ago - rkhunter returned the following:

    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/dmesg [ BAD ]
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ BAD ]

    ......

    However, rkhunter and chkrootkit were unable to detect any rootkits on the server. Would it be safe to just replace these files with clean ones, or would it be better to do a complete reinstall?

    Any suggestions would be appreciated.
     
  2. dezignguy (Well-Known Member)
    Obviously you haven't been paying much attention to what's going on with your server... the reason that rkhunter is returning "BAD" for those programs is because the MD5 hashes have been changed (so the file has been changed), but the highly likely reason that the file has been changed is because up2date installed new versions from Redhat. RHEL3 is now at Taroon Update 4. So check that out first, there should be logs for up2date.
     
  3. iisnet (Active Member)
    Meh, guess I haven't been paying attention indeed :rolleyes:
    I updated rkhunter, but I guess their MD5 hashes haven't been updated either?

    Thanks.
     
  4. haze (Well-Known Member)
    You can keep trying to run rkhunter --update 2, maybe 3, times a day. I think the developer is probably busy with the holiday season, and he's stated on the rkhunter web site that it'll be a slow period at the moment.

    rkhunter is a great tool, but it should not be the only tool you have to check this sort of stuff. When you first set up your server it's a good idea to have a tool such as AIDE or perhaps Tripwire installed ( my pref = AIDE ). Installing these later on is somewhat useless, but if you're certain your server is clean of any issues, it's probably still a good idea.

    Best thing to do would be to consult an expert in this area to ensure you are as safe as possible.
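The distinction the thread turns on is "the hash changed" versus "the hash changed to something nobody legitimately shipped". rkhunter's BAD verdict only tells you the former; a baseline tool such as AIDE tells you the same thing, and neither is useful unless the baseline was taken while the box was known-clean. The script below is an added example (not rkhunter, AIDE or cPanel code) of that three-way check: a baseline of file hashes is recorded, and on comparison each changed file is classed as "updated" if its new hash appears in an allowlist of vendor hashes, or "suspicious" if it does not. The files, their contents and the vendor allowlist are constructed inside the script so it runs offline; on a real RHEL3 host the allowlist role is played by the RPM database (`rpm -Vf /bin/kill` verifies the package that owns the file) and the up2date log, and the baseline itself must be stored somewhere a root-level intruder cannot rewrite.

```python
"""Baseline-and-compare check for binaries flagged by a hash scanner.

Added example, not code from rkhunter, AIDE or cPanel. For each file in a
baseline the verdict is one of:
  unchanged   current hash equals the baseline hash
  updated     hash changed, but the new hash is in the vendor allowlist
              (what a package update via up2date/rpm would produce)
  suspicious  hash changed and no vendor published that hash
  missing     file no longer exists
All paths, contents and allowlist entries below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def file_hash(path):
    """SHA-256 of a file, read in chunks (rkhunter of the era used MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of each monitored file. Taken on a known-clean
    system and stored off-host or read-only, otherwise it proves nothing."""
    return {p: file_hash(p) for p in paths}


def compare(baseline, vendor_hashes):
    """Classify every baselined file. vendor_hashes is the set of hashes a
    legitimate package update could have produced (on RHEL: the RPM db)."""
    result = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
            continue
        new = file_hash(path)
        if new == old:
            result[path] = "unchanged"
        elif new in vendor_hashes:
            result[path] = "updated"
        else:
            result[path] = "suspicious"
    return result


def demo():
    """Constructed scenario: three fake 'binaries' in a temp directory."""
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("kill", "login", "dmesg")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original build of " + os.path.basename(p).encode())
    baseline = build_baseline(paths)

    # Simulate an up2date package update of 'kill': the content changes and
    # the vendor's package metadata carries the new hash.
    new_kill = b"vendor update of kill"
    with open(paths[0], "wb") as f:
        f.write(new_kill)
    vendor_hashes = {hashlib.sha256(new_kill).hexdigest()}

    # Simulate a trojaned 'login': content for which no vendor hash exists.
    with open(paths[1], "wb") as f:
        f.write(b"backdoored login")

    verdicts = compare(baseline, vendor_hashes)
    return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} {verdict}")
```

Running it prints `kill` as updated, `login` as suspicious and `dmesg` as unchanged: the same "hash changed" signal rkhunter gives for the first two, separated by whether a known-good source vouches for the new content. The caveat from the thread still applies: an intruder with root can edit the local RPM database as easily as /bin/login, so the allowlist has to come from the vendor's packages, not from the host under suspicion.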
     
  5. brianc (Well-Known Member)
    What is important is whether these files are reported as clean when using rkhunter. The "bad" messages are due to these scripts being upgraded by up2date. You should have been notified of this via the /scripts/upcp report that you receive via e-mail.

    Brian
     