
Hacked Rootkits!

Discussion in 'Security' started by Fahd, Nov 11, 2007.

  1. #1
    One of my servers has been compromised by rootkits. I need some help to clean the system.

    Here are the relevant log entries from chkrootkit...

    Thanks in advance for any help! :)
     
    Fahd, Nov 11, 2007 IP
  2. ray9

    ray9 Guest

    #2
    Steven from Rack911. Torn rk means your server was not very secure; they are easy to prevent AFAIK.
     
    ray9, Nov 11, 2007 IP
  3. Fahd

    Fahd Well-Known Member

    #3
    The info is appreciated but any help in fixing the issue at hand would be more helpful! Although I do understand where you are coming from.
     
    Fahd, Nov 11, 2007 IP
  4. WiredTree Zac

    WiredTree Zac Peon

    #4
    The best course of action is going to be to back up all of your data and reinstall the server and make sure it is completely up to date. Then restore all your data and change your passwords and hire someone to secure your server and keep it up to date.

    Even if you remove the rootkits it found, unless you are a security expert, it is going to be tough to find other backdoors that chkrootkit doesn't find, and the safest way to deal with it will be to reinstall and restore.
     
    WiredTree Zac, Nov 12, 2007 IP
  5. whatyaknow

    whatyaknow Peon

    #5
    I concur with WiredTree's assessment.
     
    whatyaknow, Nov 28, 2007 IP
  6. SEO Extreme

    SEO Extreme Peon

    #6
    I also agree with you... the safest, easiest, and best way to do it is just restore it. Hopefully you have backups and all!
     
    SEO Extreme, Nov 29, 2007 IP
  7. InFloW

    InFloW Peon

    #7
    Keep in mind false positives with programs like that. It's always best to use at least two rootkit checks, so chkrootkit and maybe rkhunter.
     
    InFloW, Nov 30, 2007 IP
  8. whatyaknow

    whatyaknow Peon

    #8
    Also, if you do a restore and the system's integrity is restored I would recommend installing tripwire. It is an easy solution that monitors system files on a daily basis to make sure the md5 sums remain the same.
     
    whatyaknow, Dec 4, 2007 IP
  9. craigedmonds

    craigedmonds Notable Member

    #9
    Contact the guys at www.serveprogress.com.

    They do some ad hoc security work for me when I am too busy to do stuff myself.
     
    craigedmonds, Dec 8, 2007 IP
  10. SSANZ

    SSANZ Peon

    #10
    Tripwire doesn't monitor daily; it monitors all the time...?

    e.g.

    I get your root pass via brute, I change your binaries before tripwire reports. I clean & patch tripwire... A very clean hack without you knowing that your binaries got exchanged...

    That was only an example to show an issue: Tripwire needs to know the binaries' md5 hashes all the time. So it checks every few minutes, just like LSM, LFD/CFD.

    * Sorry had to bring it up, just a daily check of binaries bugs the hell out of me.
     
    SSANZ, Dec 9, 2007 IP
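Added illustration of the baseline-and-verify check that posts #8 and #10 are discussing (snapshot hashes of system files, re-check them later, report what changed); this is constructed example code, not tripwire itself and not from anyone in the thread. The fake "binaries" live in a temporary directory and SHA-256 stands in for the md5 mentioned above.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """Digest of one file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root to its digest: the 'known good' snapshot.
    The snapshot must be stored where a root-level intruder cannot rewrite it
    (read-only media or another host), which is the gap post #10 points at."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Re-hash the live tree and report changed, missing and unexpected new files."""
    current = build_baseline(root)
    return {
        "changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed scenario: snapshot a fake bin directory, then simulate a
    replaced 'ps' binary and a dropped hidden file, as a rootkit install would leave."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"original ls binary")
        (root / "ps").write_bytes(b"original ps binary")
        baseline = build_baseline(root)
        (root / "ps").write_bytes(b"trojaned ps binary")  # simulated swapped binary
        (root / ".hidden").write_bytes(b"dropped file")   # simulated new file
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run it as often as the check interval you want; a daily cron job gives an intruder a day of unnoticed changes, which is the objection raised in post #10.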
  11. RectangleMan

    RectangleMan Notable Member

    #11
    You are owned. Your only option is a complete reinstall. I would remove that drive completely ASAP. Install a new drive and reinstall your OS and files from scratch. Then attach the old drive and see what you can recover. Do so manually. Do not overwrite system files.

    Whatever you do, don't try to patch up that old drive... it's owned, and until you do a complete zero-level format on it, you can't use it.
     
    RectangleMan, Dec 14, 2007 IP
  12. grk519

    grk519 Peon

    #12
    Hire a professional company to do it or you will get nowhere; this will cost upwards of $50. Otherwise, reformat.
     
    grk519, Dec 27, 2007 IP
  13. craigedmonds

    craigedmonds Notable Member

    #13
    craigedmonds, Dec 28, 2007 IP