Actually I pretty much wiped out t0rn v8. Still getting a positive (possible) on showtree rootkit. I did it by analysing chkrootkit, seeing what they check for, and replacing/deleting those binaries/libraries and so on.
Update: I think our firewall cramped the trojan's style. Whoever ran it didn't even run any services. The files are there. That's about it. Not as bad as it seems now. On top of that, it's a server that we used to store offsite backups.
Probably should write a script for auto t0rn v8 removal. Or does anyone want to save me the trouble?
If you knew what you were doing, you wouldn't have gotten rooted.
Scary stuff... you can get rid of/reverse the actions of the rootkit maybe, but you never know if something else was modified or changed, or what sensitive information has been collected that could be used against you or your customers in the future. Damn cyber-terrorists haha.
Originally posted by HP-Kevin: If you knew what you were doing, you wouldn't have gotten rooted.
How many times do I have to go around and say it?
You cannot gain 100% security; you can, however, gain increased security. The only way to gain 100% security is to remove the internet and lock the machine up in a safe where no one can get to it. But even then it's not secure, because someone could crack the safe.
Besides, this was a hole in cPanel's buggy code that was taken advantage of; nothing you could have done to help that. Someone is always ahead of you.
You guys don't need to jump on me; look at my post, I had a smiley face, I was joking around. Holy s***, this is WHT, you're not impressing anybody, this is just discussion.
Back to my point: you cannot be sure you have a machine back to being secure after it's been rooted. I really don't think an exploited box can be trusted anymore... sure, you can reverse the rootkit like I said, but you don't know how elaborate the hacker got, and maybe he downloaded all your users' passwords... cracking them; most people use weak *** passwords. It's a scary situation; removing the kit isn't the solution, that's all I was saying.
I agree there is no such thing as 100% security; I didn't say there was such a thing, but I think people don't take updates as seriously as they should. Most of these "hackers" are just using the same info available to you, the sysadmin. The guy gets an email from cPanel or SecurityFocus or wherever saying an exploit was found; he was just faster at exploiting you than you were at protecting against the exploit.
Be proactive, not reactive, that's all I'm saying. No need to light me on fire, thank you.