
Thread: rootkits! Help!

  1. #1

    rootkits! Help!

    Need some help removing rootkits, if anyone knows how or where some pages are that give instructions. I have googled it and can't seem to find 'em.

    flea rootkit
    shv4
    shv5
    sunos rootkit
    torn v8

    One of my customers got rooted. I would like to avoid a re-install if possible, but if that's what has to happen then so be it.

  2. #2
    Join Date
    Aug 2003
    Location
    Calgary, Canada
    Posts
    13
    That's what has to happen... especially if you think you have 5 of them.

  3. #3
    Join Date
    Feb 2002
    Location
    Vestal, NY
    Posts
    1,378
    That's what has to happen, unless you can take the risk that it will keep happening again and again. You may not even be safe after a re-install unless you first find out what allowed the rootkits to be installed.
    H4Y Technologies LLC Check out our new website!
    "Smarter, Cheaper, Faster" - SMB, Reseller, VDS, Dedicated, Colo hosting done right.

    ZERO PACKETLOSS, ZERO DOWNTIME Dedicated and Colo - USA: IA, CA, NC, OR, NV
    **http://h4y.us**
    Voice: (866)435-5642. *** Email: askus at host4yourself d0t com

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Following instructions for removing rootkits is the worst idea in the world. You can attempt to remove them, but you will never know if it's fully removed. Your best bet is to do the OS reinstall.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,622
    Then for next time... install a program (e.g. Tripwire) which makes a checksum of all the core OS files on your server, so you can just do a quick check to see which has actually changed.
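    The baseline-and-compare idea in the post above, as an added example that is not part of the thread and is not Tripwire or AIDE (those are the tools to actually deploy): a snapshot of every file's SHA-256 is taken while the box is known-clean, a second snapshot is taken later, and the two are diffed. The function names, the fake bin tree built by demo(), and the "trojaned ps" scenario are this example's own constructions.

```shell
#!/bin/sh
# Added example (not Tripwire itself): a minimal file-integrity baseline in the
# spirit of Tripwire/AIDE, using only sha256sum, find, sort and awk.
# The directory tree built by demo() is constructed for illustration; the
# function names and the trojaned-file scenario are this example's own.
set -eu

# Hash every regular file under DIR, paths relative to DIR, sorted bytewise so
# that two snapshots of the same tree are comparable line by line.
snapshot() {                  # snapshot DIR > snapshot-file
    (cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum)
}

# Compare two snapshot files ("hash  path" per line) and print one line per
# difference: CHANGED (hash differs), NEW (not in baseline), MISSING (gone).
# Paths containing whitespace would need a stricter parser than awk's default
# field splitting; fine for the demo tree.
compare() {                   # compare BASELINE CURRENT
    awk 'NR == FNR { base[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in base))       print "NEW", $2
           else if (base[$2] != $1) print "CHANGED", $2 }
         END { for (p in base) if (!(p in seen)) print "MISSING", p }' "$1" "$2"
}

# demo: baseline a fake bin directory, then simulate what a trojaned-binary
# kit does (replace ps, drop a hidden file, remove a binary) and report the diff.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n'      > "$work/bin/ls"
    printf 'original ps\n'      > "$work/bin/ps"
    printf 'original netstat\n' > "$work/bin/netstat"

    # 1. Baseline taken while the box is known-clean. In real use, write it to
    #    read-only or off-box storage: a baseline on the compromised disk can
    #    be edited by the same attacker who edited ps.
    snapshot "$work/bin" > "$work/baseline.sha256"

    # 2. Compromise: trojaned ps, an extra hidden file, netstat deleted.
    printf 'trojaned ps\n' > "$work/bin/ps"
    printf 'backdoor\n'    > "$work/bin/.hidden"
    rm "$work/bin/netstat"

    # 3. Verification from a clean environment (rescue boot, or a second host
    #    with the disk mounted read-only): a kernel-level rootkit on the
    #    running system can hand sha256sum the original bytes and hide the change.
    snapshot "$work/bin" > "$work/current.sha256"
    compare "$work/baseline.sha256" "$work/current.sha256"

    rm -rf "$work"
}

demo
```

Running demo prints NEW ./.hidden, CHANGED ./ps and MISSING ./netstat. The design point is the one the later replies make: the check only tells you what changed since the baseline, and only if both the baseline and the verifier are trustworthy, so it is a detection aid and a guide to what the attacker touched, not a cleaning procedure.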

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Even if you have Tripwire, it's still not a good idea to just "clean" up the box.

  7. #7
    I'm pretty sure I know what it was. The user that rents that box has repeatedly run game servers under the 'root' user account.

    ::pulls hair out::

    That's about the only thing that I can think of.

  8. #8
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    I would exercise your right as the hosting provider and say "You need a restore". Honestly, after a total restore, you should be operational within 6 hours or less anyways.
    Dan Sheppard ~ Freelance whatever

  9. #9
    Join Date
    Jan 2004
    Location
    /home/dislexik
    Posts
    820
    Originally posted by Sheps
    I would exercise your right as the hosting provider and say "You need a restore". Honestly, after a total restore, you should be operational within 6 hours or less anyways.
    And you will have peace of mind knowing you have got rid of anything relating to any rootkit that has been on your server, effectively.
    "You don't learn to hack, you hack to learn"

  10. #10
    I have a similar experience to GotGameServers, being rooted.

    So, I put the old drive as secondary and ordered a new drive for OS reload.

    I did not do any backup cron all this while, so I can't restore from cPanel.

    How do I check for illegal files in home directory of all domains (so that I don't transfer to the primary hard drive)?

    Is it really safe to connect it as secondary? (I don't think I have a choice not to do this.)

    How do I systematically restore the domains?

    Thank you.
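    The two questions in the post above (is it safe to attach the old drive, and how to find the files you do not want to carry over), as an added example that is not from the thread. attach_old_disk() is the mount step: read-only, and with noexec, nosuid and nodev so nothing on the old disk can be executed or gain privilege; it needs root and is not run by demo(). scan_homes() is the part you can run on any tree; the home directories it walks in demo(), including the placeholder key line, are constructed, and the device path, mount point and tag names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: scan the *old* disk's home directories
# from the freshly installed system. attach_old_disk() is the mount step (needs
# root, not run by demo); scan_homes() is the part you can run on any tree.
# The home tree that demo() builds, including the key line, is constructed.
set -eu

# Mount the compromised disk read-only and so that nothing on it can be
# executed or gain privilege: ro,noexec,nosuid,nodev. Never chroot into it or
# run any binary from it; treat it as evidence, not as a system.
attach_old_disk() {           # attach_old_disk /dev/sdb1 /mnt/old  (hypothetical paths)
    mkdir -p "$2"
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# True if the file begins with the ELF magic (7f 45 4c 46), i.e. is a native
# Linux executable or shared object. Checked with od so it needs no file(1).
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Report, one "TAG path" per line, the things worth a human look before any
# of this data is copied to the new disk:
#   SUID            setuid/setgid files (a classic local-root backdoor)
#   ELF_IN_WEBROOT  compiled binaries under public_html (a web root should
#                   hold scripts and static files, not ELF executables)
#   HIDDEN_DIR      dot-directories and names starting with a space, the
#                   usual hiding places
#   AUTHORIZED_KEYS every SSH key file; an attacker's key is how they come back
# Runs in a subshell so the cd does not leak into the caller.
scan_homes() (                # scan_homes /mnt/old/home
    cd "$1"
    find . -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort \
        | sed 's/^/SUID /'
    find . -path '*/public_html/*' -type f | LC_ALL=C sort \
        | while IFS= read -r f; do
              if is_elf "$f"; then printf 'ELF_IN_WEBROOT %s\n' "$f"; fi
          done
    find . -mindepth 1 -type d \( -name '.*' -o -name ' *' \) | LC_ALL=C sort \
        | sed 's/^/HIDDEN_DIR /'
    find . -type f -path '*/.ssh/authorized_keys' | LC_ALL=C sort \
        | sed 's/^/AUTHORIZED_KEYS /'
)

# demo: build a small constructed home tree with one of each finding and scan it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/alice/public_html/.cache" "$work/bob/.ssh" "$work/bob/bin"
    printf '<html>hello</html>\n' > "$work/alice/public_html/index.html"
    printf '\177ELFnot-a-real-binary\n' > "$work/alice/public_html/.cache/bd"   # ELF magic only
    printf 'ssh-rsa EXAMPLEKEY constructed@example\n' > "$work/bob/.ssh/authorized_keys"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$work/bob/bin/sh"
    chmod 4755 "$work/bob/bin/sh"     # setuid, as a dropped backdoor would be
    scan_homes "$work"
    rm -rf "$work"
}

demo
```

Usage: after attach_old_disk, run scan_homes /mnt/old/home and review every line before copying anything; chkrootkit can also be pointed at the mounted tree with its -r option. Restore by carrying over content only (public_html, mail, databases dumped and inspected), never binaries, cron entries, shell profiles or SSH keys from the old disk; re-create the accounts on the fresh install and reset every password and key, since anything that was on the rooted box has to be assumed captured.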
