HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Debian Lenny hacked - SHV4 Rootkit, SHV5 Rootkit installed, root password exploited (http://www.howtoforge.com/forums/showthread.php?t=41635)

denbert 8th December 2009 08:12

Debian Lenny hacked - SHV4 Rootkit, SHV5 Rootkit installed, root password exploited
 
Hi,

I have a remote server at a hosting center. Unfortunately I've been sloppy with the updates, because I've been using a WordPress theme which couldn't work with future WordPress updates.

I was contacted by mail with this subject: Fraudulent site - please shut down! [BP 9675.43-44] IP:xx.xxx.xxx.xx

Dear Sirs:

RSA, an anti-fraud and security company, is engaged in contract to assist Poste Italiane S.p.A. and its related entities (Gruppo PosteItaliane) in preventing or terminating online activities that target or may potentially target Poste Italiane/Gruppo Poste Italiane clients as potential fraud victims.

Poste Italiane S.p.A. is one of the largest Italian companies and operates mainly in the postal and banking/financial sectors. Poste Italiane official sites (www.posteitaliane.it and www.poste.it) are among the most famous Italian sites and are registered by the competent Italian authority on Italian top-level domain (.it).... snip


I installed rkhunter and ran it, and bingo:

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 2
Rootkit names : SHV4 Rootkit, SHV5 Rootkit

When I logged in to the server, I noticed that the last root login was from an address other than mine!

Therefore the root password has been exploited!

I removed MySQL, Lighttpd and Webmin and changed the SSH port to 222; furthermore I've disabled root login in the sshd config file.

I would really like to avoid a reinstall as this will give me further costs, due to the fact that the server is at a hosting center.

Anyone who can recommend a solution/guide?

topdog 8th December 2009 09:05

There must be backdoors left on the system to allow the hacker back in; I'm sure most of the binaries you use for checking such things have been modified by the attacker. If you can run the binaries from removable media then you may be able to clean up the machine. (The binaries in question would be things like lsmod, ps, w, who, netstat, lsof.)
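An added example (not topdog's or the thread's own code) of the check described above: compare the named binaries on the suspect host against a sha256 manifest recorded on a known-good system or trusted removable media, and flag what has been modified or removed. The manifest format, directory layout and the sample "clean"/"suspect" trees are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the binaries topdog names
# (ps, lsmod, netstat, w, who, lsof) against a sha256 manifest recorded on a
# known-good system or trusted removable media. Run it from that trusted
# medium too: a trojaned sha256sum on the suspect host could lie as well.
# Manifest format (constructed): "<sha256>  <relative path>", as sha256sum writes.

# verify_manifest MANIFEST ROOT: one line per binary (OK/MODIFIED/MISSING),
# exit status = number of binaries that are not OK.
verify_manifest() {
    manifest=$1
    root=${2:-/}
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(sha256sum "$target" | cut -d' ' -f1)" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return $bad
}

# demo_run: constructed sample. Builds a "clean" tree and its manifest, then a
# "suspect" copy where ps has been replaced and lsof deleted, as a rootkit
# might do. Prints "<bad on clean> <bad on suspect>".
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/clean/usr/bin"
    for b in ps lsmod netstat w who; do
        printf 'clean %s binary\n' "$b" > "$work/clean/bin/$b"
    done
    printf 'clean lsof binary\n' > "$work/clean/usr/bin/lsof"
    (cd "$work/clean" && sha256sum bin/* usr/bin/*) > "$work/manifest"
    cp -r "$work/clean" "$work/suspect"
    printf 'trojaned ps\n' > "$work/suspect/bin/ps"
    rm "$work/suspect/usr/bin/lsof"
    clean_bad=0; verify_manifest "$work/manifest" "$work/clean" >/dev/null || clean_bad=$?
    suspect_bad=0; verify_manifest "$work/manifest" "$work/suspect" >/dev/null || suspect_bad=$?
    rm -rf "$work"
    echo "$clean_bad $suspect_bad"
}
```

On a Debian host the same idea is available for packaged files via the package database (debsums), but that database also lives on the suspect disk, so a manifest kept off the machine is the stronger reference.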

denbert 8th December 2009 09:34

Quote:

Originally Posted by topdog (Post 212927)
There must be backdoors left on the system to allow the hacker back in; I'm sure most of the binaries you use for checking such things have been modified by the attacker. If you can run the binaries from removable media then you may be able to clean up the machine. (The binaries in question would be things like lsmod, ps, w, who, netstat, lsof.)

Yep - I realize that I'm in "bad standing", and therefore I will shut down the server now and prepare a clean install later.

The worst is that I'm the only one to blame :mad:

