HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   General question about rootkits (http://www.howtoforge.com/forums/showthread.php?t=55271)

vmos 6th December 2011 16:56

General question about rootkits
 
Hello, we had a client server (Debian Lenny, Apache, MySQL) infected with a rootkit (one of the SHA ones). We pretty much abandoned the server and put the websites onto a new one rather than try to fix it. I've tried clearing rootkits before with limited success.

On this particular server there was a bash script, run by cron, that dumped the databases into tar files on the server but outside of the webroot.

Now looking at the timestamps and such, I'm fairly sure that these files weren't accessed. But I was wondering if the attacker had the capability to access them?

A number of system files were changed (for example, the ls command was rewritten). Does that mean the attacker had our root password? Could they have nosed about the rest of the filesystem?
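The check a practitioner would want here, as an added example (this is not code from the post or from HowtoForge): verify installed binaries against the md5sums manifests that dpkg keeps under /var/lib/dpkg/info, which is what the Debian `debsums` package automates, and then reason about what write access to /bin implies. The sample file tree, the manifest and the "trojaned ls" are all constructed in a temporary directory so the script runs offline; the digest listed for sbin/ifconfig is a placeholder that deliberately points at a file that is never written. The second function models the plain POSIX permission decision (no ACLs, capabilities or AppArmor) for the files the post describes: on a stock Debian install /bin and /bin/ls are root:root with mode 0755, so replacing ls needs root privileges, and root can read any dump on the filesystem regardless of its mode bits. Root privileges are not the same thing as the root password; a local privilege escalation from the web server's account gives the same result.

```python
"""Verify files against a dpkg-style md5sums manifest and model POSIX access.

Added example, not from the forum post.  Everything it touches lives in a
throwaway temp directory; no real system files are read or written.
"""
import hashlib
import os
import tempfile

# Constructed "genuine" file contents.  The manifest below is computed from
# these bytes, not from real Debian binaries.
SAMPLE_FILES = {
    "bin/ls": b"#!/bin/sh\necho genuine ls\n",
    "bin/ps": b"#!/bin/sh\necho genuine ps\n",
}


def md5_of(path):
    """MD5 of a file, read in chunks; dpkg's manifests are MD5-based."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse '<md5>  <relative path>' lines (two spaces), the format of
    /var/lib/dpkg/info/<package>.md5sums.  Returns {rel_path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest
    return entries


def verify_manifest(root, manifest):
    """Compare every manifest entry with the file under root.
    Returns {rel_path: 'ok' | 'modified' | 'missing'}."""
    result = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result[rel] = "missing"
        elif md5_of(full) == expected:
            result[rel] = "ok"
        else:
            result[rel] = "modified"
    return result


def build_sample_tree():
    """Create the constructed tree, record a manifest of the genuine files,
    then trojan bin/ls as a rootkit would.  Returns (root, manifest_text)."""
    root = tempfile.mkdtemp(prefix="rootkit-check-")
    lines = []
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    # Placeholder digest (MD5 of the empty string) for a file we never
    # create, to exercise the 'missing' branch.
    lines.append("d41d8cd98f00b204e9800998ecf8427e  sbin/ifconfig")
    # Simulate the compromise: ls is replaced by a wrapper that hides files.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b'#!/bin/sh\n/bin/ls.orig "$@" | grep -v rootkit\n')
    return root, "\n".join(lines) + "\n"


def check_sample():
    """Run the manifest check over the constructed tree."""
    root, manifest_text = build_sample_tree()
    return verify_manifest(root, parse_md5sums(manifest_text))


def posix_allows(mode, owner_uid, owner_gid, uid, gids, perm):
    """Plain POSIX discretionary-access decision for perm in {'r', 'w'}.
    Ignores ACLs, capabilities and MAC.  uid 0 passes every r/w check, so
    whoever could overwrite a root-owned 0755 /bin/ls could also read any
    root-owned database dump elsewhere on the disk."""
    if uid == 0:
        return True
    bit = {"r": 4, "w": 2}[perm]
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


if __name__ == "__main__":
    for rel, status in sorted(check_sample().items()):
        print(f"{status:9} {rel}")
    # www-data (uid 33 on Debian) against root:root 0755 /bin/ls
    print("www-data can replace /bin/ls:", posix_allows(0o755, 0, 0, 33, [33], "w"))
    print("root can replace /bin/ls:    ", posix_allows(0o755, 0, 0, 0, [0], "w"))
```

On a real box the equivalent check is `debsums -c` (or `dpkg --verify` on dpkg releases that have it), but it is only trustworthy when run from clean tooling, for example with the disk mounted under a live system: a kernel-level rootkit can feed a userland checker the original file contents while the on-disk binary is trojaned. The manifests themselves are root-writable too, so a root-level intruder can regenerate them; comparing against the package's own .deb from a mirror is the stronger reference.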

