View Single Post
  #1  
Old 6th December 2011, 16:56
vmos vmos is offline
Member
 
Join Date: Nov 2008
Posts: 57
Thanks: 1
Thanked 0 Times in 0 Posts
Default General question about rootkits

Hello, we had a client server (Debian lenny, apache, mysql) infected with a rootkit (one of the sha ones) we pretty much abandoned the server and put the websites onto a new one rather than try and fix it. I've tried clearing rootkits before with limited success.

On this particular server there was a bash script that ran by a cron and dumped the databases into tar files on the server but outside of the webroot.

Now looking at the timestamps and such, I'm fairly sure that these files weren't accessed. But I was wondering if the attacker had the capability to access them?

A number of system files were changed (for example, the LS command was rewritten) Does that mean the attacker had our root password? Could they have nosed about the rest of the filesystem?
Reply With Quote
Sponsored Links