HowtoForge Forums > Linux Forums > Server Operation

#1, 8th December 2009, 08:12
denbert (Member; Join Date: May 2008; Location: Copenhagen; Posts: 46)

Debian Lenny hacked - SHV4 Rootkit, SHV5 Rootkit installed, root password exploited

Hi,

I have a remote server at a hosting center. Unfortunately I've been sloppy with the updates, due to the fact that I've been using a WordPress theme which couldn't work with later WordPress updates.

I was contacted by mail with this subject: Fraudulent site - please shut down! [BP 9675.43-44] IP:xx.xxx.xxx.xx

Dear Sirs:

RSA, an anti-fraud and security company, is engaged in contract to assist Poste Italiane S.p.A. and its related entities “(Gruppo PosteItaliane)” in preventing or terminating online activities that target or may potentially target Poste Italiane/Gruppo Poste Italiane clients as potential fraud victims.

Poste Italiane S.p.A. is one of the largest Italian companies and operates mainly in the postal and banking/financial sectors. Poste Italiane official sites (www.posteitaliane.it and www.poste.it) are among the most famous Italian sites and are registered by the competent Italian authority on Italian top-level domain (.it).... snip


I installed rkhunter and ran it, and bingo:

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 2
Rootkit names : SHV4 Rootkit, SHV5 Rootkit

When I logged in to the server, I noticed that the last root login was from an address other than mine!

Therefore the root password has been exploited!

I removed MySQL, Lighttpd and Webmin and changed the SSH port to 222; furthermore I've disabled root login in the sshd config file.

I would really like to avoid a reinstall, as this will incur further costs due to the fact that the server is at a hosting center.

Can anyone recommend a solution/guide?
__________________
/ Denbert
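The two things the post describes, turned into a repeatable check. This is an added example and not part of the original thread or of rkhunter: it scans sshd "Accepted ... for root from" lines for source addresses outside an allowlist (the poster spotted this by hand from the last-login banner; reading auth.log instead is this example's choice), and it verifies that sshd_config really has PermitRootLogin set to no, honouring sshd's rule that the first occurrence of a keyword wins. The log lines, IP addresses and config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample data throughout.

# Constructed auth.log excerpt (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='Dec  7 03:12:44 host sshd[1201]: Accepted password for root from 203.0.113.7 port 51622 ssh2
Dec  7 09:01:02 host sshd[1302]: Accepted publickey for root from 198.51.100.5 port 40012 ssh2
Dec  7 09:05:10 host sshd[1310]: Accepted password for denbert from 198.51.100.5 port 40020 ssh2
Dec  7 11:40:55 host sshd[1402]: Failed password for root from 203.0.113.7 port 51700 ssh2'

# Addresses the administrator genuinely logs in from (assumption; edit for your site).
ALLOWED_IPS="198.51.100.5"

# Constructed sshd_config fragments: a default-looking "before" and the
# hardened "after" the poster describes (root login off, non-default port).
SSHD_CONFIG_BEFORE='Port 22
PermitRootLogin yes
PasswordAuthentication yes'
SSHD_CONFIG_AFTER='Port 222
PermitRootLogin no
PasswordAuthentication yes'

# Print each unique source IP that successfully authenticated as root and is
# not in the allowlist. $1 = log text, $2 = space-separated allowlist.
# Failed attempts are ignored on purpose: only successes mean compromise.
unexpected_root_logins() {
    printf '%s\n' "$1" |
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted .* for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Exit 0 if the config disables root login, 1 otherwise.
# Keywords are case-insensitive and commented lines (#PermitRootLogin) do not
# count, so this reads the first effective directive only.
root_login_disabled() {
    printf '%s\n' "$1" |
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' |
    grep -qx 'no'
}

# Usage: report findings for the constructed data.
bad="$(unexpected_root_logins "$SAMPLE_LOG" "$ALLOWED_IPS")"
[ -z "$bad" ] || printf 'root logged in from unexpected address(es):\n%s\n' "$bad"
root_login_disabled "$SSHD_CONFIG_BEFORE" || echo "before: PermitRootLogin is not set to no"
root_login_disabled "$SSHD_CONFIG_AFTER" && echo "after: root login disabled"
```

Run against a real box, replace SAMPLE_LOG with the contents of /var/log/auth.log (and its rotated copies) and the config strings with /etc/ssh/sshd_config; on a host where a rootkit is already present, copy the logs off first and read them elsewhere, since a kit like the one rkhunter flagged can trojan the local tools that would otherwise parse them.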
Tags: debian lenny, rkhunter, shv4 rootkit, shv5 rootkit