General question about rootkits
Hello, we had a client server (Debian lenny, apache, mysql) infected with a rootkit (one of the sha ones). We pretty much abandoned the server and put the websites onto a new one rather than try to fix it. I've tried clearing rootkits before with limited success.
On this particular server there was a bash script that ran from cron and dumped the databases into tar files on the server, but outside of the webroot.
Now, looking at the timestamps and such, I'm fairly sure that these files weren't accessed. But I was wondering whether the attacker had the capability to access them?
A number of system files were changed (for example, the ls command was rewritten). Does that mean the attacker had our root password? Could they have nosed about the rest of the filesystem?
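The two things the post is reasoning from are file timestamps and the fact that a system binary (ls) was replaced. Replacing a file under /bin requires root, and a root-level process can also rewrite atime/mtime, so timestamps are not evidence of what was or was not read. What does hold up is comparing file hashes against a baseline taken from a trusted source (on Debian, debsums or dpkg --verify does this against the package database). The script below is an added example, not code from the original post: it builds a sha256 manifest of a directory tree, later verifies the tree against it, and lists every file that has changed or gone missing. The sample tree (a fake "bin/ls" and a fake database dump) is constructed inline so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): hash-based integrity check of a
# directory tree against a baseline manifest, the same idea debsums / dpkg --verify
# apply to installed packages. The baseline must come from a source the attacker
# could not have altered (package metadata, or a copy kept off the box).

# build_baseline DIR MANIFEST
# Records "sha256  path" for every regular file under DIR, in a stable order.
build_baseline() {
    dir=$1; manifest=$2
    find "$dir" -type f -print0 | sort -z | xargs -0 sha256sum > "$manifest"
}

# verify_baseline MANIFEST
# Prints one path per line for every entry whose hash no longer matches, or that
# can no longer be read. No output means every recorded file is unchanged.
verify_baseline() {
    manifest=$1
    # --quiet hides OK lines; mismatches and unreadable files print "path: FAILED..."
    sha256sum -c --quiet "$manifest" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# demo
# Constructed scenario: take a baseline, then overwrite bin/ls (standing in for a
# trojaned system binary) and show that verification flags exactly that file.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/backups"
    printf 'original ls binary\n' > "$d/bin/ls"          # constructed sample
    printf 'database dump\n'      > "$d/backups/db.tar"  # constructed sample
    build_baseline "$d" "$d.manifest"

    # Clean state: nothing reported.
    [ -z "$(verify_baseline "$d.manifest")" ] || echo "unexpected: baseline already dirty" >&2

    # Simulate the replaced binary the post describes; the backup dump is untouched.
    printf 'replaced ls binary\n' > "$d/bin/ls"
    verify_baseline "$d.manifest"

    rm -rf "$d" "$d.manifest"
}
```

Run `demo` to see the single flagged path. Against a real host you would run the check from clean media, with a manifest generated from a trusted source rather than from the suspect machine itself; a manifest built after the compromise only proves the files have not changed since then.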