General question about rootkits
Hello, we had a client server (Debian lenny, apache, mysql) infected with a rootkit (one of the sha ones). We pretty much abandoned the server and put the websites onto a new one rather than try to fix it. I've tried clearing rootkits before with limited success.
On this particular server there was a bash script that was run by a cron job and dumped the databases into tar files on the server, but outside of the webroot.
Now, looking at the timestamps and such, I'm fairly sure that these files weren't accessed. But I was wondering if the attacker had the capability to access them?
A number of system files were changed (for example, the `ls` command was rewritten). Does that mean the attacker had our root password? Could they have nosed about the rest of the filesystem?