General question about rootkits
Hello, we had a client server (Debian lenny, apache, mysql) infected with a rootkit (one of the sha ones). We pretty much abandoned the server and put the websites onto a new one rather than try to fix it. I've tried clearing rootkits before with limited success.
On this particular server there was a bash script, run by a cron job, that dumped the databases into tar files on the server but outside of the webroot.
Now, looking at the timestamps and such, I'm fairly sure that these files weren't accessed, but I was wondering whether the attacker had the capability to access them.
A number of system files were changed (for example, the ls command was rewritten). Does that mean the attacker had our root password? Could they have nosed about the rest of the filesystem?
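The two things the question turns on, reading file timestamps and finding which system binaries were replaced, can both be checked from a shell. The helpers below are an added example, not code from the original post: they print a file's atime/mtime/ctime, report whether the filesystem is mounted with noatime or relatime (in which case atime is not updated on every read and "wasn't accessed" cannot be concluded from it), and compare files against the md5sums list dpkg records for each installed package under /var/lib/dpkg/info. They assume GNU coreutils (stat, md5sum) and a dpkg-based system; the package name coreutils (which ships /bin/ls) and the sample paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): post-compromise triage helpers
# for a dpkg-based system. Assumes GNU stat/md5sum and /proc/mounts.
set -u

# Print the three timestamps of a file in epoch seconds. atime is what is
# usually read as "last accessed"; mtime is last content change; ctime is
# last inode change and, unlike atime/mtime, cannot be set with touch(1).
file_times() {
    stat -c 'atime=%X mtime=%Y ctime=%Z %n' "$1"
}

# Return 0 if the filesystem holding $1 is mounted noatime or relatime
# (atime not refreshed on every read), 1 if strict atime, 2 if unknown.
atime_unreliable() {
    mp=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }')
    [ -n "$mp" ] && [ -r /proc/mounts ] || return 2
    awk -v mp="$mp" '$2 == mp { print $4 }' /proc/mounts \
        | tr ',' '\n' | grep -qxE 'noatime|relatime'
}

# Compare files against a dpkg-style md5sums list ("<md5>  <relative path>").
# $1 = list file, $2 = root under which the relative paths are resolved
# (default /, or the mount point of the compromised disk on a clean host).
# Prints each modified or missing file; returns the mismatch count (max 255).
verify_md5sums() {
    list=$1
    root=${2:-/}
    bad=0
    while read -r sum rel; do
        [ -n "$rel" ] || continue
        f="${root%/}/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$f" | awk '{ print $1 }')
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $f"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Verify every file dpkg recorded for one package, e.g. coreutils for /bin/ls.
# $2 is the root to check under (default /).
verify_package() {
    verify_md5sums "/var/lib/dpkg/info/$1.md5sums" "${2:-/}"
}
```

Run this from a clean system with the compromised disk mounted read-only and pass that mount point as the root (`verify_package coreutils /mnt/old`), since a rootkit with root privilege can also rewrite the md5sums lists and the md5sum binary on the infected host; for a stronger check, fetch the package's .deb from the mirror and compare against its contents instead. Whatever the timestamps say, a file such as /bin/ls is owned by root and writable only by root, so replacing it required root privilege on the box, though not necessarily the root password: a local privilege escalation or a misconfigured service can grant the same access.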