Questions tagged [rootkit]
The rootkit tag has no summary.
44 questions
0 votes
0 answers
344 views
chkrootkit awk not found
I am using chkrootkit 0.53 on my Ubuntu desktop 18.04. When I was doing a scan with `./chkrootkit -p /folder` it gives me the error `chkrootkit: can't find 'awk'`. Could anyone help? Thank you
0 votes
1 answer
245 views
Unknown device: detected open ports on server that should not exist?
While running a network scan I found open tcp ports reported for a linux machine (port 22-Openssh debian; ports 5124/5127/7582/8282 - Tunnel is OpenSSL) but we only have one linux box and this was not ...
1 vote
3 answers
212 views
Recognize rootkit-taken server
First, I'm not looking for software for detection of rootkits planted into a server, as this may or may not work, especially on a live system. I'm curious to find out what would be the signs of a rootkit ...
-1 votes
2 answers
226 views
How trustworthy are Arch's official repositories? [closed]
I have a server with Arch Linux installed and for some reason, it gets infected after a period of inactivity. I reinstall, remain inactive for some time and it gets infected again. Every time I ...
1 vote
1 answer
2k views
Are rkhunter and chkrootkit still effective Linux rootkit scanners?
AFAICT neither has had much activity since the first half of 2014. Are there any other open source Linux rootkit scanners out there, or reasonable commercial alternatives?
3 votes
1 answer
2k views
How to detect Bios Rootkits on a server mainboard?
I recently read about a talk by Corey Kallenberg and Xeno Kovah given at the CanSecWest conference which describes how the firmware of a server mainboard can be reprogrammed to include malicious ...
1 vote
1 answer
652 views
Find a script which writes in /var/tmp [duplicate]
I discovered that one of my partitions was full. rootfs 20G 1,8G 17G 10% / /dev/root 20G 1,8G 17G 10% / devtmpfs 7,8G 184K 7,8G 1% /dev none ...
0 votes
0 answers
545 views
rkhunter reports suspicious activity /bin/usr/wget and killall permissions changed
Sorry about the long post but please bear with me. I'm wondering if my system has been compromised. I've had issues in the past on this VM server with a Linux.BackDoor.Gates.5 Trojan that was DDoSing ...
2 votes
1 answer
3k views
What to do if rkhunter finds a possible rootkit?
I ran rkhunter tonight, and I got this for the results: [04:17:34] System checks summary [04:17:34] ===================== [04:17:34] [04:17:34] File properties checks... [04:17:34] Files checked: 133 [...
0 votes
1 answer
148 views
Strange ports on default install of W7
I have a base new install of windows 7, and when I went to look for something else I saw the attached netstat output. What concerns me is that this is Windows + Truecrypt + drivers, nothing else ...
2 votes
1 answer
2k views
Check all debian binaries against the checksum of the original
I would like to check all binaries on my server against dpkg -e <path_to_deb_package> <destination> (for example rkhunter could do this check against the originals when doing probupdate) ...
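The check the question asks for, as an added example that is not code from the question or from dpkg: on a Debian host the packaged digests live in `/var/lib/dpkg/info/<pkg>.md5sums` (and `dpkg -e pkg.deb dir` extracts the same file from a downloaded package), and `dpkg --verify` or `debsums` will compare them for you. The function below reads that manifest format and compares it against a directory tree so the logic is visible; the file tree and manifest at the bottom are constructed here, and `md5sum` is assumed to be GNU coreutils. The caveat matters more than the code: on a rootkitted host the manifests, `md5sum` and `dpkg` can all have been replaced, so run the comparison from a rescue medium against the mounted disk, with manifests taken from a trusted mirror's `.deb`.

```shell
#!/bin/sh
# Added example (not code from the question): check files on disk against a
# dpkg-style ".md5sums" manifest, the format found in
# /var/lib/dpkg/info/<pkg>.md5sums and in the control archive that
# `dpkg -e <pkg>.deb <dir>` extracts.  Assumes GNU coreutils md5sum and a
# POSIX sh.  The demo tree and manifest at the bottom are constructed here.

# verify_md5sums MANIFEST ROOT
#   Manifest lines: "<md5 hex>  <path relative to ROOT>" (dpkg uses two spaces).
#   Prints a MISSING or CHANGED line per problem and a one-line summary.
#   Returns 0 only if every listed file is present and unchanged.
verify_md5sums() {
    manifest=$1
    root=$2
    ok=0; changed=0; missing=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        expected=${line%% *}                  # digest: first field
        rel=${line#"$expected"}               # remainder: separator + path
        rel=${rel#"${rel%%[! ]*}"}            # drop leading spaces
        rel=${rel#\*}                         # drop md5sum's binary-mode marker
        rel=${rel#./}
        file="$root/$rel"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$rel"
            missing=$((missing + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            ok=$((ok + 1))
        else
            printf 'CHANGED  %s (expected %s, got %s)\n' "$rel" "$expected" "$actual"
            changed=$((changed + 1))
        fi
    done < "$manifest"
    printf 'ok=%d changed=%d missing=%d\n' "$ok" "$changed" "$missing"
    [ "$changed" -eq 0 ] && [ "$missing" -eq 0 ]
}

# --- constructed demonstration ------------------------------------------
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/usr/bin"
printf 'pretend this is wget\n'    > "$demo_root/usr/bin/wget"
printf 'pretend this is killall\n' > "$demo_root/usr/bin/killall"
manifest="$demo_root/psmisc+wget.md5sums"
{
    printf '%s  usr/bin/wget\n'    "$(md5sum "$demo_root/usr/bin/wget"    | cut -d' ' -f1)"
    printf '%s  usr/bin/killall\n' "$(md5sum "$demo_root/usr/bin/killall" | cut -d' ' -f1)"
    printf 'd41d8cd98f00b204e9800998ecf8427e  usr/bin/ls\n'   # listed, but not on disk
} > "$manifest"
# Simulate a trojaned binary, modified after the manifest was taken.
printf 'pretend this is killall\n/tmp/.x/bd &\n' > "$demo_root/usr/bin/killall"

if verify_md5sums "$manifest" "$demo_root"; then
    echo "all files match the manifest"
else
    echo "mismatches found: reinstall the package from a trusted mirror"
fi
```

MD5 is no longer collision resistant, but that is not the threat here: the comparison is against the digest of the exact file Debian shipped, so any modification of an installed binary shows up as CHANGED. What the check cannot do is vouch for the manifest or for `md5sum` itself when both sit on the suspect disk.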
2 votes
1 answer
3k views
Suspicious file types found in /dev ASCII text
rkhunter complains about this: Warning: Suspicious file types found in /dev: /dev/.udev/queue.bin: data /dev/.udev/data/c13:66: ASCII text /dev/.udev/data/c13:64: ASCII ...
2 votes
1 answer
467 views
RKHunter reports change in file properties, but different hash length
RKHunter reports a change in file properties, but the strange thing is that the hash length is different in the current hash and in the stored hash. [11:47:13] Warning: The file properties have changed: ...
0 votes
1 answer
1k views
How can I remove SHV4 / SHV5 rootkits? [duplicate]
I've seen that my system has two kinds of rootkits: SHV4 / SHV5. (I'm going to add a log here) I tried to remove them but I could not. Can anybody recommend any way to do it? [ Rootkit Hunter ...
8 votes
2 answers
6k views
Rootkit Revealer is failing to run, why? [duplicate]
On a user's laptop (Windows 7 x64), terrible performance led me to suspect a rootkit after ruling almost everything else out. I checked boot entries with Autoruns and ran a full scan with Malwarebytes,...
1 vote
1 answer
6k views
Rkhunter triggered last night warning for a possible infection. What next?
Last night rkhunter triggered with the following warnings: [04:10:23] Warning: Network TCP port 32982 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: Solaris Wanuk ...
2 votes
1 answer
4k views
remove shared library from sshd [duplicate]
mv /lib64/libkeyutils.so.1.9 /root service sshd restart Stopping sshd: [ OK ] Starting sshd: /usr/sbin/sshd: error while loading shared libraries: ...
1 vote
2 answers
762 views
Squid showed up on port 8080. Possible Rootkit?
I recently attempted to connect to my EC2 server on 8080 and had some strange issues that weren't occurring earlier. NGinx (though setup for :81) captures any requests on port 8080. If I stop nginx, ...
3 votes
2 answers
194 views
How to keep track of the server configuration: keep entire "/etc" in git
I want to keep my whole /etc folder in a git repository to track unauthorised changes by intruders and find out mistakes I could have done myself. What would be the right way to achieve this?
0 votes
2 answers
772 views
Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?
I just cleaned up my hacked CentOS server (due to not updating since version 5.3). But still, "chkrootkit" says this: Possible t0rn v8 \(or variation\) rootkit installed /usr/lib/.libfipscheck.so.1....
-1 votes
3 answers
794 views
Entries in `/etc/inittab` below last line - possible hack? [duplicate]
Possible Duplicate: My server's been hacked EMERGENCY My Linux machine has been hacked lately. There are a few entries in /etc/inittab below the #end of /etc/inittab Something like: #...
0 votes
2 answers
522 views
How to replace infected `/lib/libsh.so` and `/etc/sh.conf` files? [duplicate]
Possible Duplicate: My server’s been hacked EMERGENCY Which package does the file /lib/libsh.so belong to? I need to replace it since it was infected. Same for /etc/sh.conf. For now I have ...
0 votes
1 answer
3k views
Hacked CentOS 5 server - possible rootkit installed? [duplicate]
Possible Duplicate: How do I know if my Linux server has been hacked? My server's been hacked EMERGENCY I am running CentOS 5.3 and here is the result of "chkrootkit": Possible t0rn v8 \(...
-3 votes
2 answers
1k views
Rootkit scanning
Are there any good services or ways to scan for rootkits and backdoors? I know there are rkhunter and chkrootkit but are they even ideal anymore? They never seem updated and look more like they were ...
-3 votes
1 answer
262 views
How do I remove a rootkit without an anti-rootkit program? [duplicate]
Possible Duplicate: My server's been hacked EMERGENCY Windows 2000 Server. I believe I have a rootkit. But, nothing will remove it. I've tried everything. Even tools that are merely for ...
1 vote
2 answers
5k views
Running a high CPU consuming process, but top/htop show ALL processes at 0% CPU?
Hi all. I have these weird servers that I cannot explain, as follows: htop 1 [||||||||||||||| 28.5%] Tasks: 53 total, 1 running 2 [|||||||||||||||| ...
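CPU time that the system total reports but no listed process accounts for is a classic symptom of a process-hiding rootkit, and one cheap cross-check is possible from a plain shell, added here as an example that is not code from the question. Many kernel-level hiders filter only the directory listing of `/proc` (the view `ps`, `top` and `htop` build on), while a direct lookup of `/proc/<pid>` still succeeds; the `unhide` tool brute-forces PIDs on exactly this principle. The script below takes a snapshot of the listing, probes every PID up to a ceiling by path, and reports PIDs that exist but are not listed. Threads are the expected false positive (`/proc/<tid>` resolves by path but is never listed), so only thread-group leaders are reported, and each candidate is re-checked against a fresh listing so processes that merely started or exited between the two views are dropped. It assumes Linux procfs and a POSIX sh; a hider that also hooks path lookup will evade it, which is why a network-side view (connections the host does not admit to) is the stronger check.

```shell
#!/bin/sh
# Added example (not code from the question): compare the readdir view of
# /proc with direct /proc/<pid> lookups to spot hidden processes.
# Assumes Linux procfs and a POSIX sh.  The PID ceiling is a parameter
# because walking up to pid_max (often 4194304) is slow in shell.

# visible_pids: PIDs exactly as a directory listing of /proc reports them
# (the view that ps, top and htop rely on).
visible_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# find_hidden_pids [MAXPID]: print PIDs whose /proc/<pid> directory exists
# although the listing omits them.  Returns 0 if nothing was found, 1 if a
# hidden process was reported, 2 if procfs is not available.
find_hidden_pids() {
    max=${1:-32768}
    [ -d /proc/self ] || { echo "procfs not mounted" >&2; return 2; }
    listed=$(mktemp)
    visible_pids > "$listed"
    found=0
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ] && ! grep -qxF "$pid" "$listed"; then
            # Not in the snapshot.  Threads are the expected false positive:
            # /proc/<tid> resolves by path but is never listed, so keep only
            # thread-group leaders (Tgid == Pid), then re-check a fresh listing
            # to drop processes that simply started since the snapshot.
            tgid=$(awk '/^Tgid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
            if [ "$tgid" = "$pid" ] && ! visible_pids | grep -qxF "$pid"; then
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                printf 'hidden pid %s cmdline=%s\n' "$pid" "${cmd:-?}"
                found=1
            fi
        fi
        pid=$((pid + 1))
    done
    rm -f "$listed"
    [ "$found" -eq 0 ]
}

# Run it against the local system (errexit-safe form).
if find_hidden_pids 32768; then
    echo "no hidden PIDs below 32768"
else
    echo "hidden PIDs found: treat the host as compromised and image it before touching it"
fi
```

On a clean host the output is a single "no hidden PIDs" line. Raise the ceiling to the value in `/proc/sys/kernel/pid_max` for a full sweep; the scan is read-only and safe to run, but it tells you nothing if the hider also intercepts the path lookup or the reads of `/proc/<pid>/status`.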
0 votes
1 answer
410 views
Scripted install of Debian backdoor/rootkit [closed]
We have a number of servers (100+) that we need to increase a certain type of security on. (sortof internal, sorry NDA). We have thought about using a rootkit of some sort that would be able to keep ...
1 vote
1 answer
1k views
What is "ndptsp.tsp"?
Sophos Anti-Rootkit tells me that on one of our web servers, there is an "unknown hidden file" ndptsp.tsp: Area: Local hard drives Description: Unknown hidden file Location: C:\Windows\...
22 votes
6 answers
6k views
Putting a whole linux server under source control (git)
I am thinking about putting my whole linux server under version control using git. The reason behind it being that that might be the easiest way to detect malicious modifications/rootkits. All I would ...
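Both this question and the earlier "/etc in git" one run into the same gap, so one added example serves both (it is not code from either question and not etckeeper's code, although the approach is the one etckeeper takes): git records only the executable bit of a file, never its owner, group or the setuid/setgid/sticky bits, so an intruder's `chmod 4755` or `chown` on a config file would produce no diff. The functions below commit the tree together with a generated manifest of mode, uid and gid per path, so both content drift and metadata drift show up against the last snapshot. It assumes GNU `stat` and `git` on `PATH`; the demo directory at the bottom is constructed. Two caveats a practitioner will want: `/etc` holds secrets (`shadow`, keys), so the repository needs the same protection, and a rootkit that hides files or lies to `stat` on the compromised host can lie to this check too, which is why the repository should be pushed off-host and the comparison made from a rescue environment.

```shell
#!/bin/sh
# Added example (not code from either question): keep a directory such as
# /etc in git and also commit the metadata git does not track.  Git records
# only the executable bit, never owner, group or setuid/setgid/sticky bits.
# This is the idea behind etckeeper; the functions here are a minimal
# stand-in written for this page.  Assumes GNU stat and git on PATH; the
# demo directory at the bottom is constructed.

# record_metadata DIR: one "mode uid gid path" line per entry, sorted so the
# output is stable and diffs cleanly.  Skips .git and the manifest itself.
record_metadata() {
    ( cd "$1" && find . -name .git -prune -o -name .metadata -o \
          -exec stat -c '%a %u %g %n' {} + | LC_ALL=C sort -k4 )
}

# snapshot_dir DIR [MESSAGE]: refresh the manifest and commit everything.
# Initialises the repository on first use; prints the short commit hash.
snapshot_dir() {
    dir=$1
    msg=${2:-"snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ)"}
    [ -d "$dir/.git" ] || git -C "$dir" init -q
    record_metadata "$dir" > "$dir/.metadata"
    git -C "$dir" add -A
    git -C "$dir" -c user.name=snapshot -c user.email=snapshot@localhost \
        commit -q --allow-empty -m "$msg"
    git -C "$dir" rev-parse --short HEAD
}

# changes_since DIR: print content drift (git status) and metadata drift
# (diff of the manifest) since the last snapshot.  Returns 1 if there is any.
changes_since() {
    dir=$1
    record_metadata "$dir" > "$dir/.metadata"
    git --no-pager -C "$dir" status --porcelain
    git --no-pager -C "$dir" diff --no-color -- .metadata
    [ -z "$(git -C "$dir" status --porcelain)" ]
}

# --- constructed demonstration ------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
printf 'PermitRootLogin no\n'               > "$demo/sshd_config"
chmod 644 "$demo/passwd" "$demo/sshd_config"
if command -v git >/dev/null 2>&1; then
    echo "baseline commit: $(snapshot_dir "$demo" baseline)"
    # Simulated intruder activity: a setuid bit and a dropped file.
    chmod 4755 "$demo/passwd"
    printf '* * * * * root /tmp/.x/bd\n' > "$demo/cron.d_backdoor"
    if changes_since "$demo"; then
        echo "no drift since baseline"
    else
        echo "drift detected: review it before taking the next snapshot"
    fi
fi
```

In the demo the status output shows `?? cron.d_backdoor` and `M passwd`, and the manifest diff shows the line for `./passwd` changing from `644` to `4755`; without the manifest, only the new file and the flipped executable bit would have been visible. Run `snapshot_dir` from cron or from your configuration-management hook, and treat any unexpected output from `changes_since` as an incident, not as something to commit over.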
2 votes
4 answers
10k views
My computer is sending ICMP packets to arbitrary destinations
My computer is sending ICMP packets to arbitrary destinations. I can't understand the reason. Dump of one of the packet is : Internet Control Message Protocol Type: 3 (Destination unreachable) ...
12 votes
10 answers
1k views
Pull network or power? (for containing a rooted server)
When a server gets rooted (e.g. a situation like this), one of the first things that you may decide to do is containment. Some security specialists advise not to enter remediation immediately and to ...
5 votes
3 answers
1k views
Weird set of shell commands in root's .bash_history
I have probably just detected that a user on a server of mine has rooted my server, but that's not what I'm asking. Has anyone ever seen command like these: echo _EoT_0.249348813417008_; id; echo ...
8 votes
5 answers
4k views
Pain removing a perl rootkit
So, we host a geoservice webserver thing at the office. Someone apparently broke into this box (probably via ftp or ssh), and put some kind of irc-managed rootkit thing. Now I'm trying to clean the ...
1 vote
1 answer
258 views
How to view all logs in an OSSEC system on Ubuntu
I have installed OSSEC. It is working and sometimes sends me alert emails as well. But I want to know what I can type so that I can view all the logs of what OSSEC has found on my system
0 votes
1 answer
801 views
rootkit exploit on CentOS server
I have recently found a file in my folder called wunderbar_emporium; its details are here. What is that, how did it come here, and what should I check to find out what wrong has been done to the system?
5 votes
2 answers
5k views
ifconfig showing wrong RX/TX byte count
ifconfig reports for eth0 RX = 2,8GB, TX = 1,3GB, values that cannot be real, since I recently transmitted many 10GB+ files over eth0. I would like to know if that's just some ordinary integer ...
9 votes
8 answers
28k views
How to check if a Linux server is clean from rootkits/backdoors/botnets etc.?
In case a Linux server was exposed to the internet with extreme low security policy (r/w anonymous Samba folders, Firebird database server with default admin password, no firewall, etc.) for a week, ...
6 votes
2 answers
17k views
RtKit on my ubuntu?
Hi, I just updated my Ubuntu Karmic Koala to Lucid Lynx and found something strange in my file /etc/passwd. rtkit:x:120:130:RealtimeKit,,,:/proc:/bin/false Can someone tell me what it is?
6 votes
6 answers
8k views
Check integrity of Debian system after possible rootkit?
I have a system that was possibly rootkited (the IRC bot was installed and +ai attributes were set on /usr/bin, /usr/sbin, /bin, /sbin). The IRC bots were deleted and system was upgraded to 5.0.4 from ...
1 vote
1 answer
2k views
How to prevent wunderbar_emporium rootkit
I just learned about the wunderbar_emporium rootkit, and it sounds pretty nasty. I tested it on a few linux servers I have access to, and while it failed on two of them, it was successful on one with ...
5 votes
8 answers
959 views
Identifying changed files on *nix webserver
Looking for some (*nix) software which will build an index of "interesting" files on a server and notify when certain of those files contents are modified, or new files appear. Similar to rkhunter et ...
12 votes
5 answers
107k views
how to find out what created a file?
I have some virus files being randomly created on root of a c: disk of one of my servers. How can I find out what created it? Some 3rd party software maybe?
8 votes
8 answers
9k views
A list of Windows rootkit detection and removal tools
A list of rootkit detection and/or removal tools from publicly trusted sources: Name, Vendor, Latest release RootkitRevealer, Sysinternals, November 1 2006 Rootkit Unhooker, ep_x0ff (now working at ...
5 votes
6 answers
2k views
Anti-Rootkit programs
What program do you use for detecting Rootkits? How do you know what to trust?