On Fri, 2004-01-02 at 12:34, Daniel McAferty wrote:
> I'm starting to get really nervous now.
> I downloaded the chkrootkit program you suggested earlier,
> and it looks like I may have some problems with infected
> files and "possible rootkits" installed.
>
> When I ran "chkrootkit -q" I got the following:
> Checking `ifconfig'... INFECTED
> Checking `login'... INFECTED
> Checking `pstree'... INFECTED
> /etc/ld.so.hash
> Possible t0rn v8 \(or variation\) rootkit installed
>
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/NKF/.packlist
> /usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
> /usr/lib/openoffice/share/gnome/net/.directory
> /usr/lib/openoffice/share/gnome/net/.order
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
>
> Warning: Possible Showtee Rootkit installed
> /usr/include/file.h /usr/include/proc.h
> Possible ShKit rootkit installed
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> eth0: PF_PACKET(/usr/sbin/arpwatch)
>
>
> ----------------- end of chkrootkit results-----------
> Now what do I do to fix or verify?
>
> This could explain another problem I have been having with
> telnet. (Can't get a login prompt)
----
time to take it down (offline) and torch it

Don't know what you are doing with the system and cannot tell you how it got rooted, but it sure looks like it's been rooted.

Probably the easiest way to handle it is to disconnect it from all networks, buy a new hard drive, connect it to the primary master and install Linux on it. After install, connect the original hard drive to first controller slave / or on the second controller (slave or master - I would presume the CD is on this controller). Then you can create mount locations for the old hard drive, mount the old hard drive and copy data only (configs are probably ok if you check them first).
For example... old hard drive df looks something like this...

/dev/sda8    2063504   238104  1720580  13% /
/dev/sda3    8254272   460952  7374024   6% /var
/dev/sda9   46829928   201708 44249400   1% /home

so my root partition was on /dev/sda8 and so I would then...

mkdir /old
mkdir /home/old
mkdir /var/old
mount -t ext3 /dev/sda8 /old
mount -t ext3 /dev/sda3 /var/old
mount -t ext3 /dev/sda9 /home/old

so I could copy off the old data (from /home/old), mail (from /var/old/spool/mail) and configs (from /old/etc/).

After you get what you want off your old hard drive, you should umount the mounts and torch it (remove all the partitions) - there is way too much on that drive that you simply cannot trust.

Of course, unless you change what you are doing, you are likely to get rooted again. Either you weren't keeping things up to date, were exposing services that shouldn't be exposed, or have no consistent plan to set up and maintain a firewall. Since your question posed a problem with telnet getting a login prompt, that would be the first thing to go - the telnet server hasn't been installed by default on any Red Hat system for years because it is insecure; sshd is included, installed by default and the only thing to use.

Good luck,
Craig
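The mount-and-copy procedure above, as an added example that is not part of Craig's mail: a small POSIX sh script that turns a df listing from the rooted disk into the mkdir/mount commands for the fresh install. It differs from the commands in the thread in two deliberate ways: it mounts every old partition with ro,noexec,nosuid,nodev so that nothing on the untrusted disk can be executed, honoured as setuid or written to while you copy data off, and it reassembles the old tree under one base directory (/old, /old/var, /old/home) instead of /var/old and /home/old. The df lines, the ext3 filesystem type and the /old base are constructed assumptions that match the thread; substitute your own device names.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the mount plan for an
# old (compromised) disk attached to a freshly installed system.

# Constructed df output in the layout quoted in the thread (assumption).
OLD_DF='/dev/sda8 2063504 238104 1720580 13% /
/dev/sda3 8254272 460952 7374024 6% /var
/dev/sda9 46829928 201708 44249400 1% /home'

# Mount options that keep the untrusted disk inert: read-only, no binaries
# executable from it, setuid bits ignored, device nodes ignored. Read-only
# also preserves timestamps if you later want to look at what happened.
SAFE_OPTS="ro,noexec,nosuid,nodev"

# plan_mounts: print one "mkdir -p" and one "mount" line per partition.
#   $1 = df listing, $2 = filesystem type (default ext3),
#   $3 = base directory for the old tree on the new install (default /old).
# Lines are sorted by old mount point so "/" is mounted before "/var" etc.
plan_mounts() {
    df_text="$1"; fstype="${2:-ext3}"; base="${3:-/old}"
    printf '%s\n' "$df_text" | sort -k6,6 |
    while read -r dev blocks used avail pct mnt; do
        case "$dev" in /dev/*) ;; *) continue ;; esac   # skip headers/blank lines
        if [ "$mnt" = "/" ]; then target="$base"; else target="$base$mnt"; fi
        printf 'mkdir -p %s\n' "$target"
        printf 'mount -t %s -o %s %s %s\n' "$fstype" "$SAFE_OPTS" "$dev" "$target"
    done
}

# count_mounts: number of mount lines in the plan (a sanity check that every
# partition in the listing was picked up).
count_mounts() {
    plan_mounts "$1" | grep -c '^mount '
}

# Print the plan. Review it, then run it as root on the new install, e.g.
#   sh plan_mounts.sh | sudo sh
plan_mounts "$OLD_DF"
```

Once mounted this way, copy out of /old/home, /old/var/spool/mail and /old/etc exactly as Craig describes, then umount and wipe the partitions; the noexec/nosuid options only protect you while the disk is attached, they do nothing to make its contents trustworthy.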