# Probably rootkitted need help with diag & repair

## WxY

Hey. I think my web-facing router machine has been compromised. Anyways, I haven't removed any viruses/rootkits from a Gentoo machine before, so excuse me if I sound stupid.

What I found out so far:

The machine seems to be downloading a lot and only leaves 2 KiB +/- 0.5 KiB for all of its clients. Funny enough though, my uplink can do 2 MiB/s but it only seems to drain 60 KiB/s based on what I can read from `watch --interval=1 ifconfig`.

I made an educated guess with how best to approach the problem. I booted into runlevel 2, rebuilt my kernel & modules, remerged world, but that didn't do the trick. So I'm guessing it's probably a rogue kernel module that's biting me.

I'm trying to give rkhunter a go, but it's a bit difficult to get it when the machine that needs it can't really download anything and I don't really have a USB stick to transfer the tarballs over.

Any advice would be appreciated.

----------

## Bones McCracker

You'll probably get better advice, but this is what I'd do. By the time you get done screwing around with other approaches, this will probably have been less work.

First of all, make sure it's actually your router that's compromised and not one of your clients (see if the excess traffic is going through the input chain or the forward chain). A router, properly configured, ought to be the hardest machine on your network to compromise.

If it's indeed the router, unplug everything, pop in system rescue CD, obliterate the contents of the disk, including MBR, with dd, repartition, re-flash the BIOS, reinstall your software, and go.

You can safely back up all your config files (text) to speed re-installation.

Hopefully you'll get better advice. I'm not very smart. But that's what I'd actually do, and I'm not afraid to admit it. :lol:

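One way to do the input-chain-versus-forward-chain check from the post above, added here as an example that is not part of the thread: it sums the byte counters of the INPUT, OUTPUT and FORWARD chains from `iptables -L -v -n -x` output (`-x` prints exact byte counts instead of 134M-style units). Traffic the router itself downloads lands in INPUT (and its requests in OUTPUT); traffic it merely routes for a LAN client lands in FORWARD. The sample output embedded below is constructed, not captured from anyone's box.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether the excess traffic is
# generated by the router itself or only routed for a LAN client, by summing
# per-chain byte counters printed by `iptables -L -v -n -x`.
# SAMPLE is a constructed snapshot in that format, not real captured data.

SAMPLE='Chain INPUT (policy ACCEPT 12 packets, 1200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   91230  134234112 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2100     210000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 30 packets, 3000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   40000    4100000 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
'

# chain_bytes CHAIN: read iptables -L -v -n -x output on stdin and print the
# total bytes seen by CHAIN (the policy counter plus every rule in the chain).
chain_bytes() {
    awk -v want="$1" '
        /^Chain / {
            cur = $2
            # the header line carries the policy counter: "(policy ACCEPT N packets, M bytes)"
            if (cur == want && match($0, /[0-9]+ bytes\)/))
                total += substr($0, RSTART, RLENGTH) + 0
            next
        }
        # rule lines start with two numeric columns: pkts bytes target ...
        cur == want && $1 ~ /^[0-9]+$/ { total += $2 }
        END { print total + 0 }
    '
}

# traffic_verdict TEXT: "router" when the box itself terminates most of the
# traffic (INPUT+OUTPUT), "client" when most of it is only being forwarded.
traffic_verdict() {
    local_in=$(printf '%s' "$1" | chain_bytes INPUT)
    local_out=$(printf '%s' "$1" | chain_bytes OUTPUT)
    fwd=$(printf '%s' "$1" | chain_bytes FORWARD)
    if [ $((local_in + local_out)) -gt "$fwd" ]; then
        echo router
    else
        echo client
    fi
}

# Demo on the constructed sample. On a live box, zero the counters first
# (iptables -Z), wait a few seconds, then: traffic_verdict "$(iptables -L -v -n -x)"
echo "INPUT bytes:   $(printf '%s' "$SAMPLE" | chain_bytes INPUT)"
echo "FORWARD bytes: $(printf '%s' "$SAMPLE" | chain_bytes FORWARD)"
echo "verdict:       $(traffic_verdict "$SAMPLE")"
```

Two caveats when reading the result: counters only exist for rules (and the chain policy), so a chain with no rules shows only its policy counter; and a kernel-level rootkit can lie about anything the box reports, so the number worth trusting is the one read from the upstream device or a mirror port, with this check as the quick first pass.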
----------

## tomk

Moved from Gentoo Chat to Networking & Security as it's a support question rather than something about Gentoo itself.

I'd agree with BoneKracker, the best thing to do with a rooted box is wipe it and start again.

----------

## phajdan.jr

Yup, don't try to be smart, you can never be sure if you've removed everything. Once it's rooted, game over.

Just make sure it's really the router, and ideally capture a forensic image of the HDD (unfortunately your re-emerge could have overwritten something interesting or triggered some covering of tracks).

It's also a good idea to change all passwords and keys in the network for obvious reasons.

----------

## WxY

Ugh, is it really a complete necessity to reimage? I have a software RAID + LVM rootfs config that is really hard to migrate. Though I've partitioned system and data separately... Could I get away with just nuking the system partitions?

----------

## Hu

You can preserve some content if you are willing to risk preserving the infection. In my opinion, no matter how much trouble it is to recreate the existing layout, you will be better off wiping and reinstalling from scratch.

----------

## WxY

OK, I packed and scanned most of my data files and nuked the disks with full-drive dd's.

I just audited my configs. Turns out one of the users in wheel had a weak password and had SSH rights. That probably did the trick.

Most of my local services are restored and the box can talk to the net again. This time I ain't letting that happen; I'll do daily penetration testing against passwords for all remote-capable users...

Though a new problem came up. For some reason it won't forward packets anymore o_O. So I had to post this on my phone, thus the awful typing. Any recommendations?

Edit: Never mind. I forgot about the classic MTU problem. Building a TCPMSS-capable kernel now :]

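The root cause in the post above was an account that was both in wheel and allowed to log in over SSH with a weak password. As an added example that is not part of the thread, here is a small sshd_config audit that flags the settings which make that kind of account reachable: password logins left at their default, root login permitted, and no AllowUsers/AllowGroups allow-list. Both configuration texts embedded below are constructed samples, not the poster's files; the keyword names are real sshd_config keywords.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the exposures that
# let a weak-password account be brute-forced over SSH. Both configs below are
# constructed samples, not anyone's real files.

WEAK_CFG='# constructed sample resembling a stock sshd_config
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Subsystem sftp /usr/lib/misc/sftp-server'

HARDENED_CFG='# constructed sample of the corrected settings
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups sshusers
Subsystem sftp /usr/lib/misc/sftp-server'

# sshd_value KEY: print the effective value of KEY from sshd_config on stdin.
# sshd honours the first occurrence of a keyword and ignores commented lines,
# so the "#PasswordAuthentication no" in WEAK_CFG does not count.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd CONFIGTEXT: print one WARN line per risky setting.
audit_sshd() {
    cfg=$1
    pa=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
    if [ "${pa:-yes}" = yes ]; then   # unset means the OpenSSH default, which is yes
        echo "WARN PasswordAuthentication is effectively yes: every account with a password can be guessed at over the network"
    fi
    prl=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    if [ -z "$prl" ] || [ "$prl" = yes ]; then
        echo "WARN PermitRootLogin is '${prl:-unset}': set it to no explicitly"
    fi
    allow=$(printf '%s\n' "$cfg" | sshd_value AllowGroups)$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
    if [ -z "$allow" ]; then
        echo "WARN no AllowUsers/AllowGroups: any local account, wheel members included, may log in"
    fi
    return 0
}

# finding_count CONFIGTEXT: number of WARN lines, for scripting and checks.
finding_count() {
    audit_sshd "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

echo "--- weak config: $(finding_count "$WEAK_CFG") findings ---"
audit_sshd "$WEAK_CFG"
echo "--- hardened config: $(finding_count "$HARDENED_CFG") findings ---"
audit_sshd "$HARDENED_CFG"
```

On a live box, feed it `sshd -T` output rather than the file, since `-T` prints the effective configuration with defaults filled in. The point of the AllowGroups line is that membership in wheel (sudo rights) and the right to reach the box over SSH become two separate decisions, so a weak password on an administrative account is no longer enough on its own.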
----------

