# A server has been hacked - what to save?

## Karim

One of my servers has been hacked.

Suddenly /var/log/messages showed:

```
Nov 13 19:01:01 kuroo cron[3737]: (root) RELOAD (crontabs/root)
Nov 13 19:01:02 kuroo crontab[16419]: (root) BEGIN EDIT (root)
Nov 13 19:01:09 kuroo crontab[16419]: (root) REPLACE (root)
Nov 13 19:01:09 kuroo crontab[16419]: (root) END EDIT (root)
Nov 13 19:01:42 kuroo syslog-ng[2717]: STATS: dropped 0
Nov 13 19:02:01 kuroo cron[3737]: (root) RELOAD (crontabs/root)
Nov 13 19:02:01 kuroo cron[16442]: (root) CMD (/usr/local/games/ /update >/dev/null 2>&1)
```

Then doing `ls` gave:

```
kuroo ~ # ls -la
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
total 1900328
....
```

Googling gave me hits on rootkits. So I tried to install chkrootkit, but in vain: /usr/sbin was untouchable.

Installed rkhunter, which found 'Dreams Rootkit':

```
[16:09:39] *** Start scan Dreams Rootkit ***
[16:09:39]   - File /dev/ttyoa... OK. Not found.
[16:09:39]   - File /dev/ttyof... OK. Not found.
[16:09:39]   - File /dev/ttyop... OK. Not found.
[16:09:39]   - File /usr/bin/sense... WARNING! Exists.
[16:09:39]   - File /usr/bin/sl2... WARNING! Exists.
[16:09:39]   - File /usr/bin/logclear... WARNING! Exists.
[16:09:39]   - File /usr/bin/(swapd)... WARNING! Exists.
[16:09:39]   - File /usr/bin/snfs... OK. Not found.
[16:09:39]   - File /usr/lib/libsss... WARNING! Exists.
[16:09:39]   - Directory /dev/ida/.hpd... OK. Not found.
[16:10:14] Checking /usr/lib/libice.log... [ WARNING! ] Possible sniffer log found.
```

So now on to cleaning up the drive and reinstalling from scratch. Though I have two questions:

1. Is /dev/hda4 = /home safe to keep?

2. How on earth did they get in?

My server was quite up to date except for the kernel:

```
kuroo ~ # uname -a
Linux kuroo 2.6.17-gentoo-r4 #2 Fri Jul 28 12:46:02 GMT 2006 i686 Celeron (Mendocino) GenuineIntel GNU/Linux
kuroo ~ # emerge -uDpv world
These are the packages that would be merged, in order:
Calculating world dependencies... done!
[ebuild     U ] sys-apps/portage-2.1.3.19 [2.1.3.16] USE="-build -doc -epydoc (-selinux)" LINGUAS="-pl" 0 kB
*** Portage will stop merging at this point and reload itself,
    then resume the merge.
[ebuild     U ] dev-db/sqlite-3.4.1 [3.3.12] USE="-debug -doc -nothreadsafe -soundex% -tcl" 2,186 kB
[ebuild     U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 232 kB
[ebuild     U ] app-misc/pax-utils-0.1.16 [0.1.15] USE="-caps" 64 kB
[ebuild     U ] app-arch/cpio-2.9-r1 [2.9] USE="nls" 0 kB
[ebuild     U ] sys-libs/timezone-data-2007g [2007f] USE="nls" 344 kB
[ebuild     U ] app-misc/mime-types-7 [5] 7 kB
[ebuild     U ] dev-libs/libmcrypt-2.5.8 [2.5.7] 1,304 kB
[ebuild     U ] sys-process/cronbase-0.3.2-r1 [0.3.2] 0 kB
[ebuild     U ] app-arch/bzip2-1.0.4-r1 [1.0.4] USE="-static" 0 kB
[ebuild     U ] dev-libs/libpcre-7.3-r1 [6.6] USE="unicode%* -doc" 747 kB
[ebuild     U ] net-nds/portmap-6.0 [5b-r9] USE="tcpd (-selinux)" 22 kB
[ebuild     U ] media-libs/libpng-1.2.22 [1.2.18] USE="(-doc%)" 601 kB
[ebuild     U ] sys-apps/ed-0.8 [0.5] 67 kB
[ebuild     U ] app-arch/tar-1.19 [1.18-r2] USE="nls -static" 1,839 kB
[ebuild     U ] sys-kernel/genkernel-3.4.9_pre6 [3.4.8] USE="-bash-completion (-ibm) (-selinux)" 2,904 kB
[ebuild  NS   ] sys-libs/db-4.5.20_p2  USE="-bootstrap -doc -java -nocxx -tcl -test" 9,068 kB
[ebuild     U ] sys-apps/man-pages-2.66 [2.65] USE="nls" 1,809 kB
[ebuild     U ] sys-apps/debianutils-2.25 [2.23.1] USE="-static" 133 kB
[ebuild  NS   ] sys-kernel/gentoo-sources-2.6.22-r9  USE="-build -symlink" 143 kB
[ebuild     U ] dev-lang/perl-5.8.8-r3 [5.8.8-r2] USE="berkdb -build -debug -doc -gdbm -ithreads -perlsuid" 0 kB
[ebuild     U ] dev-perl/XML-Generator-1.0 [0.99] USE="(-minimal%) (-perl%*)" 24 kB
[ebuild     U ] dev-libs/apr-1.2.11 [1.2.8] USE="urandom* -debug -doc% -ipv6*" 1,088 kB
[ebuild     U ] net-libs/libnfsidmap-0.19 [0.17] USE="-ldap" 319 kB
[ebuild     U ] media-libs/gd-2.0.35 [2.0.33] USE="-fontconfig -jpeg* -png* -truetype* -xpm" 1,185 kB
[ebuild     U ] net-fs/nfs-utils-1.1.0-r1 [1.0.6-r6] USE="tcpd -kerberos% -nonfsv4%" 0 kB
[ebuild     U ] app-admin/webalizer-2.01.10-r15 [2.01.10-r12] USE="apache2 nls vhosts -geoip -xtended (-search%)" 0 kB
[ebuild     U ] dev-libs/openssl-0.9.8g [0.9.8d] USE="zlib -bindist -emacs -gmp% -kerberos% -sse2 -test" 3,277 kB
[ebuild     U ] dev-db/mysql-5.0.44-r1 [5.0.44] USE="berkdb ssl -big-tables -cluster -debug -embedded -extraengine -latin1 -max-idx-128 -minimal -perl (-selinux) -static" 0 kB
[ebuild     U ] net-misc/ntp-4.2.4_p4 [4.2.0.20040617-r3] USE="ssl -caps -debug -ipv6* -openntpd -parse-clocks (-selinux) -zeroconf% (-logrotate%)" 3,404 kB
[ebuild     U ] dev-libs/apr-util-1.2.10 [1.2.8] USE="berkdb mysql%* -doc% -gdbm -ldap -postgres -sqlite -sqlite3" 687 kB
[ebuild     U ] dev-lang/python-2.4.4-r6 [2.4.4-r5] USE="berkdb readline ssl -bootstrap -build -doc -examples -gdbm -ipv6 -ncurses -nocxx -nothreads -tk -ucs2" 10 kB
[ebuild     U ] sys-libs/cracklib-2.8.10 [2.8.9-r1] USE="nls python" 565 kB
[ebuild     U ] dev-python/docutils-0.4-r2 [0.4-r1] USE="-emacs -glep" 0 kB
[ebuild     U ] dev-python/pysqlite-2.3.5 [2.3.1] USE="-examples%" 84 kB
[ebuild  N    ] dev-python/setuptools-0.6_rc7-r1  244 kB
[ebuild     U ] app-portage/gentoolkit-0.2.3-r1 [0.2.2] 91 kB
[ebuild     U ] sys-libs/pam-0.99.8.1-r1 [0.78-r5] USE="cracklib%* nls%* -audit% (-selinux) -test% -vim-syntax% (-berkdb%*) (-nis%) (-pam_chroot%) (-pam_console%) (-pam_timestamp%) (-pwdb%)" 886 kB
[ebuild     U ] dev-python/mysql-python-1.2.2 [1.2.1_p2] USE="(-doc%)" 86 kB
[ebuild     U ] net-misc/neon-0.26.3 [0.26.1] USE="nls ssl zlib -expat -socks5 (-gnutls%)" 771 kB
[ebuild     U ] dev-util/subversion-1.4.5 [1.3.2-r4] USE="apache2 berkdb nls python -bash-completion -debug% -doc% -emacs -extras% -java -nowebdav -perl -ruby -svnserve% -vim-syntax% (-zlib%*)" 4,612 kB
[ebuild     U ] net-libs/c-client-2004g [2004a-r1] USE="pam ssl" 2,195 kB
[ebuild     U ] app-misc/screen-4.0.3 [4.0.2-r5] USE="pam -debug -multiuser -nethack (-selinux)" 821 kB
[ebuild     U ] app-admin/webmin-1.350 [1.250] USE="apache2 pam%* ssl -postgres -webmin-minimal" 12,902 kB
[ebuild     U ] dev-lang/php-5.2.5 [5.2.4_p20070914-r2] USE="apache2 berkdb crypt ctype curl ftp iconv imap mysql nls pcre pic readline session ssl unicode xml zlib -adabas -bcmath -birdstep -bzip2 -calendar -cdb -cgi -cjk -cli -concurrentmodphp -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -gd -gd-external -gdbm -gmp -hash -inifile -interbase -iodbc -ipv6 -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -ncurses -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -posix -postgres -qdbm -recode -reflection -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid -spell -spl -sqlite -suhosin -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external" 7,600 kB
[ebuild  NS   ] dev-db/phpmyadmin-2.11.1.2  USE="vhosts" 2,176 kB
Total: 46 packages (42 upgrades, 1 new, 3 in new slots), Size of downloads: 64,476 kB
```
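The /var/log/messages excerpt at the top of this post is the first visible trace of the break-in: a root crontab overwritten from an editor session, followed a minute later by a cron job started from a path no package installs to, with whitespace inside the path. The script below is an added example written for this page, not something posted in the thread; it turns those two observations into rules run over syslog-format lines. The sample log is constructed from the lines in the post plus one ordinary Gentoo run-crons job for contrast, and the list of trusted program directories is an assumption to adjust per host.

```shell
#!/bin/sh
# Added example: triage cron activity in syslog-format lines.
# Flags (1) a crontab being replaced, which is how the root crontab above was
# planted, and (2) cron CMD lines whose program lives outside the trusted
# directories. Bare program names (resolved via PATH) are not judged here.

# Assumption: where legitimate cron jobs on this host live. Adjust per host.
TRUSTED_PREFIXES="/usr/bin /usr/sbin /bin /sbin /etc/cron.daily /etc/cron.hourly"

# Constructed sample, modelled on the thread's /var/log/messages excerpt plus
# one benign run-crons job for contrast.
SAMPLE_LOG=$(cat <<'EOF'
Nov 13 19:01:01 kuroo cron[3737]: (root) RELOAD (crontabs/root)
Nov 13 19:01:02 kuroo crontab[16419]: (root) BEGIN EDIT (root)
Nov 13 19:01:09 kuroo crontab[16419]: (root) REPLACE (root)
Nov 13 19:01:09 kuroo crontab[16419]: (root) END EDIT (root)
Nov 13 19:02:01 kuroo cron[16442]: (root) CMD (/usr/local/games/ /update >/dev/null 2>&1)
Nov 13 19:10:01 kuroo cron[16500]: (root) CMD (/usr/bin/test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
EOF
)

# cron_triage: reads log lines on stdin, prints one "ALERT ..." line per finding.
cron_triage() {
    awk -v trusted="$TRUSTED_PREFIXES" '
    BEGIN { n = split(trusted, pfx, " ") }
    # crontab(1) logs "(user) REPLACE (user)" whenever a crontab is overwritten
    /crontab\[[0-9]+\]: \([^)]+\) REPLACE \(/ {
        print "ALERT crontab-replace: " $0; next
    }
    # cron logs "(user) CMD (command line)" when it starts a job
    /cron\[[0-9]+\]: \([^)]+\) CMD \(/ {
        cmd = $0
        sub(/^.*CMD \(/, "", cmd); sub(/\)$/, "", cmd)
        split(cmd, parts, " "); prog = parts[1]
        if (prog !~ /^\//) next            # bare name: resolved via PATH, skipped
        ok = 0
        for (i = 1; i <= n; i++) if (index(prog, pfx[i] "/") == 1) ok = 1
        # a first token ending in "/" means the real program path contains
        # whitespace, as in the thread: "/usr/local/games/ /update"
        if (!ok || prog ~ /\/$/) print "ALERT odd-cron-cmd: " prog " :: " $0
    }'
}

# cron_alert_count: number of findings for the constructed sample (2 expected:
# the REPLACE and the job under /usr/local/games/).
cron_alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | cron_triage | grep -c '^ALERT'
}

# On a real host: cron_triage < /var/log/messages
```

The RELOAD lines are deliberately not flagged: cron logs one every time a crontab changes, so the REPLACE that caused it is the better signal. Running this from the compromised host is only meaningful if syslog was not tampered with; the rkhunter hit on a "logclear" binary later in the post is a reminder that it may have been.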

----------

## GNUtoo

Do you know glsa-check from gentoolkit?

----------

## Karim

*GNUtoo wrote:*
> Do you know glsa-check from gentoolkit?

Haven't used it lately :Embarassed:, and it gives (for the record) this:

```
(chroot) livecd / # glsa-check  -p affected
Checking GLSA 200711-16
The following updates will be performed for this GLSA:
     net-print/cups-1.2.12-r2 (1.1.23-r8)
Checking GLSA 200709-12
The following updates will be performed for this GLSA:
     app-text/poppler-0.5.4-r2 (0.5.3)
Checking GLSA 200703-28
The following updates will be performed for this GLSA:
     net-print/cups-1.2.10-r1 (1.1.23-r8)
Checking GLSA 200709-01
The following updates will be performed for this GLSA:
     app-crypt/mit-krb5-1.5.3-r1 (1.5.3)
Checking GLSA 200710-06
The following updates will be performed for this GLSA:
     dev-libs/openssl-0.9.8e-r3 (0.9.8d)
Checking GLSA 200711-08
The following updates will be performed for this GLSA:
     media-libs/libpng-1.2.21-r3 (1.2.18)
Checking GLSA 200608-11
The following updates will be performed for this GLSA:
     app-admin/webmin-1.350 (1.250)
Checking GLSA 200707-05
The following updates will be performed for this GLSA:
     app-admin/webmin-1.350 (1.250)
Checking GLSA 200710-30
The following updates will be performed for this GLSA:
     dev-libs/openssl-0.9.8f (0.9.8d)
Checking GLSA 200708-05
The following updates will be performed for this GLSA:
     media-libs/gd-2.0.35 (2.0.33)
Checking GLSA 200611-01
The following updates will be performed for this GLSA:
     app-misc/screen-4.0.3 (4.0.2-r5)
Checking GLSA 200710-12
The following updates will be performed for this GLSA:
     media-libs/t1lib-5.0.2-r1 (5.0.2)
Checking GLSA 200711-07
The following updates will be performed for this GLSA:
     dev-lang/python-2.4.4-r6 (2.4.4-r5)
```

----------

## upengan78

Can you run chkrootkit?

----------

## Karim

*upengan78 wrote:*
> Can you run chkrootkit?

For some reason I can't install anything into /usr/sbin:

```
livecd usr # emerge chkrootkit
>>> cfg-update-1.8.2-r1: Creating checksum index...
...
>>> Merging app-forensics/chkrootkit-0.47 to /
--- /usr/
--- /usr/share/
--- /usr/share/doc/
--- /usr/share/doc/chkrootkit-0.47/
>>> /usr/share/doc/chkrootkit-0.47/README.chkwtmp.bz2
>>> /usr/share/doc/chkrootkit-0.47/ACKNOWLEDGMENTS.bz2
>>> /usr/share/doc/chkrootkit-0.47/README.chklastlog.bz2
>>> /usr/share/doc/chkrootkit-0.47/README.bz2
!!! Cannot write to '/usr/sbin'.
!!! Please check permissions and directories for broken symlinks.
!!! You may start the merge process again by using ebuild:
!!! ebuild /usr/portage/app-forensics/chkrootkit/chkrootkit-0.47.ebuild merge
!!! And finish by running this: env-update
```

Any idea how come?

Anyway, the output from chkrootkit is this:

```
livecd usr # ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... ./chkrootkit: line 1692: /usr/sbin/strings-static: No such file or directory
not infected
Checking `biff'... not found
Checking `chfn'... ./chkrootkit: line 1201: /usr/sbin/strings-static: No such file or directory
not infected
Checking `chsh'... ./chkrootkit: line 1231: /usr/sbin/strings-static: No such file or directory
not infected
Checking `cron'... ./chkrootkit: line 2237: /usr/sbin/strings-static: No such file or directory
not infected
Checking `crontab'... not infected
Checking `date'... ./chkrootkit: line 1793: /usr/sbin/strings-static: No such file or directory
not infected
Checking `du'... ./chkrootkit: line 1474: /usr/sbin/strings-static: No such file or directory
not infected
Checking `dirname'... ./chkrootkit: line 1716: /usr/sbin/strings-static: No such file or directory
not infected
Checking `echo'... ./chkrootkit: line 1815: /usr/sbin/strings-static: No such file or directory
not infected
Checking `egrep'... ./chkrootkit: line 2096: /usr/sbin/strings-static: No such file or directory
not infected
Checking `env'... ./chkrootkit: line 1836: /usr/sbin/strings-static: No such file or directory
not infected
Checking `find'... ./chkrootkit: line 2140: /usr/sbin/strings-static: No such file or directory
not infected
Checking `fingerd'... not found
Checking `gpm'... ./chkrootkit: line 1395: /usr/sbin/strings-static: No such file or directory
not infected
Checking `grep'... ./chkrootkit: line 2114: /usr/sbin/strings-static: No such file or directory
not infected
Checking `hdparm'... ./chkrootkit: line 1373: /usr/sbin/strings-static: No such file or directory
not infected
Checking `su'... ./chkrootkit: line 2370: /usr/sbin/strings-static: No such file or directory
not infected
Checking `ifconfig'... ./chkrootkit: line 2258: /usr/sbin/strings-static: No such file or directory
./chkrootkit: line 2263: /usr/sbin/strings-static: No such file or directory
INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... ./chkrootkit: line 1899: /usr/sbin/strings-static: No such file or directory
not infected
Checking `killall'... ./chkrootkit: line 1649: /usr/sbin/strings-static: No such file or directory
not infected
Checking `ldsopreload'... can't exec /usr/sbin/strings-static, not tested
Checking `login'... ./chkrootkit: line 1271: /usr/sbin/strings-static: No such file or directory
./chkrootkit: line 1283: /usr/sbin/strings-static: No such file or directory
not infected
Checking `ls'... ./chkrootkit: line 1457: /usr/sbin/strings-static: No such file or directory
not infected
Checking `lsof'... ./chkrootkit: line 2179: /usr/sbin/strings-static: No such file or directory
not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... ./chkrootkit: line 1516: /usr/sbin/strings-static: No such file or directory
not infected
Checking `named'... not found
Checking `passwd'... ./chkrootkit: line 1307: /usr/sbin/strings-static: No such file or directory
not infected
Checking `pidof'... ./chkrootkit: line 1627: /usr/sbin/strings-static: No such file or directory
not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... ./chkrootkit: line 1535: /usr/sbin/strings-static: No such file or directory
not infected
Checking `pstree'... ./chkrootkit: line 1557: /usr/sbin/strings-static: No such file or directory
not infected
Checking `rpcinfo'... ./chkrootkit: line 1763: /usr/sbin/strings-static: No such file or directory
not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... ./chkrootkit: line 2215: /usr/sbin/strings-static: No such file or directory
not infected
Checking `sendmail'... ./chkrootkit: line 1439: /usr/sbin/strings-static: No such file or directory
not infected
Checking `sshd'... ./chkrootkit: line 2349: /usr/sbin/strings-static: No such file or directory
not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... ./chkrootkit: line 2328: /usr/sbin/strings-static: No such file or directory
not infected
Checking `tcpdump'... not infected
Checking `top'... ./chkrootkit: line 1605: /usr/sbin/strings-static: No such file or directory
not infected
Checking `telnetd'... ./chkrootkit: line 2446: /usr/sbin/strings-static: No such file or directory
not infected
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... ./chkrootkit: line 1993: /usr/sbin/strings-static: No such file or directory
not infected
Checking `w'... ./chkrootkit: line 1973: /usr/sbin/strings-static: No such file or directory
not infected
Checking `write'... ./chkrootkit: line 1952: /usr/sbin/strings-static: No such file or directory
not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/cfg-update/.bashrc /usr/lib/locale/.keep_sys-libs_glibc-2.2 /usr/lib/samba/idmap/.keep_net-fs_samba-0 /usr/lib/samba/auth/.keep_net-fs_samba-0 /usr/lib/samba/rpc/.keep_net-fs_samba-0 /usr/lib/nfs/sm.bak/.keep /usr/lib/nfs/sm/.keep /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/XML/Generator/.packlist /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Storable/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Authen/PAM/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Sys/Syslog/.packlist /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/ClearSilver/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/DBI/.packlist /usr/lib/perl5/5.8.8/i686-linux/.packlist /usr/lib/dbus-1.0/services/.keep_sys-apps_dbus-0 /usr/lib/.keep /usr/lib/openldap/openldap/.keep_net-nds_openldap-0 /lib/dev-state/.keep /lib/rcscripts/awk/.keep /lib/rcscripts/net/.keep /lib/udev/state/.keep_sys-fs_udev-0 /lib/udev/devices/.keep_sys-fs_udev-0
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec /usr/sbin/ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec /usr/sbin/chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec /usr/sbin/chklastlog
Checking `chkutmp'... not tested: can't exec /usr/sbin/chkutmp
```

----------

## Carlo

Hope you feel guilty. :Twisted Evil: Nothing can be kept, unless you are sure to have sane hash values for the data on external data media. Even a PDF could hold malicious data, exposing you to a local vulnerability of your PDF viewer that isn't widely known, maybe even known only to the black hat behind the breach. There is no way to clean an infected box, as you can never be sure to have found all data modified by the attacker. The only clean way is to wipe the system and set up a fresh one.

----------

## upengan78

Just curious: is there a place where he/she can file a legal complaint :Rolling Eyes: for this sort of issue?

----------

## Karim

Well, it's not that important a server anyway; it is mostly used for testing and for FTP.

But I can't figure out why root now has fewer privileges: rm can't remove some files, for example.

----------

## eccerr0r

*upengan78 wrote:*
> Just curious: is there a place where he/she can file a legal complaint for this sort of issue?

Legal complaint? For what?

You can always go to the police like usual, but there's no way you can find the perpetrator, and likely you're just SOL in finding someone financially responsible for the trouble...

You have to protect your own boxes; not much can be done about it.

As for root not being able to remove files, it's usually due to disk corruption (fsck it) or possibly they set the immutable flag on some files (see chattr).

----------

## upengan78

Legal complaint for hacking into someone's machine and damaging it, no matter whether security was high or not.

The police are the way :Smile:

----------

## Karim

*eccerr0r wrote:*
> ...
>
> it's usually due to disk corruption (fsck it) or possibly they set the immutable flag on some files (see chattr).

Yes, that was it:

```
livecd bin # lsattr sense
suS-iadAc----- sense
livecd bin # chattr -AacdisSu sense
livecd bin # lsattr sense
-------------- sense
livecd bin # rm sense
```
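The lsattr output above shows why root could not delete the file: the attribute string carries `i` (immutable) and `a` (append-only), and either one makes rm fail regardless of privilege. Checking one file at a time is slow during triage, so here is an added example, not posted in the thread, that parses `lsattr -R` output and lists every file carrying a lock flag. The sample output is constructed to mirror the thread's case; the directory list in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: find files the intruder locked with chattr.
# lsattr prints a fixed-width attribute string, then the file name:
#   suS-iadAc----- sense
# 'i' (immutable) and 'a' (append-only) both make rm fail, even as root.

# Constructed sample in lsattr -R format: a directory header line, two
# unremarkable files, the thread's locked file and an append-only log.
SAMPLE_LSATTR=$(cat <<'EOF'
/usr/bin:
-------------- /usr/bin/ls
suS-iadAc----- /usr/bin/sense
-------------- /usr/bin/sl2
----a--------- /var/log/wtmp
EOF
)

# locked_attrs LINE: print "i", "a" or "ia" for the lock flags set on that
# lsattr line, nothing if neither is set. Directory headers and blank lines
# yield nothing, since they are not attribute strings.
locked_attrs() {
    attrs=${1%% *}                       # first field is the attribute string
    case $attrs in
        "" | *[!A-Za-z-]*) return 0 ;;   # e.g. "/usr/bin:" from lsattr -R
    esac
    out=""
    case $attrs in *i*) out="${out}i" ;; esac
    case $attrs in *a*) out="${out}a" ;; esac
    printf '%s' "$out"
}

# report_locked: read lsattr output on stdin, print "<flags> <file>" per locked file.
report_locked() {
    while IFS= read -r line; do
        flags=$(locked_attrs "$line")
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "${line#* }"
        fi
    done
}

# locked_count: number of locked files in the constructed sample (2 expected).
locked_count() {
    printf '%s\n' "$SAMPLE_LSATTR" | report_locked | grep -c .
}

# On a real host (directory list is an assumption):
#   lsattr -R /bin /sbin /usr/bin /usr/sbin /usr/lib 2>/dev/null | report_locked
```

Review each hit rather than clearing flags blindly: an append-only log is legitimate hardening, while an immutable binary in /usr/bin that no package owns is not. Clearing the flags with chattr, as done above, is only trustworthy from a clean environment such as the live CD this post was run from, because a rootkit's own lsattr and chattr cannot be trusted.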

----------

## Karim

Actually, chkrootkit gives this output:

```
livecd usr # ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... INFECTED
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... INFECTED
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... INFECTED
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... INFECTED
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/cfg-update/.bashrc /usr/lib/locale/.keep_sys-libs_glibc-2.2 /usr/lib/samba/idmap/.keep_net-fs_samba-0 /usr/lib/samba/auth/.keep_net-fs_samba-0 /usr/lib/samba/rpc/.keep_net-fs_samba-0 /usr/lib/nfs/sm.bak/.keep /usr/lib/nfs/sm/.keep /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/XML/Generator/.packlist /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Storable/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Authen/PAM/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Sys/Syslog/.packlist /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/ClearSilver/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/DBI/.packlist /usr/lib/perl5/5.8.8/i686-linux/.packlist /usr/lib/dbus-1.0/services/.keep_sys-apps_dbus-0 /usr/lib/.keep /usr/lib/openldap/openldap/.keep_net-nds_openldap-0 /lib/dev-state/.keep /lib/rcscripts/awk/.keep /lib/rcscripts/net/.keep /lib/udev/state/.keep_sys-fs_udev-0 /lib/udev/devices/.keep_sys-fs_udev-0
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/mnt/livecd/sbin/dhcpcd)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... the name `ty,pid,ruser,args' is not a tty
chkutmp: nothing deleted
```

But Googling says the INFECTED results may be false positives.

----------

## beatryder

You already know that is not the case, since ls has been replaced with a script that doesn't work. Next time, install tripwire...
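Carlo's condition for keeping anything (hash values stored on external media) and beatryder's "install tripwire" are the same idea: a baseline of file hashes taken before the breach and kept out of the intruder's reach, against which the compromised tree is verified. The script below is an added example written for this page, not the thread's code and not tripwire itself; it records SHA-256 sums of a directory tree, then reports files that changed, appeared or vanished. The demo tree and its file contents are constructed to replay what the thread describes: a replaced `ls`, a dropped `sense`, a removed file.

```shell
#!/bin/sh
# Added example: a minimal hash baseline in the spirit of tripwire.
#   baseline_dir DIR OUT      record the SHA-256 of every regular file under DIR
#   verify_baseline DIR BASE  print CHANGED / NEW / MISSING lines versus BASE
# The baseline is only evidence if it was taken before the breach and kept
# where the intruder cannot rewrite it (removable media, another host).

hash_tree() {
    # paths come out as ./relative so the baseline is mount-point independent
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

baseline_dir() {
    hash_tree "$1" > "$2"
}

verify_baseline() {
    dir=$1; base=$2
    current=$(mktemp)
    hash_tree "$dir" > "$current"
    # sha256sum lines are "<64 hex chars>  <path>", so the path starts at column 67
    awk -v base="$base" '
        FILENAME == base { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in old))        print "NEW " p
            else if (old[p] != $1)  print "CHANGED " p
            delete old[p]
        }
        END { for (p in old) print "MISSING " p }
    ' "$base" "$current"
    rm -f "$current"
}

# demo_integrity: builds a throwaway tree, baselines it, then replays what the
# thread describes (a replaced ls, a dropped file, a deleted file) and verifies.
# Expected findings: CHANGED ./bin/ls, NEW ./bin/sense, MISSING ./etc/motd.
demo_integrity() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin" "$work/tree/etc"
    printf 'original ls\n' > "$work/tree/bin/ls"
    printf 'welcome\n'     > "$work/tree/etc/motd"
    baseline_dir "$work/tree" "$work/baseline.sha256"
    printf 'trojaned ls\n' > "$work/tree/bin/ls"      # binary swapped
    printf 'dropper\n'     > "$work/tree/bin/sense"   # file planted
    rm "$work/tree/etc/motd"                           # file removed
    verify_baseline "$work/tree" "$work/baseline.sha256"
    rm -rf "$work"
}
```

Two caveats follow from the thread itself. The comparison must run from a clean environment (the live CD here), because a trojaned `find` or `sha256sum` on the box can lie about the very files it is asked to hash; and a baseline is useless for the question in the first post, "is /home safe to keep?", unless it was taken before the intrusion, which is why Carnildo's manual inspection is the fallback for data with no prior hash.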

----------

## GNUtoo

Do you know you can EASILY use glsa-check? Use:

```
glsa-check --fix affected
```

and it will automatically install all the updates.

Use that to fix a bug:

https://forums.gentoo.org/viewtopic-p-4505225.html

Of course you need to sync your tree beforehand...

So there is also a solution for that...

Use an RSS reader that points to:

http://www.gentoo.org/rdf/en/glsa-index.rdf

Personally I use Akregator for KDE... it displays the alerts nearly in real time...

----------

## Carnildo

*Carlo wrote:*
> Hope you feel guilty. Nothing can be kept, unless you are sure to have sane hash values for the data on external data media.

Not quite. Any data file you manually inspect for damage can be kept -- source code, text files, even executables like Perl and Bash scripts.

----------

