Hi, I am running a server inside of my LAN which is protected by a firewall (my DSL router). Ports for DNS, FTP, SSH, HTTP and HTTPS are forwarded to my Debian machine. Yesterday I found a script distwatch in cron.daily which was a script to put the rootkit back if an admin has removed it (or so the text at the beginning of the script tells me). I also saw the word "suckit" in this script which is a rootkit I think. I was wrong when I said chkrootkit found nothing, it found 2 processes hidden for ps, keventd and kflushd (I'm not sure because I shut down my server to figure out how to deal with this problem). In total there were two daemons which had no man pages: Killd (with googling I saw something about denial of service attacks, but I'm not sure) and Distwatchd (which I could find nothing about googling). My question now is how to disinfect my system, how do I locate keventd and kflushd and how do I know for sure my system is clean? Thanks for responding everyone.

Greets, Ben
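Two defensive checks that match the symptoms in the post, written here as an added example and not part of Ben's message: a comparison of the PIDs in /proc against the PIDs that ps reports (the test chkrootkit performs when it reports processes "hidden for ps"), and a listing of /etc/cron.daily entries that no Debian package claims, which is where a persistence script such as the poster's distwatch would surface. It assumes a Linux host with /proc, the procps `ps` command and dpkg. Because ps itself reads /proc, this only catches processes hidden at the ps level; a kernel-level rootkit can hide from /proc as well, so the results are only trustworthy when run from known-good media.

```python
"""Rootkit triage helpers: ps-hidden processes and unowned cron.daily files.
Added example, not from the original post. Assumes Linux, procps ps, dpkg."""
import os
import subprocess


def numeric_pids(names):
    """Keep only the directory entries that are process ids."""
    return {int(n) for n in names if n.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output (the chkrootkit test)."""
    return sorted(set(proc_pids) - set(ps_pids))


def unowned_files(paths, owner_of):
    """Paths for which owner_of(path) returns None, i.e. no package claims them."""
    return sorted(p for p in paths if owner_of(p) is None)


# --- live collectors (Linux only) ---
def live_proc_pids():
    return numeric_pids(os.listdir("/proc"))


def live_ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return numeric_pids(out.split())


def dpkg_owner(path):
    """Package that owns path according to `dpkg -S`, or None if no package does."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    # dpkg -S prints "package: /path"; keep the package name only.
    return r.stdout.splitlines()[0].split(":", 1)[0].strip()


def describe_pid(pid):
    """Best-effort name and binary for a PID; tolerates races and permission errors."""
    info = {"pid": pid}
    try:
        with open(f"/proc/{pid}/comm") as f:
            info["comm"] = f.read().strip()
        info["exe"] = os.readlink(f"/proc/{pid}/exe")
    except OSError as e:
        info["error"] = str(e)
    return info


def hidden_processes_live():
    # Sample /proc on both sides of the ps call so that processes that merely
    # started or exited while ps was running are not reported as hidden.
    before = live_proc_pids()
    ps = live_ps_pids()
    after = live_proc_pids()
    return [describe_pid(p) for p in hidden_pids(before & after, ps)]


def unowned_cron_daily(directory="/etc/cron.daily"):
    paths = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    return unowned_files(paths, dpkg_owner)


if __name__ == "__main__":
    for h in hidden_processes_live():
        print("hidden from ps:", h)
    for p in unowned_cron_daily():
        print("not owned by any package:", p)
```

The pure functions (`hidden_pids`, `unowned_files`) take their inputs as arguments so the logic can be exercised with constructed data; the `live_*` collectors are the only parts that touch the running system. A clean host normally prints nothing for the first check and only locally added scripts for the second.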