[lug] R00tKIT!! Raah!

Jeff Schroeder jeff at neobox.net
Tue Jun 14 17:23:10 MDT 2005

Michael asked:

> Now, here is a question, can the 'apache' user install a rootkit if
> they are not root?

It seems unlikely.  Perhaps there was a different path used to 
compromise the system... maybe an SSH exploit?  Are you running other 
services that might not have the latest security patches?  Telnet, FTP, 
Sendmail, etc.?

> I fear I may need to travel out there to rebuild the server... Anyone
> know if it is possible to 'clean' the system?

The general rule of thumb is you *always* rebuild a compromised system.  
It's extremely difficult to know all of the things that were changed, 
and a clever cracker would doubtless install lots of tools all over the 
place.  I wouldn't take the risk of thinking you cleaned it, only to 
discover next week that it's been compromised again. :-(
