zk rootkit

Ben Stringer ben at burbong.com
Fri Nov 21 12:51:07 UTC 2003


On Fri, 2003-11-21 at 23:18, Grosswiler Roger wrote:
> Hi guys,
> 
> Running chkrootkit on my server tells me that I have a 'possible
> installation of the zk rootkit' on my server. Does anybody know how I can
> find out about this rootkit, where the files are and what I can do against
> it?

To find the files, look at the source (it's a shell script) of
chkrootkit and search for the bit where it reports it found zk.

From (bitter) memory, it is something like /usr/lib/.zk

What you should do against it is remove the server from the net, backup
any data (avoiding executables) and reinstall. Then have everyone who
ever used a password on the server change their passwords. Rootkits tend
to install a backdoor for access (e.g. a second sshd) and to replace common
binaries (ls, ps) to hide their presence. chkrootkit can only find
rootkits that have been sloppily constructed.

You also need to work out how it got there and remove whatever weakness
allowed it in. This can be complex.

Cheers, Ben
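Ben's first suggestion, worked through as a small added shell example (this is not from the thread and not chkrootkit's own code): pull the file paths a chkrootkit-style zk check looks for and report which of them exist on the host. The embedded script text is a constructed stand-in for the relevant part of chkrootkit's source; only /usr/lib/.zk is the path the thread mentions, the other paths and the /usr/sbin/chkrootkit install location are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from chkrootkit): pull the file paths
# that a chkrootkit-style "zk" check looks for, then report which exist here.

# CONSTRUCTED stand-in for the zk section of chkrootkit's source. Only
# /usr/lib/.zk comes from the thread; the other paths are placeholders.
SAMPLE_CHKROOTKIT=$(cat <<'EOF'
### zK (constructed sample, not the real chkrootkit source)
ZK_FILES="/usr/lib/.zk /usr/lib/.zk/zk /etc/.zk-example-placeholder"
for i in ${ZK_FILES}; do
   if [ -f "${i}" ]; then
      echo "Possible zk rootkit installed"
   fi
done
EOF
)

# extract_zk_paths SCRIPT_TEXT
# Heuristic: from every line mentioning "zk" (any case), take the quoted
# strings, split them on spaces and keep absolute paths, one per line.
extract_zk_paths() {
    printf '%s\n' "$1" | grep -i 'zk' | grep -o '"[^"]*"' \
        | tr -d '"' | tr ' ' '\n' | grep '^/' | sort -u
}

# check_paths  (reads paths on stdin)
# Prints PRESENT/absent per path. Returns 1 if any path exists, else 0.
check_paths() {
    found=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$p" ]; then
            echo "PRESENT $p"
            found=1
        else
            echo "absent  $p"
        fi
    done
    return $found
}

# Stand-alone run against the constructed sample. To use the real script,
# pass "$(cat /usr/sbin/chkrootkit)" instead (install path is an assumption).
if ! extract_zk_paths "$SAMPLE_CHKROOTKIT" | check_paths; then
    echo "Matching files present: treat the host as compromised and rebuild."
fi
```

A hit here is only the sloppy-rootkit case Ben describes; an absent path proves nothing, since the replaced ls/ps and a hidden backdoor would not show up in this list.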

More information about the fedora-list mailing list