On Fri, 2003-11-21 at 23:18, Grosswiler Roger wrote:
> Hi guys,
>
> letting chkrootkit on my server lets me know that I have a 'possible
> installation of the zk rootkit' on my server. Does anybody know how I can
> find out about this rootkit, where the files are and what I can do against
> it?

To find the files, look at the source (it's a shell script) of chkrootkit and
search for the bit where it reports it found zk. From (bitter) memory, it is
something like /usr/lib/.zk

What you should do against it is remove the server from the net, backup any
data (avoiding executables) and reinstall. Then have everyone who ever used a
password on the server change their passwords.

Rootkits tend to install a backdoor for access (e.g. a second sshd) and to
replace common binaries (ls, ps) to hide their presence. chkrootkit can only
find rootkits that have been sloppily constructed.

You also need to work out how it got there and remove whatever weakness
allowed it in. This can be complex.

Cheers,
Ben
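Ben's advice to read the chkrootkit script for the paths behind a given report can be scripted. The block below is an added example, not part of the thread and not code from the chkrootkit project: it pulls the absolute paths out of the script section whose `###` comment names a rootkit, then reports which of them exist on the host (optionally under an alternate root, for a disk mounted read-only from another machine). The sample script it builds is constructed to mimic chkrootkit's layout with made-up paths; the `${ROOTDIR}` prefix handling is an assumption about how the real script writes its paths.

```shell
#!/bin/sh
# Added example: extract the file paths chkrootkit tests for a named rootkit
# and check whether they are present. Not chkrootkit's own code.

# Print the absolute paths mentioned in the section of a chkrootkit-style
# script that starts with a '###' comment naming $2 and ends at the next
# '###' comment. Assumes paths may be written as ${ROOTDIR}usr/... (assumed).
chkrootkit_paths() {
    script="$1"; name="$2"
    awk -v name="$name" '
        /^[ \t]*###/ { insec = (index(tolower($0), tolower(name)) > 0); next }
        insec {
            gsub("[$][{]ROOTDIR[}]", "/")
            while (match($0, "/[A-Za-z0-9_./-]+")) {
                print substr($0, RSTART, RLENGTH)
                $0 = substr($0, RSTART + RLENGTH)
            }
        }
    ' "$script" | sort -u
}

# Check those paths under root prefix $3 (default: this host). Prints each
# path found, then the count on the last line. Any hit is evidence for the
# offline rebuild the reply recommends, not something to "clean" in place.
check_paths() {
    root="${3:-}"
    found=0
    for p in $(chkrootkit_paths "$1" "$2"); do
        if [ -e "$root$p" ]; then
            echo "PRESENT: $root$p"
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Constructed stand-in for the real chkrootkit script: only the layout is
# mimicked, every path here is made up for the example.
make_sample() {
    cat > "$1" <<'EOF'
   ### Example-A rootkit
   if [ -f ${ROOTDIR}usr/lib/.example_a/sshd ]; then echo "INFECTED"; fi
   ### zk rootkit
   if [ -d ${ROOTDIR}usr/lib/.example_zk ]; then echo "Possible zk rootkit installation"; fi
   if [ -f ${ROOTDIR}etc/.example_zk.conf ]; then echo "INFECTED"; fi
   ### Example-B rootkit
   if [ -f ${ROOTDIR}tmp/.example_b ]; then echo "INFECTED"; fi
EOF
}

# Usage: ./this.sh /path/to/chkrootkit zk [/mnt/suspect-root]
if [ "$#" -ge 2 ]; then
    check_paths "$@"
fi
```

Run it against the real chkrootkit script with the rootkit name from the report; pointing the third argument at a mounted image of the suspect disk avoids trusting the possibly replaced `ls` and `test` binaries on the compromised host, which is the same reason the reply says to rebuild rather than trust anything the box tells you.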