Re: zk rootkit

On Fri, 21 Nov 2003, Ben Stringer wrote:

> On Fri, 2003-11-21 at 23:18, Grosswiler Roger wrote:
> > Hi guys,
> >
> > Running chkrootkit on my server tells me that I have a 'possible
> > installation of the zk rootkit' on my server. Does anybody know how I can
> > find out about this rootkit, where the files are and what I can do against
> > it?
>
> To find the files, look at the source (it's a shell script) of
> chkrootkit and search for the bit where it reports it found zk.
>
> From (bitter) memory, it is something like /usr/lib/.zk
>
> What you should do against it is remove the server from the net, back up
> any data (avoiding executables) and reinstall. Then have everyone who
> ever used a password on the server change their passwords. Rootkits tend
> to install a backdoor for access (e.g. a second sshd) and to replace common
> binaries (ls, ps) to hide their presence. chkrootkit can only find
> rootkits that have been sloppily constructed.

Actually, chkrootkit will probably be able to find all but the best, as
long as the author keeps it up to date. It detects the common
modifications to binaries as well.

-- 

Sam Barnett-Cormack
Software Developer                           |  Student of Physics & Maths
UK Mirror Service (http://www.mirror.ac.uk)  |  Lancaster University
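An added example of the lookup Ben describes (not from the thread, and not chkrootkit's own code): pull the paths a chkrootkit-style script associates with a rootkit name, then report which of them exist on the host. The script fragment is constructed around the NAME_FILES="..." convention and the /usr/lib/.zk path recalled above; take the real list from the chkrootkit source you actually ran.

```shell
#!/bin/sh
# Added example, not from the thread and not chkrootkit's own code.
# Extract the paths a chkrootkit-style script lists for a rootkit, then
# report which of them are present. The fragment below is CONSTRUCTED
# around the NAME_FILES="..." style and the /usr/lib/.zk path recalled
# in the thread; take the real list from the chkrootkit you actually ran.

SAMPLE_CHKROOTKIT=$(mktemp)
cat > "$SAMPLE_CHKROOTKIT" <<'EOF'
### zk (constructed sample, not real chkrootkit source)
ZK_FILES="/usr/lib/.zk /usr/lib/.zk/zk /etc/sysconfig/console/load.zk"
for i in ${ZK_FILES}; do
   if [ -f "${i}" ]; then
      echo "Possible zk rootkit installed"
   fi
done
EOF

# rootkit_files SCRIPT NAME: print the paths in NAME_FILES="...", one per line.
# NAME is upper-cased, so "zk" looks up ZK_FILES.
rootkit_files() {
    name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    sed -n "s/^${name}_FILES=\"\(.*\)\"/\1/p" "$1" | tr ' ' '\n' | sed '/^$/d'
}

# present_paths SCRIPT NAME [ROOT]: print the listed paths that exist under
# ROOT (default: the running system). The existence test is a shell builtin,
# so a replaced ls binary is not consulted.
present_paths() {
    root=${3:-}
    rootkit_files "$1" "$2" | while read -r p; do
        if [ -e "${root}${p}" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Stand-alone run: check the live system for the sample's zk paths.
present_paths "$SAMPLE_CHKROOTKIT" zk
```

The optional ROOT argument lets you point the check at a mounted, offline copy of the suspect disk rather than the running system, which sidesteps the replaced binaries Ben mentions.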