[Nottingham] Has my server been intruded or am I paranoid?

Danny King dannyking at gmail.com
Sun Nov 16 17:57:19 UTC 2008


Hello,

I ran rkhunter (rootkit checker found in the Ubuntu repos) and it's
warning me that the following binaries have been possibly altered:

ip, kill, ps, sudo, top, vmstat, w, watch, w.procps, ip, sysctl,
unhide, unhide-linux26

It reports no trojans or rootkits found and everything else it reports
as fine except a warning for hidden files & directories.

Now, could it be that those are false positives? The binaries it warns
against are pretty scary! Could anyone advise me on the best steps I
could take (bearing in mind I haven't got physical access to the
server)? I have had the usual brute force attacks for about a month
now but I've been watching my logs carefully and until just now I
didn't see anything indicating anyone had been given access: I have
just found that four days of logging is missing from auth.log (logging
ended on the 12th and abruptly starts again today).

Should I shut the server down and wait till December to do a fresh install?

Thanks guys.

-- 
- Danny King

Are you a web standards developer that uses open source software? Say
hello, send me a mail! I'm looking for more like us.
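As an added illustration (not part of Danny's message, and not anything rkhunter ships): a short Python script that reads auth.log-style lines and reports any stretch of silence longer than a threshold, so a hole like the one described above can be measured exactly rather than eyeballed. It assumes the stock Ubuntu/Debian syslog timestamp format, which carries no year (the caller supplies it), and it uses a 24-hour threshold on the assumption that cron's pam_unix session lines and the ongoing brute-force noise normally keep auth.log busier than that. The sample log lines are constructed for the example.

```python
"""Detect unexplained gaps in an auth.log-style file.

Added example, not from the original mailing-list post. It assumes the
default Ubuntu/Debian syslog timestamp format ("Nov 12 23:17:09 host ...")
which carries no year, so the caller supplies the year of the first line.
"""
import re
from datetime import datetime, timedelta

# Constructed sample (not taken from the poster's real log): entries stop late
# on the 12th and resume on the 16th, mirroring the four-day hole described.
SAMPLE_AUTH_LOG = """\
Nov 12 08:14:02 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov 12 08:14:05 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov 12 09:30:41 web1 CRON[2290]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 12 23:17:09 web1 sshd[2410]: Failed password for root from 192.0.2.10 port 40501 ssh2
Nov 16 11:02:55 web1 sshd[3011]: Accepted publickey for danny from 198.51.100.7 port 51022 ssh2
Nov 16 11:03:00 web1 sudo:    danny : TTY=pts/0 ; PWD=/home/danny ; USER=root ; COMMAND=/usr/bin/rkhunter -c
"""

# "Mon dd HH:MM:SS" at the start of the line; the day may be space-padded.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s")


def parse_timestamps(text, year):
    """Return the timestamps of all syslog-format lines, in file order.

    syslog timestamps have no year, so if a timestamp goes backwards (e.g.
    'Dec 31' followed by 'Jan  1') the year is assumed to have rolled over.
    """
    stamps = []
    for line in text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue  # continuation lines, junk, or a different format
        ts = " ".join(m.group("ts").split())  # collapse "Nov  5" -> "Nov 5"
        stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if stamps and stamp < stamps[-1]:
            year += 1
            stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        stamps.append(stamp)
    return stamps


def find_gaps(stamps, threshold):
    """Return (last_before, first_after, length) for every silence > threshold."""
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > threshold:
            gaps.append((prev, cur, cur - prev))
    return gaps


def audit_auth_log(text, year, threshold=timedelta(hours=24)):
    """Flag silences longer than `threshold` (default one day).

    One day is an assumption: on a host that runs cron, pam_unix writes a
    session line to auth.log at least daily, and a server under ongoing
    SSH brute-force sees failed logins far more often. A multi-day hole
    inside one file is not explained by logrotate, which moves the whole
    file rather than cutting a window out of the middle of it.
    """
    return find_gaps(parse_timestamps(text, year), threshold)


if __name__ == "__main__":
    for start, end, length in audit_auth_log(SAMPLE_AUTH_LOG, year=2008):
        print(f"no auth.log entries for {length} between {start} and {end}")
```

Run it over the rotated files as well (auth.log.1 and the .gz copies), otherwise a silence that merely straddles a rotation boundary looks like deletion; a gap that sits wholly inside one file, as described in the post, is the one that needs explaining.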
