[Nottingham] Has my server been intruded or am I paranoid?

Danny King dannyking at gmail.com
Sun Nov 16 18:04:24 UTC 2008


Just found out that there was a power cut at the house with the server
so that would explain the four day logging gap (It was forgotten to
turn it on again). Still, should I be worried about the rkhunter
report?

Thanks!

2008/11/16 Danny King <dannyking at gmail.com>:
> Hello,
>
> I ran rkhunter (rootkit checker found in the Ubuntu repos) and it's
> warning me that the following binaries have been possibly altered:
>
> ip, kill, ps, sudo, top, vmstat, w, watch, w.procps, ip, sysctl,
> unhide, unhide-linux26
>
> It reports no trojans or rootkits found and everything else it reports
> as fine except a warning for hidden files & directories.
>
> Now, could it be that those are false positives? The binaries it warns
> against are pretty scary! Could anyone advise me on the best steps I
> could take (bearing in mind I haven't got physical access to the
> server). I have had the usual brute force attacks for about a month
> now but I've been watching my logs carefully and until just now I
> didn't see anything indicating anyone had been given access: I have
> just found that four days of logging is missing from auth.log (logging
> ended on the 12th and abruptly starts again today).
>
> Should I shut the server down and wait 'til December to do a fresh install?
>
> Thanks guys.
>
> --
> - Danny King
>
> Are you a web standards developer that uses open source software? Say
> hello, send me a mail! I'm looking for more like us.
>



-- 
- Danny King

Are you a web standards developer that uses open source software? Say
hello, send me a mail! I'm looking for more like us.
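
One way to cross-check the binaries rkhunter flagged, added here as an example and not part of the original message: compare each file with the MD5 that dpkg recorded for its package. The function name check_flagged and its status labels are made up for this example, and it assumes manifest paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post). Compares named binaries with the
# MD5s dpkg recorded at install time. Manifest format, one entry per line:
#   <md5>  <path relative to />      e.g. /var/lib/dpkg/info/procps.md5sums
# On a host you already suspect, the local manifest and md5sum may be altered
# too, so prefer a manifest extracted from a freshly downloaded package.

# check_flagged ROOT MANIFEST NAME...
# Prints "<STATUS> <NAME>" per name; succeeds only if every name is OK.
#   OK         hash matches the manifest
#   MODIFIED   file exists but its hash differs
#   MISSING    listed in the manifest but absent under ROOT
#   UNTRACKED  no manifest entry with that basename (wrong package?)
check_flagged() (
    root=$1 manifest=$2 rc=0
    shift 2
    for name in "$@"; do
        # Find the manifest entry whose basename is exactly NAME, so that
        # "w" does not match "w.procps".
        entry=$(awk -v n="$name" '{
            base = $2; sub(/.*\//, "", base)
            if (base == n) { print $1 " " $2; exit }
        }' "$manifest")
        if [ -z "$entry" ]; then
            status=UNTRACKED
        else
            want=${entry%% *} path=${entry#* }
            if [ ! -f "$root/$path" ]; then
                status=MISSING
            else
                got=$(md5sum < "$root/$path" | cut -d' ' -f1)
                if [ "$got" = "$want" ]; then status=OK; else status=MODIFIED; fi
            fi
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s\n' "$status" "$name"
    done
    [ "$rc" -eq 0 ]
)

# Usage on the live system (assumes procps owns these files; "dpkg -S <file>"
# shows which package a file belongs to):
#   check_flagged / /var/lib/dpkg/info/procps.md5sums ps top vmstat w.procps
```

A MODIFIED result right after a package upgrade that rkhunter's own database has not been refreshed for would point to a false positive in rkhunter, not in this check, since the manifest is rewritten on upgrade.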


