kameleon25
January 20th, 2008, 04:45 PM
The other day I noticed when I ran "ls" on my Ubuntu 7.10 server I got this:
ls
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
So I started digging and found a few places that stated this could be due to a rootkit being installed. This is my web server running ISPConfig and only the bare minimum ports have ever been open to let it run. So once I heard/read it could have been a rootkit I immediately installed chkrootkit and rkhunter. Here is the part of the rkhunter output that bothers me (I cut the OK parts):
/bin/ls [ Warning ]
/bin/netstat [ Warning ]
/bin/ps [ Warning ]
/usr/bin/find [ Warning ]
/usr/bin/md5sum [ Warning ]
/usr/bin/pstree [ Warning ]
/usr/bin/top [ Warning ]
/sbin/ifconfig [ Warning ]
SHV4 Rootkit [ Warning ]
SHV5 Rootkit [ Warning ]
Checking for hidden files and directories [ Warning ]
System checks summary
=====================
File properties checks...
Files checked: 123
Suspect files: 8
Rootkit checks...
Rootkits checked : 110
Possible rootkits: 2
Rootkit names : SHV4 Rootkit, SHV5 Rootkit
Applications checks...
Applications checked: 8
Suspect applications: 0
Any ideas on what to check specifically to see if I have been rooted? Everywhere I find when I search Google just says format and reinstall. But I don't want to do that unless I have been infected.
Thanks in advance for any and all help.
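One check for the eight files rkhunter flagged above, as an added example that is not part of the original post: hash each file and compare it with the MD5 that dpkg recorded at install time. It assumes the suspect disk is mounted read-only under a path passed as `root` and that the script runs from trusted rescue media, because `/usr/bin/md5sum` is itself on the flagged list; `verify`, `load_dpkg_md5sums` and `md5_of` are names chosen for this example.

```python
import glob
import hashlib
import os

# The files rkhunter flagged in the post above.
FLAGGED = ["/bin/ls", "/bin/netstat", "/bin/ps", "/usr/bin/find",
           "/usr/bin/md5sum", "/usr/bin/pstree", "/usr/bin/top",
           "/sbin/ifconfig"]

def load_dpkg_md5sums(root):
    """Map '/path' -> md5 hex from <root>/var/lib/dpkg/info/*.md5sums."""
    recorded = {}
    pattern = os.path.join(root, "var/lib/dpkg/info", "*.md5sums")
    for listing in glob.glob(pattern):
        with open(listing, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                # Each line is "<md5 hex>  <path without leading slash>".
                parts = line.rstrip("\n").split(None, 1)
                if len(parts) == 2:
                    recorded["/" + parts[1].lstrip("/")] = parts[0].lower()
    return recorded

def md5_of(path):
    """Hash with hashlib so the flagged md5sum binary is never executed."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify(root, paths=FLAGGED):
    """Return {path: 'ok' | 'MISMATCH' | 'missing' | 'no-record'}."""
    recorded = load_dpkg_md5sums(root)
    result = {}
    for path in paths:
        on_disk = os.path.join(root, path.lstrip("/"))
        if path not in recorded:
            result[path] = "no-record"   # package shipped no md5sums entry
        elif not os.path.isfile(on_disk):
            result[path] = "missing"
        elif md5_of(on_disk) == recorded[path]:
            result[path] = "ok"
        else:
            result[path] = "MISMATCH"    # binary differs from packaged one
    return result

if __name__ == "__main__":
    import sys
    for path, status in verify(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{status:10} {path}")
```

A `MISMATCH` means the binary is not the one the package installed. An `ok` is weaker evidence, since the md5sums files sit on the same disk and anyone with root could have rewritten them, so comparing against a freshly downloaded package is the stronger test.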