Hi,

You could try to boot into single user mode, and copy ps from another Linux machine to check and verify the same output. Don't have the new ps in the same path as the old ps. Or execute the command directly (./ps). You could also use check-ps, as another alternative, to check and verify the running processes (http://www.la-samhna.de/misc/).

Next step is to check and verify if all data backups are intact; you would need it especially if it's a production server :) You may eventually need to re-install the server, as you may not know totally what other malicious code is in that machine, if you don't employ HIDS to verify the filesystem integrity. Linux kernel rootkits are tricky in that they can change the IDT of the running Linux machine in realtime, or even if you try to run debugging tools, you will never know if the actual memory dump you see is of the system.

More detailed info is here, on how to handle these incidents: http://www.securityfocus.com/infocus/1738

You can check phrack69, on how this technology is done.

Detecting kernel level rootkits: http://la-samhna.de/library/rootkits/detect.html

Hope this helps dude.. keep backups in the future :)

Xander

On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> open-xchange as webmail.
> I installed chkrootkit and rkhunter. The configuration is rkhunter
> and chkrootkit will execute every 3am and email its result to the
> administrator account.
>
> I found this report with chkrootkit and also was surprised that an
> email account was created. I think that the system is compromised.
>
> How do I deal with this issue?
>
> Any help is well appreciated.
>
> Thanks,
>
> Sandeil
>
> Here is the output of chkrootkit:
> ---------
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... chklastlog: nothing deleted
> Checking `chkutmp'... chkutmp: nothing deleted
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph

--
Xander R. Solis
-----------------------
xrsolis.blogspot.com
"Don't part with your illusions. When they are gone you may still exist, but you have ceased to live."
GNUPG Key: 1024D/5257774A
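The `lkm` result quoted in the thread comes from chkproc comparing the PIDs that answer kill()/getpriority() against what readdir() on /proc and ps report. The following is an added Python example of that same cross-check (not chkrootkit's code and not from anyone in the thread); it assumes a Linux /proc and a ps that accepts `-eo pid=`, and the `ps_binary` parameter is a hypothetical hook for the trusted ps copy the reply recommends.

```python
"""chkproc-style cross-check of three process views (added example, not chkrootkit's code).
A PID that answers kill(pid, 0) but is missing from a readdir() of /proc or from ps output
is a hiding candidate; non-leader threads answer kill() too, so Tgid filters them out."""
import os
import subprocess

def probe_pids(max_pid):
    """PIDs that exist according to kill(pid, 0); EPERM still means 'exists'."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours to signal
        alive.add(pid)
    return alive

def thread_ids(pids):
    """IDs whose Tgid differs from the ID (threads); an unreadable status file stays a candidate."""
    threads = set()
    for pid in pids:
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
        except (OSError, StopIteration, ValueError):
            continue
        if tgid != pid:
            threads.add(pid)
    return threads

def list_ps_pids(ps_binary="ps"):
    """Point ps_binary at a copy from a clean machine (hypothetical hook), as the reply suggests."""
    out = subprocess.run([ps_binary, "-eo", "pid="], check=True,
                         capture_output=True, text=True).stdout
    return {int(tok) for tok in out.split()}

def classify(probed, readdir_pids, ps_pids, threads=frozenset()):
    """Pure comparison: (hidden_from_readdir, hidden_from_ps), the two counts chkproc prints."""
    candidates = probed - threads
    return sorted(candidates - readdir_pids), sorted(candidates - ps_pids)

if __name__ == "__main__":
    probed = probe_pids(int(open("/proc/sys/kernel/pid_max").read()))
    readdir_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    rd, ps = classify(probed, readdir_pids, list_ps_pids(), thread_ids(probed))
    print(f"You have {len(rd)} process hidden for readdir command: {rd}")
    print(f"You have {len(ps)} process hidden for ps command: {ps}")
```

Processes that start or exit between the probe and the listings appear as transient false positives, one more reason to run the check from single user mode as suggested above; rerun it and keep only PIDs that persist across runs.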

