Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Disable rootkit

Posted on 2006-07-17
12
Medium Priority
?
874 Views
Last Modified: 2012-05-05
I have installed rootkit on my server, it runs at midnight!

now like to disbale this for now, i will turn it on later. I need some help (tips and command) to disable and enable this.


Thanks in advance.
0
Comment
Question by:str_kani
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 16

Expert Comment

by:xDamox
ID: 17124027
Hi,

A rootkit!?! Could you be mistaken a rootkit is used by a cracker to regain access to your server, you cant just
turn a rootkit off it requires a reinstall of the distrobution as alot of files are overwritten.

Can you give me more information about your so called rootkit? also alittle about your server?
0
 
LVL 22

Accepted Solution

by:
pjedmond earned 400 total points
ID: 17124157
Lunatic! - looks like you've got a problem. Most rootkits are not designed to be removeable - other than with a clean install of the operating system. As a result of your root kit install commands such as ps, ls etc cannot be relied on to give you the correct response. (All part of the ability of a rootkit to try and hide itself).

chkrootkit is one of the more common programs for detecting whether there is traces of a rootkit on your system:

http://www.webhostgear.com/25.html

However, the only way to *really* guarantee that you've removed it is to re-install the system from scratch! The reason for this is that many rootkits are 'trojanised' so that 'script kiddies' who don't know what they are doing infect the system not only with the root kit, but also with other trojans as well.

Realistically, you are not going to be able to guarantee removal of the root kit, unless you can look at all the code that has been installed *AND* understand it. Best bet is clean reinstall and recover from backup.

(   (()
(`-' _\
 ''  ''
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17124178
Just in case we do have the terminology wrong here, rootkit:

http://en.wikipedia.org/wiki/Rootkit

(   (()
(`-' _\
 ''  ''

0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 12

Author Comment

by:str_kani
ID: 17124366
Ok, to be more clear.

I have a VPS and it hangs and my site is not accessble during particular time (midnight  - 2 AM)

I asked my host about this they said it's because of a rootkit running on your server. I thought it may be a antivirus or something for protect myself... from your comments i think i am in trouble!?

Please help!
0
 
LVL 16

Assisted Solution

by:xDamox
xDamox earned 800 total points
ID: 17124476
Hi,

I would strongly recommend you reformat your server because its not going to be fixable :( rootkits replace
alot of binarys such as ps, netstat etc. I would also strongly recommend you go through your websites checking
for malicious code.

Also have a look with rkhunter (http://www.rootkit.nl/) this will help identify the rootkit. Also have a look at: chrootkit and
have a look at this URL:

http://www.howtoforge.com/faq/1_38_en.html
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17124595
Another useful link to read about how to deal with rootkits is:

http://www.antirootkit.com/

>I asked my host about this they said it's because of a rootkit running on your server

I'd ask your ISP to clarify this. Is this on your VPS?......or on the server that is hosting your VPS? Either way, you need to 'start again'....but it's pointless starting again if the rootkit is on the server hostign your VPS.

(   (()
(`-' _\
 ''  ''

0
 
LVL 12

Author Comment

by:str_kani
ID: 17124755
OH, you meant to say someone hacked my server and i need to start again?

In short.... what is this rootkit? can be called a virus?
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 17124833
Virused tend to be able to spread by themselves. Rootkits don't normally spread - they stay where they are, providing someone else with access to your server to do what they want.

>OH, you meant to say someone hacked my server and i need to start again?

Probably the best bet I'm afraid.

(   (()
(`-' _\
 ''  ''



0
 
LVL 40

Assisted Solution

by:noci
noci earned 400 total points
ID: 17125198
It compares quite good to 'spyware' on the windows environment.
With the ability to hide it's tracks very well.
0
 
LVL 16

Assisted Solution

by:xDamox
xDamox earned 800 total points
ID: 17125469
Hi str_kani,

I would suggest you have a little look around see if you can see how the cracker go into your system and make sure they
dont gain access again the same way.
0
 
LVL 4

Assisted Solution

by:yurisk
yurisk earned 400 total points
ID: 17128141
There's a program (a script mostly) that is designed to check for rootkits' existence on
Linux-like systems. It is well known and most comprehensive,download it , compile
and run (see ReadMe inside for exact installation steps, or if you have any problems post them here)
www.chkrootkit.org

But most productive would be to first obtain maximum information from the host
 - How do they know you have a rootkit ?
 - What are the files/programs that  they think belong to rootkit?
 - Google (or ask here) for any filenames/daemons names they will give
 - What logs do they have to help you identify the culprit (when did the compromise happen?
   etc. )?

Most close 'relative' in the Windows world to the rootkit is trojan.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 400 total points
ID: 17128256
This article might be of interest to you...

http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/

0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question