On Sun, 04 Oct 2009 15:28:55 +0200 Thomas Krichel <kric...@openlib.org> wrote:

> I have a rootkit installed on a bunch of machines that rkhunter
> does not find.

Maybe a stupid question, but did you install it yourself or did you find "evidence" of somebody having installed it? Just to be clear about things.

> This appears after infection with SHV4 / SHV5, which rkhunter found.

Could you please attach details (rkhunter.log)?

> Here it works to allow a non-root user to become root

Who/where did you get these instructions from? Just curious.

> Does anybody here know how to delete this kit?

If another user installed binaries and/or a LKM in directories writable by only root then you have a most serious compromise on your hands. It is imperative you follow proper Incident Response procedure and not try to "restore" the machine. That would be similar to treating *only symptoms* and not the *cause*! If you need instructions on how to deal with this please let us know.

Besides, I'm interested in more information and evidence. Please feel free to contact me off list to discuss sharing details.

Best regards,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users