*nix-like systems
Alex Bugz, 2016-01-19 14:51:38

How to find a rootkit on a server if chkrootkit, rkhunter and LMD don't help?

Hello!
A misfortune has happened: on a VDS server there is some malicious code that slips an iframe into the site's HTML templates (and hides it in an invisible area), which Kaspersky flags. This code rewrites the template on a schedule, at the same time. If you rename the template file, or include another one, that helps for a while, but then the iframe finds the new, included template. This behavior suggests that someone is manually specifying a particular file for scheduled overwriting. So is there a rootkit on the server?
I tried searching with rkhunter, chkrootkit and Linux Malware Detect, monitoring logs, disabling ssh users, reconfiguring ports and disabling root, all useless. You can't just go and reinstall the system. Are there any other ways out of this situation? The system is Debian squeeze.

2 answer(s)
Vladimir Martyanov, 2016-01-19
@vilgeforce

There is no rootkit, since you can see the infected files. Now, if they were there but were not visible, that would be a rootkit. Manual analysis of files and logs will help.

Vlad Zhivotnev, 2016-01-19
@inkvizitor68sl

What version of proftpd?
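
One way to carry out the manual log analysis suggested in the answers, as an added example that is not part of the original thread: it matches the times at which the templates were rewritten against uploads recorded in an FTP transfer log and reports any recurring time slot. It assumes ProFTPD writes a TransferLog in the standard xferlog format and that templates end in `.tpl`; the paths, addresses, user names, log lines and modification times are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample in xferlog format: time, secs, host, bytes, filename, type,
# action flag, direction (i = upload), access mode, user, service, auth, id, status.
SAMPLE_XFERLOG = """\
Mon Jan 18 03:00:02 2016 1 203.0.113.7 5120 /var/www/site/tpl/main.tpl b _ i r webuser ftp 0 * c
Mon Jan 18 11:42:10 2016 2 198.51.100.4 88211 /var/www/site/img/logo.png b _ o r editor ftp 0 * c
Tue Jan 19 03:00:01 2016 1 203.0.113.7 5131 /var/www/site/tpl/alt.tpl b _ i r webuser ftp 0 * c
"""
# Constructed times at which the templates were seen to change (in practice:
# os.stat(path).st_mtime), assumed to be in the same timezone as the log.
SAMPLE_MTIMES = [datetime(2016, 1, 18, 3, 0, 2), datetime(2016, 1, 19, 3, 0, 1)]

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            size = int(f[7])
        except ValueError:
            continue
        # A filename may contain spaces, so the nine trailing fields are indexed from the right.
        yield {"time": when, "host": f[6], "size": size, "path": " ".join(f[8:-9]),
               "direction": f[-7], "user": f[-5], "status": f[-1]}

def uploads_near(entries, mtimes, window=timedelta(minutes=2), suffix=".tpl"):
    """Uploads of template files logged within `window` of an observed change."""
    return [e for e in entries
            if e["direction"] == "i" and e["path"].endswith(suffix)
            and any(abs(e["time"] - m) <= window for m in mtimes)]

def recurring_slots(hits):
    """Count hits per (host, user, HH:MM); a repeated slot points to a scheduled job."""
    slots = {}
    for e in hits:
        key = (e["host"], e["user"], e["time"].strftime("%H:%M"))
        slots[key] = slots.get(key, 0) + 1
    return {k: n for k, n in slots.items() if n > 1}

if __name__ == "__main__":
    hits = uploads_near(parse_xferlog(SAMPLE_XFERLOG), SAMPLE_MTIMES)
    for e in hits:
        print(e["time"], e["host"], e["user"], e["path"], e["size"])
    print("recurring:", recurring_slots(hits))
```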
