Using Kubuntu 8.04.
Our website was hacked and html files modified to display porn and other links. ISP support cleaned the infected files. Most of them were re-infected.
Klamav scan shows modified kernel versions (on a separate disk and partition). rkhunter scan found no major anomalies.
But noted:
[09:09:07] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[09:09:07] /bin/fgrep [ OK ]
[09:09:07] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[09:09:09] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[09:09:10] Info: Found file '/usr/bin/groups': it is whitelisted for the 'script replacement' check
[09:09:11] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
. . . to name a few.
There are several test options disabled on 'users request'. I have not requested anything and don't know where and how to disable checks!!
Here is the section on which I need urgent assistance:
[09:09:56] Checking for hidden files and directories [ Warning ]
[09:09:56] Warning: Hidden directory found: /etc/.java
[09:09:56] Warning: Hidden directory found: /dev/.static
[09:09:56] Warning: Hidden directory found: /dev/.udev
[09:09:56] Warning: Hidden directory found: /dev/.initramfs
Can anyone please explain to me whether these hidden directories are normally there or whether they could be the result of some manipulation to control the local computer or to get info from it.
Some of the above directories and/or files appear to be empty.
I have changed passwords on local level and on the remote host. But it appeared that another manipulation took place.
We know the IP address of the perpetrator and his hosting company. Any suggestions?
Thanks.
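As an added example (not from the post above or from the rkhunter project), a small POSIX shell triage that pulls the "Hidden directory found" warnings out of rkhunter's output and separates the directories a stock Ubuntu 8.04 install creates on its own (rkhunter's default rkhunter.conf already lists these as commented-out ALLOWHIDDENDIR candidates) from anything else that deserves a closer look. The log text is constructed from the lines quoted in the post plus one made-up path to exercise the "investigate" branch.

```shell
#!/bin/sh
# Constructed sample input: the rkhunter lines quoted in the post, plus one
# invented entry (/tmp/.x) so the non-benign path is exercised.
RKH_LOG='[09:09:56] Checking for hidden files and directories [ Warning ]
[09:09:56] Warning: Hidden directory found: /etc/.java
[09:09:56] Warning: Hidden directory found: /dev/.static
[09:09:56] Warning: Hidden directory found: /dev/.udev
[09:09:56] Warning: Hidden directory found: /dev/.initramfs
[09:09:57] Warning: Hidden directory found: /tmp/.x'

# Hidden directories that udev, initramfs-tools and Java create on a normal
# Ubuntu 8.04 box; rkhunter ships them as ALLOWHIDDENDIR candidates.
KNOWN_BENIGN='/etc/.java /dev/.static /dev/.udev /dev/.initramfs'

# Print every path rkhunter flagged as a hidden directory, one per line.
hidden_dirs() {
    printf '%s\n' "$1" | sed -n 's/.*Warning: Hidden directory found: //p'
}

# Classify one path: "known" if it is on the benign list, else "investigate".
# Exit status 1 for "investigate" so callers can branch on it.
classify() {
    for k in $KNOWN_BENIGN; do
        [ "$1" = "$k" ] && { echo known; return 0; }
    done
    echo investigate
    return 1
}

# Emit "<verdict> <path>" for each warning; return 1 if anything needs a look.
triage() {
    rc=0
    for d in $(hidden_dirs "$1"); do
        v=$(classify "$d") || rc=1
        echo "$v $d"
    done
    return $rc
}

triage "$RKH_LOG" || echo 'at least one hidden directory is not a known stock path'
```

On the real machine, confirm each "known" verdict independently with `dpkg -S <path>` and by checking that the directory is empty or holds only the expected udev/initramfs state, since a benign name can be reused; the list above is a triage aid, not a clean bill of health.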