Rootkit found on my Centos server

viking60
Über-Berserk
Posts: 9320
Joined: 14 Mar 2010, 16:34

Rootkit found on my Centos server

Postby viking60 » 19 Aug 2016, 14:33

I did a scan with Rkhunter on my Centos server and it came up with a possible rootkit find:

Code:

Rootkit checks...
Rootkits checked : 368
Possible rootkits: 1
 Rootkit names    : Lite5-r Rootkit

So I checked the logs:

Code:

cat /var/log/rkhunter/rkhunter.log |grep 'Lite5-r Rootkit'


And it came up with

Code:

Found file '/tmp/.bash_history'. Possible rootkit: Lite5-r Rootkit


I cannot find that this is a false positive on the net.
The file /tmp/.bash_history contains:

Code:

passwd
exit


Help!
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

viking60
Über-Berserk
Posts: 9320
Joined: 14 Mar 2010, 16:34

Re: Rootkit found on my Centos server

Postby viking60 » 19 Aug 2016, 14:58

Well, I simply deleted the file - Berserk style

Code:

rm /tmp/.bash_history


And checked again with rkhunter; this time it did not find anything. I guess that kind of solves the issue (but rootkit issues often mean reinstalling the OS).
The history seems to work just fine.

R_Head
Berserk
Posts: 2706
Joined: 17 Mar 2010, 15:40

Re: Rootkit found on my Centos server

Postby R_Head » 19 Aug 2016, 18:22

Interesting... I believe that I can use the same commands on my Mageia 5 PC?

viking60
Über-Berserk
Posts: 9320
Joined: 14 Mar 2010, 16:34

Re: Rootkit found on my Centos server

Postby viking60 » 20 Aug 2016, 06:40

Sure! If you have installed Rkhunter.
The command would be:

Code:

sudo rkhunter -c

to scan your box for nasty stuff.

Blackcrack
Posts: 247
Joined: 02 Apr 2013, 08:31

Re: Rootkit found on my Centos server

Postby Blackcrack » 07 Dec 2020, 06:13

Hi,

Interesting how long the rootkit list is today..

I have tested this proggy on my Fedora 33 server today too..
Nice so far.. there should be a runtime service and a Plasma/Gnome systray plugin created for it..
Could be a nice thing.., and if a rootkit is found, it could become a popup message like:
"[IcoXicO] We have found a %Rootkit%, there is the log : %Log-Link% readable for all"
to make it possible to copy and send it via mail or so to inform the admin or server owner.

A plugin for own/nextcloud could also be a nice thing :)

best

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 138
Suspect files: 4

Rootkit checks...
Rootkits checked : 502
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 11 minutes and 45 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
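
An added example, not part of any post in this thread: a shell script that pulls the "Found file ... Possible rootkit" lines out of an rkhunter log and keeps a hashed copy of each flagged file, so the content is still available after a cleanup like the rm earlier in the thread. The function names, the evidence directory and the sample log line (including its timestamp prefix) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): list rkhunter "Found file" hits and
# keep a hashed copy of each flagged file before anyone deletes it.
TAB=$(printf '\t')

# Print "path<TAB>rootkit name" for every matching line of an rkhunter log.
rk_findings() {
    sed -n "s/.*Found file '\([^']*\)'\. Possible rootkit: \(.*\)\$/\1${TAB}\2/p" "$1"
}

# Describe one flagged path. Regular files are copied into evidence dir $2
# under their SHA-256; symlinks are reported with their target, not followed.
preserve_file() {
    f=$1; dir=$2
    if [ -L "$f" ]; then
        echo "symlink $f -> $(readlink "$f")"; return 0
    fi
    if [ ! -f "$f" ]; then
        echo "missing-or-special $f"; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    cp -p -- "$f" "$dir/$sum" || return 1
    # ls -ldn records mode, numeric owner/group, size and mtime of the original
    echo "sha256=$sum $(ls -ldn -- "$f")"
}

# Run preserve_file over every finding in log $1, storing copies in dir $2.
triage_log() {
    rk_findings "$1" | while IFS="$TAB" read -r path name; do
        printf '[%s] ' "$name"
        preserve_file "$path" "$2" || true
    done
}

# Constructed demo: a log line in the format quoted in the thread, pointing
# at a throwaway file instead of the real /tmp/.bash_history.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd\nexit\n' > "$d/.bash_history"
    printf "[14:33:01] Found file '%s'. Possible rootkit: Lite5-r Rootkit\n" \
        "$d/.bash_history" > "$d/rkhunter.log"
    triage_log "$d/rkhunter.log" "$d/evidence"
    rm -rf "$d"
}
demo
```

On a real host the log argument would be /var/log/rkhunter/rkhunter.log, with the evidence directory placed somewhere other than /tmp.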

