3

I checked my Linux server with rkhunter and got the following warning messages:

```
...
[00:35:35] Found file '/usr/include/gpm2.h'. Possible rootkit: Trojaned SSH daemon
[00:35:35] Found file '/etc/rpm/sshdOLD'. Possible rootkit: Trojaned SSH daemon (original sshd binary)
[00:35:35] Found file '/etc/rpm/sshOLD'. Possible rootkit: Trojaned SSH daemon (original ssh binary)
...
[00:35:57] Found string '/usr/include/gpm2.h' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
[00:35:57] Found string '/usr/include/gpm2.h' in file '/usr/bin/ssh'. Possible rootkit: Trojaned SSH daemon
...
```

After I Googled these details, I understood that all of these are SSH rootkits. I need to know how to remove these things from the server and make it secure (CentOS with SSH remote access).

Adi
Kumar
    The easiest way is probably the triple-R: reformat, reinstall from known good media and restore (quite possibly selectively) from a known good backup. Also known as "nuke from orbit". Make sure you install all available updates, particularly security-related updates, and preferably do the reinstall from behind a tightly configured firewall (no remote access until everything is up to date!). – user Jul 12 '13 at 08:19
  • This question is possibly too localized, but the most common recommendation is indeed to "nuke it from orbit", as it's said in the industry. For more information, you can [refer to one of my previous answers](http://security.stackexchange.com/a/37115/20074) to a somewhat similar question, but with much the same recommendations. It lists recommended steps you should take to get rid of the rootkit and also prevent it infecting your server in the future. Hope it helps. ;) – TildalWave Jul 12 '13 at 15:01
  • This question appears to be off-topic because it is too localized and unlikely to help future visitors. The standard recommendation in case of such infections is much discussed throughout our Q&A, and has many answers on similar questions. – TildalWave Jul 12 '13 at 15:03
  • See [How do you explain the necessity of "nuke it from orbit" to management and users?](http://security.stackexchange.com/q/24195) – Martin Schröder Jul 12 '13 at 16:39
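Before the host is rebuilt, the rkhunter warnings above are the only structured record of what was found, so it is worth turning them into a list of artifacts to preserve (hash or image) for later investigation. The following triage helper is an added example, not code from the question, from rkhunter, or from any answer here; it parses the two warning shapes shown in the question ("Found file" and "Found string ... in file"), groups the paths by rootkit family, and hashes whichever listed files exist on the host. The sample log is constructed from the lines quoted above; the function names are the example's own.

```python
"""Triage helper for rkhunter 'Possible rootkit' warnings (added example)."""
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample: the warning lines quoted in the question, verbatim.
SAMPLE_LOG = """\
[00:35:35] Found file '/usr/include/gpm2.h'. Possible rootkit: Trojaned SSH daemon
[00:35:35] Found file '/etc/rpm/sshdOLD'. Possible rootkit: Trojaned SSH daemon (original sshd binary)
[00:35:35] Found file '/etc/rpm/sshOLD'. Possible rootkit: Trojaned SSH daemon (original ssh binary)
[00:35:57] Found string '/usr/include/gpm2.h' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
[00:35:57] Found string '/usr/include/gpm2.h' in file '/usr/bin/ssh'. Possible rootkit: Trojaned SSH daemon
"""

# One regex per warning shape seen in the log. The time stamp, the quoted
# path(s) and the rootkit name are captured; the optional parenthesised
# note after the name (e.g. "(original sshd binary)") stays with the name.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] Found file '(?P<path>[^']+)'\. "
    r"Possible rootkit: (?P<rootkit>.+)$"
)
STRING_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] Found string '(?P<needle>[^']+)' in file "
    r"'(?P<path>[^']+)'\. Possible rootkit: (?P<rootkit>.+)$"
)


def parse_warnings(text):
    """Turn rkhunter warning lines into dicts; lines of other shapes are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            findings.append({"ts": m["ts"], "kind": "file", "path": m["path"],
                             "needle": None, "rootkit": m["rootkit"]})
            continue
        m = STRING_RE.match(line)
        if m:
            findings.append({"ts": m["ts"], "kind": "string", "path": m["path"],
                             "needle": m["needle"], "rootkit": m["rootkit"]})
    return findings


def artifacts_to_preserve(findings):
    """Distinct paths to image or hash before the host is wiped: the files
    rkhunter found and the binaries that contain references to them."""
    return sorted({f["path"] for f in findings})


def group_by_rootkit(findings):
    """Map each rootkit family (parenthesised note stripped) to its paths."""
    groups = defaultdict(set)
    for f in findings:
        family = re.sub(r"\s*\(.*\)$", "", f["rootkit"])
        groups[family].add(f["path"])
    return {k: sorted(v) for k, v in groups.items()}


def sha256_of_existing(paths):
    """Hash the listed paths that exist on this host, for the evidence record.
    Absent paths map to None instead of raising, so a partial list still runs."""
    out = {}
    for p in paths:
        if os.path.isfile(p):
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            out[p] = h.hexdigest()
        else:
            out[p] = None
    return out


if __name__ == "__main__":
    found = parse_warnings(SAMPLE_LOG)
    for family, paths in group_by_rootkit(found).items():
        print(f"{family}: {len(paths)} path(s)")
        for p in paths:
            print("   ", p)
    print("preserve:", artifacts_to_preserve(found))
    print(sha256_of_existing(artifacts_to_preserve(found)))
```

Run it on a copy of the rkhunter log taken off the box (or feed the log text to `parse_warnings`); the hashes should be recorded alongside the log and kept off the compromised host, since the answer below explains why nothing on that host can be trusted.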

1 Answer

12

Removal? Forget about it. There is unauthorised root access to your server; anything could have been installed by now and you would have no reliable way to detect it.

Even for a forensic expert with local access, it would take a long time to completely audit a system to ensure there is no trace of extant malware.

The only reasonable and responsible course is to wipe the disc and reinstall/reimage the OS from a trusted source.

bobince