-1

Possible Duplicate:
My server's been hacked EMERGENCY

My Linux machine has been hacked lately.

There are a few entries in /etc/inittab below the

#end of /etc/inittab

Something like:

#Loading standard ttys
0:2345:once:/usr/sbin/ttyload

I also have several of the following lines:

2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
.
.
.

I know that my /usr/sbin/ttyload has been hacked, and I have removed it, but I don't know if I need this in inittab, nor whether I had ttyload before. Is this file common?

Should I remove this line?

Danijel
  • As stated below, it's hard to find out how many backdoors are left on your system. You should perform a clean system reinstall. – ott-- Oct 06 '12 at 19:06

3 Answers

2

That's there to reinfect the system on boot... Another part of rootkit extraction is that you're not safe until you've determined what backdoors or triggers exist to reinfect your system.

The rpm verify command I gave in your previous question also checks configuration files to show you what's changed from the package defaults.

rpm -vVa | grep 'S\.5\.\.\.\.T' will output changed binaries and configuration files (denoted by a "c")

For example:

S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T  c /etc/snmp/snmpd.conf

The "c" means that the config file changed. rpm -qf /path/to/file will show you the package that contains the file. You can either wipe or move the file and reinstall the rpm package to overwrite it.

ewwhite
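As an added example (not code from ewwhite's answer or from the original thread): two small POSIX shell helpers that do the two checks this answer describes, so they can be run over a file instead of eyeballed. inittab_audit flags any entry that sits after the "#end of /etc/inittab" marker (where the ttyload line was hidden) and separates ordinary getty lines from entries that deserve an rpm -qf lookup; rpm_verify_classify reads saved "rpm -Va" output and separates content changes in binaries from content changes in config files and from pure metadata changes. The sample inittab and rpm -Va lines below are constructed to mirror the question, and the assumed rpm -V layout is the standard flag string (S M 5 D L U G T, plus P on rpm 4.7 and later) followed by an optional attribute letter such as "c".

```shell
#!/bin/sh
# Added example, not part of the original answer. Two helpers for the
# rootkit clean-up described above, plus constructed sample data.

# inittab_audit FILE
# One line per entry, tagged:
#   AFTER_END  entry placed after the "#end of /etc/inittab" marker
#   DEFAULT    the initdefault runlevel line
#   GETTY      a console getty (mingetty/agetty/getty): keep these
#   REVIEW     anything else: check the program with rpm -qf and rpm -V
inittab_audit() {
    awk '
        /^#end of \/etc\/inittab/ { past_end = 1; next }
        /^[[:space:]]*#/          { next }     # comment line
        /^[[:space:]]*$/          { next }     # blank line
        {
            n = split($0, f, ":")              # id:runlevels:action:process
            if (n < 4) { print "MALFORMED " $0; next }
            split(f[4], cmd, " ")
            prog = cmd[1]                      # program before its arguments
            if (past_end)                    tag = "AFTER_END"
            else if (f[3] == "initdefault")  tag = "DEFAULT"
            else if (prog ~ /getty$/)        tag = "GETTY"
            else                             tag = "REVIEW"
            printf "%-9s %s\n", tag, $0
        }' "$1"
}

# rpm_verify_classify FILE
# FILE holds "rpm -Va" output. The first field is the flag string
# (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities); a following "c" marks a config file.
#   BINARY_CHANGED  digest differs on a non-config file: wipe or reinstall
#   CONFIG_CHANGED  digest differs on a config file: diff against the package
#   MISSING         file no longer present (the removed ttyload, for example)
#   METADATA_ONLY   no digest change: only size/mode/owner/mtime flags set
rpm_verify_classify() {
    awk '
        $1 == "missing" { printf "%-15s %s\n", "MISSING", $NF; next }
        {
            flags = $1; path = $NF
            attr  = (NF == 3) ? $2 : ""
            if (index(flags, "5"))
                tag = (attr == "c") ? "CONFIG_CHANGED" : "BINARY_CHANGED"
            else
                tag = "METADATA_ONLY"
            printf "%-15s %s\n", tag, path
        }' "$1"
}

# Constructed sample data modelled on the question; not captured from a host.
SAMPLE_INITTAB=$(mktemp)
SAMPLE_RPMV=$(mktemp)
trap 'rm -f "$SAMPLE_INITTAB" "$SAMPLE_RPMV"' EXIT

cat > "$SAMPLE_INITTAB" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#end of /etc/inittab
#Loading standard ttys
0:2345:once:/usr/sbin/ttyload
EOF

cat > "$SAMPLE_RPMV" <<'EOF'
S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /bin/ls
.......T.    /usr/share/doc/foo/README
missing      /usr/sbin/ttyload
EOF

inittab_audit "$SAMPLE_INITTAB"
rpm_verify_classify "$SAMPLE_RPMV"
```

On a live box, save the verification first (rpm -Va > /tmp/rpmv.txt) and run rpm_verify_classify over that file, then run rpm -qf on the program of every REVIEW line: a path that no package owns is a strong signal. One caveat the answer hints at: if the rootkit replaced rpm itself or edited the RPM database, the verification is only as trustworthy as those, so prefer running it from a rescue boot against the mounted root (rpm --root /mnt/sysimage -Va) before deciding what to reinstall.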
1

The lines with mingetty should stay there. In simple words, these are the consoles that you can access with ctrl+alt+f{1-6}. Usually the 7th is your graphical environment.

About ttyload, since it's not in your system you don't need that line.

Nikolaidis Fotis
0

Yes, this line needs to be removed. It's a hacker's script that calls two infected files, etc...

More here.

Danijel