
Possible Duplicate:
How do I deal with a compromised server?

I did a scan on my entire VPS and found the folder above with a good amount of viruses. Can I safely delete this folder? Can I do it through SSH, or is there a way I need to do it through the command line?

Specific Results:

/tmp/.xzibit/new64: UNIX.Exploit.CVE_2010_3301-2 FOUND
/tmp/.xzibit/c/robert_you_suck.c: UNIX.Exploit.CVE_2010_3301-1 FOUND
/tmp/.xzibit/ab: UNIX.Exploit.CVE_2010_3301-1 FOUND
/tmp/.xzibit/3/ptrace: Linux.RST.B-1 FOUND
/tmp/.xzibit/3/ptrace24: Linux.Rst.A FOUND
/tmp/.xzibit/3/elf: Exploit.Linux.Race.C FOUND
/tmp/.xzibit/3/brk: Linux.Brk.B FOUND
/tmp/.xzibit/3/90: Linux.Osf.3974 FOUND
/tmp/.xzibit/3/ex: Linux.RST.B-1 FOUND
/tmp/.xzibit/3/x: Linux.RST.B-1 FOUND
/tmp/.xzibit/3/ee: Linux.RST.B-1 FOUND
/tmp/.xzibit/3/nc: Linux.Rst.A FOUND
/tmp/.xzibit/3/e2: Linux.RST.B-1 FOUND
/tmp/.xzibit/3/uselib24: Exploit.Linux.Race.C FOUND
/tmp/.xzibit/1/32/therebel/exploit.c: Exploit.Linux-2 FOUND
/tmp/.xzibit/01: UNIX.Exploit.CVE_2010_3301-2 FOUND

Additional info: I've noticed the websites on this compromised in the past, scanned and cleaned. This was the first time I decided to scan everything, rather than just the web directory. This is the only thing coming up, which would lead me to believe it is leftover junk that I missed before and came from one of the sites (since it is still only stuck in the tmp dir). Would this be accurate to assume?

kilrizzy

1 Answer


NOTE: You should immediately consult a Linux system security professional regarding your question as your system may be compromised.

This looks like your system is likely compromised in some way.

The folder described is presenting itself as a Linux "dot file". "Dot files" are usually used to store configuration data for programs, however, as you see in your results, several C programs have been located in this folder, which is also not a good sign.

You might try Rootkit Hunter (http://rkhunter.sourceforge.net/) to see if any rootkits are present.

If your VPS is on a shared server/hosting service, you should probably contact your hosting provider.

If it does turn out to be a virus/rootkit/backdoor, and you can rid it from your system, you may also want to consider changing passwords if you are unsure about the security of your system.

You can likely delete the files, but this may not fix the problem if they have successfully exploited your system.

Regarding /tmp/, use the following as a guideline for deciding whether or not to delete the files:

"This directory contains mostly files that are required temporarily. Many programs use this to create lock files and for temporary storage of data. Do not remove files from this directory unless you know exactly what you are doing! Many of these files are important for currently running programs and deleting them may result in a system crash. Usually it won't contain more than a few KB anyway. On most systems, this directory is cleared out at boot or at shutdown by the local system. The basis for this was historical precedent and common practice. However, it was not made a requirement because system administration is not within the scope of the FSSTND. For this reason people and programs must not assume that any files or directories in /tmp are preserved between invocations of the program. The reasoning behind this is for compliance with IEEE standard P1003.2 (POSIX, part 2)."

Source: http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/tmp.html

To delete all files/folders in that directory: rm -rf /tmp/.xzibit

Just keep in mind, your system may still be compromised in ways you do not have tools to detect.

EDIT: See Michael Hampton's comment response to your question for recommendations about further courses of action.

sixdim
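Before running the rm -rf the answer suggests, an incident responder would normally preserve the directory for later analysis and check whether anything in it is still executing, since deleting the files does not stop a process already running from them. The script below is an added example, not part of the original question or answer; it assumes a Linux host with coreutils and /proc, and takes the directory as an argument so it can be exercised against a constructed copy instead of the real /tmp/.xzibit.

```shell
#!/bin/sh
# Added example (not from the original post). Given a suspicious directory,
# it (1) records a SHA-256 inventory, (2) archives the directory for later
# analysis, and (3) lists running processes whose executable lives inside it,
# so evidence and context survive the later `rm -rf`. Assumes Linux coreutils.

# inventory_dir DIR OUTDIR -> writes OUTDIR/manifest.txt ("hash  path" per
# regular file) and prints the number of files hashed
inventory_dir() {
    dir=$1; out=$2
    mkdir -p "$out"
    # -type f only: directories and symlinks cannot be hashed
    find "$dir" -type f -exec sha256sum {} \; | sort -k2 > "$out/manifest.txt"
    wc -l < "$out/manifest.txt" | tr -d ' '
}

# archive_dir DIR OUTDIR -> writes OUTDIR/evidence.tar.gz and prints its path
archive_dir() {
    dir=$1; out=$2
    mkdir -p "$out"
    # archive relative to the parent so the entries keep the dot-dir name
    tar -czf "$out/evidence.tar.gz" -C "$(dirname "$dir")" "$(basename "$dir")"
    printf '%s\n' "$out/evidence.tar.gz"
}

# running_from_dir DIR -> prints "PID EXE" for each process whose binary is
# inside DIR (readlink fails for PIDs we may not inspect; those are skipped)
running_from_dir() {
    dir=$1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Usage on the real finding from the question (not executed here):
#   inventory_dir    /tmp/.xzibit /root/ir-evidence
#   archive_dir      /tmp/.xzibit /root/ir-evidence
#   running_from_dir /tmp/.xzibit   # stop these before deleting the files
```

Keep the evidence directory off the compromised host (copy it out over SSH) before any cleanup, so the hashes can be matched against the scanner's findings later.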