[thelist] Stupid linux/router problem

Brent Eades beades at almonte.com
Fri Jul 6 08:13:00 CDT 2007


Eduardo Kienetz wrote:

> Run as root: ifconfig eth0
> It will show something like: inet addr:X.Y.Z.W
> That is the IP you got and the one you should use in httpd.conf
> Now, some other software/instance might be using that port already, so run:
> netstat -anp | grep LISTEN | grep ":80"
> That should show you the process binding to port 80.

> P.S.: It would have been interesting if you had ran chkrootkit in that
> server before formating/reinstalling (www.chkrootkit.org).
> Also, reviewing logs would have probably shown how they got in, where
> they are from, etc.

Thanks to you, Anthony, Jon and der wert. Between your various
suggestions I got this straightened out, and Apache is now a happy puppy
again :)

As for the rootkit: I did run chkrootkit, and it located the very evil
SHV5 variant. I also did figure out who did it (their IP, at least, in
Israel) and how they got in, and have forwarded the relevant logs to to
RSA and their ISP.

I googled extensively on the topic of removing that particular rootkit.
I found many discussions of it, but not a single example of how to
successfully remove it. The advice given, repeatedly, was "reformat,
reinstall." So I did.

(I think it was this quote from Wikipedia that convinced me: "Removing
rootkits: There is a body of opinion that holds this to be forbiddingly
impractical. Even if the nature and composition of a rootkit is known,
the time and effort of a system administrator with the necessary skills
or experience would be better spent re-installing the operating system
from scratch...")

All for the best in the end, I suppose. I now have a much more current
Linux distro (latest PHP, mySQL, SSH, SElinux, etc), and the assurance
that I now have a 'clean machine'. I will also be implementing some
hardening I should have done ages ago.

P.S. And yes, I did have my years' worth of web files properly backed up
offsite. Phew :)

-- 
Brent Eades	
Almonte, Ontario
http://almonte.com




More information about the thelist mailing list