Linux.RST.B advice: security compromised?

I was first alerted to the fact there was a problem when WHM emailed me informing me it had killed off an eggdrop in a user's home directory.

I promptly suspended the account and proceeded to clamscan the server.

I did find (and remove) some entries saying Linux.RST.B in /tmp

but chkrootkit and rkhunter seem to come back ok.

(chkrootkit said there was a bindshell on port 465, but after googling it I'm pretty sure it's a false positive and it's actually exim listening on the port)

apart from /attachment.MYD: Trojan.Keylogger.BP-2 FOUND (I think that was a dodgy attachment on someone's vb forum which the forum admin has found and removed)

I've not found any other viruses yet (still scanning), so did I get lucky with this Linux.RST.B in the sense that although it got into /tmp it was unable to execute?

I'm a bit at a loss as to how someone managed to execute the eggdrop though, as I've looked in the logs and can't see anyone getting SSH access apart from myself, and the user whose account I found the eggdrop on doesn't have SSH access.

 

 

 

 
