
I am new in my company and a week ago I discovered that the company Linux server contains a virus. Trying to figure out the cause of the virus infection, I noticed that the server has not been kept up to date for a long time!! I think, but am not sure, that this is the reason why the virus hacked the system.

Via terminal the lsb_release -a command displays the following:

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 5.0.10 (lenny)
Release:    5.0.10
Codename:   lenny

I know this is too old (lenny!!) and I have to upgrade the system to Debian 7.0 Wheezy. The questions are:

  • What risks could arise after the update procedure?
  • Do I have to reinstall all the system files from scratch?
  • Do I then have to update the PHP and MySQL versions too, to be compatible with the new Debian version?

I am hesitating since the version is so old and my knowledge of Linux servers is very limited.

Flup
amani

2 Answers


If you have a rootkit on the machine (the most damaging kind of virus), it will most likely have inserted code into your kernel modules (so it can hide itself from normal detection tools like md5sum or netstat), and into libraries (so that other tools installed, beyond the normal detective ones, will similarly be nobbled).

There are a number of tools which are worth having compiled with all libraries internally, sash, ps, netstat and md5sum being the main ones.

If you don't know what you're doing, then identifying the extent of a rootkit can be nigh on impossible. When I've been hit in the past, as soon as I've identified behaviour which I'm absolutely sure shows a malicious invader, I shut down the machine, buy new disks, do a fresh install, update and lock down the new box, and only then get access to the old disks to recover data.

If you're running a very old version of Linux (I still have one server running 8.04 LTS), then ensure you only run the bare minimum of internet-facing services, and monitor the server regularly. If anything changes unexpectedly, then you need to get in fast, as a bot hacker can go from exploiting something minor to adding user-level scripts in hours. If possible, keep the syslog on a different machine.

If you're not an experienced sysadmin, then seriously, heed the advice given by others: you need to keep it up to date, or you're taking a huge risk.

sibaz
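The answer above recommends checking binaries such as ps and netstat with md5sum. The script below is an added example, not code from the answer or from Debian: it verifies files against a dpkg-style `.md5sums` manifest (the format Debian stores under `/var/lib/dpkg/info/<package>.md5sums` and that debsums reads), and builds a constructed throwaway tree, with one binary tampered and one removed, to show what a hit looks like. It assumes only that `md5sum` is on PATH. The caveat from the answer applies in full: if md5sum, libc or the kernel has been replaced, this check can be lied to, so run it with a statically linked md5sum brought in from clean media.

```shell
#!/bin/sh
# Added example (not from the original post): verify files against a
# dpkg-style ".md5sums" manifest, the way debsums does on Debian.
# Assumption: "md5sum" is on PATH. If a rootkit has trojaned md5sum,
# libc or the kernel, the results cannot be trusted; use a statically
# linked md5sum copied in from clean media.

# check_manifest MANIFEST ROOT
# Reads "hash  relative/path" lines from MANIFEST, hashes ROOT/relative/path,
# and prints one line per file that is missing or whose hash differs.
# Prints nothing when every file matches.
check_manifest() {
    manifest=$1
    root=$2
    while read -r expected path; do
        [ -n "$path" ] || continue              # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "CHANGED $path"
    done < "$manifest"
}

# make_demo: builds a constructed package-like tree under a temp directory,
# records its manifest while the files are known-good (what dpkg does at
# install time), then simulates a rootkit by replacing ps and removing
# ifconfig. Prints the demo root so the caller can inspect and remove it.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin"
    printf 'genuine ps\n'       > "$root/bin/ps"
    printf 'genuine netstat\n'  > "$root/bin/netstat"
    printf 'genuine ifconfig\n' > "$root/sbin/ifconfig"
    ( cd "$root" && md5sum bin/ps bin/netstat sbin/ifconfig ) > "$root/manifest"
    printf 'trojaned ps that hides PIDs\n' > "$root/bin/ps"   # tampered
    rm -f "$root/sbin/ifconfig"                                # deleted
    echo "$root"
}

# Stand-alone run: report on the constructed tree, then clean up.
demo_root=$(make_demo)
check_manifest "$demo_root/manifest" "$demo_root"
rm -rf "$demo_root"
```

On a real Debian box the manifests to feed in are `/var/lib/dpkg/info/*.md5sums` with `/` as the root; a clean run prints nothing, and any `CHANGED` line for a file in coreutils, procps or net-tools is exactly the kind of evidence the answer says should make you pull the machine rather than keep investigating on it.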

This should be a comment but it's a bit long.

"company linux server contains a virus"

This immediately sets my alarm bells ringing. Viruses on Linux are exceedingly rare. There are lots of other kinds of malware (worms, trojans, rootkits). If it's a fileserver then it may just be storing the virus that another computer wrote there; upgrading the OS won't help with that. It will help with most of the other types of malware, but the existence of these implies a vulnerability which may have been in the OS, or may have been in the config or in code running on the server which is not part of the OS (e.g. a web-based content management system), which will not be fixed by upgrading the OS.

Sure, upgrade the OS if you want to be seen to be doing something. But if you tell us as much as you know about the incident, then there's a possibility that we might be able to help you make the machine a bit more secure.

symcbean