Legitimate sites serving up stealthy attacks
Robert Lemos, SecurityFocus 2008-01-14

Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.

Legitimate sites serving up stealthy attacks 2008-01-19
lap_64
We have a few servers infected, and after a lot of hard work and research we have got a few solutions. Before that, let me list the distros affected most:

1) CentOS 3/4

2) FC 3/4/5

3) RHEL 4

4) cPanel

In most cases, if you upgrade your kernel to the latest one which your distro provides in its tree, it will sort out the problem. Upgrade your cPanel as well, up to the CURRENT tree.

For all of the distros above

yum check-update

yum upgrade

will work fine.

In some cases, however, it is advisable to get your backups and transfer the data to some other server. I am not sure, but this exploit might be providing root access, and that's how they patch the kernel; once that is done you have no choice but to move everything to a new place.

Just a small warning: it may happen that you reboot the infected server and it never comes up, so take ALL the backups before you reboot the infected server.

One way to check if the server is compromised further is to try

mkdir 123

If you get an error, you are compromised; back up your data and put it up on a new server.

Hope this information helps others. If you need any help from me, then please do email me at lap_64 (at) mail (dot) org [email concealed]


Link to this comment: http://www.securityfocus.com/comments/articles/11501/34954#34954
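
A controlled version of the "mkdir 123" check from the comment above, added here as an example and not part of the original comment or article. It assumes the symptom is that a numeric directory name fails while an ordinary name in the same place succeeds; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the comment's "mkdir 123" check, run in a scratch directory
# with a control so ordinary failures are not mistaken for the symptom.
# Function names are hypothetical.
# Return codes: 0 = numeric name created normally
#               1 = control name works but "123" fails (symptom in the comment)
#               2 = inconclusive: no directory can be created under the parent

check_numeric_mkdir() {
    parent=${1:-${TMPDIR:-/tmp}}
    # Work inside a fresh scratch directory so existing data is never touched.
    work=$(mktemp -d "$parent/mkdircheck.XXXXXX" 2>/dev/null) || return 2
    result=0
    if ! mkdir "$work/control" 2>/dev/null; then
        # Even an alphabetic name fails: permissions, read-only or full disk.
        result=2
    elif ! mkdir "$work/123" 2>/dev/null || [ ! -d "$work/123" ]; then
        result=1
    fi
    rm -rf "$work"
    return "$result"
}

report_numeric_mkdir() {
    rc=0
    check_numeric_mkdir "$1" || rc=$?
    case $rc in
        0) echo "ok: $1: numeric directory name created normally" ;;
        1) echo "SUSPECT: $1: 'mkdir 123' failed while a control name worked" ;;
        *) echo "inconclusive: $1: cannot create directories here" ;;
    esac
    return "$rc"
}

# Usage: report_numeric_mkdir /home
```

A result of 1 is the condition the comment treats as a sign of compromise; a result of 2 points to permissions or a read-only or full filesystem instead.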







 

Copyright 2007, SecurityFocus