How to replace infected `/lib/libsh.so` and `/etc/sh.conf` files?

Question

Possible Duplicate:
My server’s been hacked EMERGENCY

Which package does the file /lib/libsh.so belong to?

I need to replace it since it was infected. Same for /etc/sh.conf.

For now I have moved it to /temp/libsh.so.infected. Can I just delete it?

Edit 1:

I just found out that libsh.so isn't a file but a directory with following files: bash shdcf shhk shhk.pub shrs

Once a server's been compromised, you don't play around with the files here and there. You wipe it and re-install and restore your data files from backup. — Magellan, Oct 11 '12 at 17:15

score 1 · Accepted Answer · answered Oct 08 '12 at 21:51

1

Those aren't files I've ever heard of. Googling for libsh.so brings up results related to the SHV4/5 rootkit. Here's a blog post detailing symptoms and removal

answered Oct 08 '12 at 21:51

darkcontrast

Yes, the files belong to rootkit, REMOVED immediately! – Danijel Oct 08 '12 at 21:53

score 0 · Answer 2 · answered Oct 05 '12 at 12:22

0

What distribution do you have ? Matching file to package totally depends on package manager -> {and thus to distribution}.

In any case, for rpms (Fedora, Redhat, Centos ...) you can do it with rpm -qf /lib/libsh.so

answered Oct 05 '12 at 12:22

Nikolaidis Fotis

2 Answers2