
I've seen that my system has two kinds of rootkits: SHV4 / SHV5. (I'm going to add a log here.) I tried to remove them but I could not.

Can anybody recommend a way to do it?

[ Rootkit Hunter version 1.3.8 ]
Checking system commands...
/usr/bin/md5sum                                          [ Warning ]
/usr/bin/pstree                                          [ Warning ]
/usr/bin/top                                             [ Warning ]
/usr/bin/unhide.rb                                       [ Warning ]
/sbin/ifconfig                                           [ Warning ]
/bin/ls                                                  [ Warning ]
/bin/ps                                                  [ Warning ]
/bin/netstat                                             [ Warning ]

Checking for rootkits...

cb Rootkit                                               [ Warning ]
SHV4 Rootkit                                             [ Warning ]
SHV5 Rootkit                                             [ Warning ]
Checking for possible rootkit strings                    [ Warning ]

Checking the local host...

Checking for root equivalent (UID 0) accounts            [ Warning ]
Checking for passwd file changes                         [ Warning ]
Checking for group file changes                          [ Warning ]
Checking if SSH root access is allowed                   [ Warning ]
Checking for running syslog daemon                       [ Warning ]

Do you need another kind of log file?

Thanks in advance

jask
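As an added example (not part of the original question or of rkhunter itself), the following Python parses the summary format rkhunter prints, as pasted above, into structured findings and reports whether the flagged system commands include the very tools an investigator would rely on (md5sum, ls, ps, netstat, ...). The sample log is a constructed copy in the same format as the question's output; the function names and the INVESTIGATION_TOOLS list are this example's own assumptions.

```python
"""Parse rkhunter summary output into structured findings for triage.

Added example, not code from the original post or from rkhunter. The
SAMPLE_LOG below is constructed in the format rkhunter prints and repeats
several of the findings shown in the question.
"""
import re
from collections import defaultdict

# Constructed sample report (same layout rkhunter uses; one OK line added
# so the filtering is visible).
SAMPLE_LOG = """\
[ Rootkit Hunter version 1.3.8 ]
Checking system commands...
/usr/bin/md5sum                                          [ Warning ]
/bin/ls                                                  [ OK ]
/bin/ps                                                  [ Warning ]
/bin/netstat                                             [ Warning ]

Checking for rootkits...

cb Rootkit                                               [ Warning ]
SHV4 Rootkit                                             [ Warning ]
SHV5 Rootkit                                             [ Warning ]
Checking for possible rootkit strings                    [ Warning ]

Checking the local host...

Checking for root equivalent (UID 0) accounts            [ Warning ]
Checking if SSH root access is allowed                   [ Warning ]
Checking for running syslog daemon                       [ Not found ]
"""

# A result line is "<item>   [ <status> ]" with arbitrary padding.
LINE_RE = re.compile(r"^(?P<item>.+?)\s+\[\s*(?P<status>[^\]]+?)\s*\]\s*$")

# Assumed list: commands an investigator normally trusts on a live host.
# If rkhunter reports these as modified, any output they produce on the
# compromised machine (hashes, process and socket listings) is suspect.
INVESTIGATION_TOOLS = {
    "md5sum", "ls", "ps", "netstat", "top", "pstree", "ifconfig", "find", "lsof",
}


def parse_rkhunter(text):
    """Return {section_name: [(item, status), ...]} for every result line."""
    findings = defaultdict(list)
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("[ Rootkit Hunter"):
            continue
        if line.endswith("..."):          # section header such as "Checking for rootkits..."
            section = line[:-3]
            continue
        m = LINE_RE.match(line)
        if m:
            findings[section].append((m.group("item"), m.group("status")))
    return dict(findings)


def warnings(findings):
    """Flatten to (section, item) pairs whose status is anything but OK."""
    return [(sec, item) for sec, rows in findings.items()
            for item, status in rows if status != "OK"]


def tampered_tools(findings):
    """Basenames of flagged system commands that are also investigation tools."""
    rows = findings.get("Checking system commands", [])
    names = (item.rsplit("/", 1)[-1] for item, status in rows if status != "OK")
    return sorted(n for n in names if n in INVESTIGATION_TOOLS)


def named_rootkits(findings):
    """Rootkit signatures rkhunter flagged (items ending in 'Rootkit')."""
    rows = findings.get("Checking for rootkits", [])
    return sorted(item for item, status in rows
                  if status != "OK" and item.endswith("Rootkit"))


def triage(text):
    """One-shot summary a responder can act on."""
    f = parse_rkhunter(text)
    tools = tampered_tools(f)
    return {
        "warnings": len(warnings(f)),
        "named_rootkits": named_rootkits(f),
        "tampered_tools": tools,
        # Once the inspection tools themselves are modified, nothing the live
        # host reports can be relied on; analysis has to move offline.
        "live_results_trustworthy": not tools,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a real report with `triage(open("rkhunter.log").read())`. The "live_results_trustworthy" flag is the key output: when md5sum, ps or netstat are on the tampered list, further checks should be done from a clean boot medium against the mounted disk rather than with the host's own binaries.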

1 Answer


Your system is compromised now. Nuke it from orbit and restore from a trusted state (backup).


If your system was compromised, there is no safe way to delete the rootkits apart from restoring a last known good backup and patching the vulnerability which the attackers exploited to get into your system in the first place.

Lucas Kauffman