Parallels knowledgebase (KB) http://kb.parallels.com/ Parallels knowledgebase (KB) en Copyright 2008 Parallels Wed, 10 Sep 2008 00:00:00 +0600 Wed, 10 Sep 2008 00:00:00 +0600 rt-team@parallels.com <![CDATA[How do I determine that my VE is hacked / compromised?]]> http://kb.parallels.com/en/1013

How do I determine that my VE is hacked / compromised?

Article ID: 1013 
Last Review: Mar,23 2009
Author: Vitaly Filatov
Last updated by: system APPLIES TO:
  • Parallels Virtuozzo Containers for Linux

Resolution

VE can be compromised if its owner uses insecure or out-of-date software. To detect if VE #101 has any rootkits installed one can use the chkrootkit utility either inside the VE or (better) on the hardware node using -r /vz/root/101 parameter. There is also a way to determine which packages were modified on the VE:

- mount VE private area (it may be needed in case VE can not be started):
# vzctl mount 101

- check packages integrity:
# /usr/share/vzpkgtools/vzrpm/bin/rpm --root=/vz/root/101 --veid 101 -Va | egrep '^..5|missing'


This command shows the files that were modified or removed.

Path to the needed package manger (/usr/share/vzpkgtools/vzrpm/bin/rpm n the example above) may be different for different VEs (it depends on OS template of VE). You may check which package  manager (PKGMAN) shoud be used in OS template in the file "/vz/template/$OSRELEASE/conf/$OSRELEASE.conf.$OSVERSION" for standard OS template or in the file  "/vz/template/$OS/$RELEASE/$ARCH/config/os/default/package_manager" for EZ template, and use appropriate rpm in the command above.

For example, CentOS 4 uses 'PKGMAN=rpm43x86' so the path will be '/usr/share/vzpkgtools/vzrpm43/bin/rpm'

Follow the instructions from the corresponding article to repair a hacked VE.
Keywords: hack crack compromise restore repair


Subscription for changes to this article Subscription for changes to this article
]]> Vitaly Filatov 660 LastUpdated: 2009-03-23 06:05:45 2008-10-06 09:10:57