Resolution

ATTENTION! THIS ARTICLE WORKS FOR STANDARD (STD) TEMPLATES ONLY!

For EZ templates, check this article.

A container (CT) can be compromised if its owner runs insecure or out-of-date software. To detect whether CT #101 has any rootkits installed, you can run the chkrootkit utility either inside the CT or (better) on the hardware node, using the -r /vz/root/101 parameter. There is also a way to determine which packages were modified in the CT:

  1. Mount the VE (container) private area (this may be needed when the CT cannot be started):

    # vzctl mount 101

  2. Check the integrity of the installed packages:

    # /usr/share/vzpkgtools/vzrpm/bin/rpm --root=/vz/root/101 --veid 101 -Va | egrep '^..5|missing'

This command lists files that were modified (a "5" in the third column of the rpm -V output means the file digest, MD5 or SHA1/SHA512 depending on the rpm version, no longer matches the package database) or that are missing.

The path to the required package manager (/usr/share/vzpkgtools/vzrpm/bin/rpm in the example above) differs between containers, since it depends on the container's OS template. To find out which package manager (PKGMAN) an OS template uses, look in the file "/vz/template/$OSRELEASE/conf/$OSRELEASE.conf.$OSVERSION", where the standard OS template is listed as "OSRELEASE $OSVERSION" in the output of the vzpkgls $CTID command:

~# vzpkgls 101
centos-4 20070605

For example, CentOS 4 has PKGMAN=rpm43x86 so the path should be /usr/share/vzpkgtools/vzrpm43/bin/rpm.

~# grep PKGMAN /vz/template/centos-4/conf/centos-4.conf.20070605
PKGMAN=rpm43x86

The following command automates both steps:

~# vzpkgls $CTID | while read tmpl vers; do for ver in $vers; do grep ^PKGMAN= /vz/template/$tmpl/conf/$tmpl.conf.$ver 2>/dev/null; done; done | sort -u
PKGMAN=rpm43x86

(Replace "$CTID" with the actual container ID, or define the variable with CTID=101 in the shell before running the command.)
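The same procedure as a small POSIX shell script, added here as an example and not part of the original article or of the Virtuozzo tools. It assumes the PKGMAN naming rule seen in the CentOS 4 example (rpm<version><arch> maps to /usr/share/vzpkgtools/vzrpm<version>/bin/rpm) and the /vz paths used above; verify_ct is the only function that touches the hardware node.

```shell
#!/bin/sh
# Added example: look up PKGMAN for a container's OS template, build the vzrpm path
# and list modified or missing files, as described in the article above.

# Map a PKGMAN value such as rpm43x86 to the vzrpm binary path.
# Assumption (from the CentOS 4 example): PKGMAN is "rpm<version><arch>" and the
# binary lives under /usr/share/vzpkgtools/vzrpm<version>/bin/rpm.
pkgman_to_rpm_path() {
    case "$1" in
        rpm*) ;;
        *) echo "unsupported PKGMAN value: $1" >&2; return 1 ;;
    esac
    ver=$(printf '%s' "$1" | sed -e 's/^rpm//' -e 's/x86$//' -e 's/x64$//')
    printf '/usr/share/vzpkgtools/vzrpm%s/bin/rpm\n' "$ver"
}

# Read the PKGMAN= line from an OS template conf file supplied on stdin.
read_pkgman() {
    sed -n 's/^PKGMAN=//p' | head -n 1
}

# Keep only rpm -V lines with a digest mismatch ("5" in the third column)
# or a missing file; this is the same test as the article's egrep.
filter_modified() {
    grep -E '^..5|missing'
}

# Full check for one container: mount it, then run the template's own rpm
# against the mounted root. Requires vzctl, vzpkgls and /vz on the node.
verify_ct() {
    ctid=$1
    vzctl mount "$ctid" || return 1
    vzpkgls "$ctid" | while read tmpl vers; do
        for ver in $vers; do
            conf="/vz/template/$tmpl/conf/$tmpl.conf.$ver"
            [ -r "$conf" ] || continue
            pkgman=$(read_pkgman < "$conf")
            rpm=$(pkgman_to_rpm_path "$pkgman") || continue
            "$rpm" --root="/vz/root/$ctid" --veid "$ctid" -Va | filter_modified
        done
    done
}
```

Run it on the hardware node as `verify_ct 101`; an empty result means no digest mismatches or missing files were reported for the template's packages.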

Follow the instructions from the article #1012 to repair a hacked CT.
