Article ID: 1013, created on Oct 6, 2008, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo 6.0
  • Virtuozzo containers for Linux



For EZ templates, check this article.

A container (CT) can be compromised if its owner uses insecure or out-of-date software. To detect if CT #101 has any rootkits installed, you can use the chkrootkit utility either inside the CT or (better) on the hardware node using -r /vz/root/101 parameter. There is also a way to determine which packages were modified on the CT:

  1. mount VE private area (it may be needed in case a CT can not be started):

    # vzctl mount 101
  2. check packages integrity:

    # /usr/share/vzpkgtools/vzrpm/bin/rpm --root=/vz/root/101 --veid 101 -Va | egrep '^..5|missing'

This command shows files that were modified (it is checked by comparing MD5 or SHA1/SHA512 sum) or removed.

The path to the needed package manager (/usr/share/vzpkgtools/vzrpm/bin/rpm in the example above) may be different for different containers - it depends on its OS template. You may check which package manager (PKGMAN) should be used in the OS template in the file "/vz/template/$OSRELEASE/conf/$OSRELEASE.conf.$OSVERSION" for a standard OS template named as "OSRELEASE $OSVERSION" in the output of vzpkgls $CTID command:

~# vzpkgls 101
centos-4 20070605

For example, CentOS 4 has PKGMAN=rpm43x86 so the path should be /usr/share/vzpkgtools/vzrpm43/bin/rpm.

~# grep PKGMAN /vz/template/centos-4/conf/centos-4.conf.20070605

The following command automates both steps:

~# vzpkgls $CTID | while read tmpl vers; do for ver in $vers; do grep ^PKGMAN= /vz/template/$tmpl/conf/$tmpl.conf.$ver 2>/dev/null; done; done | sort -u

(Replace "$CTID" with the actual container's ID value or define this variable using set CTID=101 before running the command.)

Follow the instructions from the article #1012 to repair a hacked CT.

Search Words

trying to boot from sata drive 1


cli plesk


container fails to start

secure vnc

e8e50b42231236b82df27684e7ec0beb d02f9caf3e11b191a38179103495106f 2897d76d56d2010f4e3a28f864d69223 0dd5b9380c7d4884d77587f3eb0fa8ef c62e8726973f80975db0531f1ed5c6a2

Email subscription for changes to this article
Save as PDF