  1. #1

    t0rn v8 and Showtree Rootkits

    Dear all

    Does anyone know the payload of the above rootkits? Or if you know where to get it, let me know.

    Thanks.
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  2. #2
    Join Date
    Jul 2002
    Posts
    3,734
    http://lists.debian.org/debian-user/.../msg00788.html

    That's for t0rn v8. Not sure about the other one.

  3. #3
    Actually, I pretty much wiped out t0rn v8. Still getting a positive (possible) on the Showtree rootkit. I did it by analysing chkrootkit, seeing what it checks for, and replacing/deleting those binaries/libraries and so on.

    Will do so for showtree too.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    4th person today to get this hrmms!!!?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Probably related to the cPanel issue yesterday. Who are the other 3?

  6. #6
    Thanks for the link, Andrew. Didn't find it on Google, and I missed a file or two. But the funny thing is that they don't seem to have started any of the backdoors. Oh well, back to work.

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    netstat -lntpe

    brought up

    tcp 0 0 0.0.0.0:21337 0.0.0.0:* LISTEN 0 104756549 11971/xntps


    I then ran

    ps auxf | grep 11971

    which brought up


    root 11971 0.0 0.0 1900 644 ? S 09:57 0:00 /usr/sbin/xntps -q


    which happens to be the backdoor.

  8. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Also check

    /etc/rc.d/rc.sysinit

    at the very bottom you will see

    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q


    Remove it.
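    The three checks posts #7 and #8 walk through by hand (the tcp/21337 listener, the /usr/sbin/xntps process, and the startup lines appended to /etc/rc.d/rc.sysinit), as an added POSIX shell example that is not code from the thread. It assumes only the indicators quoted in those posts; the netstat, ps and rc.sysinit inputs are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. It re-creates the checks posts #7
# and #8 do by hand for the t0rn v8 backdoor: a LISTEN socket on tcp/21337,
# a process running /usr/sbin/xntps, and the "Xntps (NTPv3 daemon) startup"
# lines appended to /etc/rc.d/rc.sysinit. Inputs are constructed samples; on
# a real host feed it `netstat -lntpe`, `ps auxf` and the real rc.sysinit,
# preferably from a clean boot medium, since a rootkit can replace netstat and ps.

# Count LISTEN sockets on port 21337 in `netstat -lntpe` output ($1 = file).
count_backdoor_listeners() {
    awk '$1 == "tcp" && $4 ~ /:21337$/ && $6 == "LISTEN" { n++ } END { print n + 0 }' "$1"
}

# Print the PID of each process whose command is /usr/sbin/xntps in `ps auxf`
# output ($1 = file). Scans from field 11 so the "\_" forest markers don't matter.
xntps_pids() {
    awk '{ for (i = 11; i <= NF; i++) if ($i == "/usr/sbin/xntps") { print $2; break } }' "$1"
}

# Copy rc.sysinit ($1) to $2 without the injected lines; print how many lines
# were dropped so the caller knows whether the file had been tampered with.
clean_rc_sysinit() {
    awk '/^# Xntps \(NTPv3 daemon\) startup/ || /^\/usr\/sbin\/xntps/ { dropped++; next }
         { print > out } END { print dropped + 0 }' out="$2" "$1"
}

# Constructed samples modelled on the output quoted in posts #7 and #8.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9001       802/sshd
tcp        0      0 0.0.0.0:21337           0.0.0.0:*               LISTEN      0          104756549  11971/xntps
EOF
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
root         1  0.0  0.0  1400  520 ?        S    09:50   0:00 init
root     11971  0.0  0.0  1900  644 ?        S    09:57   0:00 /usr/sbin/xntps -q
root      1203  0.0  0.0  4200  910 ?        S    09:51   0:00  \_ /usr/sbin/sshd
EOF
cat > "$SAMPLE_DIR/rc.sysinit" <<'EOF'
#!/bin/bash
touch /var/lock/subsys/local
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
EOF

echo "backdoor listeners: $(count_backdoor_listeners "$SAMPLE_DIR/netstat.txt")"
echo "xntps pids: $(xntps_pids "$SAMPLE_DIR/ps.txt")"
echo "rc.sysinit lines dropped: $(clean_rc_sysinit "$SAMPLE_DIR/rc.sysinit" "$SAMPLE_DIR/rc.sysinit.clean")"
```

A hit from any of the three checks is a reason to keep the host isolated and compare every binary chkrootkit flags against a known-good copy, rather than to trust the cleaned file alone.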

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681

  10. #10
    Join Date
    Jul 2002
    Posts
    3,734
    Nick says that's not an issue. :/

  11. #11
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Well, Nick's wrong, I've seen it in action.

  12. #12
    I tested. Didn't work on ours.

  13. #13
    Update: I think our firewall cramped the trojan's style. Whoever ran it didn't even run any services. The files are there. That's about it. Not as bad as it seems now. On top of that, it's a server that we used to store offsite backups.

    Probably should write a script for auto t0rn v8 removal. Or does anyone want to save me the trouble?

  14. #14
    Join Date
    Dec 2002
    Location
    Quad Cities, Iowa
    Posts
    1,606
    If you write a script for auto-removal, let me know.

  15. #15
    Join Date
    Nov 2003
    Location
    Toronto, Ontario
    Posts
    651
    Scary to trust a machine after it's been rooted, wow.

  16. #16
    Originally posted by HP-Kevin
    scary to trust a machine after it's been rooted, wow.
    Not if you know what you are doing.

  17. #17
    Join Date
    Nov 2003
    Location
    Toronto, Ontario
    Posts
    651
    If you knew what you were doing, you wouldn't have gotten rooted.

    Scary stuff... you can get rid of/reverse the actions of the rootkit maybe, but you never know if something else was modified or changed, or what sensitive information has been collected that could be used against you or your customers in the future. Damn cyber-terrorists haha.

  18. #18
    Well, it was a spare server, so there's nothing of note in it. All the servers in use are fine. cPanel simply has a lot to answer for with their buggy code.

    Like I said, if you know what you are doing, you would know what's modified or changed.

  19. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Originally posted by HP-Kevin
    If you knew what you were doing, you wouldn't have gotten rooted

    How many times do I have to go around and say it?

    You cannot gain 100% security; you can, however, gain increased security. The only way to gain 100% security is to remove the internet and lock it up in a safe where no one can get to it. But even then it's not secure, because someone could crack the safe.

    Besides, this was a hole in cPanel's buggy code that was taken advantage of; nothing you could have done to help that. Someone is always ahead of you.

  20. #20
    Join Date
    Nov 2001
    Posts
    5,383
    Exactly, people break into places that have security guards and are manned 24/7. Anyone determined enough will be able to hack your servers.
    Clustered Hosting With Continuous Data Protection (CDP)
    http://www.solidinternet.com
    8 Years of hosting excellence!

  21. #21
    That too. As the popular saying goes, the odds are against system admins. We have to patch 1001 holes and the hackers just need to find 1 to get in.

  22. #22
    Join Date
    Nov 2003
    Location
    Toronto, Ontario
    Posts
    651
    You guys don't need to jump on me; look at my post, I had a smiley face, I was joking around. Holy s***, this is WHT, you're not impressing anybody, this is just discussion.

    Back to my point: you cannot be sure you have a machine back to being secure after it's been rooted. I really don't think an exploited box can be trusted anymore... sure, you can reverse the rootkit like I said, but you don't know how elaborate the hacker got, and maybe he downloaded all your users' passwords... cracking them, most people use weak *** passwords. It's a scary situation; removing the kit isn't the solution, that's all I was saying.

    I agree there is no such thing as 100% security, I didn't say there was such a thing, but I think people don't take updates as seriously as they should. Most of these "hackers" are just using the same info available to you, the sysadmin. The guy gets an email from cPanel or SecurityFocus or wherever saying "exploit found"; he was just faster at exploiting you than you were at protecting against the exploit.

    Be proactive, not reactive, that's all I'm saying. No need to light me on fire, thank you.
