05-15-2004, 04:23 AM #1 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
Help with possible suckit rootkit
This morning I found:
Searching for Suckit rootkit ... Warning: /sbin/init INFECTED
and also:
Checking `sniffer'... /proc/6355/fd: No such file or directory
I know that suckit replaces /sbin/init with itself and then runs on a reboot. I ran:
ls -li /sbin/init /sbin/telinit
which looks OK:
119402 -rwxr-xr-x 1 root root 27036 Feb 5 21:55 /sbin/init*
119410 lrwxrwxrwx 1 root root 4 May 13 00:59 /sbin/telinit -> init*
The strangely listed process returns this:
6355 0.0 0.0 0 0 ? Z May13 0:00 [upcp <defunct>]
I did update cPanel the day before yesterday, so is this just a false alert and a bit of a buggy cPanel update? I'm unsure what to look for now, so any help would be useful. Thanks.
05-15-2004, 04:51 AM #2 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
OK, I killed the defunct process by killing its parent, then ran /scripts/upcp manually, which solved that, but chkrootkit still reports /sbin/init INFECTED, so I guess they were not connected.
05-15-2004, 06:19 AM #3 | Retired Moderator | Join Date: Jan 2003 | Posts: 9,049
A cPanel update shouldn't give that error. You should look into cleaning your box or asking for a fresh reload of the OS.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
05-15-2004, 06:43 AM #4 | Retired Moderator | Join Date: Jan 2003 | Posts: 9,049
If you need help, let me know. I can take a look for you.
05-15-2004, 06:58 AM #5 | Web Hosting Master | Join Date: Jun 2003 | Posts: 976
For more info, try skdetect ( http://tsd.student.utwente.nl/skdetect/ ) and http://www.phrack.org/phrack/58/p58-0x07
05-15-2004, 07:00 AM #6 | Retired Moderator | Join Date: Jan 2003 | Posts: 9,049
Yes. That's the article that published the rootkit. If you can find it, there's actually an uninstall function (if you trust it), provided the perpetrators have yet to modify the code.
05-15-2004, 09:11 AM #7 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
skdetect doesn't want to run for me; I'm assuming I should just be able to run ./Makefile and then run the executables, right?
I ran the perl script, which found 4 processes not in ps. In the 24 hours between a clean chkrootkit output and the one with the warning, I can't see anywhere in the log where the script might have been uploaded.
05-15-2004, 10:05 AM #8 | Linux Problems Solved. | Join Date: Dec 2001 | Location: Los Angeles, CA | Posts: 1,337
Try:
*Use this at your own risk!
cd /usr/share/locale/sk/.sk12
./sk u
mv /sbin/init /sbin/init.hacked
cp /sbin/initsk12 /sbin/init
reboot server
If you indeed have a suckit rootkit installed, I'd suggest getting an OS reinstall.
Ronny Fang
Linux Problems Solved. | Built for the Hosting Industry
Server Management. Node Management. Helpdesk Management.
( AcuNett, Est. 15 Years, RateLobby 5 Stars )
05-15-2004, 10:46 AM #9 | Retired Moderator | Join Date: Jan 2003 | Posts: 9,049
This is highly not recommended. You should at least try to see what hidden processes are running. suckit provides a backdoor, and since then the hacker may have run other hidden processes or additional backdoors.
At best, this is a largely incomplete solution.
05-15-2004, 11:21 AM #10 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
/usr/share/locale/sk/.sk12 doesn't exist.
I will request an OS reinstall, but as this isn't a critical server and is only hosting a few personal sites, I didn't see any harm in trying to learn as much about it as possible first, especially how it got there. (Most importantly this, as I'm the only one with shell and there are hardly any scripts on the server.)
The hidden processes each have:
lrwxrwxrwx 1 root root 0 May 15 16:16 exe -> /usr/sbin/named*
root@server3 [/proc/.3683]# cat environ
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/binPWD=/LANG=en_US.UTF-8SHLVL=2_=/sbin/initlogroot@server3 [/proc/.3683]#
Does this give me an indication of where it might be? PWD=/LANG=en_US etc.
What kind of directory is that? Doesn't sound right to me.
What I don't get is that all the sites I've read about this, like this one, say that on an infected machine /sbin/telinit will show as a real file, not a symlink, but that's not the case here as per my first post.
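Two of the checks discussed in posts #7 and #10, a signal-0 PID probe like the one skdetect's perl script performs and decoding of /proc/<pid>/environ (whose entries are NUL-separated, which is why `cat` prints "PWD=/LANG=en_US.UTF-8" run together), as an added example that is not code from the thread, skdetect or chkrootkit. It assumes Linux with a readable /proc and procps `ps`.

```python
"""Added example, not code from the thread or from skdetect/chkrootkit. Decodes a
/proc/<pid>/environ blob and cross-checks PID sources the way a hidden-process scan does.
Assumes Linux with a readable /proc and procps `ps`."""
import os
import subprocess

def parse_environ(raw: bytes) -> dict:
    """environ is NUL-separated, so `cat` prints the entries run together."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def dotted_proc_entries() -> list:
    """Dot-prefixed numeric entries like /proc/.3683 are never created by the kernel."""
    return sorted(d for d in os.listdir("/proc") if d.startswith(".") and d[1:].isdigit())

def tids_from_ps() -> set:
    """Thread IDs from ps -L; kill() also answers for non-leader threads, so compare
    against TIDs, not just PIDs, to avoid false positives."""
    out = subprocess.run(["ps", "-eLo", "tid="], capture_output=True, text=True, check=True)
    return {int(tok) for tok in out.stdout.split()}

def pids_from_probe(max_pid: int = None) -> set:
    """Brute-force IDs with signal 0 (the skdetect perl script's approach):
    kill() still finds a process whose /proc entry has been hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            alive.add(pid)  # exists, just owned by someone else
    return alive

def hidden_pids(probed: set, visible: set) -> list:
    """IDs that answer kill() but are absent from the visible list."""
    return sorted(probed - visible)

if __name__ == "__main__":
    print("hidden:", hidden_pids(pids_from_probe(), tids_from_ps()))
    print("dotted /proc entries:", dotted_proc_entries())
```

Run it as root so that the probe covers every process; a non-empty hidden list or any dotted /proc entry is a finding to act on, not something to clean up in place.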
05-15-2004, 03:43 PM #11 | Web Hosting Evangelist | Join Date: May 2004 | Posts: 465
Originally posted by Chris2k
/usr/share/locale/sk/.sk12 doesn't exist.
I will request an OS reinstall, but as this isn't a critical server and is only hosting a few personal sites, I didn't see any harm in trying to learn as much about it as possible first, especially how it got there. (Most importantly this, as I'm the only one with shell and there are hardly any scripts on the server.)
If you really want to study it, just unplug the network cable first.
Peter
05-15-2004, 06:13 PM #12 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Try running rkhunter on the box; it finds things chkrootkit leaves behind. I would get a fresh reinstall or hire someone as a second opinion. It's never good to trust a compromised box.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
05-15-2004, 06:43 PM #13 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
Originally posted by thelinuxguy
try running rkhunter on the box, it finds things chkrootkit leaves behind.
/sbin/depmod
/sbin/init
/sbin/insmod
/sbin/modinfo
/sbin/runlevel
/sbin/syslogd
05-15-2004, 06:45 PM #14 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Are you running RHE? rkhunter does not have the new md5sums for the updated modutils package.
05-15-2004, 07:01 PM #15 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
Yes, it's RHE.
05-15-2004, 07:06 PM #16 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
rpm -qa | grep modutils
What's it report?
05-15-2004, 07:12 PM #17 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
modutils-2.4.25-12.EL
modutils-devel-2.4.25-12.EL
05-15-2004, 07:14 PM #18 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
[19:18:07] RPM info: your package 'modutils-2.4.25-12.EL'
[19:18:07] RPM info: packages in database: modutils-2.4.25-11.EL
modutils-2.4.25-11.EL
is the newest rkhunter supports.
05-15-2004, 07:18 PM #19 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
Sorry, you lost me. So the checksums are wrong?
05-15-2004, 07:32 PM #20 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
rkhunter does not have updated md5sums.
05-15-2004, 07:33 PM #21 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 64
OK, thanks. Well, in that case the rkhunter report is clean.
05-15-2004, 08:00 PM #22 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
I had contacted the creator the other day; he said a new release should be out soon.
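For the checksum discussion in posts #12 to #22: rkhunter's md5 list lagged behind the vendor's modutils update, whereas the RPM database carries the digests of the package actually installed, so `rpm -V` is the comparison to run before trusting a third-party hash list. The following is an added example, not code from the thread or from rkhunter; it assumes an rpm-based host such as the poster's RHEL box.

```python
"""Added example, not from the thread or rkhunter: verify a binary such as /sbin/init
against the RPM database, whose digests belong to the installed package rather than to a
third-party signature list that can lag behind vendor updates. Assumes an rpm-based host."""
import subprocess

# One letter per attribute in the first column of `rpm -V` output, in column order.
RPM_V_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
               "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
               "P": "capabilities"}

def parse_rpm_verify(output: str) -> dict:
    """Map each path in `rpm -V` output to the attributes that differ from the package."""
    diffs = {}
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        path = fields[-1]  # an attribute letter such as 'c' (config) may sit in between
        if fields[0] == "missing":
            diffs[path] = ["missing"]
        else:
            diffs[path] = [RPM_V_FLAGS[ch] for ch in fields[0] if ch in RPM_V_FLAGS]
    return diffs

def suspicious(diffs: dict) -> list:
    """Paths whose content changed (digest or size) or that are missing;
    an mtime-only difference is usually benign."""
    return sorted(p for p, attrs in diffs.items()
                  if "missing" in attrs or "digest" in attrs or "size" in attrs)

def verify_path(path: str) -> dict:
    """Run `rpm -qf` and `rpm -Vf` on one file; a file no package owns is itself a finding."""
    owner = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    if owner.returncode != 0:
        return {path: ["not owned by any package"]}
    verify = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return parse_rpm_verify(verify.stdout)

if __name__ == "__main__":
    # The paths rkhunter flagged in post #13.
    for p in ("/sbin/depmod", "/sbin/init", "/sbin/insmod", "/sbin/modinfo",
              "/sbin/runlevel", "/sbin/syslogd"):
        print(p, suspicious(verify_path(p)) or "ok")
```

Keep in mind that a kernel-level rootkit can lie to rpm as well as to ps, so a clean result from an on-host check is only as trustworthy as the kernel it ran under; a reinstall remains the safe end state.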