  1. #1

    Help with possible suckit rootkit

    This morning I found:

    Searching for Suckit rootkit ... Warning: /sbin/init INFECTED

    and also:

    Checking `sniffer'... /proc/6355/fd: No such file or directory


    I know that suckit replaces /sbin/init with itself and then runs on a reboot, so I ran:

    ls -li /sbin/init /sbin/telinit

    which looks ok

    119402 -rwxr-xr-x 1 root root 27036 Feb 5 21:55 /sbin/init*
    119410 lrwxrwxrwx 1 root root 4 May 13 00:59 /sbin/telinit -> init*

    The strange listed process returns this:

    6355 0.0 0.0 0 0 ? Z May13 0:00 [upcp <defunct>]


    I did update cPanel the day before yesterday, so is this just a false alert and a bit of a buggy cPanel update? I'm unsure of what to look for now, so any help would be useful. Thanks.

  2. #2
    OK, I killed the defunct process by killing its parent, then ran /scripts/upcp manually, which has solved that, but chkrootkit still reports /sbin/init INFECTED, so I guess they were not connected.

  3. #3
    A cPanel update shouldn't give that error. You should look into cleaning your box or asking for a fresh reload of the OS.
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  4. #4
    If you need help, let me know. I can take a look for you.

  5. #5

  6. #6
    Yes. That's the article that published the rootkit. If you can find it, there's actually an uninstall function (if you trust it, and provided the perpetrators have yet to modify the code).

  7. #7
    skdetect doesn't want to run for me; I'm assuming I should just be able to run ./Makefile and then run the executables, right?

    I ran the perl script, which found 4 processes not in ps. In the 24 hours between a clean chkrootkit output and the one with the warning, I can't see anywhere in the log where the script might have been uploaded.

  8. #8
    try

    *Use this at your own risk!

    cd /usr/share/locale/sk/.sk12
    ./sk u

    mv /sbin/init /sbin/init.hacked

    cp /sbin/initsk12 /sbin/init

    reboot server

    If you indeed have a suckit rootkit installed, I'd suggest getting an os reinstall.
    Ronny Fang
    Linux Problems Solved. | Built for the Hosting Industry
    Server Management. Node Management. Helpdesk Management.
    ( AcuNett, Est. 15 Years, RateLobby 5 Stars )

  9. #9
    This is highly inadvisable. You should at least try to see what hidden processes are running. suckit provides a backdoor, and since then the hacker may have run other hidden processes or additional backdoors.

    At best, this is a largely incomplete solution.

  10. #10
    /usr/share/locale/sk/.sk12 doesn't exist.


    I will request an OS reinstall, but as this isn't a critical server and is only hosting a few personal sites, I didn't see any harm in trying to learn as much about it as possible first, especially how it got there. (Most importantly this, as I'm the only one with shell and there are hardly any scripts on the server.)

    The hidden processes each have:

    lrwxrwxrwx 1 root root 0 May 15 16:16 exe -> /usr/sbin/named*


    root@server3 [/proc/.3683]# cat environ
    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/binPWD=/LANG=en_US.UTF-8SHLVL=2_=/sbin/initlogroot@server3 [/proc/.3683]#

    Does this give me an indication of where it might be? PWD=/LANG=en_US etc.

    What kind of directory is that? Doesn't sound right to me.

    What I don't get is that all the sites I've read about this, like this one, say that on an infected machine /sbin/telinit will show as a real file, not a symlink, but that's not the case here, as per my first post.
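Post #7 mentions a perl script that found processes ps does not show, and post #10 reads one of them out of /proc with cat, which runs the environ entries together. The script below is an added example, not code from the thread, chkrootkit, rkhunter or skdetect: it does the same comparison by brute force (ps and ls both go through readdir() on /proc, which is what a SucKIT-style hook filters, while a direct path lookup takes a different route) and decodes the NUL-separated environ so that "PWD=/LANG=en_US.UTF-8SHLVL=2" reads as separate variables. Function names are the example's own; it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example: expose processes a kernel rootkit hides from ps, and decode
# /proc/PID/environ.  Not from the thread, chkrootkit or rkhunter; function
# names are this example's own.  Assumes Linux with /proc mounted.
#
# ps and `ls /proc` both walk /proc with readdir(), which is what a
# SucKIT-style hook filters.  [ -d /proc/N ] is a path lookup, not a
# directory read, so probing every possible pid and diffing against the
# listing shows what the listing is missing.

# PIDs visible in a directory listing of /proc (the view ps gets), one per line.
listed_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# PIDs that answer a direct lookup, whether or not readdir() admits to them.
probed_pids() {
    pid_max=$(cat /proc/sys/kernel/pid_max)
    i=1
    while [ "$i" -le "$pid_max" ]; do
        [ -d "/proc/$i" ] && echo "$i"
        i=$((i + 1))
    done
}

# Print every pid in file $2 (probed) that is absent from file $1 (listed).
# Pure list comparison, so it also works on snapshots saved for later.
hidden_pids() {
    grep -v -x -F -f "$1" "$2"
}

# /proc/PID/environ is NUL-separated; cat runs the entries together, which is
# how "PWD=/LANG=en_US.UTF-8SHLVL=2" appears.  Turn NULs into newlines.
decode_environ() {
    tr '\000' '\n'
}

# Take both snapshots, then report each hidden pid with its exe link and
# environment.  A process started between the two snapshots shows up here
# once; run it twice and trust only pids that appear both times.
report_hidden() {
    tmp="${TMPDIR:-/tmp}/hidden.$$"
    listed_pids > "$tmp.listed"
    probed_pids > "$tmp.probed"
    for pid in $(hidden_pids "$tmp.listed" "$tmp.probed"); do
        echo "== pid $pid exe -> $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
        decode_environ < "/proc/$pid/environ" 2>/dev/null
    done
    rm -f "$tmp.listed" "$tmp.probed"
}

# Usage: sh hidden.sh --run   (as root, so every /proc/PID/exe is readable)
case "${1-}" in
    --run) report_hidden ;;
esac
```

The probe only catches a hook that filters directory listings; a rootkit that also intercepts path lookup on /proc would pass it, which is one more reason the reinstall advice in this thread stands.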

  11. #11
    Originally posted by Chris2k
    /usr/share/locale/sk/.sk12 doesn't exist.


    I will request an OS reinstall, but as this isn't a critical server and is only hosting a few personal sites, I didn't see any harm in trying to learn as much about it as possible first, especially how it got there. (Most importantly this, as I'm the only one with shell and there are hardly any scripts on the server.)
    Here is your problem. If you still have the compromised machine on the network, then I am afraid you have already lost time. Most likely you have more machines compromised as well. So be careful with this study; better to ask people around if you have any questions.
    If you really want to study it, unplug the network cable first.

    Peter

    Last edited by choon; 05-15-2004 at 05:02 PM.

  12. #12
    Try running rkhunter on the box; it finds things chkrootkit leaves behind. I would get a fresh reinstall or hire someone as a second opinion. It's never good to trust a compromised box.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  13. #13
    Originally posted by thelinuxguy
    Try running rkhunter on the box; it finds things chkrootkit leaves behind.
    I already did, and its check for suckit reports OK, but it does find some incorrect md5 checksums:

    /sbin/depmod
    /sbin/init
    /sbin/insmod
    /sbin/modinfo
    /sbin/runlevel
    /sbin/syslogd

  14. #14
    Are you running RHE? rkhunter does not have the new md5sums for the updated modutils package.

  15. #15
    Yes, it's RHE.

  16. #16
    rpm -qa | grep modutils

    What does it report?

  17. #17
    modutils-2.4.25-12.EL
    modutils-devel-2.4.25-12.EL

  18. #18
    [19:18:07] RPM info: your package 'modutils-2.4.25-12.EL'
    [19:18:07] RPM info: packages in database: modutils-2.4.25-11.EL


    modutils-2.4.25-11.EL is the newest version rkhunter supports.

  19. #19
    Sorry, you lost me. So the checksums are wrong?

  20. #20
    rkhunter does not have updated md5sums.

  21. #21
    OK, thanks. Well, in that case the rkhunter report is clean.

  22. #22
    I had contacted the creator the other day; he said a new release should be out soon.
