From: chris at cr-secure.net (Chris)
Subject: Removing ShKit Root Kit
Thanks everyone for the replies. I just took on this job for this client;
the past security admin did nothing, hence there's a rootkit. I don't plan
on trying to save the box, but it's nice to look at forensic data so I
know what to look out for next time. I used the tool examiner to comment
the objdump on the ifconfig binary and I'm pretty sure there's a few
socket calls in there that don't belong. So I'm sure it was rooted.
Chris
www.cr-secure.net
Alexander Schreiber wrote:
>On Sun, Dec 21, 2003 at 07:28:55PM -0500, Chris wrote:
>
>
>>Can anyone recommend some links or useful information for removing the
>>"ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server
>>owned by a client of mine.
>>
>>"Searching for ShKit rootkit default files and dirs... Possible ShKit
>>rootkit installed" <== chkrootkit output
>>
>>I have only read limited information on this rootkit from a honeypot
>>report where it was used, no cleaning information. I've googled a bunch
>>of times; don't go out of your way to answer this, the box will be redone
>>anyway. I'm just curious to find out what this rootkit is about, not even
>>packetstorm has a copy to look at :)
>>
>>
>
>There is exactly one way to properly clean up a rooted box: backup the
>system (for later analysis and for keeping any data that might be
>needed), wipe the disks and reinstall from known clean install media,
>update the system to get all current security updates and properly
>secure the box.
>
>Just trying to "remove the rootkit" is not sufficient:
> - the attacker might have installed more than one root kit,
> - the attacker might have modified a standard root kit, rendering
> a "standard removal procedure" for this particular rootkit
> incomplete,
> - the attacker might have used a formerly unknown rootkit, so you have
> to analyze the system,
> - you might simply not find everything the attacker left, because
> kernel level tools were used and you are _running_ under the
> modified kernel environment which nicely hides parts of the
> modified system from you,
> - last but not least: even if you manage to successfully remove the
> rootkit, the original vulnerability which allowed the attacker
> to take over the machine in the first place is likely still there
>
>Regards,
> Alex.
>
>
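The check Chris describes above, looking at the dynamic imports of the ifconfig binary for socket-related calls that don't belong, can be scripted. The following is an added example and not code from this thread or from chkrootkit: it parses the text that `objdump -T <binary>` prints and reports imported symbols a given tool has no reason to use. The symbol policy and the two sample objdump outputs are constructed for the example, not captured from a real rooted host. One caveat the policy encodes: `socket()` alone is not evidence against ifconfig, because ifconfig legitimately opens a socket to issue `SIOCGIF*` ioctls on it; `connect`, `listen`, `execve` and friends are what a backdoored copy pulls in. And, per Alexander's point about running under a modified kernel, run this from clean boot media against the mounted evidence disk, with a known-good objdump, never with the suspect system's own tools.

```python
"""Flag unexpected dynamic imports in a binary's `objdump -T` output.

Added example (not from the original thread).  The sample objdump text and
the SUSPICIOUS_IMPORTS policy below are constructed assumptions.
"""
import re
import subprocess
from typing import List, Set

# Imports that warrant a second look in a tool whose only job is to read
# and set interface configuration.  socket() is deliberately absent: ifconfig
# needs a socket fd for its ioctl() calls.  Connecting, listening, name
# resolution and spawning programs are not part of that job.  (Assumed policy.)
SUSPICIOUS_IMPORTS: Set[str] = {
    "connect", "bind", "listen", "accept", "send", "sendto", "recv",
    "recvfrom", "gethostbyname", "getaddrinfo",
    "execve", "execl", "execlp", "execv", "execvp", "system", "popen",
    "fork", "daemon", "setsid", "ptrace",
}

# A symbol-table row starts with a hex address followed by whitespace;
# headers ("DYNAMIC SYMBOL TABLE:"), the file-format line and blanks do not.
_SYMBOL_ROW = re.compile(r"^[0-9a-fA-F]+\s")


def undefined_symbols(objdump_t_output: str) -> List[str]:
    """Return the imported (*UND*) symbol names from `objdump -T` text, in order."""
    names: List[str] = []
    for line in objdump_t_output.splitlines():
        if not _SYMBOL_ROW.match(line):
            continue                      # not a symbol row
        fields = line.split()
        if "*UND*" not in fields:
            continue                      # defined inside the binary, not imported
        names.append(fields[-1])          # symbol name is always the last column
    return names


def suspicious_imports(objdump_t_output: str,
                       policy: Set[str] = SUSPICIOUS_IMPORTS) -> List[str]:
    """Imported symbols that fall inside the policy set, sorted for stable output."""
    return sorted(set(undefined_symbols(objdump_t_output)) & policy)


def scan_binary(path: str) -> List[str]:
    """Run a (trusted) objdump on a file from the mounted evidence disk.

    Example: scan_binary("/mnt/evidence/sbin/ifconfig").  Not exercised by the
    tests below, which work on the constructed samples only.
    """
    proc = subprocess.run(["objdump", "-T", path],
                          capture_output=True, text=True, check=True)
    return suspicious_imports(proc.stdout)


# Constructed sample: what objdump -T might print for a trojaned ifconfig.
# The connect/listen/execve rows are the invented "doesn't belong" part.
SAMPLE_TROJANED_IFCONFIG = """\
/mnt/evidence/sbin/ifconfig:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   ioctl
00000000      DF *UND*  00000000  GLIBC_2.0   socket
00000000      DF *UND*  00000000  GLIBC_2.0   printf
00000000      DF *UND*  00000000  GLIBC_2.0   connect
00000000      DF *UND*  00000000  GLIBC_2.0   listen
00000000      DF *UND*  00000000  GLIBC_2.0   execve
00000000  w   D  *UND*  00000000              __gmon_start__
08049f10 g    DO .bss   00000004  Base        optarg
"""

# Constructed sample of a clean ifconfig: socket() is present and that is fine.
SAMPLE_CLEAN_IFCONFIG = """\
/mnt/clean/sbin/ifconfig:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   ioctl
00000000      DF *UND*  00000000  GLIBC_2.0   socket
00000000      DF *UND*  00000000  GLIBC_2.0   printf
00000000  w   D  *UND*  00000000              __gmon_start__
"""

if __name__ == "__main__":
    for label, sample in (("trojaned", SAMPLE_TROJANED_IFCONFIG),
                          ("clean", SAMPLE_CLEAN_IFCONFIG)):
        print(label, "->", suspicious_imports(sample) or "nothing suspicious")
```

A hit from this script is a pointer, not a verdict: confirm it by comparing the file's hash against the package from clean RedHat media (the binary should match the one in the original RPM byte for byte), and by disassembling the code around the flagged import.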