lists.openwall.net - Open Source and information security mailing list archives
 
From: chris at cr-secure.net (Chris)
Subject: Removing ShKit Root Kit

Thanks everyone for replies. I just took on this job for this client, 
the past security admin did nothing, hence there's a rootkit. I don't plan 
on trying to save the box but it's nice to look at forensic data so I 
know what to look out for next time. I used the tool examiner to comment 
the objdump on the ifconfig binary and I'm pretty sure there's a few 
socket calls in there that don't belong. So I'm sure it was rooted.

Chris
www.cr-secure.net


Alexander Schreiber wrote:

>On Sun, Dec 21, 2003 at 07:28:55PM -0500, Chris wrote:
>  
>
>>Can anyone recommend some links or useful information for removing the 
>>"ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server 
>>owned by a client of mine.
>>
>>"Searching for ShKit rootkit default files and dirs... Possible ShKit 
>>rootkit installed" <== chkrootkit output
>>
>>I have only read limited information on this rootkit from a honeypot 
>>report where it was used, no cleaning information. I've googled a bunch 
>>of times, don't go out of your way to answer this, the box will be redone 
>>anyway. I'm just curious to find out what this rootkit is about, not even 
>>packetstorm has a copy to look at :)
>>    
>>
>
>There is exactly one way to properly clean up a rooted box: backup the
>system (for later analysis and for keeping any data that might be
>needed), wipe the disks and reinstall from known clean install media,
>update the system to get all current security updates and properly
>secure the box.
>
>Just trying to "remove the rootkit" is not sufficient:
> - the attacker might have installed more than one root kit,
> - the attacker might have modified a standard root kit, rendering
>   a "standard removal procedure" for this particular rootkit
>   incomplete,
> - the attacker might have used a formerly unknown rootkit, so you have
>   to analyze the system, 
> - you might simply not find everything the attacker left, because 
>   kernel level tools were used and you are _running_ under the
>   modified kernel environment which nicely hides parts of the
>   modified system from you,
> - last but not least: even if you manage to successfully remove the
>   rootkit, the original vulnerability which allowed the attacker
>   to take over the machine in the first place is likely still there
> 
>Regards,
>       Alex.
>  
>
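As an added triage helper that is not part of this thread, the following Python script applies Chris's approach of inspecting the ifconfig binary's imported calls: it parses `objdump -T` output and reports dynamic symbols a stock ifconfig has no reason to import. The symbol sets and the sample objdump output are constructed assumptions for this example, and per Alexander's point the objdump should come from a trusted toolchain run over a copy of the binary, not from the rooted system's own tools.

```python
# Added triage helper (not from the thread): parse `objdump -T` output captured
# from a suspect binary and report dynamic imports the program should not need.
# All symbol lists and the sample output below are constructed for this example.

# Undefined dynamic symbols typical of a listener/backdoor; a stock ifconfig
# needs socket() and ioctl() but none of these. (Assumed heuristic list.)
SUSPICIOUS = {"listen", "accept", "bind", "connect", "execve", "execl",
              "system", "dup2"}

# Symbols a stock ifconfig legitimately imports (assumption, abbreviated).
EXPECTED_IFCONFIG = {"socket", "ioctl", "printf", "fprintf", "strcmp", "exit",
                     "malloc", "free", "close", "__libc_start_main"}

# Constructed `objdump -T /sbin/ifconfig` output for a trojaned 32-bit binary.
SAMPLE_OBJDUMP_T = """
/sbin/ifconfig:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   socket
00000000      DF *UND*  00000000  GLIBC_2.0   ioctl
00000000      DF *UND*  00000000  GLIBC_2.0   printf
00000000      DF *UND*  00000000  GLIBC_2.0   strcmp
00000000      DF *UND*  00000000  GLIBC_2.0   listen
00000000      DF *UND*  00000000  GLIBC_2.0   accept
00000000      DF *UND*  00000000  GLIBC_2.0   dup2
00000000      DF *UND*  00000000  GLIBC_2.0   execve
00000000      DF *UND*  00000000  GLIBC_2.0   strncpy
00000000  w   D  *UND*  00000000              __gmon_start__
08049a40 g    DF .text  00000120  Base        main
"""

def undefined_symbols(objdump_output):
    """Return the set of undefined (imported) symbols from `objdump -T` text.

    In objdump's table the symbol name is the last column; version and flag
    columns vary in width, so only *UND* rows are taken and the last token used.
    """
    return {line.split()[-1] for line in objdump_output.splitlines()
            if "*UND*" in line}

def triage(objdump_output, expected):
    """Return (suspicious, unexpected): imports that point at a backdoor, and
    imports outside the expected set for this program that merit a manual look."""
    imported = undefined_symbols(objdump_output)
    suspicious = sorted(imported & SUSPICIOUS)
    unexpected = sorted(imported - expected - SUSPICIOUS)
    return suspicious, unexpected

if __name__ == "__main__":
    bad, odd = triage(SAMPLE_OBJDUMP_T, EXPECTED_IFCONFIG)
    print("suspicious imports:", bad)   # ['accept', 'dup2', 'execve', 'listen']
    print("unexpected imports:", odd)   # ['__gmon_start__', 'strncpy']
```

To use it on a real capture, save the output of `objdump -T <copy-of-binary>` to a file and pass its contents to `triage` with an expected-symbol set taken from the same binary on a known-clean install.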


