Open Source and information security mailing list archives
 
Message-ID: <48183.193.201.200.110.1072105917.squirrel@www.bigyellowfish.com>
From: full-disclosure at no-spam.co.uk (nicholas)
Subject: Removing ShKit Root Kit

>Can anyone recommend some links or useful information for removing the
>"ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server
>owned by a client of mine.
>
>"Searching for ShKit rootkit default files and dirs... Possible ShKit
>rootkit installed" <== chkrootkit output
>
>I have only read limited information on this rootkit from a honeypot
>report where it was used, no cleaning information. I've googled a bunch
>of times, don't go out of your way to answer this, the box will be redone
>anyway. I'm just curious to find out what this rootkit is about, not even
>packetstorm has a copy to look at :)

Posted this to the list from the wrong address.
Here it is again, hopefully before the list admin moderator posts his copy.

hi there

In your case, if you want to have a poke around before you rebuild it, I'd
take the box off the network, and from your redhat CD reinstall the
following packages.
crontabs,   psmisc,
fileutils,  sysklogd,
findutils,  textutils,
net-tools,   util-linux,
procps,    xinetd.

This should replace any binaries overwritten by the attack.
For the shkit, I think it plays with your library linker too, so you might
have to reinstall that.
Reboot the machine for good measure, and take a closer look at any unusual
processes or ports open that you aren't used to seeing.

Plug in a laptop you don't really care about with a crossover cable to the
ethernet port and run netstat -tupan on the server. If you see anything
strange there, like sshd listening on a high port, try and connect to it
from your laptop. There are plenty of other things to look out for, too many
to list here. To find out how your box was exploited, go through the logs
of all your major apps. Start with your syslog, and guesstimate when the
attack took place, then look at all your logs for around that period. It
will probably be a little too late to find out exactly _what_ files have
been modified, for that you'd need to compare some checksums or the like
on all your files, a list of which you probably don't have.
To avoid this sort of thing in the future, and to help you find out what
changed on your box, I'd look into www.lids.org, aide.sf.net,
ippersonality.sf.net and bits and pieces of the openwall.com project for
server level security (not network/firewall level).

good luck

nicholas
_________________________
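
Added example, not part of the message above: a minimal sketch of the checksum list the reply says you would need, recorded on a known-clean system and compared later. The function names are hypothetical, the manifest is assumed to be stored off the host, and on a suspect machine the tools themselves should come from known-good media; AIDE, which the reply recommends, covers far more file metadata than this.

```shell
#!/bin/sh
# Illustrative helpers (assumed names, not from any project mentioned above).

# integrity_baseline DIR MANIFEST
# Record a SHA-256 for every regular file under DIR (one filesystem only).
# Keep MANIFEST outside DIR, ideally on read-only or off-host storage.
integrity_baseline() {
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# integrity_compare DIR MANIFEST
# Re-hash DIR and print one line per difference against MANIFEST:
#   ADDED <path>, CHANGED <path> or REMOVED <path>. Prints nothing if clean.
integrity_compare() {
    cur=$(mktemp) || return 2
    integrity_baseline "$1" "$cur"
    awk '
        # Split "hash  path" (or "hash *path"); paths may contain spaces.
        { h = $1; sub(/^[^ ]+ [ *]/, "") }
        FILENAME == ARGV[1] { old[$0] = h; next }   # lines from the baseline
        {                                           # lines from the re-hash
            seen[$0] = 1
            if (!($0 in old))      print "ADDED " $0
            else if (old[$0] != h) print "CHANGED " $0
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | sort
    rm -f "$cur"
}
```

Typical use is `integrity_baseline /usr /mnt/usb/usr.sha256` right after a clean install, then `integrity_compare /usr /mnt/usb/usr.sha256` when something looks wrong; both paths here are placeholders.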

