Full Disclosure mailing list archives

Re: Removing ShKit Root Kit


From: Cael Abal <lists () onryou com>
Date: Sun, 21 Dec 2003 20:56:20 -0500

Chris wrote:
> Can anyone recommend some links or useful information for removing
> the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat
> 8.0 server owned by a client of mine.
>
> "Searching for ShKit rootkit default files and dirs... Possible
> ShKit rootkit installed" <== chkrootkit output
>
> I have only read limited information on this rootkit from a
> honeypot report where it was used, no cleaning information. I've
> googled a bunch of times, don't go out of your way to answer this,
> the box will be redone anyway. I'm just curious to find out what
> this rootkit is about, not even packetstorm has a copy to look at
> :)

Hi Chris,

The only real way to recover from a rooted machine is a complete
wipe and reinstall, regardless of the rootkit.  I definitely
wouldn't recommend trying to 'clean' a server, especially using some
third-party tool.

I know this isn't what you're looking for (and I'm sure you're aware
of the pitfalls associated with trying to secure a rooted box) --
this is more of a heads-up to those just getting their infosec feet
wet.  I'm imagining hordes of kids out there think that re-securing
a rooted box is just a matter of clicking the 'Uninstall ro0tkit...'
button.

take care,

Cael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html