Security Incidents mailing list archives
Re: New Rootkit?
From: Alvin Wong <alvin.wong () b2b com my>
Date: 17 Oct 2003 12:03:47 +0800
Yep, it's the SucKIT alright, but another variant. I've been hit before and I managed to find out using a command to look for setuid files and managed to find where the directories were. You should be able to toggle sk and get another shell that enables you to find the password sniffer too. Look for telltale signs of FTPing out to another IP. Probably someone produced a modified version of it, which is why chkrootkit cannot detect it.

Regards,
Alvin

On Thu, 2003-10-16 at 23:45, Eoghan Casey wrote:
This sounds like SucKIT (http://hysteria.sk/sd/f/suckit/) or a variant. This has been in general use since last year. It injects itself directly into kernel memory rather than using kernel loadable modules. See the README (http://hysteria.sk/sd/f/suckit/readme):

Q: How can I make suckit run automatically on each reboot of the machine?
A: The generic way (as the install script does) is to rename /sbin/init to /sbin/init<hidesuffix>, and place the sk binary instead of /sbin/init, so suckit will get resident immediately after boot. However, when it gets resident, all such changes will be stealthed ;) If you can't fiddle with /sbin/init, you can still place the binary somewhere in /etc/rc.d/rc3.d/S##<hidesuffix> or such.

Eoghan Casey

On Thursday, October 16, 2003, at 03:38 AM, Jonas Frey (Probe Networks) wrote:

Hello,

we've just had a customer machine blasting some 50 Mbit into our lines with pretty high pps counts. After a short analysis we found out the init got replaced/backdoored and the original init was moved to /sbin/telinit. However, the filesize on both files was the same. This is probably due to an LKM the rootkit uses to hide its existence. Chkrootkit did NOT find this rootkit. However, it pointed us the right way, saying the system had hidden processes running. After replacing init with a good version and updating the kernel we rebooted the box and found the hacked init as well as other programs of the rootkit located in /etc/.MG/ (this directory was hidden before). Apparently this is a rootkit with a DDoS-net touch. I've put up the files for further analysis at: http://81.2.144.1/rootkit/

--
Mit freundlichen Grüßen / With kind regards,
Jonas Frey

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security
Looking for a better way to manage your IP security? Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous networks
- Quickly respond to network events from a central console
Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
---------------------------------------------------------------------------
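A defender-side triage script for the three symptoms the thread reports (a setuid hunt, /sbin/init replaced by a file of identical size, and processes hidden from /proc). This is an added example, not code from any of the posters or from chkrootkit; the paths, the 65535 PID ceiling and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit. Checks for the
# three symptoms reported above. Run as root; better still, run it against the
# suspect disk mounted from a clean boot medium, since a resident rootkit
# filters what the live kernel shows.

# 1. Setuid/setgid files under a tree (default /). Diff against a known-good
#    list from the distribution; a backdoored shell usually appears here.
find_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 2. The replaced /sbin/init kept the original byte count, so a size check is
#    useless: compare content hashes. Returns 0 (true) when the files differ.
content_differs() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" != "$b" ]
}

# 3. Hidden processes: a PID that answers kill -0 but has no /proc entry is
#    being concealed. Pure list comparison ($1 live PIDs, $2 /proc PIDs,
#    both space-separated) so it can be exercised on constructed input.
hidden_pids() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Probe PIDs 1..N with kill -0 (as root, a failure means the PID is free).
# N defaults to 65535 (assumption); raise it towards pid_max on newer kernels.
live_pids() {
    i=1
    while [ "$i" -le "${1:-65535}" ]; do
        kill -0 "$i" 2>/dev/null && printf '%s ' "$i"
        i=$((i + 1))
    done
}

proc_pids() { ls /proc 2>/dev/null | grep -E '^[0-9]+$' | tr '\n' ' '; }

# Typical run on the suspect host (commands, not executed here):
#   find_setuid / > setuid-now.txt; diff setuid-known-good.txt setuid-now.txt
#   content_differs /sbin/init /mnt/clean/sbin/init && echo "init differs"
#   hidden_pids "$(live_pids)" "$(proc_pids)"   # a PID that exited between
#   the two listings is a false positive; rerun once before acting on it.
```

A syscall-hooking rootkit can lie to kill(2) as well as to /proc, so an empty result from hidden_pids is not proof of a clean box; the hash comparison against a known-good init from offline media is the check that does not depend on the running kernel.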
Current thread:
- New Rootkit? Frey (Probe Networks) (Oct 16)
- Re: New Rootkit? Thorsten Holz (Oct 16)
- Re: New Rootkit? Eoghan Casey (Oct 16)
- Re: New Rootkit? Alvin Wong (Oct 17)
- Re: New Rootkit? Russell Harding (Oct 19)
- Re: New Rootkit? Alvin Wong (Oct 17)
- Re: New Rootkit? Jeffrey Denton (Oct 16)