Full Disclosure mailing list archives
re: Removing ShKit Root Kit
From: "nicholas" <nicholas () no-spam co uk>
Date: Mon, 22 Dec 2003 14:18:58 -0000 (GMT)
> Can anyone recommend some links or useful information for removing the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server owned by a client of mine.
>
> "Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed" <== chkrootkit output
>
> I have only read limited information on this rootkit from a honeypot report where it was used, no cleaning information. I've googled a bunch of times, don't go out of your way to answer this, the box will be redone anyway. I'm just curious to find out what this rootkit is about, not even packetstorm has a copy to look at :)

hi there

In your case, if you want to have a poke around before you rebuild it, I'd take the box off the network, and from your RedHat CD reinstall the following packages: crontabs, psmisc, fileutils, sysklogd, findutils, textutils, net-tools, util-linux, procps, xinetd. This should replace any binaries overwritten by the attack. For the shkit, I think it plays with your library linker too, so you might have to reinstall that.

Reboot the machine for good measure, and take a closer look at any unusual processes or ports open that you aren't used to seeing. Plug in a laptop you don't really care about with a crossover cable to the ethernet port and run netstat -tupan on the server. If you see anything strange there, like sshd listening on a high port, try and connect to it from your laptop. There are plenty of other things to look out for, too many to list here.

To find out how your box was exploited, go through the logs of all your major apps. Start with your syslog, and guesstimate when the attack took place, then look at all your logs for around that period. It will probably be a little too late to find out exactly _what_ files have been modified; for that you'd need to compare some checksums or the like on all your files, a list of which you probably don't have.

To avoid this sort of thing in the future, and to help you find out what changed on your box, I'd look into www.lids.org, aide.sf.net, ippersonality.sf.net and bits and pieces of the openwall.com project for server level security (not network/firewall level).

good luck
nicholas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
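The checksum list nicholas says the poster probably lacks, as an added example that is not part of the original thread: a POSIX shell baseline builder and checker, assuming GNU coreutils (sha256sum, find, diff, mktemp) are present. The baseline has to be taken from a known-clean install and stored off the box, and because the reply notes shkit tampers with the library linker, the check itself should run from trusted boot media rather than the suspect system's own binaries.

```shell
#!/bin/sh
# Hypothetical file-integrity baseline for the directories a rootkit usually
# replaces binaries in (/bin, /sbin, /usr/bin, /lib ...). Written for this
# thread, not taken from it. Assumes GNU coreutils.
set -eu

# baseline_create DIR... > baseline.txt
# Emits "sha256  path" for every regular file under DIR..., sorted by path so
# two runs over the same tree are directly comparable. Keep the output on
# read-only media or another host; a baseline left on the box can be edited
# by the same intruder who replaced the binaries.
baseline_create() {
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# baseline_check BASELINE DIR...
# Rehashes DIR... and prints the differing lines: "<" marks a baseline entry
# that is gone or whose hash changed, ">" marks a new or modified file.
# Returns 0 when nothing changed, 1 otherwise.
baseline_check() {
    baseline="$1"; shift
    current=$(mktemp)
    baseline_create "$@" > "$current"
    # diff exits 1 on differences; grep keeps only the changed entries and
    # drops hunk headers, so the pipeline never trips set -e.
    diffs=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}
```

Run `baseline_create /bin /sbin /usr/bin /usr/sbin /lib > baseline.txt` on the clean rebuild, then `baseline_check baseline.txt /bin /sbin /usr/bin /usr/sbin /lib` from rescue media whenever the box looks suspicious.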