Re: possible rootkit, maybe partial?

["D.C. van Moolenbroek" <xanadu () chello nl>]

Hi there,

Indeed, your machine has been rooted, and you're very lucky that SucKIT
didn't "like" the newly installed kernel version! I suspect the following
happened..

Usually, SucKIT is launched as /sbin/init at system bootup, forks to install
itself into the kernel and start up a backdoor, and launches a copy of the
original "init" binary from the parent (with pid 1). Any subsequent
executions of /sbin/init are redirected to the original init.

In your case, SucKIT is also launched as /sbin/init, forks but fails to
install itself into the kernel, and launches the copy of the original init
anyway. However, since it failed to install, it will not be able to redirect
/sbin/init calls. So when you run reboot, reboot runs shutdown, and shutdown
runs /sbin/init: the SucKIT-version of init. SucKIT once again forks,
detects that it's not yet installed, and tries but still fails to install
itself in memory - that's where the weird message is coming from.

You should be able to confirm this by executing "ls -l /proc/1/exe", it
should show a symlink to the name of the copy of /sbin/init (that is,
"/sbin/init" with extra characters after it) instead of the normal
"/sbin/init".

It's hard to say whether the cracker actually succeeded in the first place,
or failed and walked away. As SucKIT includes a backdoor, an attacker does
not necessarily have to install anything but SucKIT in order to gain full
control of your system later; in practice, crackers usually do launch
additional programs (ssh daemons, irc bouncers/bots..), it depends on your
skill compared to the cracker's skill whether you can find these programs.
It would also be pretty easy to launch additional programs only if SucKIT
was installed successfully; a good reason to take the system offline if you
want to experiment with it (eg. to try another kernel version) - but you
should do that anyway, as long as it hasn't been completely reinstalled...

Regards,

David

"Benjamin Tomhave" wrote:
> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server.
The
> server is a fully-patched RH8 system, running iptables limited to ssh,
http,
> https and previously mysql (tcp 3306).  Kernel is RH 2.4.18-27.8.0.  The
> reason I'm at a bit of a loss here is because a) the tell-tale signs
aren't
> consistent with documented suckit compromises, and b) there doesn't seem
to
> be anything on the system comprising the rootkit.  Even chkrootkit comes
up
> empty/clean.  Which makes me wonder if someone found a whole in a
> developer's php code, tried to load suckit, had it fail, and then walked
> away.  What I can say for certain is that this issue has arisen in the
last
> 1-2 weeks (the current kernel appears to have been installed 3/20).
> Checking through /proc there doesn't appear to be anything unusual,
either.
> tcpdump did not indicate any unexpected traffic.  No web pages have been
> defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
>
> Now, call me crazy, but the last part of the last line doesn't strike me
as
> something that belongs.  As it stands right now, I'm slating this box for
> low-level format and reinstall within the week.  Since it doesn't seem to
be
> an active zombie or anything, and since I'm still not 100% sure this is a
> compromised system, I'll take the chance of waiting.  I may also try
> reinstalling the kernel just to see if that makes a difference, too.
>
> Does this look familiar or suspicious to anyone else?  Anybody have any
> ideas on further diagnostics that I could run "just to be sure"?
>
> Thank you,
>
> -ben
>
> ***************************************
>  Benjamin Tomhave
>  falcon () cybersecret com
>  http://falcon.secureconsulting.net/

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents