Re: New Rootkit?

[Russell Harding <hardingr () cunap com>]

I agree.

  This has been my experice with SucKIT as well.  I had some machines
compromised before I arrived at my current place of employment, and got a
chance to take a look at the machines.

Often, many rootkits can be easily modified to avoid chkrootkit,
espeically as it is an open source tool, and the de facto standard for
initial forensic analysis.  Any system intruder can simply check what the
current version of chkrootkit does and quickly modify the source.

However, what many rootkits of various types have in common is hiding
processes and directories, which with the linux proc filesystem are one in
the same.  Make sure to use chkproc and chkdirs whenever you are using
chkrootkit.

    -Russell

On 17 Oct 2003, Alvin Wong wrote:

> Yep,
>
> It's the SucKIT alrite but another variant, i've been hit b4 and i
> managed to find out using a command to look for setuid files and managed
> to find where the directories where.
> You should be able to toggle sk and get another shell that enables you
> to find the password sniffer too. Look for telltale signs of ftping out
> to another ip.
> Probably someone produced a modified version of it, which is why
> chkrootkit cannot detect it.
>
> Regards,
> Alvin
>
> On Thu, 2003-10-16 at 23:45, Eoghan Casey wrote:
> > This sounds like SucKIT (http://hysteria.sk/sd/f/suckit/) or a variant.
> > This has been in general use since last year. It injects itself
> > directly into kernel memory rather than using kernel loadable modules.
> >
> > See the README (http://hysteria.sk/sd/f/suckit/readme):
> >
> > Q: How I can make suckit to run automatically each reboot of machine ?
> >    A: The generic way (as the install script does) is to
> >       rename /sbin/init to /sbin/init<hidesuffix>, and place sk binary
> >       instead of /sbin/init, so suckit will get resident imediatelly
> >       after boot. However, when it will get resident, all of such changes
> >       will be stealthed ;) If you can't fiddle with /sbin/init, you
> >       still can place binary to somewhere into
> > /etc/rc.d/rc3.d/S##<hidesuffix>
> >       or such.
> >
> > Eoghan Casey
> >
> > On Thursday, October 16, 2003, at 03:38  AM, Jonas Frey (Probe
> > Networks) wrote:
> >
> > > Hello,
> > >
> > > we've just had a customer machine blasing some 50mbit into our lines
> > > with pretty high pps counts. After a short analysis we found out the
> > > init  got replaced/backdoored and the original init was moved to
> > > /sbin/telinit. However the filesize on both files was the same. This is
> > > probably due to a lkm the rootkit uses to hide its existence.
> > > Chkrootkit did NOT find this rootkit. However it pointed us the right
> > > way saying the system had hidden processes running.
> > > After replacing init with a good version and updating the kernel we
> > > rebooted the box and found the hacked init as well as other programs of
> > > the rootkit beeing located in /etc/.MG/ (this directory was hidden
> > > before). Apparently this is a rootkit with a ddosnet touch.
> > > I've put up the files for further analysis at:
> > > http://81.2.144.1/rootkit/
> > >
> > >
> > > --
> > > Mit freundlichen Gr????en / With kind regards,
> > > Jonas Frey
> > >
> > >
> > > -----------------------------------------------------------------------
> > > ----
> > > FREE Whitepaper: Better Management for Network Security
> > >
> > > Looking for a better way to manage your IP security?
> > > Learn how Solsoft can help you:
> > > - Ensure robust IP security through policy-based management
> > > - Make firewall, VPN, and NAT rules interoperable across heterogeneous
> > > networks
> > > - Quickly respond to network events from a central console
> > >
> > > Download our FREE whitepaper at:
> > > http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
> > > -----------------------------------------------------------------------
> > > -----
> >
> >
> > ---------------------------------------------------------------------------
> > FREE Whitepaper: Better Management for Network Security
> >
> > Looking for a better way to manage your IP security?
> > Learn how Solsoft can help you:
> > - Ensure robust IP security through policy-based management
> > - Make firewall, VPN, and NAT rules interoperable across heterogeneous
> > networks
> > - Quickly respond to network events from a central console
> >
> > Download our FREE whitepaper at:
> > http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
> > ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> FREE Whitepaper: Better Management for Network Security
>
> Looking for a better way to manage your IP security?
> Learn how Solsoft can help you:
> - Ensure robust IP security through policy-based management
> - Make firewall, VPN, and NAT rules interoperable across heterogeneous
> networks
> - Quickly respond to network events from a central console
>
> Download our FREE whitepaper at:
> http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
----------------------------------------------------------------------------