Re: possible rootkit, maybe partial?
From: D.C. van Moolenbroek <xanadu(at)chello.nl>
Date: Thu Apr 03 2003 - 07:59:03 EST

Hi there,

Indeed, your machine has been rooted, and you're very lucky that SucKIT didn't "like" the newly installed kernel version! I suspect the following happened.

Usually, SucKIT is launched as /sbin/init at system bootup, forks to install itself into the kernel and start up a backdoor, and launches a copy of the original "init" binary from the parent (with pid 1). Any subsequent executions of /sbin/init are redirected to the original init.

In your case, SucKIT is also launched as /sbin/init, forks but fails to install itself into the kernel, and launches the copy of the original init anyway. However, since it failed to install, it will not be able to redirect /sbin/init calls. So when you run reboot, reboot runs shutdown, and shutdown runs /sbin/init: the SucKIT version of init. SucKIT once again forks, detects that it's not yet installed, and tries but still fails to install itself in memory - that's where the weird message is coming from.

You should be able to confirm this by executing "ls -l /proc/1/exe"; it should show a symlink to the name of the copy of /sbin/init (that is, "/sbin/init" with extra characters after it) instead of the normal "/sbin/init".

It's hard to say whether the cracker actually succeeded in the first place, or failed and walked away. As SucKIT includes a backdoor, an attacker does not necessarily have to install anything but SucKIT in order to gain full control of your system later; in practice, crackers usually do launch additional programs (ssh daemons, irc bouncers/bots, ...). It depends on your skill compared to the cracker's skill whether you can find these programs. It would also be pretty easy to launch additional programs only if SucKIT was installed successfully; a good reason to take the system offline if you want to experiment with it (e.g. to try another kernel version) - but you should do that anyway, as long as it hasn't been completely reinstalled...

Regards,
David
"Benjamin Tomhave" wrote:
--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
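The /proc/1/exe check David describes, scripted, as an added example that is not part of the original post or of any SucKIT tooling. It reads the link target of /proc/1/exe (root is needed on most kernels), classifies it the way the post suggests (the expected path, the expected path with trailing characters, or something else), and byte-compares the running PID 1 image with the on-disk /sbin/init, since a trojaned /sbin/init that launches a renamed copy of the real init will differ from it. Function names, the "(deleted)" handling and the systemd remark are this example's own assumptions, not claims from the post.

```shell
#!/bin/sh
# Added example (not from the original post): automate the "ls -l /proc/1/exe"
# check described above. Names and verdict strings are this example's choices.

# classify_pid1_target TARGET [EXPECTED]
#   TARGET   link target of /proc/1/exe as printed by readlink
#   EXPECTED path init is normally launched from (default /sbin/init)
# Prints one of: ok, suspicious, deleted, other.
#   suspicious = EXPECTED followed by extra characters, the pattern the post
#                attributes to SucKIT's renamed copy of the original init.
#   deleted    = EXPECTED followed by " (deleted)", the kernel's marker for a
#                binary unlinked or replaced on disk after it was started. A
#                normal package upgrade of init produces this too, so check the
#                package manager and mtime before calling it a compromise.
classify_pid1_target() {
    target=$1
    expected=${2:-/sbin/init}
    case "$target" in
        "$expected")            echo ok ;;
        "$expected (deleted)")  echo deleted ;;
        "$expected"?*)          echo suspicious ;;
        *)                      echo other ;;
    esac
}

# compare_on_disk PID1_EXE ONDISK
# Byte-compares the running PID 1 image with the on-disk init binary.
# Prints "same", "differs" or "unreadable" (no root, or a path is missing).
compare_on_disk() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo unreadable
    elif cmp -s "$1" "$2"; then
        echo same
    else
        echo differs
    fi
}

main() {
    # Reading /proc/1/exe needs root on most kernels.
    target=$(readlink /proc/1/exe 2>/dev/null) || {
        echo "cannot read /proc/1/exe (run as root)"; return 0
    }
    verdict=$(classify_pid1_target "$target")
    echo "/proc/1/exe -> $target [$verdict]"
    case "$verdict" in
        suspicious)
            echo "PID 1 runs from an unexpected copy of init."
            echo "running image vs on-disk /sbin/init: $(compare_on_disk /proc/1/exe /sbin/init)"
            echo "now look at: ls -la /sbin/init*"
            ;;
        other)
            # Assumption: on systemd-based systems /proc/1/exe points at
            # e.g. /lib/systemd/systemd, so pass that path as EXPECTED.
            echo "init lives elsewhere on this system; set EXPECTED accordingly."
            ;;
    esac
}

main "$@"
```

This only proves anything in the situation the post describes, where the kernel component failed to load; on a box where a kernel rootkit did install, anything /proc reports can be filtered, so the same comparison should be made from a clean boot medium against the mounted disk.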
Received on Thu Apr 3 19:34:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT