Re: [CERT] possible rootkit, maybe partial?
From: ePAc (epac at korigan.net)
Date: Wed Apr 02 2003 - 22:27:17 CST
My first thought would be towards some sort of module hack. That is, a
module that loads, modifies something in the kernel (replaces some
functions) and then unloads, but leaves the code available. Of course, I
have no clue how you would check for such a thing, but I would guess that
it would be loaded by something like modutil or devfsd. Have you checked
to see if you have some module somewhere in the tree under
/lib/modules/xxx that has no business being there?
I hope this helps..
ePAc
On Wed, 2 Apr 2003, Benjamin Tomhave wrote:
> Date: Wed, 2 Apr 2003 20:47:05 -0700
> From: Benjamin Tomhave <falcon at cybersecret.com>
> To: incidents at securityfocus.com
> Subject: [CERT] possible rootkit, maybe partial?
>
> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server. The
> server is a fully-patched RH8 system, running iptables limited to ssh, http,
> https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0. The
> reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
> consistent with documented suckit compromises, and b) there doesn't seem to
> be anything on the system comprising the rootkit. Even chkrootkit comes up
> empty/clean. Which makes me wonder if someone found a hole in a
> developer's php code, tried to load suckit, had it fail, and then walked
> away. What I can say for certain is that this issue has arisen in the last
> 1-2 weeks (the current kernel appears to have been installed 3/20).
> Checking through /proc there doesn't appear to be anything unusual, either.
> tcpdump did not indicate any unexpected traffic. No web pages have been
> defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr 2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
>
> Now, call me crazy, but the last part of the last line doesn't strike me as
> something that belongs. As it stands right now, I'm slating this box for
> low-level format and reinstall within the week. Since it doesn't seem to be
> an active zombie or anything, and since I'm still not 100% sure this is a
> compromised system, I'll take the chance of waiting. I may also try
> reinstalling the kernel just to see if that makes a difference, too.
>
> Does this look familiar or suspicious to anyone else? Anybody have any
> ideas on further diagnostics that I could run "just to be sure"?
>
> Thank you,
>
> -ben
>
> ***************************************
> Benjamin Tomhave
> falcon at cybersecret.com
> http://falcon.secureconsulting.net/
>
>
> ----------------------------------------------------------------------------
> Powerful Anti-Spam Management and More...
> SurfControl E-mail Filter puts the brakes on spam,
> viruses and malicious code. Safeguard your business
> critical communications. Download a free 30-day trial:
> http://www.securityfocus.com/SurfControl-incidents
>
---
Nothing is foolproof to a sufficiently talented fool...
oo
,(..)\
~~
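As an added example (not code from either poster), the check ePAc suggests can be made systematic on an RPM-based box such as the RH8 system described: list every file under the kernel's module tree that no installed package claims. It assumes `rpm -qal` (query all packages, list their files) is available and that the kernel version is passed in or taken from `uname -r`; the temporary file handling and the `--run` switch are this script's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds files under a kernel's
# module tree that no installed RPM package accounts for. Assumes an
# RPM-based system (like the RH8 box discussed) where `rpm -qal` prints
# every file owned by any installed package.

# unowned_files DIR OWNED_LIST
#   DIR        - directory to walk (e.g. /lib/modules/2.4.18-27.8.0)
#   OWNED_LIST - file holding one package-owned path per line
# Prints each regular file under DIR that does not appear in OWNED_LIST.
unowned_files() {
    dir=$1
    owned=$2
    found=$(mktemp) || return 1
    known=$(mktemp) || return 1
    find "$dir" -type f | sort -u > "$found"
    sort -u "$owned" > "$known"
    # comm -23 prints lines present only in the first sorted file:
    # files on disk with no package claiming them
    comm -23 "$found" "$known"
    rm -f "$found" "$known"
}

# audit_modules [KERNEL_VERSION]
#   Builds the owned-file list from the RPM database and runs the check
#   against that kernel's module tree; defaults to the running kernel.
audit_modules() {
    kver=${1:-$(uname -r)}
    list=$(mktemp) || return 1
    rpm -qal > "$list"
    unowned_files "/lib/modules/$kver" "$list"
    rm -f "$list"
}

# Only touch the live system when asked explicitly, e.g.
#   sh module_audit.sh --run 2.4.18-27.8.0
if [ "${1:-}" = "--run" ]; then
    audit_modules "${2:-}"
fi
```

Run it on the box as `sh module_audit.sh --run 2.4.18-27.8.0` (the kernel version from the post). Two caveats for a practitioner: a file the package still owns but which has been altered will not show up here, so pair this with `rpm -Va`, which compares size, checksum and permissions against the package database; and both checks depend on the rpm binary and its database, so on a host where a kernel-level compromise is suspected, run them from trusted media or against a mounted copy of the disk (`rpm --root`) rather than trusting the live system's tools.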