Re: possible rootkit, maybe partial?
From: Richard Rager (kb8rln at penguinmaster.com)
Date: Wed Apr 02 2003 - 22:29:03 CST
On Wed, 2 Apr 2003, Benjamin Tomhave wrote:
> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server. The
> server is a fully-patched RH8 system, running iptables limited to ssh, http,
> https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0. The
> reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
> consistent with documented suckit compromises, and b) there doesn't seem to
> be anything on the system comprising the rootkit. Even chkrootkit comes up
> empty/clean. Which makes me wonder if someone found a hole in a
> developer's php code, tried to load suckit, had it fail, and then walked
> away. What I can say for certain is that this issue has arisen in the last
> 1-2 weeks (the current kernel appears to have been installed 3/20).
> Checking through /proc there doesn't appear to be anything unusual, either.
> tcpdump did not indicate any unexpected traffic. No web pages have been
> defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr 2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
I had the same thing in a rootkit called zk/backdoor.
Does the same thing.
Run something called CORND <-- all caps.
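The only hard evidence in the thread is the RK_Init banner printed at shutdown, so a defender's first step is to pull that line out of console or syslog captures and see what it says. The script below is an added example, not code from the thread or from chkrootkit: it finds RK_Init banners in a constructed log sample, parses the idt/sct addresses, flags whether the loader reported failure (the "Can't find kmalloc()" case above), and checks the reported sct[] address against a constructed System.map line (the real one lives under /boot on RH8) to confirm the address really is this kernel's sys_call_table.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: shutdown broadcast plus the RK_Init line quoted in the thread.
SAMPLE_LOG = """\
Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
Apr  2 20:27:25 web kernel: Kernel logging (proc) stopped.
"""

# Constructed System.map excerpt (assumed layout "<addr> <type> <symbol>", as on 2.4 kernels).
SAMPLE_SYSTEM_MAP = """\
c03300f4 D sys_call_table
c03b0000 D idt_table
"""

RK_INIT_RE = re.compile(
    r"RK_Init:\s*idt=(?P<idt>0x[0-9a-fA-F]+),\s*sct\[\]=(?P<sct>0x[0-9a-fA-F]+)"
    r"(?:,\s*(?P<status>.*))?$"
)

@dataclass
class RkInitHit:
    line_no: int
    idt: int
    sct: int
    status: str
    failed: bool  # loader reported it could not complete (e.g. kmalloc not found)

def find_rk_init(text: str) -> List[RkInitHit]:
    """Return every RK_Init banner found in the log text, with parsed addresses."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RK_INIT_RE.search(line)
        if not m:
            continue
        status = (m.group("status") or "").strip()
        hits.append(RkInitHit(n, int(m.group("idt"), 16), int(m.group("sct"), 16),
                              status, "Can't find" in status))
    return hits

def symbol_address(system_map: str, symbol: str) -> int:
    """Look up a symbol's address in System.map text; -1 if absent."""
    for line in system_map.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == symbol:
            return int(parts[0], 16)
    return -1

def sct_matches_kernel(hit: RkInitHit, system_map: str) -> bool:
    """True when the banner's sct[] equals this kernel's sys_call_table address."""
    return hit.sct == symbol_address(system_map, "sys_call_table")
```

A match means the loader located the running kernel's syscall table even though it later failed, which is worth recording in the incident timeline alongside the install date of the kernel.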