LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-06-2005, 09:40 AM   #1
ddaas
Member
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

chkrootkit and SuckIT


Hi there,
On my Server (rhel3), #chkrootkit -q returns:
Quote:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
I also ran rkhunter-1.2.7 and it didn't return anything.
I want to find out somehow if chkrootkit returned a false positive or not, because formatting / reinstalling the whole server is not such an easy job (the server is used as PDC in the company and this means that I should spend a night or two reinstalling the server or paralyzing the activity for one day ...)
I want to do this kind of stuff only after I get other evidence and info about this rootkit or a chkrootkit (0.46a) false positive. I also maintain an AIDE checksum database (offsite). /sbin/init was really changed on 2005-09-30, but that was a date when I did an update of the server (with Red Hat Network). On that day a lot of files were changed/added/removed, so it could be a false positive:
Quote:
AIDE found differences between database and filesystem!!
Start timestamp: 2005-09-30 22:02:12
Summary:
Total number of files=152943,added files=14585,removed files=14602,changed files=16098
Please, I really need some help. Does anyone know something more about SuckIT, how can I find out for sure if it is really on my system? Is there a database of checksums for different versions of Linux binaries (like /sbin/init) to compare against my /sbin/init hash?
Old 12-06-2005, 12:39 PM   #2
Keruskerfuerst
Senior Member
Registered: Oct 2005
Location: Horgau, Germany
Distribution: Manjaro KDE, Win 10
Posts: 2,199

Information on Suckit:
http://la-samhna.de/library/rootkits/list.html
http://www.soohrt.org/stuff/linux/suckit/
http://www.trojaner-info.de/news2/li...backdoor.shtml
http://www.linuxquestions.org/questi...ad.php?t=35743

Really ugly!!!

Last edited by Keruskerfuerst; 12-06-2005 at 12:44 PM.
Old 12-06-2005, 02:13 PM   #3
ddaas
Member
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

Original Poster
I am not so happy with this situation.
I've read those links but I couldn't find out for sure if this rootkit is on my server.
I've tried:
Quote:
for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done
and
Quote:
for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done
and there is no sk binary. Now I don't know if I can trust cat, echo and the other binaries. Only chkrootkit reports /sbin/init as infected (rkhunter says it is ok). Could it be only a false positive?
I am really worried because this is an enterprise server and I should take a decision quickly.
Now I'm going to read more about SuckIT, and eventually look in the source code of chkrootkit where it checks for this rootkit.
Anyway, my only open ports on the Internet are: ssh (only key auth, no root login, and so on), imaps (all patches installed) and openvpn.
How was it installed? Is it more probable that it came from the inside? (this worries me a lot).

Any feedback on this topic is really really appreciated.
Old 12-06-2005, 02:44 PM   #4
Keruskerfuerst
Senior Member
Registered: Oct 2005
Location: Horgau, Germany
Distribution: Manjaro KDE, Win 10
Posts: 2,199

Can you replace /sbin/init with the version from CD/DVD or from an update server (a file with a fingerprint)?
Old 12-06-2005, 04:23 PM   #5
tkedwards
Senior Member
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

This is a known thing with RHEL3 - it happened to us after we updated to update 6. It seems to go away after a while (maybe they had an update to chkrootkit, I can't remember). Anyway you can assure yourself by rebooting off the rescue CD and doing a sha1sum on /sbin/init, and then comparing that to a system which doesn't flag as being infected by chkrootkit.

Although you should still be careful (just in case it's not a false positive), I'd definitely put my money on it being a false positive in your case, after what happened to us.
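The two checks suggested in posts #3 and #5 (a brute-force probe of /proc for PIDs that a rootkit hides from directory listings, and comparing the sha1sum of /sbin/init against a reference taken from a clean system or rescue boot) as one POSIX sh script. This is an added example, not code from the thread; the expected hash is whatever you record on the trusted side, and the PID range is an assumption you can raise.

```sh
#!/bin/sh
# Added example: integrity checks discussed in the thread, written as
# functions so they can be run from a rescue boot or a trusted shell.

# check_hash FILE EXPECTED_SHA1
# Compare a binary's SHA-1 with a reference recorded on a known-clean
# system. Prints OK or MISMATCH and returns 0 only on a match.
check_hash() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file expected=$expected actual=$actual"
    return 1
}

# hidden_pids [MAXPID]
# A kernel rootkit that hides processes typically filters the readdir()
# listing of /proc while the entries stay reachable by name. This takes a
# glob listing, then probes /proc/<pid>/status for every pid up to MAXPID
# (the thread's "seq" loop), then lists again; any pid the probe found that
# is in neither listing is printed. The second listing avoids flagging a
# process that merely started during the probe.
hidden_pids() {
    maxpid="${1:-32768}"                       # assumed default range
    [ -d /proc/self ] || return 0              # no /proc here: nothing to scan
    before=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    probed=$(i=1; while [ "$i" -le "$maxpid" ]; do
                 [ -e "/proc/$i/status" ] && echo "$i"
                 i=$((i + 1)); done)
    after=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    for p in $probed; do
        printf '%s\n%s\n' "$before" "$after" | grep -qx "$p" || echo "$p"
    done
    return 0
}

# Usage from a trusted shell, with the reference hash filled in by you:
#   check_hash /sbin/init <sha1 recorded from the clean system>
#   hidden_pids 65536
```

A non-empty output from hidden_pids means /proc is lying about its contents, which is independent of the chkrootkit signature and of whether cat or echo can be trusted; a clean hash plus `rpm -V SysVinit` reporting nothing points to a false positive.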
Old 12-07-2005, 03:42 AM   #6
ddaas
Member
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

Original Poster
I found this: http://forums.gentoo.org/viewtopic-t...ht-suckit.html

It seems a false positive...
Old 12-07-2005, 07:50 AM   #7
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Try verifying the integrity of the binary using rpm -V SysVinit. If it's clean, it should produce no output. Did rebooting (as per the link you posted) help?
Old 12-07-2005, 07:57 AM   #8
ddaas
Member
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

Original Poster
rpm -V SysVinit produces no output.
I didn't restart the server yet (as I said, it is an enterprise server and I should wait for the others to finish their work). Maybe tonight...
All times are GMT -5. The time now is 05:57 PM.