I issued a shutdown -r now to my machine and received a message from SucKIT. I hear this is a root kit compromise and I have no idea what that means and can find nowhere that offers a fix explanation...
1. Essential: disconnect your box from the network now; this takes care of the cracker coming back to "rm -rf /" when detected or playing other games with your system. Also make sure no one can access your box locally or remove files from the system.
2. Make sure: if you have chkrootkit(.org), check your system. If you have system integrity detection (Aide, Samhain, Tripwire), use it, and use databases off of read-only media. If you don't have those but have an off-site copy of your package manager's library, you can use it, but it won't detect new files like, for instance, Aide does.
3. Check where sk is:
cd /proc; for i in *; do test -f "$i/cmdline" && (tr '\0' ' ' < "$i/cmdline"; echo "$i") | grep -e "sk"; done
This will return the PID for sk. Change to that dir and run:
tr '\0' '\n' < environ | grep -i -e "pwd"
This returns the rootkit's dir (/usr/share/locale/ro_US ?).
4. Uninstall rootkit: cd to that dir, and execute "./sk -u" to uninstall.
5. Make sure again: go through the motions again. If you had a system integrity checker running you already have a list with changed files. Make sure you don't copy them off the system.
6. Rebuild your box. Save only human readable data, wipe your Linux partitions and reinstall from scratch, because you don't know where they came in. Make sure you change all passwds used, because a sniffer will have been installed. Make sure you reinstall your box more safely using a firewall, up to date software, and any integrity checking mechanism plus chkrootkit if you didn't already use that.
Read also: Steps for Recovering from a UNIX or NT System Compromise www.cert.org/tech_tips/root_compromise.html, AUSCERT UNIX Computer Security Checklist (Version 1.1) www.cert.org/tech_tips/AUSCERT_checklist1.1, Top ten vulnerabilities: www.sans.org/topten.htm and http://www.cert.org/present/cert-ove...ends/index.htm, Security Quick-Start HOWTO for Linux and Linux Security HOWTO.
*Suckit is mentioned here: http://la-samhna.de/library/lkm.html amongst many other places. A simple search with Google reveals a lot.
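A stricter version of the /proc search from step 3, as an added example that is not part of the original reply: it matches the basename of argv[0] instead of any substring (so "task" or "mkswap" do not match "sk") and reads PWD from the NUL-separated environ file. The function names and the optional proc-root argument are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Locates processes by the
# basename of argv[0] and reports the directory they were started from.
# The process name "sk" comes from the post; everything else is illustrative.

# Print argv[0] of a /proc/<pid> directory. cmdline is NUL-separated,
# so convert NULs to newlines and keep the first field.
argv0() {
    tr '\0' '\n' 2>/dev/null < "$1/cmdline" | head -n 1
}

# Print the value of PWD from the NUL-separated environ file, if present.
env_pwd() {
    tr '\0' '\n' 2>/dev/null < "$1/environ" | sed -n 's/^PWD=//p' | head -n 1
}

# find_proc_dir NAME [PROC_ROOT]
# Prints "PID<TAB>ARGV0<TAB>PWD<TAB>CWD" for each process whose argv[0]
# basename is exactly NAME. PROC_ROOT defaults to /proc.
find_proc_dir() {
    name=$1
    proc_root=${2:-/proc}
    for d in "$proc_root"/[0-9]*; do
        [ -f "$d/cmdline" ] || continue
        a0=$(argv0 "$d")
        [ -n "$a0" ] || continue              # kernel threads: empty cmdline
        [ "${a0##*/}" = "$name" ] || continue # exact basename match only
        cwd=$(readlink "$d/cwd" 2>/dev/null || true)
        printf '%s\t%s\t%s\t%s\n' "${d##*/}" "$a0" "$(env_pwd "$d")" "$cwd"
    done
}

# When run with arguments, e.g. "sh find_proc_dir.sh sk", search the live /proc.
if [ "$#" -gt 0 ]; then
    find_proc_dir "$@"
fi
```

Run it as root on the disconnected box; PWD shows where the process was launched and CWD where it is now, and the two can differ.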