1. Essential: disconnect your box from the network now. This takes care of the cracker coming back to "rm -rf /" when detected, or playing other games with your system. Also make sure no one can access your box locally or remove files from the system.
2. Make sure: if you have chkrootkit (chkrootkit.org), check your system. If you have a system integrity checker (AIDE, Samhain, Tripwire), use it, with its databases kept on read-only media. If you don't have those but do have an off-site copy of your package manager's database, you can use that, but it won't detect new files the way AIDE, for instance, does.
3. Check where sk is: cd /proc; for i in [0-9]*; do test -f $i/cmdline && grep -q -a -e "sk" $i/cmdline && echo $i; done This prints the PID of every process whose command line contains "sk" (cmdline is NUL-separated, so grep needs -a). Change to that PID's directory and run tr '\0' '\n' < environ | grep -e "PWD". This returns the rootkit's directory (/usr/share/locale/ro_US ?).
4. Uninstall the rootkit: cd to that directory and execute "./sk -u" to uninstall.
5. Make sure again: go through the motions again. If you had a system integrity checker running, you already have a list of changed files. Make sure you don't copy them off the system.
6. Rebuild your box. Save only human-readable data, wipe your Linux partitions and reinstall from scratch, because you don't know where they came in. Make sure you change all passwords used, because a sniffer will have been installed. Make sure you reinstall your box more safely, using a firewall, up-to-date software, and an integrity-checking mechanism plus chkrootkit if you weren't already using it.
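Step 3 above, written out as a small POSIX shell script. This is an added example, not code from the original post: find_pids_by_cmdline takes a grep -E pattern instead of the bare "sk" substring (which also matches "sshd"-style false positives less often with a word-ish pattern), and both functions take an optional proc-root argument, a hypothetical parameter so the same scan can be pointed at a copied or constructed /proc tree instead of the live one. The --scan mode runs it against the real /proc.

```shell
#!/bin/sh
# Added example, not from the original post. PROC_ROOT (second argument) is a
# hypothetical parameter: it defaults to /proc but lets the scan run over a
# copied or constructed tree.

# find_pids_by_cmdline PATTERN [PROC_ROOT]
# Prints one PID per line whose /proc/PID/cmdline matches PATTERN (grep -E).
# cmdline is NUL-separated, so NULs are turned into spaces before matching,
# which is why a plain "grep sk cmdline" is unreliable.
find_pids_by_cmdline() {
    pattern=$1
    root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -f "$d/cmdline" ] || continue
        if tr '\0' ' ' < "$d/cmdline" 2>/dev/null | grep -E -q -e "$pattern"; then
            printf '%s\n' "${d##*/}"
        fi
    done
}

# proc_pwd PID [PROC_ROOT]
# Prints the directory the process was started from: the PWD entry of its
# environment (NUL-separated like cmdline), falling back to the cwd symlink
# when the environment has no PWD or is unreadable.
proc_pwd() {
    d=${2:-/proc}/$1
    pwd_val=$(tr '\0' '\n' < "$d/environ" 2>/dev/null | sed -n 's/^PWD=//p' | head -n 1)
    if [ -z "$pwd_val" ] && [ -L "$d/cwd" ]; then
        pwd_val=$(readlink "$d/cwd")
    fi
    printf '%s\n' "$pwd_val"
}

# Stand-alone use: scan the live /proc for anything whose command line has
# "sk" as a word (./sk, /path/sk, sk -i) and report where it was launched from.
if [ "${1:-}" = "--scan" ]; then
    for pid in $(find_pids_by_cmdline '(^|/| )sk( |$)'); do
        printf 'pid %s started in: %s\n' "$pid" "$(proc_pwd "$pid")"
    done
fi
```

Run it as root: environ and cwd of another user's process are only readable by that user or root. Keep in mind that a kernel rootkit that hides processes can make this scan come up empty from inside the compromised kernel, which is one more reason step 6 is a rebuild rather than a cleanup.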
Read also:
Steps for Recovering from a UNIX or NT System Compromise: www.cert.org/tech_tips/root_compromise.html
AUSCERT UNIX Computer Security Checklist (Version 1.1): www.cert.org/tech_tips/AUSCERT_checklist1.1
Top ten vulnerabilities: www.sans.org/topten.htm
Security Quick-Start HOWTO for Linux
Linux Security HOWTO
* SuckIT is mentioned here: http://la-samhna.de/library/lkm.html, amongst many other places. A simple search with Google reveals a lot.