1. Essential: disconnect your box from the network
now, this takes care of the cracker coming back to "rm -rf /" when detected or play other games with your system. Also make sure no one can access your box locally or remove files from the system.
2. Make sure: if you have chkrootkit(.org), chekc your system. If you have system integrity detection (Aide, Samhain, Tripwire) use it
use databases off of read-only media if you don't have those but an off-site copy of your package managers library you can use it
but it won't detect new files like for instance Aide does.
3. Check where sk is: cd /proc; for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i | grep -e "sk"); done This will return the PID for sk, change to that dir and grep environ -e "pwd". This returns the rootkits dir (/usr/share/locale/ro_US ?).
4. Uninstall rootkit: cd to that dir, and execute "./sk -u" to uninstall.
5. Make sure again: go tru the motions again. If you had a system integrity checker running you already have a list with changed files.
Make sure you don't copy then off the system.
6. Rebuild your box. Save
only human readable data, wipe your Linux partitions and reinstall from scratch, because you don't know where they came in. Make sure you change
all passwds used, because a sniffer will have been installed. Make sure you reinstall your box more safely using a firewall, up to date software, and any integrity checking mechanism plus chkrootkit if you didn't already used that.
Read also: Steps for Recovering from a UNIX or NT System Compromise
www.cert.org/tech_tips/root_compromise.html, AUSCERT UNIX Computer Security Checklist (Version 1.1)
www.cert.org/tech_tips/AUSCERT_checklist1.1, Top ten vulnerabilities:
www.sans.org/topten.htm and
http://www.cert.org/present/cert-ove...ends/index.htm,
Security Quick-Start HOWTO for Linux and
Linux Security HOWTO.
*Suckit is mentioned here:
http://la-samhna.de/library/lkm.html amongst many other places. A simple search with Google reveals a lot.
SucKIT
