LinuxQuestions.org
11-18-2002, 04:46 AM   #1
acadcworks
LQ Newbie
Registered: Oct 2002
Posts: 21

SucKIT

I issued a shutdown -r now to my machine and received a message from SucKIT. I hear this is a rootkit compromise and I have no idea what that means or can find nowhere that offers a fix explanation...

help!?

thanks.
 
11-18-2002, 06:27 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 27,118

1. Essential: disconnect your box from the network now; this takes care of the cracker coming back to "rm -rf /" when detected or playing other games with your system. Also make sure no one can access your box locally or remove files from the system.
2. Make sure: if you have chkrootkit(.org), check your system. If you have system integrity detection (Aide, Samhain, Tripwire), use it; use databases off of read-only media. If you don't have those but have an off-site copy of your package manager's library, you can use it, but it won't detect new files like, for instance, Aide does.
3. Check where sk is: cd /proc; for i in *; do test -f "$i/cmdline" && (tr '\0' ' ' < "$i/cmdline"; echo "$i") | grep -e "sk"; done This will return the PID for sk; change to that dir and run: tr '\0' '\n' < environ | grep -e "PWD". This returns the rootkit's dir (/usr/share/locale/ro_US ?).
4. Uninstall rootkit: cd to that dir, and execute "./sk -u" to uninstall.
5. Make sure again: go through the motions again. If you had a system integrity checker running you already have a list with changed files. Make sure you don't copy them off the system.
6. Rebuild your box. Save only human readable data, wipe your Linux partitions and reinstall from scratch, because you don't know where they came in. Make sure you change all passwds used, because a sniffer will have been installed. Make sure you reinstall your box more safely using a firewall, up to date software, and any integrity checking mechanism plus chkrootkit if you didn't already use that.

Read also: Steps for Recovering from a UNIX or NT System Compromise www.cert.org/tech_tips/root_compromise.html, AUSCERT UNIX Computer Security Checklist (Version 1.1) www.cert.org/tech_tips/AUSCERT_checklist1.1, Top ten vulnerabilities: www.sans.org/topten.htm and http://www.cert.org/present/cert-ove...ends/index.htm, Security Quick-Start HOWTO for Linux and Linux Security HOWTO.

*Suckit is mentioned here: http://la-samhna.de/library/lkm.html amongst many other places. A simple search with Google reveals a lot.

Last edited by unSpawn; 11-18-2002 at 06:30 AM.
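
Added example, not part of either post: a script form of the /proc lookup from step 3 that matches the exact argv[0] basename instead of the substring "sk" and reads PWD from environ without also picking up OLDPWD. The function names, the PROC_ROOT argument and the sample tree are assumptions made here so the script can be tried offline; on a live system the second argument defaults to /proc.

```shell
#!/bin/sh
# Added example; find_proc_by_name and make_sample_proc are names chosen here.

# find_proc_by_name NAME [PROC_ROOT]
# Prints "<pid> <argv0> <PWD>" for each process whose argv[0] basename is
# exactly NAME. PWD comes from the process's environ ("-" if unavailable).
find_proc_by_name() {
    name=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; the first field is argv[0].
        argv0=$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue        # kernel threads: empty cmdline
        [ "${argv0##*/}" = "$name" ] || continue
        pwd_val=
        if [ -r "$dir/environ" ]; then
            # Anchor on ^PWD= so OLDPWD= is not picked up by mistake.
            pwd_val=$(tr '\000' '\n' < "$dir/environ" |
                      sed -n 's/^PWD=//p' | head -n 1)
        fi
        printf '%s %s %s\n' "${dir##*/}" "$argv0" "${pwd_val:--}"
    done
}

# Build a constructed /proc-like tree so the function can be tried offline.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    printf 'sk\000' > "$1/101/cmdline"
    printf 'OLDPWD=/tmp\000PWD=/constructed/example/dir\000' > "$1/101/environ"
    # "task-runner" contains the substring "sk" but is a different program.
    printf '/usr/sbin/task-runner\000--flag\000' > "$1/202/cmdline"
    printf 'PWD=/\000' > "$1/202/environ"
    : > "$1/303/cmdline"                   # empty, like a kernel thread
}

# Demo on the constructed tree.
sample=$(mktemp -d)
make_sample_proc "$sample"
find_proc_by_name sk "$sample"
rm -rf "$sample"
```

Reading another user's environ on a real system requires root; unreadable entries are reported with "-" in the last column.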
 
  

