Dear All,

Can anyone give me some details on the suckIT rootkit attack and its solutions.

I needed to re-install redhat linux 9.0 due to this attack.

My systems init file got compromised and it was running the suckIT process sk whn I execute init.

If anyone can give me detailed info on this,it will be very nice.

regards,

Abdul Ahad.H

SucKit isn't really an attack, but more of a tool to hide the fact that the system has been compromised and to hide the activities of the intruder from the system administrator. SucKit and other related tools are collectively known as rootkits. You can find out more general info on rootkits here:

http://la-samhna.de/library/rootkits/index.html

and the original phrack article is probably the best place for sucKit specific info:

http://www.phrack.org/show.php?p=58&a=7

Keep in mind that although finding a rootkit installed on your system is extremely bad and usually requires a re-installation, it's really a secondary issue in my opinion. A rootkit is simply a cracking tool that has to be downloaded and installed just like other software, which means that someone has to have attacked your system and exploited some other vulnerability on the system (sucKit doesn't have it's own attack mechanism). So when re-building your Redhat system, remember to keep up with security updates, turn off vulnerable applications, use good passwords, use encrypted protocols rather than un-encrypted ones, get a good firewall script, and use good security practices in general. Preventing the attack in the first place is the best line of defense in defeating rootkits. A great place to learning about general system hardening is in unSpawn's security references thread at the top of the forum. There's also some more rootkit reading available there.

Dear Caveman,

thaks a lot for the reply.
I checked those sites and the descriptions seems heavy for me to digest.

I'd blocked telnet and other ports and was using only ssh for remote logins.

Also firewall was enabled with iptables.

So can u tell me what r the next measures I need to do for preventing such attacks in future?

Regards,

Abdul Ahad

DEar Caveman,

I was able to detect my problem using this step by step procedure.

But here also no mention how the attacker got inside first.

As everyone know logs will be of no use in such attacks ,as the intruder clears all log files.!!



http://www.soohrt.org/stuff/linux/suckit/

A Ahad

If the logs have been erased, you can try using one of the various "un-delete" techniques to see if you can recover the deleted versions (see the section in unSpawn's security references thread). Though a full format and re-install will be necessary before putting the system back online.

The vast majority of intrusions I've seen are usually the result of not installing security upgrades in a timely manner. A firewall can help mitigate that risk, but keeping your system updated is really absolutley essential. Second, if you've been using weak passwords, there has been widespread scanning/brute-forcing of passwords using ssh over the last 2 months, so that could be another possible means of entry.

Dear Caveman.
Thanks for ur replies.

I found one more client of us got same problem.

So I'm now sure it is the same attack u mentioned.

Problem is isolated to ssh.

So now onwards I'll concentrate on making more secure ssh connections.

We normally block other ports and leave ssh port open for remoe access and remote login.

Regards,

Abdul Ahad.H
Dubai