LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  aahad1 (LQ Newbie), 09-12-2004, 03:34 PM
SuckIT attack


Dear All,

Can anyone give me some details on the SucKIT rootkit attack and its solutions?

I needed to re-install Red Hat Linux 9.0 due to this attack.

My system's init file got compromised and it was running the SucKIT process sk when I executed init.

If anyone can give me detailed info on this, it will be very nice.

regards,

Abdul Ahad.H
 
#2  Capt_Caveman (Senior Member, Distribution: Fedora), 09-12-2004, 09:24 PM
SucKit isn't really an attack, but more of a tool to hide the fact that the system has been compromised and to hide the activities of the intruder from the system administrator. SucKit and other related tools are collectively known as rootkits. You can find out more general info on rootkits here:

http://la-samhna.de/library/rootkits/index.html

and the original phrack article is probably the best place for sucKit specific info:

http://www.phrack.org/show.php?p=58&a=7

Keep in mind that although finding a rootkit installed on your system is extremely bad and usually requires a re-installation, it's really a secondary issue in my opinion. A rootkit is simply a cracking tool that has to be downloaded and installed just like other software, which means that someone has to have attacked your system and exploited some other vulnerability on the system (sucKit doesn't have its own attack mechanism). So when re-building your Red Hat system, remember to keep up with security updates, turn off vulnerable applications, use good passwords, use encrypted protocols rather than un-encrypted ones, get a good firewall script, and use good security practices in general. Preventing the attack in the first place is the best line of defense in defeating rootkits. A great place to learn about general system hardening is unSpawn's security references thread at the top of the forum. There's also some more rootkit reading available there.
 
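The reply above points to Samhain (la-samhna.de) for further reading; the core of what such file integrity checkers do is a hash baseline. The block below is an added example, not code from the thread or from any of the linked projects: it records SHA-256, size and mode for a set of binaries, then re-checks them after a simulated rootkit patches the stand-in init and deletes ls. The directory layout, file contents and the tampering step are all constructed for illustration.

```python
"""Hash-baseline integrity check for critical system binaries.

Added example (not code from the forum thread): the same idea that file
integrity checkers such as Samhain or Tripwire implement. A rootkit that
replaces or patches /sbin/init, ps or ls changes the file's hash, which a
baseline recorded at install time and stored off-host will expose.
The directory layout, file contents and the 'patching' step below are
constructed for illustration.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, relpaths):
    """Record hash, size and mode for each file; keep the result off the host."""
    baseline = {}
    for rel in relpaths:
        path = os.path.join(root, rel)
        st = os.lstat(path)
        baseline[rel] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode),
        }
    return baseline


def compare(root, baseline):
    """Return sorted (relpath, reason) pairs for every file that differs."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            findings.append((rel, "missing"))
            continue
        st = os.lstat(path)
        if oct(st.st_mode) != expected["mode"]:
            findings.append((rel, "mode changed"))
        if st.st_size != expected["size"]:
            findings.append((rel, "size changed"))
        if sha256_file(path) != expected["sha256"]:
            findings.append((rel, "hash mismatch"))
    return sorted(findings)


def demo():
    """Simulate install -> baseline -> rootkit tampering -> re-check.

    Returns {"clean": findings right after baselining, "tampered": findings
    after init is patched and ls is deleted}.
    """
    root = tempfile.mkdtemp()
    files = {  # constructed stand-ins for real binaries
        "sbin/init": b"original init\n",
        "bin/ps": b"original ps\n",
        "bin/ls": b"original ls\n",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    baseline = take_baseline(root, sorted(files))
    stored = json.dumps(baseline)  # this is what you copy to another machine
    clean = compare(root, json.loads(stored))

    # Tampering: init gets extra code appended, ls is removed outright.
    with open(os.path.join(root, "sbin/init"), "ab") as f:
        f.write(b"\x90" * 64)
    os.remove(os.path.join(root, "bin/ls"))
    tampered = compare(root, json.loads(stored))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for rel, reason in demo()["tampered"]:
        print(f"{rel}: {reason}")
```

Two caveats a practitioner should keep in mind: the baseline has to live somewhere the intruder cannot rewrite it with root privileges (removable media, a remote host), and a kernel-resident rootkit can lie to any checker that runs on the live system, so the comparison is only trustworthy when run from a clean boot medium against the mounted disk. On an RPM-based system such as Red Hat 9, `rpm -Va` gives a comparable check against the package database, with the same caveat about the database itself being writable by root.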
#3  aahad1 (LQ Newbie, Original Poster), 09-12-2004, 10:23 PM
Dear Caveman,

Thanks a lot for the reply.
I checked those sites and the descriptions seem heavy for me to digest.

I'd blocked telnet and other ports and was using only ssh for remote logins.

Also the firewall was enabled with iptables.

So can you tell me what are the next measures I need to take for preventing such attacks in future?

Regards,

Abdul Ahad
 
#4  aahad1 (LQ Newbie, Original Poster), 09-12-2004, 10:27 PM
Dear Caveman,

I was able to detect my problem using this step by step procedure.

But here also no mention how the attacker got inside first.

As everyone knows, logs will be of no use in such attacks, as the intruder clears all log files!

http://www.soohrt.org/stuff/linux/suckit/

A Ahad
 
#5  Capt_Caveman (Senior Member, Distribution: Fedora), 09-13-2004, 08:36 PM
If the logs have been erased, you can try using one of the various "un-delete" techniques to see if you can recover the deleted versions (see the section in unSpawn's security references thread). Though a full format and re-install will be necessary before putting the system back online.

The vast majority of intrusions I've seen are usually the result of not installing security upgrades in a timely manner. A firewall can help mitigate that risk, but keeping your system updated is really absolutely essential. Second, if you've been using weak passwords, there has been widespread scanning/brute-forcing of passwords using ssh over the last 2 months, so that could be another possible means of entry.
 
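The reply above names SSH password brute-forcing as a likely entry route. As an added example (not code from the thread), the block below shows what that activity looks like in sshd's syslog output and how to flag it: a per-source sliding window over "Failed password" lines, plus a second alert when an "Accepted" login arrives from an address that was just guessing, which is the signature of a password that finally fell. The log lines are constructed for this example in the format OpenSSH 3.x-era servers wrote; the year is supplied by the caller because syslog lines do not carry one.

```python
"""Detect SSH password brute-forcing in sshd log lines.

Added example, not from the forum thread. It parses the classic syslog
format that sshd wrote in the OpenSSH 3.x era and flags (a) an IP that
fails authentication `threshold` times within `window_s` seconds and
(b) a later successful login from that same IP, which is the pattern of
a guessed password. The log lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one guessing run against root from 10.0.0.5 that
# finally succeeds, and a legitimate user who mistypes once.
SAMPLE_LOG = """\
Sep 13 20:10:01 web1 sshd[2201]: Failed password for root from 10.0.0.5 port 40010 ssh2
Sep 13 20:10:02 web1 sshd[2203]: Failed password for illegal user test from 10.0.0.5 port 40011 ssh2
Sep 13 20:10:03 web1 sshd[2205]: Failed password for illegal user guest from 10.0.0.5 port 40012 ssh2
Sep 13 20:10:04 web1 sshd[2207]: Failed password for illegal user admin from 10.0.0.5 port 40013 ssh2
Sep 13 20:10:05 web1 sshd[2209]: Failed password for root from 10.0.0.5 port 40014 ssh2
Sep 13 20:10:06 web1 sshd[2211]: Failed password for root from 10.0.0.5 port 40015 ssh2
Sep 13 20:10:07 web1 sshd[2213]: Accepted password for root from 10.0.0.5 port 40016 ssh2
Sep 13 20:15:30 web1 sshd[2301]: Failed password for abdul from 192.168.1.20 port 51000 ssh2
Sep 13 20:15:41 web1 sshd[2303]: Accepted password for abdul from 192.168.1.20 port 51001 ssh2
Sep 13 20:16:00 web1 sshd[2303]: Connection closed by 192.168.1.20
"""


def parse_line(line, year=2004):
    """Return a dict for auth success/failure lines, None for anything else.

    Syslog lines carry no year, so the caller supplies it (assumption)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "verdict": m["verdict"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_s=300):
    """Sliding-window failure counter per source IP.

    Returns (kind, ip, user) alerts in log order:
      ("brute_force", ip, user)               failures reached `threshold`
      ("success_after_brute_force", ip, user) a login succeeded while the
                                              recent failure count is still
                                              at or above `threshold`
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if ev["verdict"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the line is crossed
                alerts.append(("brute_force", ip, ev["user"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_brute_force", ip, ev["user"]))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

This only helps if the intruder could not edit the log after the fact, which ties back to the point made earlier in the thread: forward sshd's messages to a separate syslog host (or at least to a write-only destination) so the record survives a local wipe. Tune `threshold` and `window_s` to the site; a single mistyped password from an admin, as in the second part of the sample, must not trip it.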
#6  aahad1 (LQ Newbie, Original Poster), 09-14-2004, 03:40 AM

Dear Caveman,
Thanks for your replies.

I found one more of our clients got the same problem.

So I'm now sure it is the same attack you mentioned.

The problem is isolated to ssh.

So from now on I'll concentrate on making more secure ssh connections.

We normally block other ports and leave the ssh port open for remote access and remote login.

Regards,

Abdul Ahad.H
Dubai
 
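The thread ends with the poster deciding to tighten ssh, and the previous reply named weak passwords over ssh as the probable entry. As an added example, not code from the thread or from OpenSSH, the block below audits an sshd_config for the settings that make password guessing pay off, with a constructed permissive configuration beside a constructed hardened one. It also implements the sshd_config rule that catches many administrators: for a repeated keyword the first value wins, so a `PermitRootLogin no` appended to the bottom of a file that already says `yes` changes nothing. The defaults table is an assumption about an OpenSSH 3.x-era server and should be checked against sshd_config(5) for the installed version.

```python
"""Audit an sshd_config for the settings that made SSH brute-forcing pay off.

Added example, not from the forum thread and not OpenSSH's own code. It
implements two sshd_config rules: keywords are case-insensitive, and for a
repeated keyword the FIRST value wins, so a hardening line appended at the
bottom of the file does nothing. Both configurations below are constructed;
ASSUMED_DEFAULTS is an assumption about an OpenSSH 3.x-era sshd and should
be checked against sshd_config(5) for the version actually installed.
"""
import re

ASSUMED_DEFAULTS = {  # assumption: values sshd uses when the keyword is absent
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed: a stock-looking config where someone later appended
# 'PermitRootLogin no', which sshd ignores because the first line wins.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no

# added after the incident, but too late in the file to take effect
PermitRootLogin no
"""

# Constructed: keys only, no root logins, SSH-2 only, named accounts only.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers aahad admin
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-occurrence-wins rule.

    Only whole-line '#' comments are recognised, as in sshd itself. Parsing
    stops at the first 'Match' block because settings there are conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            cfg.setdefault(key, parts[1].strip())  # setdefault keeps the first value
    return cfg


def effective_settings(text):
    """Configured values (lower-cased) over the assumed defaults."""
    merged = dict(ASSUMED_DEFAULTS)
    merged.update({k: v.lower() for k, v in parse_sshd_config(text).items()})
    return merged


def audit(text):
    """Return (keyword, problem) findings; an empty list means nothing flagged."""
    cfg = effective_settings(text)
    findings = []
    if "1" in [p.strip() for p in cfg["protocol"].split(",")]:
        findings.append(("Protocol", "SSH-1 is enabled; set 'Protocol 2'"))
    if cfg["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", f"is '{cfg['permitrootlogin']}'; set 'no' and use su/sudo"))
    if cfg["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", "passwords can be guessed remotely; deploy keys, then set 'no'"))
    if cfg["permitemptypasswords"] != "no":
        findings.append(("PermitEmptyPasswords", "must be 'no'"))
    if not cfg["maxauthtries"].isdigit() or int(cfg["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", f"is {cfg['maxauthtries']}; 3 or fewer slows guessing"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers", "no AllowUsers/AllowGroups; every account is a login target"))
    return findings


if __name__ == "__main__":
    for keyword, problem in audit(WEAK_CONFIG):
        print(f"{keyword}: {problem}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Order of operations matters when applying the hardened settings over the only open port: install the public key and confirm a key-based login works from a second session before setting `PasswordAuthentication no`, otherwise the lockout is self-inflicted. `MaxAuthTries` only exists in newer OpenSSH releases than Red Hat 9 shipped, which is why the audit treats its default as an assumption; on a current server, `sshd -T` prints the effective configuration and is the authoritative check.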