Old 07-18-2009, 10:30 PM   #1
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Rep: Reputation: 32
SucKit removal.


After SucKit was installed on my laptop, I have zeroed the drive, repartitioned and formatted and reloaded Lenny. While rkhunter and chkrootkit gave clean results, and BEFORE using this system on the internet, I fairly quickly get a message in rkhunter log that I 'Should check this system as it may be infected'. I have used my original Lenny DVD and a Linux Magazine DVD with same result. Restoring freshly downloaded files that I have md5sum checked from packages.debian.org using an Ubuntu 8.10 live DVD with an unmounted encrypted hdd. Unencrypted drive had been mounted and attacked in a prior reinstallation attempt while using Ubuntu 8.10 live DVD.

I have zeroed and repartitioned USB sticks as well and formatted as a FAT drive. I have also copied files to a DVD and reinstalled from there.

During the first recognised attempt I noticed that files with the ending .png.png had been added to my home directory under /?/thumbnails/fail directory (working from memory on this), and there were similar entries in .wine, which I now no longer use. If I use the menu Logout then select 'Menu' which is on the login screen and then select Shutdown it brings up an image that belonged to a SuSE installation and is not part of Debian in any way. It again asks me if I want to shutdown.

As far as I know I have attempted to avoid reinfection. If I log on to the internet using scripts I have written and checked myself and using firewall 'firestarter' the firewall is turned off in seconds.

I am now using live Ubuntu 8.10. My question is this. Should I change network card on the laptop and shoot a hole in the hard drive and attach a band and use it as cat toy?
 
Old 07-18-2009, 11:03 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,608

Rep: Reputation: 517
Uhm.. suckit is a kernel rootkit.. if you've reformatted the drive it's gone. It's not like it LIVES IN TEH RAMMMM or can WITHSTAND A ZEROIGN1#!#!@!!1one!
 
Old 07-18-2009, 11:07 PM   #3
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Quote:
Originally Posted by mazinoz View Post
I am now using live Ubuntu 8.10. My question is this. Should I change network card on the laptop and shoot a hole in the hard drive and attach a band and use it as cat toy?
The Symantec web site says that you may be able to recover the use of your computer.

http://www.symantec.com/security_res...333-99&tabid=3

I believe that I would boot the Ubuntu live CD, open a terminal window, and use the shred utility to wipe the disk drive. The following is an example. The example will use shred to wipe a disk drive that Linux calls /dev/sda.
Code:
shred /dev/sda
The shred program will copy random data to every storage location on the disk. Shred will take a full day or more to finish so start the shred process and then put the machine aside for about a day.

Once shred has finished it will have messed up the structure of your partition table. You can use cfdisk to create a nice partition table that any OS will be happy to use. Note that the same thing cannot be said about fdisk, or so I have recently read.

If you have the time and resources then shred all of those USB sticks that you mentioned.

If the Ubuntu live CD doesn't have the shred utility then it will almost certainly have the wipe utility. I've heard that wipe will do as good a job as shred. I've never used wipe. I use shred often as part of a long process to prepare failed disks from my clients for disposal.
 
Old 07-19-2009, 02:46 AM   #4
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
Rep: Reputation: 32
SucKit / Rasputin type problem

Thanks everyone, I will read and reply later as my firewall was just turned off, even though I just changed root password.

When using Ubuntu it appears my rkhunter logs were edited and not logging results properly now. Resorted to attached screen prints. Then again maybe I am just being paranoid.

The screen prints are of the results of a manual rkhunter --checkall. Have never seen the output about language problems before.

Cheers
 
Old 07-19-2009, 06:00 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by mazinoz View Post
After SucKit was installed on my laptop, I have zeroed the drive, repartitioned and formatted and reloaded Lenny. While rkhunter and chkrootkit gave clean results, and BEFORE using this system on the internet, I fairly quickly get a message in rkhunter log that I 'Should check this system as it may be infected'.
As AlucardZero has said, if you've zeroed out and reformatted the computer's hard disk it is not possible to get the LKM loaded from there. You should aim to understand how to run Rootkit Hunter before using it and at least know that the meaning of the 'Should check this system as it may be infected' (email) warning can only be understood by reviewing the warnings in the rkhunter.log. In general you should also understand that talking about errors is not as helpful (for you and us) as actually posting complete log lines or errors.



Quote:
Originally Posted by stress_junkie View Post
The Symantec web site says that you may be able to recover the use of your computer.
Please do not offer that kind of "recovery" information until you have 0) assessed there actually is a rootkit loaded, 1) have supported the user in finding out how it got there and 2) are certain this would be the right course of action.
Thanks for understanding.
 
Old 07-19-2009, 07:16 AM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Quote:
Originally Posted by unSpawn View Post
Please do not offer that kind of "recovery" information until you have 0) assessed there actually is a rootkit loaded, 1) have supported the user in finding out how it got there and 2) are certain this would be the right course of action.
Thanks for understanding.
I have to believe that you quoted the wrong lines in my post because there is nothing there to criticize as far as I can see. The Symantec web site reference was a response to the OP asking if the computer could ever be useful again.

If you are referring to my suggestion that he use shred on the disk drive then please note that the OP had said that he had already 'zeroed' the drive. Whatever method was used was not stated. If he simply 'zeroed' a partition then there is a chance that a boot sector virus had survived. Using shred would take care of this.

I very much doubt if any of us can determine if the OP really has/had a Linux virus. The OP has attempted and failed to post output from rkhunter.

Attempting to determine how a virus that may or may not exist got onto the computer is a truly glorious quest but I don't believe that it is likely to be fruitful. How do you propose to do that?

I think it is strange that you criticized my post but only refer to AlucardZero's post in positive terms. AlucardZero's post is weird and inaccurate. (Refer to my boot sector virus assertion above.)

Whatever.

I will step back and watch how it should be done, which I presume will be demonstrated by yourself.

Last edited by stress_junkie; 07-19-2009 at 07:25 AM.
 
Old 07-19-2009, 07:06 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
The short answer is that I am merely pointing out that in handling this type of incident it is good to be methodical and to use a structured approach. By all means let me know if you'd rather have the long answer instead.
 
Old 07-19-2009, 08:19 PM   #8
chigurh8
Member
 
Registered: Jul 2009
Distribution: Ubuntu, Gentoo
Posts: 102

Rep: Reputation: 18
Quote:
Thanks everyone, I will read and reply later as my firewall was just turned off, even though I just changed root password.

When using Ubuntu it appears my rkhunter logs were edited and not logging results properly now. Resorted to attached screen prints. Then again maybe I am just being paranoid.

The screen prints are of the results of a manual rkhunter --checkall. Have never seen the output about language problems before.
I might be very confused here ... When and how did you supposedly install SucKit or Rasputin or whatever?
What I understand of this thread doesn't make any sense.

Last edited by chigurh8; 07-19-2009 at 10:02 PM.
 
Old 07-19-2009, 08:36 PM   #9
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Quote:
Originally Posted by chigurh8 View Post
I might be very confused here ... When and how did you supposedly install SucKit or Rasputin or whatever?
What I've read of this thread doesn't make any sense.
I think the OP is either shredding the data on his disk drive or he is laughing heartily at the conversation. Or both. Hence his lack of response lately.

The thread started after the OP had already determined via rkhunter that his system had a virus. The OP never said how the virus, if it ever existed, got into his system. The OP had already tried zeroing his disk drive, whatever that really means, and reinstalling Linux to get rid of the virus. That's where #1 started.

The OP said in #1 that his efforts to get rid of this virus had apparently been unsuccessful.

Alucard Zero said that zeroing the hard drive, whatever that means, should have gotten rid of the virus, if it ever existed at all.

I suggested using shred on the entire spindle, not just on a partition. This was because I don't know what the OP meant by saying that he zeroed his disk drive so I just figured I'd suggest something that would definitely destroy all of the data on the disk including the MBR.

Unspawn suggested that it made more sense to diagnose the problem before recommending a solution.

And here we are. We're waiting for the OP to return with news of his system. I hope that clears things up for you.

Last edited by stress_junkie; 07-19-2009 at 08:43 PM.
 
Old 07-19-2009, 08:51 PM   #10
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
Rep: Reputation: 32
SucKit removal

Sorry for the accidental double-posting, bothered a bit by firewall/trojan problem.

Alucard, I don't know whether you are being sarcastic or are just asinine. SucKit is not an LKM but has to do with /dev/kmem access. If you have something useful to say go ahead. Reference article -"Linux on the fly kernel patching without LKM" issue 58.

Thank you stress-junkie for your efforts. What I am trying to determine is if there is a hidden sector on the drive that I am unable to zero, using dd if=/dev/zero of=/dev/sda (or whatever refers to hdd).

Alternatively, is there a way I can purge /dev/kmem?

I have just found an article that refers to kernel patching the Debian kernel to prevent this and will do this on the next reinstall. 'Hardening the kernel with GRSecurity' I will use shred or wipe as suggested by stress-junkie.

My reason for believing there is still a problem is the turning off of the firewall and skdet finding a variety of unidentified open ports. Unhide brute also finds hidden processes. Then there is the image from a long ago SuSE installation that comes up if I shutdown via Kmenu, logoff, bottom Menu, shutdown.

I am not a kernel expert but someone who has just started learning Debian, and what they do and don't do for you. I understand Fedora has patched this problem some time back.

Unspawn, my apologies, I was a bit impatient with earlier uploads. I have attempted to upload again but could only do this by truncating rkhunter.log file. I noticed there is now a new message about anacron. Similarly for mail log. I found it difficult as well because I was using a live CD and hard drive was encrypted and I couldn't mount it in Ubuntu. The message about the infection was in the mail log.

I will now proceed to zero and shred and double check log off problem from the fresh install. Will then install security and other applications.

Cheers and thanks
Attached Images
File Type: png Hidden PIDs-2.png (130.6 KB, 11 views)
Attached Files
File Type: txt rkhunter.txt (211.2 KB, 10 views)
File Type: txt annie.txt (52.3 KB, 7 views)

Last edited by mazinoz; 07-19-2009 at 08:54 PM. Reason: Can't attach file
 
Old 07-19-2009, 08:55 PM   #11
chigurh8
Member
 
Registered: Jul 2009
Distribution: Ubuntu, Gentoo
Posts: 102

Rep: Reputation: 18
I don't really understand, so I edited my post here, but I would think you would have to ... what? Have an installation CD that is clean - a CD-RW, install, get a virus/rootkit/trojan/whatever else, then have the CD-RW in, then they infected that also without you knowing ... If you're using more than one installation CD more than once. Unless you downloaded a Live CD with a virus/rootkit/trojan/whatever else in it, then I'd imagine someone would know about it ... and if it's not the installation CD, then if you completely wiped out your hard disk and did a fresh, complete installation you wouldn't have it any more ... I don't know what the odds are of downloading more than one installation CD with a rootkit or anything on them ...
I edited the rest of what I posted here because I think I don't know enough about it ...
I also apologize if I seem to be dismissing your posts, I'm just sleepy and wasn't sure what to post, and thought maybe adding something would help in some way ...

Last edited by chigurh8; 07-20-2009 at 01:04 AM.
 
Old 07-19-2009, 11:13 PM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
http://www.linux.org/news/2005/11/17/0001.html

From the article you referenced:
"a full-featured linux-ia32 rootkit, an example/tool, which implements all the techinques described here."

You installed a rootkit for "abusing the Linux kernel (syscalls mostly) without help of module support or System.map", to quote again from the article.

Using a rootkit intentionally, of course RK hunter will set off alarms.

The legitimate method of patching a live kernel without rebooting afterwards is to use ksplice.

Quote:
I have also copied files to a DVD and reinstalled from there.
This is very confusing. What files did you copy to the DVD? From the system you intentionally infected? After zeroing out your drive (from a live distro), perform a fresh install from an install disc. Check the md5sum of the disc against the one posted on the website it was downloaded from.

The rkhunter.txt file is truncated just before the section where it reports any root kit files.
Is this how it is on your system? Or did you truncate it yourself there as mentioned in post #10? You did mention that the rkhunter log looked edited. The part not shown is the part of most interest.

Last edited by jschiwal; 07-20-2009 at 12:13 AM. Reason: added ksplice info.
 
Old 07-20-2009, 01:04 AM   #13
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
Rep: Reputation: 32
SucKit problem.

Dear Chigurh8

I have tried installing Lenny onto a zeroed drive using a magazine supplied DVD. Used a Lenny DVD I had downloaded myself on a re-zeroed drive. Installed some security programs that I had downloaded from debian packages site after I had chksummed them as ok, but fairly soon in both installations, the security programs reported problems, and an image from a long ago installation of SuSE, popped up. Hence the questions. Rootkits often hide on the hard drive. As a last resort I installed Windows XP hoping it may be useful for wiping away data. It actually found my Windows XP computer name in spite of the drive having been zeroed, formatted in linux many times. I used gparted and dd to do this.

The Rasputin mention is a reference to an evil Russian priest who had been poisoned, stabbed, etc but refused to die despite all of these and more efforts. I recall there even was a pop song written about him. Just thought most people would know about the allusion. Obviously not.

My apologies for any confusion but your post and others were not present when I made my previous reply.
 
Old 07-20-2009, 01:29 AM   #14
chigurh8
Member
 
Registered: Jul 2009
Distribution: Ubuntu, Gentoo
Posts: 102

Rep: Reputation: 18
I also edited my post to apologize if I sounded like I was dismissing it, that's why I added that I didn't really know enough to post too much ...
I don't know too much about security, I just know the odds of downloading a Live CD or installation CD of any kind that are infected are probably pretty bad from almost any source, and added that I basically agreed with the other posts, that it's questionable ...
I don't know too much, I just have tripwire and antivirus and firewall ... I've been reading.
I also edited to say "what I understand of this thread" didn't make sense, to correct the way I phrased it.

Last edited by chigurh8; 07-20-2009 at 01:46 AM.
 
Old 07-20-2009, 01:36 AM   #15
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
Rep: Reputation: 32
SucKit refuses to die problem.

Dear jschiwal

"After zeroing out your drive (from a live distro), perform a fresh install from an install disc. Check the md5sum of the disc against the one posted on the website it was downloaded from".

What I said was I had done what you suggested TWICE, once using a Linux magazine DVD and then rezeroed and used a DVD I had downloaded. Yet the SucKit rootkit keeps alive. I don't know why you would think I had infected my own computer deliberately. I stated I had tried to avoid doing this in every way possible, yet it still lives on, along with a file from a very long ago SuSE install and a Windows install.

In other words, writing zero to the hard drive DID NOT appear adequate. dd only said it had written zeroes to my 80Gb drive, not exactly how many mb it had written. There could still be a hidden part of the hard drive it didn't touch, hence these files survived. The files I copied to a DVD (read only) medium were checksummed as ok, security applications, such as rkhunter etc. That way they could not be affected by the rootkit.

Re: the rkhunter.log. I believe it was truncated by whoever was accessing my computer, and I truncated it myself in order for it to be small enough to be uploaded. There are still several interesting messages in what I did upload, and what had been deleted by hacker were as far as I can remember once again reported in a later part of the log that I uploaded anyway. So you didn't miss anything. BTW, how would you know if what was deleted by hacker or myself WAS the very bit you were interested in? Think you might be having a gratuitous shot there.

I am stumped because all of the usual advice given about dealing with rootkits isn't working in this case, hence the LQ question.

Cheers
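Reading a zeroed drive back, as an added example not written by anyone in this thread: dd's summary line reports blocks moved, not whether every byte of the device now reads as zero, so this script zeroes a target and then counts the non-zero bytes left. It assumes GNU coreutils (dd, tr, wc) and util-linux blockdev, and its built-in demo runs on a constructed temporary image file rather than a real disk.

```shell
#!/bin/sh
# Added example (not from the thread). Zero a whole device or image, then read
# every byte back and confirm it is 0x00. Point it at a real device (the whole
# spindle, e.g. /dev/sda, not a partition) only as root and only after checking
# the device name; with no argument it runs a demo on a temporary image file.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Number of bytes in the target that are NOT 0x00. tr -d strips every NUL byte,
# so whatever reaches wc is exactly the non-zero residue; 0 means fully zeroed.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite the whole target with zeros, including any tail shorter than 512
# bytes. dd's own report only says how many blocks it moved; verify afterwards.
# On a real device add conv=fsync so dd flushes before it reports completion.
zero_target() {
    size=$(target_size "$1")
    rest=$((size % 512))
    dd if=/dev/zero of="$1" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null || return 1
    [ "$rest" -eq 0 ] || dd if=/dev/zero of="$1" bs=1 seek=$((size - rest)) count="$rest" conv=notrunc 2>/dev/null
}

# Zero, then verify by reading back. Prints "OK <bytes checked>" on success or
# "FAIL <nonzero bytes> of <bytes checked>" and returns 1 otherwise.
zero_and_verify() {
    zero_target "$1" || return 1
    size=$(target_size "$1")
    bad=$(nonzero_bytes "$1")
    if [ "$bad" -eq 0 ]; then
        echo "OK $size"
    else
        echo "FAIL $bad of $size"
        return 1
    fi
}

# Demo on a constructed 1 MiB image filled with pseudo-random bytes, so the
# read-back check has real non-zero data to detect before the wipe.
demo() {
    img=$(mktemp) || return 1
    dd if=/dev/urandom of="$img" bs=512 count=2048 2>/dev/null
    before=$(nonzero_bytes "$img")
    result=$(zero_and_verify "$img")
    rc=$?
    rm -f "$img"
    echo "nonzero bytes before wipe: $before; after wipe: $result"
    return $rc
}

if [ $# -gt 0 ]; then
    zero_and_verify "$1"
else
    demo
fi
```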
 
  

