LinuxQuestions.org
Old 08-24-2013, 05:38 AM   #16
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33


tbh, I thought anything but, only dealt with all but the MBR, sorry, my bad! (I'll look it up later, unless you have a link)

Quite right about the reply and spec.

Last edited by GlennsPref; 08-24-2013 at 05:40 AM. Reason: No Offence intended.
 
Old 08-24-2013, 01:36 PM   #17
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,141

Intrigued by unSpawn's comment that chkrootkit was old, I tried it on my Fedora Rawhide distribution (because that's what I am on right now), and, sure enough, I was told the /sbin/init was infected by suckIT.

On Fedora systems, and several other recent distributions, /sbin/init is just a symbolic link to /lib/systemd/systemd.

The "test" for a SuckIT infection of /sbin/init in the chkrootkit script is:
Code:
   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
         cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
      then
         echo "Warning: ${ROOTDIR}sbin/init INFECTED"
      else
         if [ -d ${ROOTDIR}/dev/.golf ]; then
            echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
         else
            if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
         fi
      fi
   fi
and (since systemd generates several scripts) we have:
Code:
$ strings /sbin/init | grep HOME
HOME=%s
XDG_CONFIG_HOME
XDG_DATA_HOME
So that test, on any system using systemd with init symlinked to it, will report a SuckIT infection of init.

<edit>
See my comment #21, below, about the basis of the suckit exploit.
</edit>

Last edited by PTrenholme; 08-24-2013 at 11:07 PM.
 
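An added example, not code from the thread or from chkrootkit, that rebuilds the quoted "Suckit" string heuristic against a constructed root tree and shows why resolving the sbin/init symlink first changes the picture. It assumes only POSIX sh, tr, grep, readlink and mktemp; the fixture binaries are constructed byte strings, not real executables, and the /proc/1/maps half of the chkrootkit test is left out because a temporary tree has no /proc.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit): the HOME-string heuristic
# versus the same evidence with the symlink target resolved. Everything runs
# under mktemp; the live system is never inspected.

# Poor man's strings(1): printable runs of 4+ characters, so the example does
# not depend on binutils being installed.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# The heuristic as the quoted chkrootkit excerpt applies it to a file:
# any HOME string inside sbin/init means "INFECTED".
chkrootkit_style_check() {
    init="$1/sbin/init"
    if [ -f "$init" ] && extract_strings "$init" | grep -q HOME; then
        echo INFECTED
    else
        echo clean
    fi
}

# One-level symlink resolution without readlink -f (POSIX readlink has no -f).
resolve_link() {
    target=$(readlink "$1") || { echo "$1"; return; }
    case "$target" in
        /*) echo "$target" ;;
        *)  echo "$(dirname "$1")/$target" ;;
    esac
}

# Same evidence, more context: report whether init is a link and where it
# points, so a HOME hit on a systemd link is followed up with package
# verification (rpm -V systemd, debsums, ...) rather than reported as a
# rootkit outright. Results:
#   clean            no HOME string in init
#   systemd-symlink  HOME string, but init -> .../systemd (verify the package)
#   suspect          HOME string in an init that is not the systemd link
classify_init() {
    init="$1/sbin/init"
    [ -f "$init" ] || { echo no-init; return; }
    if ! extract_strings "$init" | grep -q HOME; then
        echo clean; return
    fi
    target=$(resolve_link "$init")
    case "$(basename "$target")" in
        systemd) echo systemd-symlink ;;
        *)       echo suspect ;;
    esac
}

# Constructed fixtures (not real binaries). "systemd" mimics Fedora: sbin/init
# links to lib/systemd/systemd, whose strings include the HOME=%s and
# XDG_*_HOME names shown in the post. "sysvinit" is a plain init with no HOME
# string. "odd" is a regular-file init that does carry HOME.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/lib/systemd"
    case "$1" in
        systemd)
            printf '\177ELF\002\001HOME=%%s\001XDG_CONFIG_HOME\001XDG_DATA_HOME\001' \
                > "$root/lib/systemd/systemd"
            # relative link so the fixture stays inside the temp tree
            ln -s ../lib/systemd/systemd "$root/sbin/init" ;;
        sysvinit)
            printf '\177ELF\002\001/etc/inittab\001runlevel\001' > "$root/sbin/init" ;;
        odd)
            printf '\177ELF\002\001HOME=%%s\001' > "$root/sbin/init" ;;
    esac
    echo "$root"
}

# Stand-alone run: the raw heuristic and the contextual one, side by side.
for mode in systemd sysvinit odd; do
    r=$(make_fixture "$mode")
    printf '%-9s chkrootkit-style: %-9s contextual: %s\n' \
        "$mode" "$(chkrootkit_style_check "$r")" "$(classify_init "$r")"
    rm -rf "$r"
done
```

The "systemd" fixture reproduces the post's result: the string heuristic alone says INFECTED, while the contextual check only says the link points at a systemd binary that should be verified against the package database, which is the step a defender actually needs before calling it a rootkit.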
Old 08-24-2013, 02:36 PM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Quote:
Originally Posted by PTrenholme View Post
So that test, on any system using systemd with init symlinked to it, will report a SuckIT infection of init.
Thanks for clearing that up! I'll use your explanation as reference. Plus it kind of confirms RKH made the right choice back then not to grep for a single string...
 
Old 08-24-2013, 04:35 PM   #19
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
Unspawn

Thanks for the reply. I believe this machine was infected when I unwittingly moved infected files from Win7 partition to linux one. Hence the re-emergence. I don't think it was a new infection.

I ran chkrootkit using the Kali DVD as it was on the Kali DVD, but unfortunately rkhunter was not. I wanted to see if changes happened when I booted the linux partition or when I went on the internet from a fresh install. rkhunter reported nothing of interest when I later installed it. I did not make things very clear, I'm afraid, in my original post. When looked at from a live DVD, files like pagefile.sys and hiberfil.sys in Win7 would become executable when an infection was present. I may be a bit hypervigilant about Suckit.

I'm sorry I can't provide evidence, but it was happenstance, so just speculation. I don't want to try to reinfect this laptop! One thing I did differently this time round was encrypt the whole hard drive not just the home directory, after a fresh zeroing and reinstall. I did this TWICE. The encryption x 2 may have gotten rid of a Suckit encrypted binary. Some of the changes I find when an infection is present may just be peculiar to me eg: caps inversion, change from non-exe to .exe files in Windows, as the person I suspect is a programmer and contributes to Xubuntu.

Sorry for inconveniencing people, I just was trying to understand what had happened. But on this machine now it is all speculative. I'll try to run the tests requiring a reboot, but this machine is only working because of the overheating trick.

Noway2. This was on a basic reinstall, no wireshark or snort installed. Unsure about TCP dump.

Hey GlennsPref, another "Aussie", I also am living in Brisbane.

This is an ongoing saga as Unspawn knows. I could kick myself several times over this. I believe I unwillingly infected this beast from infected data on Win7. When I was using Win7 it was 'jailed' but when data copied to a linux partition => evil happens. Now I don't think it is infected as zeroing and more importantly encryption several times appears to have exorcised it.

I posted in an effort to find out if anything new had happened, such as a newer kernel or kernel patch that got rid of it. Just speculating at this stage, but after reading the above article, I think the encryption done at least twice got rid of the Suckit encrypted binary from wherever it was lurking on the hard drive. I can't provide evidence of infection on this machine as it appears to have been accidentally exorcised!

So hopefully now all this is behind me! Thanks again for the input everyone.

Last edited by mazinoz; 08-24-2013 at 04:37 PM.
 
Old 08-24-2013, 08:52 PM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Quote:
Originally Posted by mazinoz View Post
Sorry for inconveniencing people, I just was trying to understand what had happened. But on this machine now it is all speculative.
I suggest you print the last 3 or 4 threads and keep them with your computer. Next time you think something is amiss first notify us, post output of whatever is asked for and wait for a reply from somebody who has intimate knowledge of things. Lessons learned (or so I'd hope) and case closed.
 
Old 08-24-2013, 11:04 PM   #21
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,141

Still intrigued by the suckit rootkit, I looked at the description of the exploit in Phrack Magazine. The exploit relies on writing to /dev/kmem as "root" and, as far as I can see, the 3.11.0 kernel (as compiled by the Fedora team) does not have that device. So, even if the infection was "real," I'm not sure that it would be able to do anything.

I'm not intrigued enough to find a live suckit to analyze, but I wonder if any real infection has occurred since /dev/kmem was removed from the default /dev list.

Oh, I also wonder about the O.P.'s assertion that his infection was real with a vector from a Win 7 system, making *.exe files executable on his Linux system. AFAIK, the only way to run a Windows executable file is by using wine or qemu. Clearly a raw Windows executable (or script, for that matter) is extremely unlikely to execute on a Linux system, and, if by chance, it did run, it would be even less likely to run correctly.
 
Old 08-25-2013, 04:40 AM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Quote:
Originally Posted by PTrenholme View Post
(..) as far as I can see, the 3.11.0 kernel (as compiled by the Fedora team) does not have that device. So, even if the infection was "real," I'm not sure that it would be able to do anything.
Red Hat compiled kernels w/o /dev/kmem since 2004 / 2005, and the kernel devs phased /dev/kmem out somewhere around 2008 / 2009. Not being able to write to /dev/kmem closed one avenue but did not make unwanted memory ops impossible.


Quote:
Originally Posted by PTrenholme View Post
(..) I wonder if any real infection has occurred (..)
In the Linux Security forum we often tell members we work with facts and not fiction. Unfortunately that means a failure to share evidence only leads to speculation...
 
Old 08-25-2013, 05:40 PM   #23
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Original Poster
PTrenholme
I did not say that Windows files were the linux rootkit, just a symptom of activity by this particular hacker. The rootkit was present on linux-only installs. I never tried to run them from linux, as I had enough problems already! pagefile.sys was made executable. Sorry for any confusion.
 