Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all,
I have got SucKIT in sbin/init on my Linux server and I unload it by typing /sbin/init u, but it displays:
FUCK: Can't open /dev/kmem for read/write(2)
Why is that? Thanks for helping!
Errrrr, SucKIT is a rootkit. It replaces /sbin/init with its own binary that patches the kernel and then calls the original init (from a couple of minutes on Google).
You need to go into system recovery mode. Consider all your data, passwords, encryption keys, etc to be compromised.
Thanks for the reply first.
Yes, I've already entered rescue mode since the rootkit makes my Linux unable to boot up.
Then in rescue mode I typed the unload command and it displays the kmem error message.
Any other idea? Thanks very much.
Yes, I've already entered rescue mode
No, no rescue mode.
What you need to do first is understand that once the box is compromised it should not be used by anyone anymore. Then read and act on this: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html. Back up logs and disk contents for later perusal if necessary, back up data you can verify is OK, repartition, reformat, reinstall from scratch. If you cannot determine the point of the cracker's entry, do not use backups to restore the system, because then you cannot determine that the contents are "safe".
Yes, I know that I may have been hacked, but since I need to rerun the server normally to look for some information, what I want is to remove the SucKIT. I have searched a lot of information about that; most people can type the command "init -u" to remove it but I can't. What's the reason, or is there any other way to recover my server's normal run?
Thanks so much
You haven't "may be" been hacked -- you have been hacked! Basically SuckIT replaces part of your kernel with its own code. However, SuckIT is designed for older kernels and so it doesn't work quite right with newer ones which is why you see that error message.
If you restart your server, SuckIT will just restart. Your system security has been totally compromised. I don't think you understood the very good advice that unSpawn gave you above. You absolutely must not restart your server normally. You can't possibly know what the attacker did to it and operating the server normally is a danger to you and to others. If the attacker instructed the server to look for other machines on the net to attack, you could easily find yourself in deep trouble by allowing that to continue.
If you have data on the server you need to get off, boot off a known good environment, e.g. a LiveCD like Knoppix, mount your partitions, and copy off the data. You will need to examine this carefully to make sure that you're not inadvertently copying anything the cracker left behind. You might consider creating an image of the hard drive for use in later forensics. If you intend to pursue the matter criminally you should probably keep the original hard drive (take it out of the system and store it somewhere safe, doing any actual forensics on the image you made).
If you don't intend to pursue the matter criminally or do detailed forensics, you can just reformat and reinstall after copying your data off. This is absolutely vital -- you must reformat since you have no idea what all the attacker did to your system. Just cleaning up all the apparent damage is not good enough given that you have been root-compromised.
Under no circumstances should you operate the machine normally, especially connected to a network, until you have reformatted and reinstalled it. Seriously. Go read unSpawn's link. Then read it again, and a third time if need be.
No, my Linux is Red Hat Linux 6.1, so if SucKIT is designed for old kernels the command must work.
Actually I have run chkrootkit; sbin/init is the only infected item. So I want to remove it to rerun my server to see how my server operates, then I will not use it as a server again. I've tried to replace the init file with the one from the same version of Linux but it cannot run the init process at all. Any other opinion? Thanks all!
If you're running Red Hat 6.1 maybe your kernel is too old. Seriously, there is no excuse for having a system that old and unsupported connected to a network. RH 6.1 is old and unsupported. You're probably running a vulnerable, unpatched service, which is how you got compromised in the first place. Do yourself a favor and follow the advice given in this thread. Do not attempt to restore this system. Wipe the OS and upgrade it to a modern, supported distro (CentOS would be a good choice if you like Red Hat based systems).
Chkrootkit is a useful tool, but once you've been root compromised, particularly by a kernel mode root kit, you can no longer trust its results. The chkrootkit program uses standard *nix utilities like ls, netstat, etc. These programs could easily have been replaced by the attacker and thus are no longer to be trusted. If you boot off a Knoppix disk and use its binaries to run the scan you can trust the results more, but I still wouldn't lean too heavily on them. The only safe way to deal with this situation is a reformat and reinstall (of an up to date distro). Sorry, that's just the way it is and there's no way around it.
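The recovery advice in this thread (boot a trusted environment, image the disk, then check critical binaries against trusted copies instead of trusting chkrootkit run on the box) written out as a script. This is an added example, not something posted in the thread; every path, file and hash in it is constructed for the demo, and the mount options in the comments are the usual read-only ones, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): triage a compromised disk from a
# known-good live environment, never from the compromised OS itself.
# Assumed layout: the suspect root is mounted read-only somewhere (for a real
# disk: mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/suspect) and a trusted
# copy of the same distro's binaries is unpacked under a reference directory.

# Copy a device (or file) bit-for-bit with dd, record the image's SHA-256,
# then confirm the image hashes identically to the source. On a failing disk
# add conv=noerror,sync (zero-fills unreadable blocks, may pad the last one).
image_and_hash() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_sum" "$img" > "$img.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# Compare critical binaries on the suspect root against the trusted copies.
# Prints OK / MODIFIED / MISSING per file; returns 1 if anything is not OK.
# This is the check chkrootkit cannot be trusted to do on the box itself,
# because it relies on the box's own ls, netstat, etc.
verify_binaries() {
    suspect=$1; ref=$2; shift 2; bad=0
    for f in "$@"; do
        if [ ! -f "$suspect/$f" ]; then
            printf 'MISSING  %s\n' "$f"; bad=1; continue
        fi
        s=$(sha256sum "$suspect/$f" | cut -d' ' -f1)
        r=$(sha256sum "$ref/$f" | cut -d' ' -f1)
        if [ "$s" = "$r" ]; then printf 'OK       %s\n' "$f"
        else printf 'MODIFIED %s\n' "$f"; bad=1; fi
    done
    return $bad
}

# Constructed demo: a fake reference tree and a fake suspect root whose
# sbin/init has been replaced (as SucKIT does) and whose netstat is gone.
build_demo() {
    d=$(mktemp -d); mkdir -p "$d/ref/sbin" "$d/ref/bin" "$d/sus/sbin" "$d/sus/bin"
    printf 'real init\n' > "$d/ref/sbin/init"; printf 'trojan\n' > "$d/sus/sbin/init"
    printf 'real ls\n' > "$d/ref/bin/ls";       printf 'real ls\n' > "$d/sus/bin/ls"
    printf 'real netstat\n' > "$d/ref/bin/netstat"
    echo "$d"
}

DEMO=$(build_demo)
image_and_hash "$DEMO/sus/sbin/init" "$DEMO/init.img" && echo "image verified"
verify_binaries "$DEMO/sus" "$DEMO/ref" sbin/init bin/ls bin/netstat || echo "suspect root differs from reference"
```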
Alternatively I am considering buying Norton Antivirus to remove all the viruses.
Either you do not fully understand the situation you're in or you do not *want* to understand.
As moderator I have to take drastic steps to make it clear to you that you cannot continue this way: Now hear this CFB: what you are going to do is reread the advice already given and act on it. Don't try to think up any alternatives, don't try to weasel your way out of it and don't wait any longer. If you have questions about advice given: ask here. As far as I'm concerned all other questions by you are out of bounds until you have resolved the situation in a way that is satisfactory for not only you but for us as well.