LinuxQuestions.org
Old 12-01-2006, 02:19 AM   #1
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Rep: Reputation: 15
unload suckit problem


Hi all,
I have got suckit in sbin/init in my Linux server and I unload it by typing /sbin/init u, but it displays:
FUCK: Can't open /dev/kmem for read/write(2)
Why is that? Thanks for helping!
 
Old 12-01-2006, 02:56 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Errrrr, SucKIT is a rootkit. It replaces /sbin/init with its own binary that patches the kernel and then calls the original init (from a couple minutes on Google).

You need to go into system recovery mode. Consider all your data, passwords, encryption keys, etc to be compromised.
 
Old 12-01-2006, 03:06 AM   #3
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Re:

Thanks for the reply first.
Yes, I've already entered rescue mode since the rootkit makes my Linux unable to boot up.
Then in rescue mode I type the unload command and it displays the kmem error message.
Any other idea? Thanks very much.
 
Old 12-01-2006, 04:32 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Yes I've already entered rescue mode
No, no rescue mode.

What you need to do first is understand that once the box is compromised it should not be used by anyone anymore. Then read and act on this: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html. Back up logs and disk contents for later perusal if necessary, back up data you can verify is OK, repartition, reformat, reinstall from scratch. If you cannot determine the point of the cracker's entry, do not use backups to restore the system because then you cannot determine the contents are "safe".
 
Old 12-03-2006, 04:04 AM   #5
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Yes, I know that I may be hacked, but since I need to rerun the server normally to look for some information, what I want is to remove the suckit. I have searched a lot of information about that; most people can type the command "init -u" to remove it but I can't. What's the reason, or is there any other way to recover my server's normal run?
Thanks so much.
 
Old 12-03-2006, 04:20 AM   #6
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
You haven't "may be" been hacked -- you have been hacked! Basically SuckIT replaces part of your kernel with its own code. However, SuckIT is designed for older kernels and so it doesn't work quite right with newer ones which is why you see that error message.

If you restart your server, SuckIT will just restart. Your system security has been totally compromised. I don't think you understood the very good advice that unSpawn gave you above. You absolutely must not restart your server normally. You can't possibly know what the attacker did to it and operating the server normally is a danger to you and to others. If the attacker instructed the server to look for other machines on the net to attack, you could easily find yourself in deep trouble by allowing that to continue.

If you have data on the server you need to get off, boot off a known good environment, e.g. a LiveCD like Knoppix, mount your partitions, and copy off the data. You will need to examine this carefully to make sure that you're not inadvertently copying anything the cracker left behind. You might consider creating an image of the hard drive for use in later forensics. If you intend to pursue the matter criminally you should probably keep the original hard drive (take it out of the system and store it somewhere safe, doing any actual forensics on the image you made).

If you don't intend to pursue the matter criminally or do detailed forensics, you can just reformat and reinstall after copying your data off. This is absolutely vital -- you must reformat since you have no idea what all the attacker did to your system. Just cleaning up all the apparent damage is not good enough given that you have been root-compromised.

Under no circumstances should you operate the machine normally, especially connected to a network, until you have reformatted and reinstalled it. Seriously. Go read unSpawn's link. Then read it again, and a third time if need be.
 
Old 12-03-2006, 04:59 AM   #7
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
No, my Linux is Red Hat Linux 6.1, so if suckit is designed for old kernels the command must work.
Actually I have run chkrootkit, and sbin/init is the only infected item. So I want to remove it to rerun my server to see how my server operates, then I will not use it as a server again. I've tried to replace the init file with the same version of Linux but it cannot run the init process totally. Any other opinion? Thanks all!
 
Old 12-03-2006, 05:08 AM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
If you're running Red Hat 6.1 maybe your kernel is too old. Seriously, there is no excuse for having a system that old and unsupported connected to a network. RH 6.1 is old and unsupported. You're probably running a vulnerable, unpatched service which is how you got compromised in the first place. Do yourself a favor and follow the advice given in this thread. Do not attempt to restore this system. Wipe the OS and upgrade it to a modern, supported distro (CentOS would be a good choice if you like Red Hat based systems).

Chkrootkit is a useful tool, but once you've been root compromised, particularly by a kernel mode root kit, you can no longer trust its results. The chkrootkit program uses standard *nix utilities like ls, netstat, etc. These programs could easily have been replaced by the attacker and thus are no longer to be trusted. If you boot off a Knoppix disk and use its binaries to run the scan you can trust the results more, but I still wouldn't lean too heavily on them. The only safe way to deal with this situation is a reformat and reinstall (of an up to date distro). Sorry, that's just the way it is and there's no way around it.
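
Added example, not part of the original thread or of any poster's message: one way to check files on the mounted suspect root from a trusted live CD, as the post above describes, by comparing them with a known-good SHA-256 manifest instead of relying on the installed system's own tools. The function names, the manifest format and the demo trees are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Run it from a trusted live environment, not the suspect system.
# Manifest lines look like "<sha256>  <path relative to root>", for instance
# `sha256sum` output taken over a reference tree from the original install media.

report() { printf '%-8s %s\n' "$1" "$2"; }

# verify_offline_root MOUNTPOINT MANIFEST
# Prints one status line per manifest entry; returns 0 only if all are OK.
verify_offline_root() {
    root=$1; manifest=$2; bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue
        target="$root/$rel"
        if [ -L "$target" ]; then
            # An absolute symlink would resolve against the live CD's root,
            # so hashing through it would check the wrong file.
            report SYMLINK "$rel"; bad=$((bad + 1))
        elif [ ! -f "$target" ]; then
            report MISSING "$rel"; bad=$((bad + 1))
        elif [ "$(sha256sum < "$target" | cut -d' ' -f1)" = "$want" ]; then
            report OK "$rel"
        else
            report MISMATCH "$rel"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Constructed demo: a reference tree and a suspect tree whose sbin/init differs.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/sbin" "$tmp/ref/bin" "$tmp/suspect/sbin" "$tmp/suspect/bin"
    echo "original init" > "$tmp/ref/sbin/init"
    echo "original ls" > "$tmp/ref/bin/ls"
    echo "replaced init" > "$tmp/suspect/sbin/init"
    echo "original ls" > "$tmp/suspect/bin/ls"
    (cd "$tmp/ref" && sha256sum sbin/init bin/ls) > "$tmp/manifest"
    rc=0
    verify_offline_root "$tmp/suspect" "$tmp/manifest" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "demo: suspect tree does not match the reference manifest"
```

A clean result only shows that the listed files match the reference; as the thread says, it does not make a root-compromised system trustworthy again.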
 
Old 12-03-2006, 05:28 AM   #9
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks once more for your reply.
Alternatively I consider buying Norton Antivirus to remove all the virus. Do you think it works?
 
Old 12-03-2006, 07:27 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
alternatively i consider buying norton antivirus to remove all the virus.
Either you do not fully understand the situation you're in or you do not *want* to understand.


As moderator I have to take drastic steps to make it clear to you you can not continue this way:
Now hear this CFB: what you are going to do is reread the advice already given and act on it. Don't try to think up any alternatives, don't try to weasel your way out of it and don't wait any longer. If you have questions about advice given: ask here. As far as I'm concerned all other questions by you are out of bounds until you have resolved the situation in a way that is satisfactory for not only you but for us as well.


Read, understand, act. NOW
 
  


All times are GMT -5. The time now is 12:49 PM.
