Old 06-07-2006, 04:45 AM   #1
LQ Newbie
Registered: Jun 2006
Posts: 8

Rep: Reputation: 0
Chkroot scan - /sbin/init & /sbin/ifconfig INFECTED

I try to reboot my red hat 9.0 (using 'reboot' or 'init 6') and I couldn't do it. So I've made a scan with ./chkrootkit and it shows as result that /sbin/init/ and /sbin/ifconfig were infected. How could I fix it?

Old 06-07-2006, 05:01 AM   #2
Senior Member
Registered: Dec 2005
Location: Indiana
Distribution: RHEL/CentOS/SL 5 i386 and x86_64 pata for IDE in use
Posts: 4,790

Rep: Reputation: 57
Keep it off the Internet and restore from backup or re-install the packages from a safe boot (linux rescue or other system boot) and change the passwords.

What did you expect anyhow, RHL9 is old, not supported and has been EOL'd for over two years. Consider this a good opportunity to install a modern supported Linux OS; to keep with the Red Hat family try CentOS or Fedora Core.
Old 06-07-2006, 05:38 AM   #3
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 55
Format and reinstall a patched (recent or do it yourself) distro.
Old 06-07-2006, 05:41 AM   #4
Registered: May 2001
Posts: 29,390
Blog Entries: 55

Rep: Reputation: 3563
First of all welcome to LQ. I'm sorry to see it had to be on such a sad occasion.

Like the others said, you have been running a blisteringly old release of Red Hat. 6.x was not only superseded by the (rather good) 7.x series one millennium ago, but the 6 series are about the most exploited ever. I am not against running legacy versions, but you have to know exactly what you do and at least run 7.x because Fedora Legacy still has updates for that. Secondly, if you have problems it is more helpful, "better" to post exact errors and messages instead of approximations.

shows as result that /sbin/init/ and /sbin/ifconfig were infected.
As far as /sbin/init is concerned the most common corruptor (still?) is SuckIT.
As far as /sbin/ifconfig is concerned the most common corruptors are t0rnkit, tuxkit, like that, but to determine which one we would need to see the exact output from Chkrootkit.

Now rootkits can be cleaned up after, but more importantly (and most likely) they got hold of available login/passwd combos and any personal/company data. If this box is a private standalone, other systems you access should be informed and checked too. If this box is part of an institutional or company network you have to inform responsible IT personnel ASAP, preferably from another box.

If there is (depending on your situation) no IT personnel around you should do the following immediately if you have physical access to the box:
- shut down or power off the box or yank the power cable,
- only boot it again with a LiveCD like KNOPPIX to backup any human readable data (no binaries),
- normally we would make a bit-by-bit copy of the harddisk at this point before nuking it to investigate point of entry etc, etc, but by running 6.x that seems rather useless but you still may do so,
- completely wipe the harddrive. Then re-partition, re-format and re-install a (recent!) release of your O.S.
If the box is in colo, ask the colo people to handle backup, re-partition, re-format and re-installation of a recent release.
When done re-installing, make sure to change all login/passwords and properly harden your box. Check out the LQ FAQ: Security references, post #1 under Checklists, Securing and Hardening.

Frequently Answered Questions:
Can I avoid the three R's?

No you can not. Re-partitioning, re-formatting and re-installing is vital to restore trust here.

But I don't have a recent release of CentOS/RHEL/Fedora Core
You can get .iso images online or tacked to a Linux magazine.
Whatever you do DO NOT load O.S. releases that have reached their End Of Life.

Surely there is no need for speed?
Yes there is. As long as the box is "live" in its current corrupted state it is not only a threat to you but also to all of us.

What data should I backup?
It depends on what's there. Best is to stay with data that can be verified (by visual inspection or against a backup, or alike). Avoid system binaries: you won't need them anyway.

Any questions, just ask away.

Last edited by unSpawn; 06-07-2006 at 05:45 AM. Reason: //[0]have kbd, can't type. [1] mental lag.
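Added example (not from any post in this thread): two POSIX shell helpers for the preservation steps unSpawn lists above, run from a LiveCD such as KNOPPIX with the suspect disk mounted read-only. The mount point /mnt/suspect, the device name and the existence of a hash manifest taken from trusted install media for the same package versions are all assumptions; sha256sum and dd from coreutils are required.

```shell
#!/bin/sh
# Forensic helpers for a box whose /sbin/init and /sbin/ifconfig chkrootkit
# flagged. Run from a LiveCD; never from the compromised install itself.
# Assumed layout (not from the thread):
#   mount -o ro,noexec,nodev /dev/hda1 /mnt/suspect     # suspect root, read-only
#   /mnt/usb/rhl-sbin.sha256                            # manifest from trusted media

# image_disk SRC DST: bit-for-bit copy of SRC (a block device or file) to DST,
# keeping offsets on read errors (noerror,sync), then hashes both sides and
# succeeds only if they match. Prints the SHA-256 and stores it next to DST.
image_disk() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ] || return 1
    echo "$src_sum" > "$dst.sha256"
    echo "$src_sum"
}

# check_manifest MANIFEST ROOT: MANIFEST holds "sha256  /absolute/path" lines
# for known-good binaries; ROOT is the read-only mount of the suspect disk.
# Prints MODIFIED/MISSING lines and returns 1 if anything differs. The hashes
# must come from trusted media, not from rpm's database on the suspect disk,
# because a rootkit that replaced /sbin/init may have altered that too.
check_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Typical order on the real box (paths assumed): image first, verify second.
#   image_disk /dev/hda /mnt/usb/hda.img
#   check_manifest /mnt/usb/rhl-sbin.sha256 /mnt/suspect
```

A MODIFIED line for /sbin/init or /sbin/ifconfig confirms chkrootkit's finding against trusted hashes; the image and its .sha256 file are what you keep for any later investigation before the disk is wiped.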
Old 06-07-2006, 09:16 AM   #5
LQ Newbie
Registered: Jun 2006
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks for your help.
I'm using the box as proxy server only to access the internet. No data retrieved on it. I think that I will reinstall Debian on the box. That will be better.
Thanks & Regards

