Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
08-01-2007, 08:52 AM
|
#1
|
Member
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36
Rep:
|
Compromised Slackware 9.1
Hi folks,
I found (using rkhunter) that the SuckIT rootkit had been applied to one of my older machines, running Slackware 9.1. I've removed all traces that I can find, but it seems that:
/sbin/init
/sbin/file
are not from the original distro. Hashes don't match and I'm thinking that they need to be restored to their original install state.
Does anyone know where I can obtain these?
Thanks in advance for any/all comments.
Regards,
~Ray
|
|
|
08-01-2007, 10:25 AM
|
#2
|
LQ Newbie
Registered: Oct 2006
Location: Poland
Posts: 5
Rep:
|
Look at http://packages.slackware.it/browse.....1/slackware/a . Init program should be in sysvinit-2.84-i486-36.tgz package. But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
|
|
|
08-01-2007, 10:29 AM
|
#3
|
Member
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36
Original Poster
Rep:
|
achu,
Thank you! Thank you!
This is exactly what I was hoping to find.
Best regards,
~Ray
|
|
|
08-01-2007, 10:40 AM
|
#4
|
Member
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36
Original Poster
Rep:
|
Quote:
Originally Posted by achu
Look at http://packages.slackware.it/browse.....1/slackware/a . Init program should be in sysvinit-2.84-i486-36.tgz package. But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
|
I'm making the (hopefully right) assumption that in the sysvinit-2.84.i486.tgz package, I'll be using the file called init.new as init on my system. Does that sound right?
~R
|
|
|
08-01-2007, 10:43 AM
|
#5
|
Member
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36
Original Poster
Rep:
|
Quote:
Originally Posted by achu
<snipped>But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
|
my bad...'file' was in /usr/bin/
~R
|
|
|
08-01-2007, 10:49 AM
|
#6
|
LQ Newbie
Registered: Oct 2006
Location: Poland
Posts: 5
Rep:
|
Yes, installation script will move /sbin/init.new to /sbin/init.
|
|
|
08-01-2007, 11:14 AM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Achu, that's some seriously ill advice. If you never handled incidents like this please let somebody who does know handle it. If both of you would have searched this forum you would have found more than enough threads handling incidents. None of them talk about overwriting binaries with sane copies.
There's simple procedures for determining and recovering from a compromise. Thoroughly verifying the integrity of your system should be your first task, followed by finding out how the box got compromised. Restoring packages before doing any of that can and will destroy "evidence". Read these, act on them and then ask:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
|
|
|
08-01-2007, 11:23 AM
|
#8
|
Member
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36
Original Poster
Rep:
|
Thank you for the links. I have not overwritten anything and won't until I've a full understanding of what's happened. I do appreciate all the input!
Regards,
~Ray
|
|
|
All times are GMT -5. The time now is 09:46 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|