LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-01-2007, 08:52 AM   #1
rsleventhal
Member
 
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Rep: Reputation: 15
Compromised Slackware 9.1


Hi folks,

I found (using rkhunter) that the SuckIT rootkit had been applied to one of my older machines, running Slackware 9.1. I've removed all traces that I can find, but it seems that:

/sbin/init
/sbin/file

are not from the original distro. Hashes don't match and I'm thinking that they need to be restored to their original install state.

Does anyone know where I can obtain these?

Thanks in advance for any/all comments.

Regards,
~Ray
 
Old 08-01-2007, 10:25 AM   #2
achu
LQ Newbie
 
Registered: Oct 2006
Location: Poland
Posts: 5

Rep: Reputation: 0
Look at http://packages.slackware.it/browse.....1/slackware/a . Init program should be in sysvinit-2.84-i486-36.tgz package. But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
 
Old 08-01-2007, 10:29 AM   #3
rsleventhal
Member
 
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Original Poster
Rep: Reputation: 15
Talking

achu,

Thank you! Thank you!

This is exactly what I was hoping to find.

Best regards,
~Ray
 
Old 08-01-2007, 10:40 AM   #4
rsleventhal
Member
 
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by achu
Look at http://packages.slackware.it/browse.....1/slackware/a . Init program should be in sysvinit-2.84-i486-36.tgz package. But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
I'm making the (hopefully right) assumption that in the sysvinit-2.84.i486.tgz package, I'll be using the file called init.new as init on my system. Does that sound right?

~R
 
Old 08-01-2007, 10:43 AM   #5
rsleventhal
Member
 
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by achu
<snipped>But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
my bad...'file' was in /usr/bin/

~R
 
Old 08-01-2007, 10:49 AM   #6
achu
LQ Newbie
 
Registered: Oct 2006
Location: Poland
Posts: 5

Rep: Reputation: 0
Yes, installation script will move /sbin/init.new to /sbin/init.
 
Old 08-01-2007, 11:14 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Achu, that's some seriously ill advice. If you never handled incidents like this please let somebody who does know handle it. If both of you would have searched this forum you would have found more than enough threads handling incidents. None of them talk about overwriting binaries with sane copies.

There's simple procedures for determining and recovering from a compromise. Thoroughly verifying the integrity of your system should be your first task, followed by finding out how the box got compromised. Restoring packages before doing any of that can and will destroy "evidence". Read these, act on them and then ask:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
 
Old 08-01-2007, 11:23 AM   #8
rsleventhal
Member
 
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Original Poster
Rep: Reputation: 15
Thank you for the links. I have not overwritten anything and won't until I've a full understanding of what's happened. I do appreciate all the input!

Regards,
~Ray
 
  


Reply

Tags
files, hack, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Compromised? Jukas Linux - Security 6 12-06-2006 07:16 PM
Compromised ? ./2[1].6.12 DaveQB Linux - Security 4 10-10-2006 06:47 PM
Compromised??? redice Linux - Security 5 02-25-2006 01:14 PM
Compromised? I can't tell. Chuck23 Linux - Security 11 02-15-2005 07:33 AM
Am I compromised? dripter Linux - Security 5 01-27-2004 12:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:46 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration