OSSEC says "Suckit" rootkit possibly detected
Hi,
I am running Ubuntu 9.10 desktop on a Dell Inspiron E1505. OSSEC is hitting on a possibly trojaned file. The alert is: Quote:
So does anyone have any ideas as to whether I can confirm that there is or is not an infection? And if there is an infection, how can I remedy this problem?
I got it fixed. I just backed everything up and did a clean re-install. It seemed like the only way to make sure the job really got done right.
I kind of doubt it...
* Read The Signs - An attack will often be preceded by reconnaissance. This means that reading logs and filtering for signs of potentially malicious network activity serves as an Early Warning system. Add passive and active response capabilities like those `man hosts_access`, iptables, Snort (+Guardian?), Denyhosts, Fail2ban, mod_security, OSSEC-HIDS, et cetera provide (that's an AND'ed choice, not OR'ed), a passive logfile reader like Logwatch or Swatch, and an active filesystem integrity scanner like Samhain or a passive one like Aide (or maybe even Tripwire); reading alerts and acting on anomalies can help avoid more attacks or alert you that an investigation is necessary.

* Rootkits in general - In general rootkit infections have dropped dramatically over the past years. As far as I can see they're becoming pretty rare. That said, False Positives, especially for Suck-IT, I think would be equally rare due to what sk-1.3 and 2.x subvert.

* Suck-IT specific -
  - The link count of the /sbin/init binary,
  - Files with a '.xrk' or '.mem' suffix could "disappear", meaning it's active,
  - Common installed files like /sbin/initsk12, /sbin/initxrk, /usr/share/locale/sk/.sk12/sk,
  - If it was built on the box (depending on version) also a sniffer file, install script and login binary,
  - Strings in the login and init binary,
  - The 'skdet' binary finding a hidden process.
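As an added example, not from the thread, from OSSEC or from the Suck-IT tooling it mentions, here is a read-only triage script for the indicators listed in the post above; the drop paths and the '.xrk'/'.mem' suffixes are taken from the post, while the script name, the ROOT variable and the function names are assumptions.

```shell
#!/bin/sh
# Added triage helper, not from the thread or from OSSEC: read-only checks for
# the Suck-IT indicators listed in the post above. ROOT defaults to / but can
# point at a mounted copy of the suspect disk. A hit means "investigate", not
# "confirmed"; run from a known-good rescue medium where possible.
ROOT=${ROOT:-/}

# Drop locations quoted in the post (taken from it as-is, not verified here).
SK_PATHS="sbin/initsk12 sbin/initxrk usr/share/locale/sk/.sk12/sk"

# Print "found: <path>" for each listed drop file present under $1.
sk_dropfiles() {
    root=${1:-$ROOT}
    for p in $SK_PATHS; do
        [ -e "$root/$p" ] && echo "found: $root/$p"
    done
    return 0
}

# Print the hard-link count of a file (field 2 of ls -ld, portable). A regular
# binary normally has exactly one link; a count above 1 means another directory
# entry shares its inode, which 'find ROOT -xdev -inum N' will locate.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# List files with the '.xrk' or '.mem' suffix under $1. The post notes they may
# "disappear" while the rootkit is active, so compare this listing with one
# taken from a rescue boot or mounted image of the same disk.
sk_suffix_files() {
    find "${1:-$ROOT}" -xdev \( -name '*.xrk' -o -name '*.mem' \) 2>/dev/null
}

# Print PIDs present in /proc but missing from ps output (a hidden-process check
# in the spirit of skdet). Both lists may be passed as arguments so the logic can
# be exercised on constructed data; by default they are taken live. Re-check any
# reported PID: a process that exits between the two snapshots shows up here too.
hidden_pids() {
    proc_pids=${1:-$(ls /proc | grep '^[0-9][0-9]*$')}
    ps_pids=${2:-$(ps -e -o pid=)}
    for p in $proc_pids; do
        printf '%s\n' $ps_pids | grep -qx "$p" || echo "$p"
    done
    return 0
}

# Usage: sudo sh suckit-triage.sh --run   (or ROOT=/mnt/suspect sh ... --run)
[ "${1:-}" = "--run" ] && { sk_dropfiles; link_count "$ROOT/sbin/init"; sk_suffix_files; hidden_pids; }
```

An empty result from every check does not rule out a kernel-level rootkit that hides its own files and processes from the running system, which is why the post's advice to verify from outside the suspect system, and the original poster's decision to reinstall from verified media, still stand.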
The second thing was the re-installation using the Ubuntu 9.10 disc. Integrity of the ISO was verified before it was burned. Then I did a clean re-install from scratch, completely reformatting the entire HDD, just as if I were blowing away the stock Windows installation.

As for possibly re-introducing the vulnerability/exploit, I have been extra careful with anything I put on the computer since the re-install. Where possible, signatures, MD5 and/or SHA1 hashes and sums have been verified, and each new file gets virus-scanned with ClamAV and Avast. However, I have not yet imported any of the backed-up material onto the system; most of it isn't very important anyway.

Aside from that, if it was not a false positive, I'm completely at a loss as to how I could have stumbled across a malicious Linux rootkit. I never run anything as root unless the software in question is essentially required by the operating system and needs such privileges to function. I only download software from the repositories, the only exception being OSSEC, and I make use of the hashes and signatures they provide. And for the most part, I don't download random files or code that cannot be verified as legitimate, the only (very rare) exceptions being a video or MP3 file.

Thank you for your response! Any further criticisms or comments are welcome!