LinuxQuestions.org > Forums > Linux Forums > Linux - Security
07-29-2005, 10:53 AM   #1
kamtono
LQ Newbie
Registered: Sep 2003
Location: Indonesia
Distribution: RedHat Linux
replacing binaries


ehlo

I had a suckit infection some months ago, and now I got it again. It happened this evening (at my local time of course). It struck /sbin/init; when I do

#strings init | less

it's indicated that I got suckit again, and it became clear when I checked with the latest rkhunter version and compared the init binary with the one on my friend's server:

before : 27036 bytes --> init binary on my friend's server
after : 33756 bytes --> init binary on my server

Also I have a process id with a character I don't know what it is, it's odd. I'm using RH 9.0.

I want to replace the init binary, how?
#rpm -qf /sbin/init
SysVinit-2.84-13

Does it help?

Could this apply to
- ls (coreutils-4.5.3-19)
- netstat (net-tools-1.60.-12)
- ps (procps-2.0.11-6)
- ifconfig (net-tools-1.60.-12)
- find (findutils-4.1.7-9)
- pstree (psmisc-21.2-4) ?

Thanks for your concern
07-29-2005, 11:42 AM   #2
Half_Elf
LQ Guru
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Forget about it...
Even if you clean everything, it will be very hard to make sure there is no binary infected or there are no security holes left. The only way is back-up (everything but binaries!!) and reinstall. There is no good reason to try to save an infected server unless you like (to send) spam.

Btw, RH 9 is out-dated, so a big security hole by itself, unless you want to update by hand (does RH still provide updates for RH9? I think not, but I may be wrong) you better switch to RH Enterprise or Fedora (or even RH 7.3, I think RH still provides updates for this one).
07-29-2005, 01:04 PM   #3
kamtono
LQ Newbie
Registered: Sep 2003
Location: Indonesia
Distribution: RedHat Linux
Original Poster
How to clean it without reinstalling?
Have you never been infected by a trojan, like me?
What kind of security configuration do you use? May I apply it to my server too?

And again, this program is activated when I start my SSH server! Do you know how?
I always turn it off when I leave my office, just that.
07-29-2005, 01:23 PM   #4
Half_Elf
LQ Guru
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
If your init or any important binary is infected, it will be very hard to clean. And as I said, even if you clean, you will never know if any rootkit is left... especially if some system binaries (ps, init, netstat, etc...) are infected. Reinstall is the only way.

Security isn't very hard: update + firewall should keep away 90% of the troubles.
07-29-2005, 03:28 PM   #5
primo
Member
Registered: Jun 2005
Backup your data, as it was pointed out. Then you may try the following experiment.

As root, _update_ the rpm package itself (the one with the rpm binary), reinstall the findutils rpm, then run:
Code:
find / -type f -perm +0111 -exec ls -l {} \; >exes.txt
This will search your system for binaries and it will check if each one was installed from an rpm:
Code:
cat exes.txt | awk '{ print $9 }' | xargs rpm -q -f
Then you must verify the integrity of each binary (rpm stores it in a signed database):
Code:
rpm -Va >rpm-va.txt
Note: this will also check the kernel's modules (if they were installed by rpm), which could sabotage these steps. If you compiled a kernel yourself, then you'd better reinstall the sources and recompile.

Then you must individually delete (or "quarantine" for later analysis) each suspicious binary, and traverse your filesystem to find any "hidden" directories. This must be done after checking that the kernel itself and its modules weren't trojaned.

All of this is not recommended though. I would do a fresh install. It's just an experiment to test things.
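One way to triage the rpm -Va output from the third step above, as an added example that is not code from the thread: it keeps only non-config files whose size or MD5 digest changed, or that are missing, since edited config files are expected to differ. The sample lines are constructed to match the rpm -Va layout of that era, not output from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: filter `rpm -Va` output down to the
# entries worth looking at. Reads rpm -Va text on stdin, prints one path
# per line. Field 1 is the attribute string (S=size, M=mode, 5=MD5 digest,
# D=device, L=link, U=user, G=group, T=mtime; "." means unchanged), an
# optional field 2 is the file type (c=config, d=doc, g=ghost, l=license,
# r=readme) and the last field is the path.
suspect_binaries() {
    awk '
        # rpm prints "missing <path>" when an expected file is gone
        $1 == "missing" { print $NF; next }
        NF >= 2 {
            flags = $1
            type = (NF >= 3) ? $2 : ""
            if (type == "c") next          # edited config files are expected noise
            # a size or digest change on a non-config file is a real lead
            if (index(flags, "S") || index(flags, "5")) print $NF
        }'
}

# Constructed sample in the RH9-era rpm -Va layout (not real output).
SAMPLE='S.5....T   /bin/ls
S.5....T   /sbin/init
.......T   /usr/bin/find
S.5....T c /etc/ssh/sshd_config
missing    /usr/bin/pstree
.M.....    /bin/ps'

# Run the filter over the constructed sample; returns the flagged paths.
triage_sample() {
    printf '%s\n' "$SAMPLE" | suspect_binaries
}

# Stand-alone run (real use: rpm -Va | suspect_binaries).
triage_sample
```

Because rpm -Va itself runs the rpm binary and the kernel of the suspect box, a clean result is not proof of anything, as Matir and Capt_Caveman point out further down; a changed result is still a useful lead for the quarantine step.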
08-01-2005, 06:54 AM   #6
kamtono
LQ Newbie
Registered: Sep 2003
Location: Indonesia
Distribution: RedHat Linux
Original Poster
replacing binaries --continued

Please let me know what you think about what I did this morning.

I'm so very desperate about this rootkit, and the summary of all the answers is "you have to format your drive/system".

#whereis ls
/bin/ls /usr/share/man/man1/ls.1.gz
#cd /bin
#mv ls ls.hacked
Operation not permitted (do you know why I couldn't rename this binary file?), then
#chattr -isa ls
#rpm --replacepkgs -ivh coreutils-4.5.3-19.0.2

For all the hacked binaries like init, netstat, ps, ifconfig, find, pstree I did the same as above.

Is what I am doing right?
08-01-2005, 09:57 AM   #7
Half_Elf
LQ Guru
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
What you are doing is WRONG.
As everyone told you, you should NOT try to clean a rooted system. This thing will NEVER be clean again, or at least you will never have proof it really is. This means you could be rooted AGAIN later by the same cracker using a rootkit you forgot. And this also means you will be used as a SPAM, ZOMBIE and WAREZ/PORN router until you finally decide this box is doomed.

Next time, keep your system up to date and you will not be rooted.

Btw, "--continued" posts aren't allowed, as doubleposting is evil.
08-01-2005, 10:39 AM   #8
Matir
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
How can you be certain only those files have been infected? What if rpm is also infected? chattr?
 
08-01-2005, 10:44 AM   #9
primo
Member
Registered: Jun 2005
The problem is that you're doing this with possibly hacked binaries.
Unplug the network. Backup your data, and try to find & replace every binary, library & kernel module out there. Run rpm -Va to find which were modified and reinstall rpms. Libraries, the kernel itself and kernel modules are IMPORTANT too.

You could keep the trojaned versions of these in a directory for inspection (like run strings to find what rootkit it is and find information about what it does, which directories it creates and hides, etc.)
Never run ldd(1) on trojaned execs...

Find any "hidden" dirs, and world-writable files, devices and directories. Search for group-writable configuration files too, because sometimes it's possible to add configuration directives and commands and just wait for cron or reboot to execute the server in question and get root.

Then run netstat(1) and shut down services. Update the system.

There will be no guarantees anyway because you may leave some things behind. Unless you grasp a view of the entire filesystem and the versions you use of each program... It's better to reinstall a newer system. Don't reuse any passwords. Key-sniffing with trojaned libraries or kernel modules is trivial. So you may consider changing all your passwords on the web as well. Keep updating daemons and packages with suid binaries. Consider using tripwire / samhain / afick, which you must install right after installing the OS and before any network connectivity. Use iptables.

[EDIT]Remember what I said to you before: reinstall the rpm rpm. If you try to do this right, it could be very instructive. I'd reinstall though.[/EDIT]

Last edited by primo; 08-01-2005 at 10:46 AM.
08-01-2005, 01:09 PM   #10
Matir
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Quote:
Originally posted by primo
Never run ldd(1) on trojaned execs...
So now I wonder why you make a point of this. I am assuming, of course, that I have a statically compiled version of ldd on some disk somewhere and am using an untrojaned version. What risks remain?
08-01-2005, 02:50 PM   #11
primo
Member
Registered: Jun 2005
From the "Program Library HOWTO":
Quote:
Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute.
It quite surprised me when I first read it, because I used ldd in the process of finding dynamically linked programs and enumerating their dependencies. It's somewhat misleading that the current Linux manual doesn't say anywhere that it has to execute the program. I checked the OpenBSD manpage at http://www.freebsd.org/cgi/man.cgi and it's true.

I don't like the rpm concept. Setuid binaries must be compiled static. LD_PRELOAD is ignored when executing a dynamically linked setuid, but /etc/ld.so.preload is not, so any function may be hijacked (read, getpass, etc). This file must be checked every time that it doesn't exist and it would be useful to patch the linker itself, too.
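A safer way to do the two checks primo describes, as an added example that is not from the thread or the HOWTO: list an ELF binary's needed libraries by parsing the file with readelf instead of executing it through ldd, and report whatever a ld.so.preload file would inject into every dynamically linked process. It assumes binutils' readelf is on PATH; the preload path defaults to /etc/ld.so.preload but any file can be passed in.

```shell
#!/bin/sh
# Added example, not from the thread. ldd sets LD_TRACE_LOADED_OBJECTS and
# runs the binary, so a trojaned file gets to execute. readelf only parses
# the ELF headers and the .dynamic section, so the file never runs.
# Assumes binutils' readelf is on PATH.
needed_libs() {
    # readelf -d prints lines like:  0x... (NEEDED)  Shared library: [libc.so.6]
    # split on [ and ] and keep the library name between them
    readelf -d "$1" 2>/dev/null | awk -F'[][]' '/\(NEEDED\)/ { print $2 }'
}

# /etc/ld.so.preload is honoured even for setuid programs (unlike LD_PRELOAD),
# so a clean system normally has no such file, or an empty one. Prints one
# preloaded object per line from the file given (default /etc/ld.so.preload);
# prints nothing and returns 0 if the file is absent or empty.
preload_entries() {
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] || return 0
    # drop comments, then split entries on spaces, tabs or colons
    sed 's/#.*//' "$f" | tr ' \t:' '\n\n\n' | grep -v '^[[:space:]]*$'
}

# Convenience check: succeeds only when nothing would be preloaded.
preload_is_clean() {
    [ -z "$(preload_entries "${1:-/etc/ld.so.preload}")" ]
}
```

On the compromised box both checks are still only as trustworthy as the kernel and the sed/awk/readelf binaries they run, which is why the thread keeps coming back to reinstalling.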
08-01-2005, 03:00 PM   #12
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
//Moderator note: This thread has been merged with your other one, as they are both about the same topic. In the future, please don't post multiple threads regarding the same topic.
 
08-01-2005, 03:12 PM   #13
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Also note that suckit is particularly insidious in that it doesn't simply replace binaries. It also modifies syscall code via /dev/kmem patching. So while you may be able to find and replace any trojaned binaries, the system still cannot be trusted (output from a clean binary can be obfuscated by the modified syscall).

Trying to completely restore a system and remove ALL traces of a compromise is not trivial, and simply replacing binaries is not at all sufficient. I would strongly suggest that you reformat and reinstall. Select a distro that's supported by the vendor and spend some additional time hardening it so that you don't have to go through this again. Doing a forensic analysis of the system to identify how it was compromised is a good idea, but trying to take the short route and restore it is a bad one IMO.
08-01-2005, 03:21 PM   #14
Matir
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
That is interesting to know. I'll have to remember that. (About ldd)
 
  

