Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-12-2004, 03:34 PM | #1 | LQ Newbie | Registered: Mar 2004 | Posts: 7
SuckIT attack
Dear All,
Can anyone give me some details on the suckIT rootkit attack and its solutions?
I needed to re-install Red Hat Linux 9.0 due to this attack.
My system's init file got compromised and it was running the suckIT process sk when I executed init.
If anyone can give me detailed info on this, it will be very nice.
regards,
Abdul Ahad.H
09-12-2004, 09:24 PM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
SucKit isn't really an attack, but more of a tool to hide the fact that the system has been compromised and to hide the activities of the intruder from the system administrator. SucKit and other related tools are collectively known as rootkits. You can find out more general info on rootkits here:
http://la-samhna.de/library/rootkits/index.html
and the original phrack article is probably the best place for sucKit specific info:
http://www.phrack.org/show.php?p=58&a=7
Keep in mind that although finding a rootkit installed on your system is extremely bad and usually requires a re-installation, it's really a secondary issue in my opinion. A rootkit is simply a cracking tool that has to be downloaded and installed just like other software, which means that someone has to have attacked your system and exploited some other vulnerability on the system (sucKit doesn't have its own attack mechanism). So when re-building your Red Hat system, remember to keep up with security updates, turn off vulnerable applications, use good passwords, use encrypted protocols rather than un-encrypted ones, get a good firewall script, and use good security practices in general. Preventing the attack in the first place is the best line of defense in defeating rootkits. A great place to learn about general system hardening is unSpawn's security references thread at the top of the forum. There's also some more rootkit reading available there.
09-12-2004, 10:23 PM | #3 | LQ Newbie | Registered: Mar 2004 | Posts: 7 | Original Poster
Dear Caveman,
Thanks a lot for the reply.
I checked those sites and the descriptions seem heavy for me to digest.
I'd blocked telnet and other ports and was using only ssh for remote logins.
Also the firewall was enabled with iptables.
So can you tell me what are the next measures I need to take for preventing such attacks in future?
Regards,
Abdul Ahad
09-12-2004, 10:27 PM | #4 | LQ Newbie | Registered: Mar 2004 | Posts: 7 | Original Poster
Dear Caveman,
I was able to detect my problem using this step by step procedure:
http://www.soohrt.org/stuff/linux/suckit/
But here also there is no mention of how the attacker got inside first.
As everyone knows, logs will be of no use in such attacks, as the intruder clears all log files!
A Ahad
09-13-2004, 08:36 PM | #5 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
If the logs have been erased, you can try using one of the various "un-delete" techniques to see if you can recover the deleted versions (see the section in unSpawn's security references thread). A full format and re-install will be necessary, though, before putting the system back online.
The vast majority of intrusions I've seen are usually the result of not installing security upgrades in a timely manner. A firewall can help mitigate that risk, but keeping your system updated is really absolutely essential. Second, if you've been using weak passwords, there has been widespread scanning/brute-forcing of passwords using ssh over the last 2 months, so that could be another possible means of entry.
09-14-2004, 03:40 AM | #6 | LQ Newbie | Registered: Mar 2004 | Posts: 7 | Original Poster
SuckIT attack
Dear Caveman,
Thanks for your replies.
I found one more client of ours got the same problem.
So I'm now sure it is the same attack you mentioned.
The problem is isolated to ssh.
So from now on I'll concentrate on making more secure ssh connections.
We normally block other ports and leave the ssh port open for remote access and remote login.
Regards,
Abdul Ahad.H
Dubai
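Added example, not from this thread, tying together the Senior Member's point in #5 (password brute-forcing over ssh as a likely way in) and the OP's plan in #6 to harden ssh: a Python script that flags source addresses with repeated failed logins in OpenSSH auth-log lines, and audits an sshd_config for settings that make password guessing easier. The sample log lines, the year used to parse them, and the weak-setting list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth-log lines in OpenSSH syslog format (no year is logged).
SAMPLE_LOG = """\
Sep 12 22:01:03 host sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Sep 12 22:01:05 host sshd[2213]: Failed password for invalid user guest from 203.0.113.7 port 40130 ssh2
Sep 12 22:01:08 host sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
Sep 12 22:01:09 host sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Sep 12 22:01:12 host sshd[2219]: Failed password for root from 203.0.113.7 port 40163 ssh2
Sep 12 22:05:40 host sshd[2301]: Failed password for ahad from 198.51.100.9 port 51012 ssh2
Sep 12 22:05:47 host sshd[2303]: Accepted publickey for ahad from 198.51.100.9 port 51012 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$")
def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60), year=2004):
    """{ip: total failures} for every source with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:   # syslog lines carry no year, so the caller supplies it (assumed 2004 here)
            failures[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # slide a window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
# sshd_config values that make password guessing easier, with the fix (assumed baseline).
WEAK_SETTINGS = {"protocol": ("1", "use Protocol 2 only"),
                 "permitrootlogin": ("yes", "set PermitRootLogin no"),
                 "passwordauthentication": ("yes", "use keys and set PasswordAuthentication no"),
                 "permitemptypasswords": ("yes", "set PermitEmptyPasswords no")}
def audit_sshd_config(text):
    """[(key, value, advice)] for each weak setting; comments and blank lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        weak = WEAK_SETTINGS.get(key.lower())
        if weak and weak[0] in value.replace(" ", "").lower().split(","):
            findings.append((key.lower(), value.strip(), weak[1]))
    return findings
```

Run `brute_force_sources(SAMPLE_LOG)` to see the scanning host flagged while the single failure from the legitimate user is not; pass the contents of /etc/ssh/sshd_config to `audit_sshd_config` to list the settings to change.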