tbh, I thought anything but, only dealt with all but the MBR, sorry, my bad! (I'll look it up later, unless you have a link)
Quite right about the reply and spec.
Intrigued by unSpawn's comment that chkrootkit was old, I tried it on my Fedora Rawhide distribution (because that's what I am on right now), and, sure enough, I was told the /sbin/init was infected by suckIT.
On Fedora systems, and several other recent distributions, /sbin/init is just a symbolic link to /lib/systemd/systemd. The "test" for a SuckIT infection of /sbin/init in the chkrootkit script is:

Code:
    ### Suckit
    $ strings /sbin/init | grep HOME

<edit> See my comment #21, below, about the basis of the suckit exploit. </edit>
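As an added illustration (written for this page, not code from the thread or from chkrootkit itself), a small POSIX shell script that reimplements the HOME-string heuristic quoted above and adds the check a defender wants next: where /sbin/init actually points. The demo files it creates are constructed stand-ins; `grep -a` is used in place of `strings` so the script runs without binutils.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: reimplements the SuckIT heuristic
# quoted above and adds the check that explains the systemd false positive.

# The heuristic itself. chkrootkit pipes `strings` into grep; `grep -a` scans
# the binary directly, so this does not depend on binutils being installed.
has_home_string() {
    grep -aq HOME "$1"
}

# Prints "clean", "systemd-false-positive" or "suspicious" for an init binary.
# Defaults to /sbin/init; pass another path to test a constructed file.
classify_init() {
    init="${1:-/sbin/init}"
    target=$(readlink -f "$init" 2>/dev/null || printf '%s' "$init")
    if ! has_home_string "$init"; then
        echo clean
    elif [ "$target" != "$init" ] && [ "$(basename "$target")" = systemd ]; then
        # /sbin/init is a symlink to the systemd binary, which is where the
        # HOME string comes from. Still verify the target against the package
        # database (rpm -V systemd / debsums) before dismissing the alert.
        echo systemd-false-positive
    else
        echo suspicious
    fi
}

# Demo on constructed files; no real init binary is touched.
demo() {
    tmp=$(mktemp -d)
    printf 'ELF\nHOME=/root\n' > "$tmp/systemd"      # stand-in for systemd
    ln -s "$tmp/systemd" "$tmp/init"                  # /sbin/init -> systemd
    printf 'ELF\nplain init\n' > "$tmp/init-sysv"     # classic init, no HOME
    printf 'ELF\nHOME\n' > "$tmp/init-real"           # non-symlink init w/ HOME
    for f in init init-sysv init-real; do
        printf '%s: %s\n' "$f" "$(classify_init "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

Run `classify_init` with no argument on a live system to see how the real /sbin/init is classified.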
Unspawn
Thanks for the reply. I believe this machine was infected when I unwittingly moved infected files from the Win7 partition to the Linux one. Hence the re-emergence. I don't think it was a new infection. I ran chkrootkit using the Kali DVD as it was on the Kali DVD, but unfortunately rkhunter was not. I wanted to see if changes happened when I booted the Linux partition or when I went on the internet from a fresh install. rkhunter reported nothing of interest when I later installed it. I did not make things very clear, I'm afraid, in my original post. When looked at from a live DVD, files like pagefile.sys and hiberfil.sys in Win7 would become executable when an infection was present. I may be a bit hypervigilant about Suckit. I'm sorry I can't provide evidence, but it was happenstance, so just speculation. I don't want to try to reinfect this laptop! One thing I did differently this time round was encrypt the whole hard drive, not just the home directory, after a fresh zeroing and reinstall. I did this TWICE. The encryption x 2 may have gotten rid of a Suckit encrypted binary. Some of the changes I find when an infection is present may just be peculiar to me, e.g. caps inversion, change from non-exe to .exe files in Windows, as the person I suspect is a programmer and contributes to Xubuntu. Sorry for inconveniencing people, I just was trying to understand what had happened. But on this machine now it is all speculative. I'll try to run the tests requiring a reboot, but this machine is only working because of the overheating trick.

Noway2: This was on a basic reinstall, no Wireshark or Snort installed. Unsure about tcpdump.

Hey GlennsPref, another "Aussie", I also am living in Brisbane. This is an ongoing saga, as Unspawn knows. I could kick myself several times over this. I believe I unwillingly infected this beast from infected data on Win7. When I was using Win7 it was 'jailed', but when data was copied to a Linux partition => evil happens.

Now I don't think it is infected, as zeroing and, more importantly, encryption several times appears to have exorcised it. I posted in an effort to find out if anything new had happened, such as a newer kernel or kernel patch that got rid of it. Just speculating at this stage, but after reading the above article, I think the encryption done at least twice got rid of the Suckit encrypted binary from wherever it was lurking on the hard drive. I can't provide evidence of infection on this machine as it appears to have been accidentally exorcised! So hopefully now all this is behind me! Thanks again for the input everyone.
Still intrigued by the suckit rootkit, I looked at the description of the exploit in Phrack Magazine. The exploit relies on writing to /dev/kmem as "root" and, as far as I can see, the 3.11.0 kernel (as compiled by the Fedora team) does not have that block device. So, even if the infection was "real," I'm not sure that it would be able to do anything.
I'm not intrigued enough to find a live suckit to analyze, but I wonder if any real infection has occurred since /dev/kmem was removed from the default /dev list. Oh, I also wonder about the O.P.'s assertion that his infection was real with a vector from a Win 7 system, making *.exe files executable on his Linux system. AFAIK, the only way to run a Windows executable file is by using wine or qemu. Clearly a raw Windows executable (or script, for that matter) is extremely unlikely to execute on a Linux system, and, if by chance it did run, it would be even less likely to run correctly.
PTrnholme
I did not say that Windows files were the Linux rootkit, just a symptom of activity by this particular hacker. The rootkit was present on Linux-only installs. I never tried to run them from Linux, as I had enough problems already! pagefile.sys was made executable. Sorry for any confusion.
I'm under MITM attacks 24/7. The financial mafia is scared of a little David. I save the system, but they are still able to cause an emergency shutdown by overheating the CPU. Btw, stay far away from the stock market; it has already crashed.