LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-01-2006, 02:19 AM   #1
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Rep: Reputation: 15
Smile unload suckit problem


Hi all,
I have got suckit in sbin/init in my linux server and i unload it by typing /sbin/init u, but it display:
FUCK: Can't open /dev/kmem for read/write(2)
why is that? Thanks for helping!
 
Old 12-01-2006, 02:56 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Errrrr, SucKIT is a rootkit. It replaces /sbin/init with it's own binary that patches the kernel and then calls the original init (from a couple minutes on Google).

You need to go into system recovery mode. Consider all your data, passwords, encryption keys, etc to be compromised.
 
Old 12-01-2006, 03:06 AM   #3
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Re:

Thanks for reply first
Yes i 've already entered rescue mode since the rootkit make my linux unavailable to boot up.
then in rescue mode i type the unload command and it display the kmem error message.
any other idea? thanks very much
 
Old 12-01-2006, 04:32 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Yes i 've already entered rescue mode
No, no rescue mode.

What you need to do is first is understand that once the box is compromised it should not be used by anyone anymore. Then read and act on this: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html. Backup logs and disk contents for later perusal if necessary, backup data you can verify is OK, repartition, reformat, reinstall from scratch. If you can not determine the point of the crackers entry do not use backups to restore the system because then you can not determine the contents are "safe".
 
Old 12-03-2006, 04:04 AM   #5
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Yes i know that i may be hacked, but since i need to rerun the server normally to look for some infomation, so what i want is to remove the suckit, i have searched a lot of infomation about that, most of people can type the command "init -u" to remove it but i can't. what's the reason or any other way to recover my server's normal run?
Thanks so much
 
Old 12-03-2006, 04:20 AM   #6
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
You haven't "may be" been hacked -- you have been hacked! Basically SuckIT replaces part of your kernel with its own code. However, SuckIT is designed for older kernels and so it doesn't work quite right with newer ones which is why you see that error message.

If you restart your server, SuckIT will just restart. Your system security has been totally compromised. I don't think you understood the very good advice that unSpawn gave you above. You absolutely must not restart your server normally. You can't possibly know what the attacker did to it and operating the server normally is a danger to you and to others. If the attacker instructed the server to look for other machines on the net to attack, you could easily find yourself in deep trouble by allowing that to continue.

If you have data on the server you need to get off, boot off a known good environment, e.g. a LiveCD like Knoppix, mount your partitions, and copy off the data. You will need to examine this carefully to make sure that you're not inadvertently copying anything the cracker left behind. You might consider creating an image of the hard drive for use in later forensics. If you intend to pursue the matter criminally you should probably keep the original hard drive (take it out of the system and store it somewhere safe, doing any actual forensics on the image you made).

If you don't intend to pursue the matter criminally or do detailed forensics, you can just reformat and reinstall after copying your data off. This is absolutely vital -- you must reformat sine you have no idea what all the attacker did to your system. Just cleaning up all the apparent damage is not good enough given that you have been root-compromised.

Under no circumstances should you operate the machine normally, especially connected to a network, until you have reformatted and reinstalled it. Seriously. Go read unSpawn's link. Then read it again, and a third time if need be.
 
Old 12-03-2006, 04:59 AM   #7
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
no my linux is redhat linux 6.1, so if suckit is designed for old kernel the command must work.
Acyually i have ran chkrootkit, sbin/init is the only infected item. so i want to remove it to rerun my server to see how my server operate, then i will not use it as a server again. I 've tried to replace the init file with the same version of linux but it cannot run the init process totally. any other opinion? thanks all!
 
Old 12-03-2006, 05:08 AM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
If you're running Red Hat 6.1 maybe your kernel is too old. Seriously, there is no excuse for having a system that old and unsupported connected to a network. RH 6.1 is old and unsupported. You're probably running a vulnerable, unpatched service which is how you got compromised in the first place. Do yourself a favor and follow the advice given in this thread. Do not attempt to restore this system. Wipe the OS and upgrade it to a modern, supported distro (CentOS would be a good choice if you like Red hat based systems).

Chkrootkit is a useful tool, but once you've been root compromised, particularly by a kernel mode root kit, you can no longer trust its results. The chkrootkit program uses standard *nix utilities like ls, netstat, etc. These programs could easily have been replaced by the attacker and thus are no longer to be trusted. If you boot off a Knoppix disk and use its binaries to run the scan you can trust the results more, but I still wouldn't lean too heavily on them. The only safe way to deal with this situation is a reformat and reinstall (of an up to date distro). Sorry, that's just the way it is and there's no way around it.
 
Old 12-03-2006, 05:28 AM   #9
mr_empty
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
thanks once more for your reply.
alternatively i consider buying norton antivirus to remove all the virus. Do u think it works?
 
Old 12-03-2006, 07:27 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
alternatively i consider buying norton antivirus to remove all the virus.
Either you do not fully understand the situation you're in or you do not *want* to understand.


As moderator I have to take drastic steps to make it clear to you you can not continue this way:
Now hear this CFB: what you are going to do is reread the advice already given and act on it. Don't try to think up any alternatives, don't try to weasle your way out of it and don't wait any longer. If you have questions about advice given: ask here. As far as I'm concerned all other questions by you are out of bounds until you resolved the situation in a way that is satisfactory for not only you but for us as well.


Read, understand, act. NOW
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
chkrootkit and SuckIT ddaas Linux - Security 7 12-07-2005 07:57 AM
Can't unload (or power off) wireless card (ndiswrapper won't unload) shadowsnipes Linux - Wireless Networking 6 10-02-2005 10:48 AM
SuckIT attack aahad1 Linux - Security 5 09-14-2004 03:40 AM
usb unload problem with Mandrake 10 ocset Mandriva 1 05-04-2004 04:41 PM
SucKIT acadcworks Linux - Security 1 11-18-2002 06:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:04 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration