Gentoo Forums
Gentoo Forums Forum Index Networking & Security
Diagnose SucKit
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490

PostPosted: Tue Apr 19, 2005 6:30 am    Post subject: Diagnose SucKit

Hello

I've seen mention multiple times in this forum of 'false positives' on the SucKit rootkit via chkrootkit. Here are some tests to confirm whether you've been infected or not. I ran across this problem and wanted to provide information to anyone else who may have lost a few years of their life stressing out about this.

Quote:
- The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute an "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, i.e. your system is compromised and needs to be rebuilt.

- Change directories to /sbin and execute an "ls -l init" -- the link count should be 1. Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.

- Rooted systems send usernames and passwords to other compromised machines using TCP port 55, so if you keep records of network connections, traffic to destination port TCP/55 merits further investigation.


This was taken from a great site:
http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

My false positive was related to a re-emerge of baselayout. I went through the steps above and all failed (which was good). Thanks to the 'badass' volumen1, we found out why chkrootkit was complaining:

In the source code of chkrootkit, grepping for Suckit, he found this:
Code:
      ## Suckit rootkit
      expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME"
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."


After verifying that the string 'HOME' was not in /sbin/init, we moved to the maps item
Code:
strings /sbin/init | grep HOME


We then cat'd /proc/1/maps and grep'd for init
Code:
cat /proc/1/maps | grep init


This is what we found:
Code:
08048000-08050000 r-xp 00000000 03:03 4556009    /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)
08050000-08051000 rw-p 00007000 03:03 4556009    /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)


So the space after init was matching the "init." that chkrootkit was looking for.

Normally the maps would show:
Code:
08048000-08050000 r-xp 00000000 03:03 7992667    /sbin/init
08050000-08051000 rw-p 00007000 03:03 7992667    /sbin/init


Rebooting the system cleared out the map, and running chkrootkit showed 'all clean' again. Also, on a side note, rkhunter never did show SucKit on the system.

Both chkrootkit and rkhunter were freshly installed. We also verified with egress filtering that no outbound traffic was destined to port 55.

Hope this helps someone.
hanji
ddaas
Tux's lil' helper
Joined: 28 Feb 2005
Posts: 106
Location: Germany

PostPosted: Tue Dec 06, 2005 8:16 pm    Post subject: chkrootkit and SucKit

Hi there,
On my server, # chkrootkit -q returns:
Quote:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

I also ran rkhunter-1.2.7 and it didn't return anything.
I want to find out somehow if chkrootkit returns a false positive or not, because formatting / reinstalling the whole server is not such easy work (the server is used as a PDC in the company, and this means that I should spend a night or two reinstalling the server or paralyzing the activity for one day ...).
I want to do this kind of stuff only after I get other evidence and info about this rootkit or a chkrootkit (0.46a) false positive. I also maintain an AIDE checksum database (offsite). /sbin/init was really changed on 2005-09-30, but that was a date when I updated the server. On that day a lot of files were changed/added/removed, so it could be a false positive:
Quote:
AIDE found differences between database and filesystem!!
Start timestamp: 2005-09-30 22:02:12
Summary:
Total number of files=152943,added files=14585,removed files=14602,changed files=16098

Please, I really need some help. Does anyone know something more about SuckIT, how can I find out for sure if it is really on my system? Is there a database of checksums for different versions of Linux binaries (like /sbin/init) to compare against my /sbin/init hash?

thanks,
ddaas
_________________
Best regards,
ddaas
ddaas
Tux's lil' helper
Joined: 28 Feb 2005
Posts: 106
Location: Germany

PostPosted: Tue Dec 06, 2005 8:35 pm    Post subject:

I am not so happy with this situation.
I've read some links, but I couldn't find out for sure if this rootkit is on my server.
I've tried:
Code:
# run from /proc: list the command line of every PID that readdir shows
for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done


and
Code:
# run from /proc: probe PIDs directly, in case readdir output is being hidden
for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done


and there is no sk binary. Now I don't know if I can trust cat, echo and the other binaries. Only chkrootkit reports /sbin/init as infected (rkhunter says it is ok). Could it be only a false positive?
I am really worried because this is an enterprise server and I should take a decision quickly.
Now I'm going to read more about SuckIT, and eventually look in the source code of chkrootkit where it checks for this rootkit.
Anyway, my only open ports on the Internet are: ssh (only key auth, no root login, and so on), imaps (all patches installed) and openvpn.
How was it installed? Is it more probable that it came from the inside? (This worries me a lot.)

Any feedback on this topic is really really appreciated.
_________________
Best regards,
ddaas
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1490

PostPosted: Wed Dec 07, 2005 6:07 am    Post subject:

Hello

I had a false positive with suckit in the past. Have a look at this post I submitted a while back...

https://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html

HTH
hanji
ddaas
Tux's lil' helper
Joined: 28 Feb 2005
Posts: 106
Location: Germany

PostPosted: Wed Dec 07, 2005 9:55 am    Post subject:

hanj wrote:
Hello

https://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html

HTH
hanji
That's a great post...

All the tests failed so it seems that it is a false positive from chkrootkit.

What I don't understand is that:
Code:
cat /proc/1/maps | grep init
returns
Code:
Binary file (standard input) matches


and
Code:
cat /proc/1/maps


returns
Code:
08048000-0804e000 r-xp 00000000 08:02 999607     /sbin/initroot-dev (deleted)
0804e000-0804f000 rw-p 00006000 08:02 999607     /sbin/initroot-dev (deleted)


Here is where chkrootkit reports the SuckIt. What is that /sbin/initroot-dev (deleted)??
_________________
Best regards,
ddaas
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20054

PostPosted: Wed Dec 07, 2005 8:50 pm    Post subject:

Merged these two since they seem related. Might be helpful to someone else in the future.
_________________
Quis separabit? Quo animo?
deadstar
Guru
Joined: 02 Nov 2004
Posts: 319
Location: England

PostPosted: Tue Jan 24, 2006 8:43 pm    Post subject:

pjp wrote:
Merged these two since they seem related. Might be helpful to someone else in the future.

...which it did. Found Suckit with chkrootkit and shat meself!! Tests show false.

But here's a question: how do I correct the problem and stop chkrootkit showing this false alarm? Re-emerging baselayout doesn't work, as mentioned above.
_________________
Hysteriagaming.co.uk is now DOT COM! New design, forum, articles, the works! http://www.hysteriagaming.com

(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination
mike95376
n00b
Joined: 22 Sep 2010
Posts: 1

PostPosted: Wed Sep 22, 2010 5:32 pm    Post subject:

Most of you know this but for those who don't...
You have to be root to view anything in /proc/1/maps, i.e.,
Code:
$ cat /proc/1/maps | grep init
$
$ sudo cat /proc/1/maps | grep init
7f9d3e93a000-7f9d3e957000 r-xp 00000000 08:01 7233564 /sbin/init (deleted)
7f9d3eb56000-7f9d3eb58000 r--p 0001c000 08:01 7233564 /sbin/init (deleted)
7f9d3eb58000-7f9d3eb59000 rw-p 0001e000 08:01 7233564 /sbin/init (deleted)
$


Thanks to the info here I determined that I am getting false positives.
Now we just have to wait for someone to fix chkrootkit. Zzzz.