Diagnose SucKit

[hanj]

Hello

I've seen mention multiple times in this forum of 'false positive' on SucKit rootkit via chkrootkit. Here are some tests to confirm if you've been infected or not. I ran across this problem.. and wanted to provide information to anyone else that may have lost a few years of their life stressing out about this.

- The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute an "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, ie. your system is compromised and needs to be rebuilt.

- Change directories to /sbin and execute an "ls -l init" -- the link count should be 1. Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.

- Rooted systems send usernames and passwords to other compromised machines using TCP port 55, so if you keep records of network connections, traffic to destination port TCP/55 merits further investigation.

This was taken from a great site:
http://securecomputing.stanford.edu/ale ... r2004.html

My false positive was related to a re-emerge of baselayout. I went through the steps above and all failed (which was good). Thanks for the 'badass' volumen1 we found out why chkrootkit was complaining:

In the sourcecode of chkrootkit.. grep'ing for Suckit he found this:

Code: Select all

      ## Suckit rootkit
      expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME"
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

After verifying that the string 'HOME' was not in the /sbin/init we moved to the maps item

Code: Select all

strings /sbin/init | grep HOME

We then cat'd /proc/1/maps and grep'd for init

Code: Select all

cat /proc/1/maps | grep init

This is what we found:

Code: Select all

08048000-08050000 r-xp 00000000 03:03 4556009    /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)
08050000-08051000 rw-p 00007000 03:03 4556009    /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)

so the space after init was matching the "init." that chkrootkit was looking for.

Normally the maps would show:

Code: Select all

08048000-08050000 r-xp 00000000 03:03 7992667    /sbin/init
08050000-08051000 rw-p 00007000 03:03 7992667    /sbin/init

rebooting the system cleared out the map.. and running chkrootkit.. showed 'all clean' again. Also.. on a side note, rkhunter never did show SucKit on the system.

Both chkrootkit and rkhunter were freshly installed. We also verified with egress filtering that no outbound traffic was destined to port 55

Hope this helps someone.
hanji

[ddaas]

Hi there,
On my Server, #chkrootkit -q returns:
Quote:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

I also ran rkhunter-1.2.7 and it didn't return anything.
I want to find out somehow if chrrootkit return a false positive or not because formatting / reinstalling the whole server is not such a easy work( the server is used as PDC in the company and this means that I should spend a night or two reinstalling the server or paralyzing the activity for one day ...)
I want to do this kind of stuff only after I get other evidence and info about this rootkit or chkrootkit (0.46a) false positive. I also maintain a AIDE checksum - database (offsite). /sbin/init was really changed on 2005-09-30 but that was a date when I updated the server. - On that day a lot of files were changed/added/removed so it could be a false positive:
Quote:
AIDE found differences between database and filesystem!!
Start timestamp: 2005-09-30 22:02:12
Summary:
Total number of files=152943,added files=14585,removed files=14602,changed files=16098

Please, I really need some help. Does anyone know something more about SuckIT, how can I find it for sure if it is really on my system? is there a database of checksums with different versions of linux binaries (like /sbin/init) to compare against my /sbin/init hash?

thanks,
ddaas

[ddaas]

am not so happy with this situation
I've read some links but I couldn't find for sure if this rootkit is on my server.
I've tried:

Code: Select all

for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done

and

for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done

and there is no sk binary. Now I don't know if I can trust cat, echo and the other binaries. Only chkrootkit reports /sbin/init as infected (rkhunter says it is ok). Could it be only a false positive?
I am really worried because this is an enterprise server and I should take a decision quickly.
Now I'm going to read more about SuckIT, and eventually look in the source code of chkrootkit where it checks for this rootkit.
Anyway, my only open ports on the Internet are: ssh (only key auth, no root login, and so on), imaps (all patches installed) and openvpn.
How was it installed? Is it more probably that it came from the inside? (this worries me a lot).

Any feedback on this topic is really really appreciated.

[hanj]

Hello

I had a false positive with suckit in the past. Have a look at this post I submitted a while back...

http://forums.gentoo.org/viewtopic-t-32 ... uckit.html

HTH
hanji

[ddaas]

Hello

http://forums.gentoo.org/viewtopic-t-32 ... uckit.html

HTH
hanji

That's a great post...

All the tests failed so it seems that it is a false positive from chkrootkit.

What I don't understand is that:

Code: Select all

cat /proc/1/maps | grep init

returns

Code: Select all

Binary file (standard input) matches

and

Code: Select all

cat /proc/1/maps 

Code: Select all

08048000-0804e000 r-xp 00000000 08:02 999607     /sbin/initroot-dev (deleted)
0804e000-0804f000 rw-p 00006000 08:02 999607     /sbin/initroot-dev (deleted)

Here is where chkrootkit reports the SuckIt.What is that /sbin/initroot-dev (deleted)??

[pjp]

Merged these two since they seem related. Might be helpful to someone else in the future.

[deadstar]

Merged these two since they seem related. Might be helpful to someone else in the future.

...which it did. Found Suckit with chkrootkit and shat meself!! Tests show false.

But heres a question: how do I correct the problem and stop chkrootkit showing this false alarm? Re-emerging baselayout doesn't work, as mentioned above.

[mike95376]

Most of you know this but for those who don't...
You have to be root to view anything in /proc/1/maps. ie.,
$ cat /proc/1/maps | grep init
$
$ sudo cat /proc/1/maps | grep init
7f9d3e93a000-7f9d3e957000 r-xp 00000000 08:01 7233564 /sbin/init (deleted)
7f9d3eb56000-7f9d3eb58000 r--p 0001c000 08:01 7233564 /sbin/init (deleted)
7f9d3eb58000-7f9d3eb59000 rw-p 0001e000 08:01 7233564 /sbin/init (deleted)
$
Thanks to the info here I determined that I am getting false positives.
Now we just have to wait for someone to fix chkrootkit. Zzzz.