hanj Veteran
Joined: 19 Aug 2003 Posts: 1490
Posted: Tue Apr 19, 2005 6:30 am Post subject: Diagnose SucKit
Hello
I've seen mention multiple times in this forum of a 'false positive' on the SucKit rootkit via chkrootkit. Here are some tests to confirm whether you've been infected or not. I ran across this problem and wanted to provide information to anyone else who may have lost a few years of their life stressing out about this.

Quote:
    - The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute an "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, i.e. your system is compromised and needs to be rebuilt.
    - Change directories to /sbin and execute an "ls -l init" -- the link count should be 1. Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.
    - Rooted systems send usernames and passwords to other compromised machines using TCP port 55, so if you keep records of network connections, traffic to destination port TCP/55 merits further investigation.

This was taken from a great site:
http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html

My false positive was related to a re-emerge of baselayout. I went through the steps above and all failed (which was good). Thanks to the 'badass' volumen1, we found out why chkrootkit was complaining:
In the source code of chkrootkit, grepping for Suckit he found this:

Code:
    ## Suckit rootkit
    expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME"
    expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."

After verifying that the string 'HOME' was not in /sbin/init, we moved on to the maps item:

Code:
    strings /sbin/init | grep HOME

We then cat'd /proc/1/maps and grepped for init:

Code:
    cat /proc/1/maps | grep init

This is what we found:

Code:
    08048000-08050000 r-xp 00000000 03:03 4556009 /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)
    08050000-08051000 rw-p 00007000 03:03 4556009 /var/tmp/portage/baselayout-1.9.4-r6/image/sbin/init (deleted)

so the space after init was matching the "init." that chkrootkit was looking for.
Normally the maps would show:

Code:
    08048000-08050000 r-xp 00000000 03:03 7992667 /sbin/init
    08050000-08051000 rw-p 00007000 03:03 7992667 /sbin/init

Rebooting the system cleared out the map, and running chkrootkit showed 'all clean' again. Also, on a side note, rkhunter never did show SucKit on the system.
Both chkrootkit and rkhunter were freshly installed. We also verified with egress filtering that no outbound traffic was destined to port 55.
Hope this helps someone.
hanji
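The three indicators from the Stanford alert quoted in the post above, as an added example that is not part of the original post or of the Stanford page: each is a function that can be pointed at a scratch directory or file for a dry run, or at the real targets (/tmp, /sbin/init, the live connection table) with a --live switch. The function names, the probe file names, the --live switch and the assumption that the peer address is field 5 of "ss -tn" / "netstat -tn" output are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the Stanford alert): the three
# SucKIT indicators quoted above, each as a function. Function names, probe
# file names and the --live switch are my choice.

# Indicator 1: files whose names end in "xrk" or "mem" must still appear in
# "ls -l". $1 = directory to probe. Prints "visible" (exit 0) or "HIDDEN" (exit 1).
sk_hidden_file_test() {
    probe_dir=$1
    : > "$probe_dir/sk_probe.xrk"
    : > "$probe_dir/sk_probe.mem"
    # count the probe names that ls really shows; a hiding rootkit drops them
    seen=$(ls -l "$probe_dir" | grep -c -E 'sk_probe\.(xrk|mem)$' || true)
    rm -f "$probe_dir/sk_probe.xrk" "$probe_dir/sk_probe.mem"
    if [ "$seen" -eq 2 ]; then
        echo visible
        return 0
    fi
    echo HIDDEN
    return 1
}

# Indicator 2: adding a hard link must raise the link count shown by "ls -l"
# (field 2). $1 = file to probe (/sbin/init on a live box; linking inside
# /sbin needs root). Prints "ok" (exit 0) or "STUCK" (exit 1).
sk_link_count_test() {
    target=$1
    link="$target.sk_probe_link"
    before=$(ls -ld "$target" | awk '{ print $2 }')
    ln "$target" "$link" || { echo "ln failed (need root?)" >&2; return 2; }
    after=$(ls -ld "$target" | awk '{ print $2 }')
    rm -f "$link"
    if [ "$after" -gt "$before" ]; then
        echo ok
        return 0
    fi
    echo STUCK
    return 1
}

# Indicator 3: outbound TCP to port 55. Reads connection-table lines on stdin
# ("ss -tn" or "netstat -tn" output, where the peer address is field 5) and
# prints the lines whose peer port is 55. Exit 0 if any were found, 1 if none.
sk_port55_test() {
    awk '$5 ~ /:55$/ { found = 1; print } END { exit found ? 0 : 1 }'
}

# Run all three against the real system (as root, on GNU/Linux with "ss").
sk_run_live() {
    sk_hidden_file_test /tmp
    sk_link_count_test /sbin/init
    ss -tn | sk_port55_test || echo "no TCP/55 peers"
}

case "${1:-}" in
    --live) sk_run_live ;;
esac
```

Run it as `sh sk_tests.sh --live` as root; the first two functions answer the "is the rootkit lying to me" question for this process's view of the filesystem, and the third only covers connections open at that instant, so on a box with egress logging the log is the better place to look for TCP/55.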
ddaas Tux's lil' helper
Joined: 28 Feb 2005 Posts: 106 Location: Germany
Posted: Tue Dec 06, 2005 8:16 pm Post subject: chkrootkit and SucKit
Hi there,
On my server, #chkrootkit -q returns:

Quote:
    Searching for Suckit rootkit... Warning: /sbin/init INFECTED

I also ran rkhunter-1.2.7 and it didn't return anything.
I want to find out somehow whether chkrootkit returned a false positive or not, because formatting / reinstalling the whole server is not such an easy job (the server is used as a PDC in the company, and this means that I should spend a night or two reinstalling the server or paralysing the company's activity for one day ...).
I want to do this kind of stuff only after I get other evidence and info about this rootkit or a chkrootkit (0.46a) false positive. I also maintain an AIDE checksum database (offsite). /sbin/init was really changed on 2005-09-30, but that was a date when I updated the server. On that day a lot of files were changed/added/removed, so it could be a false positive:

Quote:
    AIDE found differences between database and filesystem!!
    Start timestamp: 2005-09-30 22:02:12
    Summary:
    Total number of files=152943,added files=14585,removed files=14602,changed files=16098

Please, I really need some help. Does anyone know something more about SuckIT? How can I find out for sure whether it is really on my system? Is there a database of checksums for different versions of Linux binaries (like /sbin/init) to compare my /sbin/init hash against?
thanks,
ddaas
_________________
Best regards,
ddaas
ddaas Tux's lil' helper
Joined: 28 Feb 2005 Posts: 106 Location: Germany
Posted: Tue Dec 06, 2005 8:35 pm
I am not so happy with this situation.
I've read some links but I couldn't find out for sure whether this rootkit is on my server.
I've tried:

Code:
    # run from inside /proc: $i is a PID directory
    for i in *; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done

and

Code:
    # same idea, walking PIDs 1..33000 explicitly (also from inside /proc)
    for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo $i); done

and there is no sk binary. Now I don't know if I can trust cat, echo and the other binaries. Only chkrootkit reports /sbin/init as infected (rkhunter says it is ok). Could it be only a false positive?
I am really worried because this is an enterprise server and I should take a decision quickly.
Now I'm going to read more about SuckIT, and eventually look in the source code of chkrootkit where it checks for this rootkit.
Anyway, my only open ports on the Internet are: ssh (only key auth, no root login, and so on), imaps (all patches installed) and openvpn.
How was it installed? Is it more probable that it came from the inside? (This worries me a lot.)
Any feedback on this topic is really, really appreciated.
_________________
Best regards,
ddaas
hanj Veteran
Joined: 19 Aug 2003 Posts: 1490
ddaas Tux's lil' helper
Joined: 28 Feb 2005 Posts: 106 Location: Germany
Posted: Wed Dec 07, 2005 9:55 am
That's a great post...
All the tests failed, so it seems that it is a false positive from chkrootkit.
What I don't understand is this:

Code:
    cat /proc/1/maps | grep init

returns

Code:
    Binary file (standard input) matches

and

Code:
    08048000-0804e000 r-xp 00000000 08:02 999607 /sbin/initroot-dev (deleted)
    0804e000-0804f000 rw-p 00006000 08:02 999607 /sbin/initroot-dev (deleted)

Here is where chkrootkit reports the SuckIt. What is that /sbin/initroot-dev (deleted)??
_________________
Best regards,
ddaas
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Wed Dec 07, 2005 8:50 pm
Merged these two since they seem related. Might be helpful to someone else in the future.
_________________
Quis separabit? Quo animo?
deadstar Guru
Joined: 02 Nov 2004 Posts: 319 Location: England
Posted: Tue Jan 24, 2006 8:43 pm
pjp wrote:
    Merged these two since they seem related. Might be helpful to someone else in the future.

...which it did. Found Suckit with chkrootkit and shat meself!! Tests show false.
But here's a question: how do I correct the problem and stop chkrootkit showing this false alarm? Re-emerging baselayout doesn't work, as mentioned above.
mike95376 n00b
Joined: 22 Sep 2010 Posts: 1
Posted: Wed Sep 22, 2010 5:32 pm
Most of you know this but for those who don't...
You have to be root to view anything in /proc/1/maps, i.e.:

Code:
    $ cat /proc/1/maps | grep init
    $
    $ sudo cat /proc/1/maps | grep init
    7f9d3e93a000-7f9d3e957000 r-xp 00000000 08:01 7233564 /sbin/init (deleted)
    7f9d3eb56000-7f9d3eb58000 r--p 0001c000 08:01 7233564 /sbin/init (deleted)
    7f9d3eb58000-7f9d3eb59000 rw-p 0001e000 08:01 7233564 /sbin/init (deleted)
    $

Thanks to the info here I determined that I am getting false positives.
Now we just have to wait for someone to fix chkrootkit. Zzzz.
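The false positive that runs through this whole thread comes from chkrootkit's regex `init.` matching the space in `/sbin/init (deleted)`, which is simply what /proc/1/maps shows after the running init's file on disk has been replaced by a package upgrade. Below is an added example, not chkrootkit's code and not from any post in the thread, that reproduces chkrootkit's test on a saved copy of the maps file next to a stricter check that pulls the pathname out of the line first and only then decides. The verdict names (clean, deleted-init, review, ignore) and the rule that the path must be exactly /sbin/init are my choice; the sample files are built from the maps lines posted in this thread plus one made-up [stack] line. A "review" verdict is not a finding of infection (ddaas's `/sbin/initroot-dev (deleted)` case above came back clean on the hands-on tests); it only says a human should look.

```shell
#!/bin/sh
# Added example (not chkrootkit's code and not from any post in this thread):
# chkrootkit's Suckit test on /proc/1/maps reproduced on a saved copy, next to
# a stricter check that separates the "(deleted)" false positive from an init
# path that really needs a look. Verdict names and the "exactly /sbin/init"
# rule are my choice.

# The test chkrootkit applies, as quoted from its source earlier in the thread:
# any maps line matching the regex "init." (init plus one more character).
# Reads maps lines on stdin; exit 0 means chkrootkit would print INFECTED.
chkrootkit_maps_check() {
    grep -E 'init.' >/dev/null
}

# Stricter verdict for one maps line. The pathname is everything after the
# five fixed fields (address, perms, offset, dev, inode), so a " (deleted)"
# suffix stays attached to the path instead of satisfying the regex on its own.
#   clean         exactly /sbin/init
#   deleted-init  /sbin/init whose on-disk file was replaced after boot
#                 (the package-upgrade case in this thread; a reboot clears it)
#   review        another path mentioning init; look at it by hand
#   ignore        no init in the path at all (libraries, heap, stack)
classify_maps_line() {
    path=$(printf '%s\n' "$1" | awk '{ $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print }')
    case "$path" in
        /sbin/init)              echo clean ;;
        "/sbin/init (deleted)")  echo deleted-init ;;
        *init*)                  echo review ;;
        *)                       echo ignore ;;
    esac
}

# Worst verdict over a whole maps file ($1, default /proc/1/maps, root only):
# review > deleted-init > clean.
scan_init_maps() {
    worst=clean
    while IFS= read -r line; do
        case "$(classify_maps_line "$line")" in
            review) worst=review ;;
            deleted-init) if [ "$worst" = clean ]; then worst=deleted-init; fi ;;
        esac
    done < "${1:-/proc/1/maps}"
    echo "$worst"
}

# Constructed sample files built from the maps lines posted in this thread
# (plus one made-up [stack] line); real /proc/1/maps pads the inode column.
write_sample_maps() {
    case "$2" in
        normal) cat > "$1" <<'EOF'
08048000-08050000 r-xp 00000000 03:03 7992667    /sbin/init
08050000-08051000 rw-p 00007000 03:03 7992667    /sbin/init
bfd00000-bfd15000 rw-p 00000000 00:00 0          [stack]
EOF
            ;;
        upgraded) cat > "$1" <<'EOF'
7f9d3e93a000-7f9d3e957000 r-xp 00000000 08:01 7233564    /sbin/init (deleted)
7f9d3eb56000-7f9d3eb58000 r--p 0001c000 08:01 7233564    /sbin/init (deleted)
7f9d3eb58000-7f9d3eb59000 rw-p 0001e000 08:01 7233564    /sbin/init (deleted)
EOF
            ;;
        odd) cat > "$1" <<'EOF'
08048000-0804e000 r-xp 00000000 08:02 999607    /sbin/initroot-dev (deleted)
0804e000-0804f000 rw-p 00006000 08:02 999607    /sbin/initroot-dev (deleted)
EOF
            ;;
    esac
}

# Compare both checks on the live system (root): sh maps_check.sh --live
case "${1:-}" in
    --live)
        if chkrootkit_maps_check < /proc/1/maps; then v=INFECTED; else v=clean; fi
        echo "chkrootkit regex: $v"
        echo "stricter verdict: $(scan_init_maps /proc/1/maps)"
        ;;
esac
```

On the "upgraded" sample (mike95376's output) the chkrootkit regex says INFECTED while the stricter scan says deleted-init, which is exactly the situation a reboot after re-emerging baselayout resolves; on hanj's portage image path or ddaas's initroot-dev lines both checks fire, and the stricter one reports review rather than pretending to know more than the maps file does.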