experimented and messed up....need help

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
16 posts • Page 1 of 1
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

experimented and messed up....need help

Post by sinisterdomestik » Mon Aug 02, 2004 10:58 am

So I found this IRC rootkit called sun2, and it's one of those "learn how to root shit but don't do it.....not responsible.....keep yourself from bein' rooted" kinda progs, and I was bored, so I wanted to start learnin' how to keep that shit from happenin' to me. So I dl'd this .tar and ran the ./setup.sh, and it copied over my ls, ps, etc. commands, and I don't know how to get them back other than a new install, which would make me REALLY sad. If anyone knows anything about this, please help me. Thanks.

PS
I know it was stupid to try this, but I was bored and wanted to ACTUALLY learn something. Heh, see what it gets me :?
Thou shalt NEVER speak of removing thine Linux
_Max_
Apprentice
Posts: 264
Joined: Mon Mar 03, 2003 3:48 pm
Location: London, UK

Post by _Max_ » Mon Aug 02, 2004 11:32 am

For each of the files that were overwritten, you can check which package supplies them and re-emerge them:

emerge gentoolkit

For e. g. ls:

qpkg -f /bin/ls

or
qpkg -f `which ls`

on my systems that gives me
sys-apps/fileutils
sys-apps/coreutils

After reading the description, it looks as if you want to re-emerge coreutils... and so on. That should overwrite all the files you need with clean versions.

You could even script this, I guess.
Ceci n'est pas une sig.
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Mon Aug 02, 2004 11:41 am

Emerging coreutils as we speak. Let's hope for the best (crosses ALL fingers).

/EDIT

Here's what I get:

Code:

BlackBeauty ~ # emerge coreutils
Calculating dependencies ...done!
>>> emerge (1 of 1) sys-apps/coreutils-5.2.1-r1 to /
[coreutils-5.2.1-r1] bash: rm: command not found
/usr/sbin/ebuild.sh: line 522: rm: command not found
/usr/sbin/ebuild.sh: line 523: rm: command not found
keeptemp
/usr/sbin/ebuild.sh: line 528: mv: command not found
keepwork
/usr/sbin/ebuild.sh: line 538: sort: command not found
/usr/sbin/ebuild.sh: line 538: tr: command not found
[coreutils-5.2.1-r1] bash: rm: command not found
>>> md5 src_uri ;-) coreutils-5.2.1.tar.bz2
>>> md5 src_uri ;-) coreutils-5.2.1-gentoo-0.5.tar.bz2
>>> md5 src_uri ;-) coreutils-5.2.1-i18n-0.2.patch.bz2
/usr/sbin/ebuild.sh: line 28: tee: command not found
Any ideas?
Thou shalt NEVER speak of removing thine Linux
_Max_
Apprentice
Posts: 264
Joined: Mon Mar 03, 2003 3:48 pm
Location: London, UK

Post by _Max_ » Mon Aug 02, 2004 12:34 pm

Did you delete the files (like e. g. rm, mv, sort, tr, tee) already? Are they in your $PATH? Have you copied over them with something that doesn't work? Ebuilds need those to install stuff.

If all else fails (e. g. if you have deleted things like mv etc), you could still try to copy binaries over somehow. E. g. (this is a daft guess, I haven't ever done this myself) you might try booting into a LiveCD, mounting your harddisk and copying the binaries that you need over to your harddisk (like e.g. /bin/rm to /mnt/gentoo/myharddisk/bin/rm and so on). Once you get the basics working, you could re-emerge coreutils etc.

That might be more complicated than re-installing, and might not be worth it (depending on how much time you have spent on setting up your system).
Ceci n'est pas une sig.
nobspangle
Veteran
Posts: 1318
Joined: Tue Mar 23, 2004 12:12 pm
Location: Manchester, UK

Post by nobspangle » Mon Aug 02, 2004 12:50 pm

You could also download a stage 1 tarball and copy the files out of that.
huw
Apprentice
Posts: 220
Joined: Mon May 13, 2002 10:18 am
Location: UK

Re: experimented and messed up....need help

Post by huw » Mon Aug 02, 2004 12:55 pm

sinisterdomestik wrote: i wanted to start learnin how to keep that shit from happenin to me
I would suggest that not running shell scripts you get off IRC as root might be a good start.

Code:

which rm
etc might help you find out what's going on...
Houdini
Apprentice
Posts: 224
Joined: Fri Jun 14, 2002 4:59 am
Location: New Mexico Tech, Socorro, NM

Post by Houdini » Mon Aug 02, 2004 2:37 pm

ow.

Ok, you messed up. In general, don't do what you just did :)

Boot an install CD, and fix the damage (install coreutils) without chrooting. If you need help with that, one of us can build you a binary package of it (is there one on the CD?).

The rootkit might be keeping you from getting rid of it. Hopefully it didn't patch your kernel to help it.

At this point, your system is fairly untrusted. Unless you're really sure that you know everything it did, and that you can undo that damage, it's time to back up all of your data (no executables!) and reinstall.
^]:wq
_Max_
Apprentice
Posts: 264
Joined: Mon Mar 03, 2003 3:48 pm
Location: London, UK

Post by _Max_ » Mon Aug 02, 2004 3:24 pm

If you don't re-install and get things working again, as a minimal precaution you might want to grab one of those forensic one-CD distros (something with clean binaries and chkrootkit etc. on it) to check your install, to make sure that you really removed that thing.

As Houdini suggests, a re-install would probably be safer...
Ceci n'est pas une sig.
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Tue Aug 03, 2004 2:41 am

_Max_ wrote:For each of the files that were overwritten, you can check which package supplies them and reemerge them:

emerge gentoolkit

For e. g. ls:

qpkg -f /bin/ls

or
qpkg -f `which ls`

on my systems that gives me
sys-apps/fileutils
sys-apps/coreutils

After reading the description, it looks as if you want to re-emerge coreutils... and so on. That should overwrite all the files you need with clean versions.

You could even script this, I guess.
BlackBeauty ~ # qpkg -f /bin/ls
/usr/bin/qpkg: line 14: cut: command not found
/usr/bin/qpkg: line 17: rm: command not found
/usr/bin/qpkg: line 18: mkdir: command not found
/usr/bin/qpkg: line 20: basename: command not found
/usr/bin/qpkg: line 313: /bin/ls: cannot execute binary file
/usr/bin/qpkg: line 565: sort: command not found
/usr/bin/qpkg: line 565: uniq: command not found
/usr/bin/qpkg: line 577: rm: command not found

I get that for everything now: emerge, whatever the case is. This is no fun.
Thou shalt NEVER speak of removing thine Linux
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Tue Aug 03, 2004 2:46 am

Houdini wrote:Boot a install CD, and fix the damage (install coreutils) without chrooting. If you need help with that, one of us can build you a binary package of it (is there one on the CD?).
If it wouldn't be TOO much trouble, that would be WONDERFUL. It's been WAY too long since I've been on Linux and I have forgotten a lot of the commands, etc. ANY help with the install CD bit would be tremendously helpful.
Thou shalt NEVER speak of removing thine Linux
_Max_
Apprentice
Posts: 264
Joined: Mon Mar 03, 2003 3:48 pm
Location: London, UK

Post by _Max_ » Tue Aug 03, 2004 4:13 pm

I just had a look at a stage-1 tarball (stage1-x86-2004.1.tar.bz2).

Most of the things that you need seem to be the binaries in /bin.

You could boot into the LiveCD, mount your partitions on /mnt/gentoo as described in the Handbook, and then untar just the /bin directory of the stage-1 tarball onto the harddisk (i.e. mount blah blah, cd to /mnt/gentoo/myfilesystemroot, cp the stage-1 tarball there, and run "tar xvfj stage1-x86-2004.1.tar.bz2 ./bin") - that should give you rm, ls, etc. At which point you could probably use emerge to re-install the rest.

Obviously, if you are not on x86, your tarball would have a different name.

However, you really should consider whether you don't want to re-install everything, since you probably shouldn't trust anything on that machine.

EDIT: You probably want to pass some option to do with permissions to tar - should be described in the handbook (don't know it off the top of my head).

EDIT2: In case there are still some things missing, you might want to check in that tarball whether the files you need are in /usr/bin in that tarball. It is very likely that the Gentoo devs have put binaries of everything you need to use portage into that tarball... ;-)
Ceci n'est pas une sig.
Houdini
Apprentice
Posts: 224
Joined: Fri Jun 14, 2002 4:59 am
Location: New Mexico Tech, Socorro, NM

Post by Houdini » Tue Aug 03, 2004 6:32 pm

Your machine is hosed.

I built a coreutils package and a fileutils package for you, they're at http://www.clanspum.net/~houdini/binpackages/. They are built for the lowest common denominator (686, -O0).

Let me know when they're downloaded so I can delete them. I don't really want to be a mirror of those two files :)

Alternately, you can do as _Max_ said below. Unpacking a stage 1 onto your smoking wreckage of a filesystem might do it. Instead of using the Gentoo boot CD, use one that has chkrootkit installed (http://biatchux.dmzs.com/ for instance), run the chkrootkit before you unpack the stage 1, unpack, then re-run chkrootkit. That'll give you some idea of how broken your Gentoo is.

However, there's a really good chance that the rootkit is smarter than that. My professional advice (as a data forensics / hack cleanup person) is to back up your data and reinstall. You can't really know how much damage has been done, or how deep the rootkit goes. There's always one smarter than you.
^]:wq
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Wed Aug 04, 2004 2:31 am

DL'ed, gonna try 'em now. Thank you.

/EDIT

Stupid question, but how do you decompress a .tbz2 file? Never had to before.

/EDIT

NM, I got it, tryin' them now.
/me crosses his fingers and hopes for the best
Thou shalt NEVER speak of removing thine Linux
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Wed Aug 04, 2004 3:18 am

Houdini wrote:I built a coreutils package and a fileutils package for you, they're at http://www.clanspum.net/~houdini/binpackages/. They are built for the lowest common denominator (686, -O0).
I feel REALLY freakin' stupid askin' this question, but once I have them decompressed, do I just copy them over my old bin, etc, usr folders?
Thou shalt NEVER speak of removing thine Linux
_Max_
Apprentice
Posts: 264
Joined: Mon Mar 03, 2003 3:48 pm
Location: London, UK

Post by _Max_ » Wed Aug 04, 2004 10:33 am

sinisterdomestik wrote: stupid question, but how do you decompress a .tbz2 file?? never had to before
bzip2 -d <file>, then untar it? Alternatively, have a look at the tar man page under the "j" option. tbz2 is a tarball compressed with bzip2.

And yes, the point is that you copy the clean binary version of e. g. rm, mv, ls, etc over the versions in your /bin and /usr/bin directories. The reason being that a) the ones you have there don't seem to work b) if they do work they probably do stuff that you don't want them to do...

But maybe you don't want to overwrite your /etc folder, or at least if you do, do so selectively. Presumably you want to keep the setup of your system.

Honestly, though, it sounds as if it might be easier for you to take your data off the machine, and then re-install everything. It will take fiddling to get the system working again, plus you won't know whether it is still compromised or not.

For the stage-1 tarball version of things:
  1. Boot the LiveCD.
  2. Make a mount point for your file system root

    Code:

    mkdir /mnt/gentoo/myfilesystemroot
    
  3. Mount the partition containing your filesystem root (hdaX is the name of that partition).

    Code:

    mount /dev/hdaX /mnt/gentoo/myfilesystemroot
    
    Make sure that you have bin and usr in this directory, and that they contain files (i.e. you have mounted everything you need to mount). If you keep e. g. your /usr on a separate partition, you will have to mount that too:

    Code:

    mount /dev/hdaY /mnt/gentoo/myfilesystemroot/usr
    
  4. After you have mounted the partition that holds your filesystem root etc. etc., cd to your filesystem root and untar what you need from your (possibly bz2-compressed) tarball so that it overwrites the files in /mnt/gentoo/myfilesystemroot/bin and so on - this means it overwrites the files on your harddisk.

    Code:

    cd /mnt/gentoo/myfilesystemroot
    tar xvfjp /path/to/stage1-x86-blah-blah.tbz2 ./bin
    
    Have a look at the tar man page (assuming man still works on your system - you could also find that on Google) to see how that works before you do it.
Ceci n'est pas une sig.
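An added example, not from this thread or from any Gentoo tool, of the check a practitioner would want before step 4 overwrites anything: run from the LiveCD, it compares what is on the mounted root against the clean copies inside the stage tarball, so you learn which binaries were replaced and which were merely deleted (the question the thread ends on). It assumes GNU tar with compression auto-detection and cmp on the rescue media; stage1-demo.tbz2 and build_demo_tree are constructed stand-ins, and a real run would pass the stage-1 tarball and /mnt/gentoo/myfilesystemroot.

```shell
#!/bin/sh
# Run this from the LiveCD, never from the damaged install: tar, cmp and
# find must come from trusted media, not from the /bin the kit touched.

# audit_bin_against_tarball TARBALL MOUNTED_ROOT [SUBDIR]
# Compares every regular file under SUBDIR (default ./bin) of the clean
# tarball with the same path under MOUNTED_ROOT; prints one line per file:
#   OK path       byte-identical, nothing to restore
#   DIFFERS path  present but altered (a replaced binary)
#   MISSING path  in the tarball but gone from disk (deleted)
audit_bin_against_tarball() {
    tarball=$1; root=$2; subdir=${3:-./bin}
    scratch=$(mktemp -d) || return 1
    # GNU tar detects the compression itself; older tar needs an explicit j.
    tar xf "$tarball" -C "$scratch" "$subdir" || { rm -rf "$scratch"; return 1; }
    (cd "$scratch" && find "$subdir" -type f) | sort | while read -r f; do
        rel=${f#./}
        if [ ! -e "$root/$rel" ]; then
            echo "MISSING $rel"
        elif cmp -s "$scratch/$rel" "$root/$rel"; then
            echo "OK $rel"
        else
            echo "DIFFERS $rel"
        fi
    done
    rm -rf "$scratch"
}

# build_demo_tree: constructed sample data standing in for the stage tarball
# and the mounted root, mirroring the thread (ls untouched, ps replaced,
# rm deleted). Prints the directory it created.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/clean/bin" "$d/root/bin"
    printf 'clean ls\n' > "$d/clean/bin/ls"
    printf 'clean ps\n' > "$d/clean/bin/ps"
    printf 'clean rm\n' > "$d/clean/bin/rm"
    comp=j; command -v bzip2 >/dev/null 2>&1 || comp=z  # gzip fallback if no bzip2
    tar "c${comp}f" "$d/stage1-demo.tbz2" -C "$d/clean" ./bin
    cp "$d/clean/bin/ls" "$d/root/bin/ls"       # left alone by the kit
    printf 'trojaned ps\n' > "$d/root/bin/ps"   # swapped for an altered copy
    # bin/rm is deliberately absent: deleted, as the "command not found" errors suggest
    echo "$d"
}

# Stand-alone run: report on the constructed tree, then clean up.
demo=$(build_demo_tree) && audit_bin_against_tarball "$demo/stage1-demo.tbz2" "$demo/root"
rm -rf "$demo"
```

A file reported OK needs no restoring; only DIFFERS and MISSING entries have to come out of the tarball, and a DIFFERS file is worth keeping a copy of for later forensics before it is overwritten.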
sinisterdomestik
l33t
Posts: 685
Joined: Thu Aug 28, 2003 5:09 am
Location: Texas

Post by sinisterdomestik » Wed Aug 04, 2004 10:40 am

Thank you for helpin' me, I REALLY appreciate it. I think imma try to fix it first, then if worse comes to worse, I'll re-install. Thanks again.

/EDIT

So I think the rootkit just deleted the files, bc I'm copyin' them over and they are workin' fine now!!!!!!!!!!!! Thanks again, gonna keep fixing this shit.
Thou shalt NEVER speak of removing thine Linux