
Re: Protection against SuckIt rootkit



On Thursday 14 September 2006 03:43, Markus Wetzel wrote:
> last week my server got infected with the SuckIt rootkit (Debian with
> 2.4 kernel). Fortunately I have discovered this rootkit (chkrootkit) and
> reinstalled the system because I didn't know what else had been
> compromised.
>
> Is there a way to protect my server against a new infection with SuckIt?

Markus,

A system is usually exploited in two steps.  First an attacker gains
temporary root access.  Second the attacker installs a rootkit.  The
rootkit is used to conceal the attack and provide backdoors into the
system.

Since root can do anything, one cannot prevent the installation of a
rootkit by root.

One has to examine logs, bash histories, time stamps and whatever else
it takes to determine how the attacker gained temporary root access.
Then you have to fix that security hole, then wipe and reinstall.

For example, we recently had a rootkit installed on a server.  The
attacker exploited a known webmin vulnerability[1] to read /etc/shadow,
cracked an unprivileged user's password, used FTP to upload a trivial
CGI script to the user's account, and then used the same webmin
vulnerability to execute the CGI script as root.  The logs revealed
the attack vector and a webmin update[2] secured it.

--Mike Bird

[1] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3392
    [OT] As an aside, this webmin vulnerability is assigned a low
    (2.3) priority by the bureaucrats at the US department of
    homeland security as it "Allows unauthorized disclosure of
    information".  We have contacted them but they are unwilling
    to change the priority despite the fact that "reading arbitrary
    files" in this case allows reading arbitrary files as CGIs which
    always execute with root privileges. [/OT]

[2] http://prdownloads.sourceforge.net/webadmin/
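The log examination Mike describes (find the traversal reads of /etc/shadow,
then the later request that ran the uploaded CGI) can be automated against
miniserv.log.  What follows is an added example written for this archive
page; it is not code from the post, from Debian or from the Webmin project.
It assumes Webmin's miniserv.log is in common log format, and it relies on
the published detail of CVE-2006-3392 that "..%01" segments survive Webmin's
path simplification and collapse to ".." once the control byte is dropped.
The log lines are constructed for the example, and the addresses, user name
and script name in them are made up.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample of a miniserv.log in common log format.  The addresses,
# the user "bob" and x.cgi are invented; the first line is the shape of a
# CVE-2006-3392 read of /etc/shadow, the fourth the same trick used to run
# a script the attacker uploaded into a user's home directory.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2006:02:14:07 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.0" 200 1402
10.0.0.5 - - [08/Sep/2006:02:14:09 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 2210
192.0.2.10 - admin [08/Sep/2006:02:30:11 +0000] "GET /index.cgi HTTP/1.1" 200 8871
10.0.0.5 - - [08/Sep/2006:03:02:55 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/home/bob/public_html/x.cgi HTTP/1.0" 200 77
192.0.2.10 - admin [08/Sep/2006:03:10:00 +0000] "GET /proc/index.cgi HTTP/1.1" 200 5020
"""

# Common log format (assumption: adjust if your miniserv.log is configured
# differently).  Only the fields needed for a timeline are captured.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
CONTROL = re.compile(r'[\x00-\x1f\x7f]')


def resolve(path):
    """Reproduce what the vulnerable server ends up opening: percent-decode,
    drop control bytes (so '..%01' becomes '..'), then collapse the path.
    Returns (normalised absolute path, decoded-but-uncollapsed path)."""
    stripped = CONTROL.sub('', unquote(path))
    return posixpath.normpath(stripped), stripped


def is_traversal(path):
    """True when the request, once decoded and stripped, climbs with '..'.
    Checking after decoding catches '..%01', '..%00' and plain '../'."""
    _, stripped = resolve(path)
    return '..' in stripped.split('/')


def triage(log_text):
    """Return the traversal requests as a time-ordered list of dicts, each
    with the source IP, HTTP status, raw request path and the file the
    server would actually have served or executed."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not is_traversal(m['path']):
            continue
        target, _ = resolve(m['path'])
        hits.append({
            'when': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'ip': m['ip'],
            'status': int(m['status']),
            'raw': m['path'],
            'target': target,
        })
    hits.sort(key=lambda h: h['when'])
    return hits


def report(hits):
    """One line per hit; a 200 on a path under /home after a 200 on
    /etc/shadow is the sequence from the post."""
    return [
        f"{h['when']:%Y-%m-%d %H:%M:%S} {h['ip']} {h['status']} -> {h['target']}"
        for h in hits
    ]


if __name__ == '__main__':
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it over the real miniserv.log rather than the sample, then look at the
FTP and auth logs for the window between the first /etc/shadow read and the
request that resolved to a file under /home: that is where the upload of
the CGI and any password-guessing against the cracked account will show up.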


