Re: possible rootkit, maybe partial?

From: D.C. van Moolenbroek (xanaduat_private)
Date: Thu Apr 03 2003 - 04:59:03 PST


    Hi there,
    
    Indeed, your machine has been rooted, and you're very lucky that SucKIT
    didn't "like" the newly installed kernel version! I suspect the following
    happened..
    
    Usually, SucKIT is launched as /sbin/init at system bootup, forks to install
    itself into the kernel and start up a backdoor, and launches a copy of the
    original "init" binary from the parent (with pid 1). Any subsequent
    executions of /sbin/init are redirected to the original init.
    
    In your case, SucKIT is also launched as /sbin/init, forks but fails to
    install itself into the kernel, and launches the copy of the original init
    anyway. However, since it failed to install, it will not be able to redirect
    /sbin/init calls. So when you run reboot, reboot runs shutdown, and shutdown
    runs /sbin/init: the SucKIT-version of init. SucKIT once again forks,
    detects that it's not yet installed, and tries but still fails to install
    itself in memory - that's where the weird message is coming from.
    
    You should be able to confirm this by executing "ls -l /proc/1/exe", it
    should show a symlink to the name of the copy of /sbin/init (that is,
    "/sbin/init" with extra characters after it) instead of the normal
    "/sbin/init".
    
    It's hard to say whether the cracker actually succeeded in the first place,
    or failed and walked away. As SucKIT includes a backdoor, an attacker does
    not necessarily have to install anything but SucKIT in order to gain full
    control of your system later; in practice, crackers usually do launch
    additional programs (ssh daemons, irc bouncers/bots..), it depends on your
    skill compared to the cracker's skill whether you can find these programs.
    It would also be pretty easy to launch additional programs only if SucKIT
    was installed successfully; a good reason to take the system offline if you
    want to experiment with it (e.g. to try another kernel version) - but you
    should do that anyway, as long as it hasn't been completely reinstalled...
    
    Regards,
    
    David
    
    "Benjamin Tomhave" wrote:
    > Hello,
    >
    > I'm investigating a possible SucKIT rootkit compromise on a web server. The
    > server is a fully-patched RH8 system, running iptables limited to ssh, http,
    > https and previously mysql (tcp 3306).  Kernel is RH 2.4.18-27.8.0.  The
    > reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
    > consistent with documented suckit compromises, and b) there doesn't seem to
    > be anything on the system comprising the rootkit.  Even chkrootkit comes up
    > empty/clean.  Which makes me wonder if someone found a hole in a
    > developer's php code, tried to load suckit, had it fail, and then walked
    > away.  What I can say for certain is that this issue has arisen in the last
    > 1-2 weeks (the current kernel appears to have been installed 3/20).
    > Checking through /proc there doesn't appear to be anything unusual, either.
    > tcpdump did not indicate any unexpected traffic.  No web pages have been
    > defaced.
    >
    > Here's what leads me to believe that this is a rootkit compromise:
    >
    > # reboot
    >
    > Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
    >
    > The system is going down for reboot NOW!
    > /dev/null
    > RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
    >
    > Now, call me crazy, but the last part of the last line doesn't strike me as
    > something that belongs.  As it stands right now, I'm slating this box for
    > low-level format and reinstall within the week.  Since it doesn't seem to be
    > an active zombie or anything, and since I'm still not 100% sure this is a
    > compromised system, I'll take the chance of waiting.  I may also try
    > reinstalling the kernel just to see if that makes a difference, too.
    >
    > Does this look familiar or suspicious to anyone else?  Anybody have any
    > ideas on further diagnostics that I could run "just to be sure"?
    >
    > Thank you,
    >
    > -ben
    >
    > ***************************************
    >  Benjamin Tomhave
    >  falconat_private
    >  http://falcon.secureconsulting.net/
    >
    
    --
    class sig{static void main(String[]s){for// D.C. van Moolenbroek
    (int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
    "Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
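
The "ls -l /proc/1/exe" check David suggests, as an added, self-contained script that is not part of the original thread. It classifies what pid 1 is actually running (the normal /sbin/init, a "/sbin/init" plus extra characters copy as in the failed-install case above, a deleted binary, or something else), compares inodes so the answer does not depend on the link text alone, and lists the init-lookalike files SucKIT's copy would appear among. It assumes a Linux /proc and GNU ls; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): diagnostics for the "SucKIT as
# /sbin/init" pattern described above. Assumes a Linux /proc and GNU ls;
# the --live flag and the function names are this example's own.

# Classify the link target of /proc/1/exe relative to the expected init path.
# Prints ok | renamed | deleted | other and returns 0 only for "ok".
# "renamed" is the thread's case: /sbin/init followed by extra characters,
# i.e. pid 1 is running the copy SucKIT made of the original init.
classify_init_target() {
    target=$1
    expected=${2:-/sbin/init}
    case $target in
        "$expected")           echo ok;      return 0 ;;
        "$expected (deleted)") echo deleted; return 1 ;;  # binary replaced since boot
        "$expected"?*)         echo renamed; return 1 ;;
        *)                     echo other;   return 1 ;;
    esac
}

# List entries in $1 named init<something>. Red Hat legitimately ships
# /sbin/initlog, so check each hit with "rpm -qf FILE": a stray copy of
# init left behind by a rootkit is not owned by any package.
list_init_lookalikes() {
    for f in "$1"/init?*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
    done
}

# Return 0 if both paths resolve to the same inode (symlinks followed), so
# same_file /proc/1/exe /sbin/init answers "is pid 1 really running the
# /sbin/init on disk?" without trusting what the link text says.
same_file() {
    a=$(ls -Ldi -- "$1" 2>/dev/null | awk '{print $1}')
    b=$(ls -Ldi -- "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check, parsing the same "ls -l /proc/1/exe" output David refers to.
# Only meaningful when the kit failed to install, as in this thread: a working
# SucKIT hides its init copy from the very kernel you are asking, so on a
# suspect box confirm from a rescue boot (and compare against the package
# with "rpm -Vf /sbin/init" from a trusted rpm database).
run_live_check() {
    t=$(ls -l /proc/1/exe 2>/dev/null | sed 's/.* -> //')
    if [ -z "$t" ]; then
        echo '/proc/1/exe: unreadable (run as root)'
        return 1
    fi
    printf '/proc/1/exe -> %s: ' "$t"
    classify_init_target "$t" /sbin/init || true
    same_file /proc/1/exe /sbin/init || echo 'pid 1 is NOT the /sbin/init on disk'
    echo 'init lookalikes in /sbin:'
    list_init_lookalikes /sbin
}

if [ "${1-}" = --live ]; then
    run_live_check
fi
```

Run it as root with --live on the live system; a "renamed" verdict together with a "NOT the /sbin/init on disk" line is the symptom the reply above predicts. Treat a clean result with suspicion on any box where the kit might have loaded successfully: the check asks the possibly-subverted kernel, so the offline verification from a rescue boot is the one that counts.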
    
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:33:32 PST