Rkhunter Installation Published: Jun 27, 2004

T0rn Rootkit

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit also attempts to hide its presence.

The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.


I am including this so that you can all diagnose and clean up your hacked server.

First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
[] Allow cPanel users to reset their password via email


Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some processes are hidden from ps.

chkrootkit

Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed


Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

Step 3. top

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

--------------------------------------------------------


OK, it looks like someone got to your server as well. Since we know which rootkit it is, let us investigate further.

Configuration files
(use cat /path/filename to see what each file contains)


/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}


Infected Binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
tks, tksb, tkp, netstat, pg, syslogd, sz

Infected Libraries:
libproc.a, libproc.so.2.0.6, libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs
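
Two defender-side checks for the signs listed above, written as an added example that is not part of the original article: chkrootkit_triage reads chkrootkit output (like the Step 1 listing) and pulls out every check flagged INFECTED plus the hidden-process and LKM warnings; t0rn_scan looks under a root prefix for the configuration files, the /lib/lblip.tk backdoor directory and the xntps line t0rn appends to rc.sysinit. The paths and message texts come from the article; the function names, the root-prefix convention and the sample lines are assumptions. Because ls, find and ps are trojaned on the live box, run this from rescue media against the mounted image; the script relies only on shell builtins, grep and tr.

```shell
#!/bin/sh
# Added example (not part of the original article): two defender-side checks
# for the t0rn signs described in the article.
#   chkrootkit_triage  reads chkrootkit output on stdin and lists every check
#                      flagged INFECTED plus the hidden-process / LKM warnings
#   t0rn_scan          looks under a root prefix for the files t0rn drops and
#                      for the xntps line it appends to rc.sysinit
# The paths and message texts come from the article; the function names, the
# root-prefix convention and the sample lines used in testing are assumptions.
# Run it from rescue media against the mounted image (e.g. /mnt/sysimage):
# on the live box the trojaned ls, find and ps cannot be trusted, so this
# script deliberately relies only on shell builtins, grep and tr.

# Files t0rn drops (the "Configuration files" list and the backdoor directory).
T0RN_FILES="
/usr/include/file.h
/usr/include/proc.h
/usr/include/hosts.h
/usr/include/log.h
/lib/lidps1.so
/lib/ldd.so
/dev/sdr0
/lib/lblip.tk
"

# Summarise chkrootkit output read from stdin. Prints "INFECTED: <name>" for
# each flagged check, "WARNING: <line>" for LKM / hidden-process lines, and
# finally "TOTAL: <n>". Always exits 0 so it is safe to use under set -e.
chkrootkit_triage() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "Checking "*"... INFECTED")
                # "Checking `ifconfig'... INFECTED" -> ifconfig
                name=${line#"Checking "}
                name=${name%"... INFECTED"}
                name=$(printf '%s' "$name" | tr -d "\`'")
                echo "INFECTED: $name"
                n=$((n + 1)) ;;
            *"process hidden for ps command"*|*"LKM Trojan"*)
                echo "WARNING: $line"
                n=$((n + 1)) ;;
        esac
    done
    echo "TOTAL: $n"
}

# Look for t0rn's files under the root prefix $1 (default /). Prints
# "FOUND: <path>" per hit and finally "TOTAL: <n>"; always exits 0.
t0rn_scan() {
    root=${1:-/}
    hits=0
    for f in $T0RN_FILES; do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            hits=$((hits + 1))
        fi
    done
    # Persistence: the "/usr/sbin/xntps -q" line t0rn adds to rc.sysinit.
    sysinit="$root/etc/rc.d/rc.sysinit"
    if [ -f "$sysinit" ] && grep -q 'xntps' "$sysinit"; then
        echo "FOUND: xntps startup line in $sysinit"
        hits=$((hits + 1))
    fi
    echo "TOTAL: $hits"
}

# Stand-alone use: sh t0rn_check.sh /mnt/sysimage
if [ "$#" -gt 0 ]; then
    t0rn_scan "$1"
fi
```

To triage a live chkrootkit run, source the file and pipe into the function: chkrootkit | { . ./t0rn_check.sh; chkrootkit_triage; }. A TOTAL of 0 from both functions only means these particular t0rn artefacts are absent; the reinstalled packages still need verifying (Step 5) and chkrootkit rerunning (Step 7).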


--------------------------------------------------------


Now, let's start the cleaning process:

Step 1.
pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q


Step 2.
reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If yours is the case and that is what the data center complains about after the reboot, please ask them to do the following:

reboot the system using the Red Hat CD into rescue mode
chroot to /mnt/sysimage
reinstall the kernel packages

That should fix it.

Since they are already in rescue mode, perhaps also ask them to --force install the following rpms:

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Step 3.
After the system is up

cd /lib
rm -rf lblip.tk

Step 4.
remove the configuration files given above.

Step 5.
cat /etc/redhat-release
note down your version of Red Hat, then from
www.rpmfind.net
search for the following rpms

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

then rpm --force install them


Step 6.
If you look at the hosts.h file, it says to hide all IPs from

cat /usr/include/hosts.h
193.60

So, if you want, you can block all IPs from 193.60 to your server via iptables.

Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again...

You should be OK!
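
After the packages from Step 5 have been reinstalled and before the final chkrootkit run in Step 7, the RPM database can confirm that the binaries on disk now match the package payloads. The following is an added example, not part of the original article: rpm_verify_report reads standard "rpm -V" output on stdin and flags files whose size (S) or MD5 digest (5) differ from the package, plus files that are missing; mtime-only or ownership-only differences are ignored. The function name and the sample lines are assumptions; the package list is the one the article gives. Since rpm and its database live on the compromised box too, treat a clean report as necessary rather than sufficient.

```shell
#!/bin/sh
# Added example (not part of the original article): after the packages from
# Step 5 have been reinstalled, use the RPM database to confirm that the
# binaries on disk now match the package payloads. rpm_verify_report reads
# "rpm -V" output on stdin and flags files whose size (S) or MD5 digest (5)
# differ from the package, and files that are missing entirely; mtime-only or
# ownership-only differences are ignored. The function name and the sample
# lines are assumptions; the "rpm -V" column layout is the standard one.
# Caveat: rpm and its database live on the compromised box too, so treat a
# clean report as necessary, not sufficient, and rerun chkrootkit afterwards.

# Packages the article says to reinstall; used by the usage line below.
T0RN_PACKAGES="procps psmisc findutils fileutils util-linux net-tools textutils sysklogd"

# Reads rpm -V lines such as
#   S.5....T.    /bin/ps
#   .......T.  c /etc/syslog.conf
#   missing     /usr/bin/top
# and prints MODIFIED:/MISSING: lines followed by "TOTAL: <n>". Always exits 0.
# (Paths in these packages contain no spaces, so the last column is the path.)
rpm_verify_report() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}   # first column: verify flags or the word "missing"
        path=${line##* }    # last column: the file path
        case "$flags" in
            missing)
                echo "MISSING: $path"
                bad=$((bad + 1)) ;;
            *5*|*S*)
                echo "MODIFIED: $path ($flags)"
                bad=$((bad + 1)) ;;
        esac
    done
    echo "TOTAL: $bad"
}

# Stand-alone use on the rebuilt box: sh rpm_verify.sh --run
# (equivalent to: rpm -V $T0RN_PACKAGES | rpm_verify_report)
if [ "${1:-}" = "--run" ] && command -v rpm >/dev/null 2>&1; then
    rpm -V $T0RN_PACKAGES | rpm_verify_report
fi
```

A report that still lists MODIFIED entries for ps, top, netstat or ifconfig after the --force reinstall means the replacement did not take, or that the trojaned copy lives outside the package's path; either way the box is not yet clean.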


Comments (15)

  • Chris 01:13, August 28, 2004
    You should update this to:

    wget http://downloads.rootkit.nl/rkhunter-1.1.6.tar.gz
  • mct 17:40, December 29, 2004
    make that 1.1.9 as of 12/28/04. :)
  • Amr 16:53, March 16, 2005
    wget http://downloads.rootkit.nl/rkhunter-1.2.1.tar.gz

    as of 16 March 2005
  • mjm 03:45, May 6, 2005
    updated yet again:

    wget http://downloads.rootkit.nl/rkhunter-1.2.5.tar.gz

    05-05-2005
  • Brad 09:44, June 18, 2005
    Make that 1.2.7 as of 6/18/05
  • accyroy 14:57, June 18, 2005
    updated again...

    wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
  • BoO_SuLtAn 16:16, June 19, 2005
    The Latest Version Is:

    http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

    Best Regards
  • Arif Kanji 09:17, August 17, 2005
    Hi,
    How do you make a scan at (for example) 3am every day?
    Cheers
  • Miguel Costa 00:33, June 4, 2006
    Hi

    New version :)

    wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
  • harry 00:36, August 12, 2006
    Very helpful for level3 issues
  • Chanchal 02:33, October 2, 2006
    The following binaries are reported bad while checking Red Hat Linux release 9 (Shrike) servers using rkhunter. Checked 3 servers and confirmed on all.

    /bin/dmesg [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/mount [ BAD ]

    The package installed is util-linux-2.11y-9.2.legacy
  • Will 14:24, April 4, 2007
    New version:

    wget http://downloads.rootkit.nl/rkhunter-1.2.9.tar.gz
  • Mahdi 03:47, January 7, 2008
    What's the new version link?
    I cannot open the downloads.rootkit.nl URL :(
    please take the new version download link
  • cdixon311 00:06, January 13, 2008
    http://superb-east.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz

    It seems there is a later version out now.
  • Ritesh 05:39, March 14, 2008
    Error while running rkhunter

    rkhunter-1.3.0

    /usr/local/bin/rkhunter -c
    Default logfile will be used (/var/log/rkhunter.log).
    The internationalisation directory does not exist: /var/rkhunter/db/i18n


Copyright © 1998-2017 WebHostGear.com