From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 29 Apr 2005 - 00:36:54 BST
On Thu, Apr 28, 2005 at 02:31:23PM -0700, Roderick A. Anderson wrote:
> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ). In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( ie. it doesn't need a kernel with support for loadable
> kernel modules -- <http://la-samhna.de/library/rootkits/list.html> ).
life is hard without proc security ...
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17 ).
> Several other vservers, like this one, were built unified to a
> reference vserver so whenever I find a replaced/changed file in the
> 'compromised' vserver; fcheck ( run in the main server ) reports all the
> unified vservers' files as changed.
>
> For a while I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit. So my question is, is it
> possible for an exploit using /dev/kmem in a vserver to stick something
> in the kernel like this?
very likely ...
> Each time after I find and remove or replace the files and/or directories
> I reboot the vserver ( not the main ). I'm still seeing the return of the
> '!@#$%^&*' buggers. So either I haven't got all the compromised accounts
> plugged or there is some way the hole is remaining open.
>
> I'm trying to remove this rather than just build a new vserver and move to
> it. A "Good" exercise I feel.
well, one of the basic rules with 'infected' or
'compromised' servers is, get it offline and shut
it down asap, then, from a known good system,
inspect the various things ...
> Any thoughts or ideas on this?
on 2.4.21ctx-17 there are plenty of options to
compromise guest and host system ...
best,
Herbert
> TIA,
> Rod
> --
> "Open Source Software - You usually get more than you pay for..."
> "Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL"
> "Will code for ale, porter, or single-malt"
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
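The thread turns on two points: inspect a compromised system from a known-good vantage point rather than from inside it, and expect unified (hard-linked) guests to make one modified file show up under every guest's path, which is what Rod saw from fcheck. The script below is an added example written for this archive page, not code from the list, from fcheck or from the Linux-VServer project. It builds a simple hash manifest of a directory tree (as a known-good host would, over the guests' root directories), compares it against a later manifest, and groups changed files by (device, inode) so that a single tampered unified binary is reported once with every guest path that shares it. The directory layout in `demo()` is constructed in a temporary directory purely to exercise the logic; real fcheck output and real guest paths are not modelled.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to (device, inode, sha256).

    Symlinks are skipped on purpose: a rootkit can point them anywhere, and
    what matters here is the content of the real files.
    """
    manifest = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[str(p.relative_to(root))] = (st.st_dev, st.st_ino, hash_file(p))
    return manifest


def changed_files(baseline, current):
    """Return {(dev, ino): [paths]} for files that are new or whose hash changed.

    Grouping by inode collapses the hard-linked copies that unification creates:
    one modified binary shared by N guests becomes one finding with N paths,
    instead of N separate alerts.
    """
    groups = {}
    for rel, (dev, ino, digest) in current.items():
        old = baseline.get(rel)
        if old is None or old[2] != digest:
            groups.setdefault((dev, ino), []).append(rel)
    return {key: sorted(paths) for key, paths in groups.items()}


def demo():
    """Constructed scenario: two guests share a unified binary; it gets tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for guest in ("guest-a", "guest-b"):
            (root / guest / "bin").mkdir(parents=True)
        # constructed stand-in for a unified binary: one inode, two guest paths
        shared = root / "guest-a" / "bin" / "ls"
        shared.write_bytes(b"original ls binary\n")
        os.link(shared, root / "guest-b" / "bin" / "ls")
        # a file that is not unified and stays untouched
        (root / "guest-a" / "bin" / "cat").write_bytes(b"cat binary\n")

        baseline = build_manifest(root)

        # simulate an in-place overwrite that keeps the inode (and so both links)
        with open(shared, "r+b") as f:
            f.write(b"TAMPERED")

        current = build_manifest(root)
        return changed_files(baseline, current)


if __name__ == "__main__":
    for (dev, ino), paths in demo().items():
        print(f"inode {ino} on device {dev} changed; linked at: {', '.join(paths)}")
```

Run from a known-good host as the thread recommends, the baseline manifest should be taken before the guests are ever exposed (or from the reference guest the others were unified against); a manifest taken on an already compromised system, or from inside the guest, only tells you what changed since the attacker was already there.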