From: Bodo Eggert (7eggert_at_gmx.de)
Date: Fri 29 Apr 2005 - 01:27:38 BST
On Thu, 28 Apr 2005, Roderick A. Anderson wrote:
> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ). In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( ie. it doesn't need a kernel with support for loadable
> kernel modules -- <http://la-samhna.de/library/rootkits/list.html> ).
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17 ).
> For a while I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit. So my question is: is it
> possible for an exploit using /dev/kmem in a vserver to stick something
> in the kernel like this?
/dev/kmem should not exist, but an exploit might give similar access.
Change the kernel NOW.
> Each time after I find and remove or replace the files and/or directories
> I reboot the vserver ( not the main ). I'm still seeing the return of the
> '!@#$%^&*' buggers. So either I haven't got all the compromised accounts
> plugged or there is some way the hole is remaining open.
So it hooked itself into the start scripts.
You'll need to disable the start scripts and reenable them one by one
until you find the one starting the bugger.
(If it's an rpm-based vserver, you may try the rpm verify option.)
> I'm trying to remove this rather than just build a new vserver and move to
> it. A "Good" exercise I feel.
If it's for exercise only, it's OK, but if it's a productive system, see
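As an added example that is not part of the thread: the "rpm verify option" suggested above produces one line per changed file, and on a host like the one described a quick triage of that output helps separate expected config drift from replaced binaries. The sample output below is constructed, and the classification rules (content changes to non-config files, or missing non-doc/non-ghost files, count as suspicious) are this example's own heuristics.

```python
"""Triage `rpm -V` output for files a rootkit may have replaced.

Assumes the standard rpm verify line format: an 8- or 9-character flag
field (S M 5 D L U G T P, '.' = unchanged, '?' = not checked) or the word
"missing", an optional attribute marker (c config, d doc, g ghost, l
license, r readme), then the path.
"""
import re
from dataclasses import dataclass

FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "user", "G": "group", "T": "mtime",
                "P": "capabilities"}
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([a-z])\s+)?(/\S+)$")


@dataclass
class Finding:
    path: str
    flags: set
    attr: str
    missing: bool = False

    def suspicious(self) -> bool:
        # Heuristic: config files legitimately change and docs/ghost files
        # are often absent; a content or ownership change to anything else
        # (a binary such as ps or netstat) is what a rootkit leaves behind.
        if self.missing:
            return self.attr not in ("d", "g")
        if self.attr == "c":
            return False
        return bool(self.flags & {"5", "S", "M", "U", "G"})


def parse_rpm_verify(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and unparseable noise
        flags, attr, path = m.groups()
        if flags == "missing":
            findings.append(Finding(path, set(), attr or "", missing=True))
        else:
            findings.append(Finding(path, {c for c in flags if c in FLAG_MEANING}, attr or ""))
    return findings


def triage(text: str) -> list:
    """Sorted paths that warrant a closer look (compare against a known-good package)."""
    return sorted(f.path for f in parse_rpm_verify(text) if f.suspicious())


SAMPLE = """\
S.5....T.    /bin/ps
S.5....T.    /bin/netstat
.......T.    /usr/lib/libfoo.so.1
S.5....T.  c /etc/ssh/sshd_config
missing     /sbin/ifconfig
missing   d /usr/share/doc/pkg/NEWS
"""  # constructed sample, not output from a real host
```

Run `rpm -Va` on the affected vserver, feed its output to `triage()`, and treat every path it returns as a candidate for restoration from a trusted package copy.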