
From: Bodo Eggert (7eggert_at_gmx.de)
Date: Fri 29 Apr 2005 - 01:27:38 BST

On Thu, 28 Apr 2005, Roderick A. Anderson wrote:

> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ). In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( i.e. it doesn't need a kernel with support for loadable
> kernel modules -- <http://la-samhna.de/library/rootkits/list.html> ).
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17 ).
> For a while I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit. So my question is: is it
> possible for an exploit using /dev/kmem in a vserver to stick something
> in the kernel like this?

/dev/kmem should not exist, but an exploit might give similar access.

Change the kernel NOW.

> Each time after I find and remove or replace the files and/or directories
> I reboot the vserver ( not the main ). I'm still seeing the return of the
> '!@#$%^&*' buggers. So either I haven't got all the compromised accounts
> plugged or there is some way the hole is remaining open.

So it hooked itself into the start scripts.

You'll need to disable the start scripts and re-enable them one by one
until you find the one starting the bugger.

(If it's an rpm based vserver, you may try the rpm verify option.)

> I'm trying to remove this rather than just build a new vserver and move to
> it. A "Good" exercise I feel.

If it's for exercise only, it's OK, but if it's a productive system, see

Funny quotes:
31. Why do "overlook" and "oversee" mean opposite things?
Vserver mailing list
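An added example (not part of the thread) of the rpm verify approach suggested above: it reads `rpm -Va` output and lists only the start scripts whose size or digest no longer matches the package, which narrows down the scripts to disable first. The `rpm -Va` line layout (nine attribute flags, optional file-type letter, path) is the real one; the sample lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage `rpm -Va` output for
# init/rc scripts that no longer match the package database.

# Print the path of every rpm-owned file under an init/rc directory whose
# size (S) or digest (5) differs from the package, or which is missing.
# Mode- or mtime-only differences are ignored. Reads rpm -Va output on
# stdin, writes one path per line on stdout.
flag_modified_startscripts() {
    while IFS= read -r line; do
        case "$line" in
            missing*) flags=missing ;;
            *)        flags=${line%% *} ;;
        esac
        path=${line##* }            # path is the last field
        case "$path" in
            /etc/rc.d/*|/etc/init.d/*|/etc/rc*.d/*) ;;
            *) continue ;;           # not a start script, out of scope here
        esac
        case "$flags" in
            missing|*5*|*S*) printf '%s\n' "$path" ;;
        esac
    done
}

# Sample rpm -Va output, constructed for this example. On a real guest the
# input would come from: rpm -Va 2>/dev/null | flag_modified_startscripts
SAMPLE='S.5....T.  c /etc/rc.d/init.d/sshd
.......T.  c /etc/rc.d/init.d/syslog
S.5....T.    /usr/bin/ps
missing     /etc/rc.d/init.d/network
.M.......    /etc/init.d/crond'

# Wrapper so the sample can be run (and checked) by name.
triage_sample() {
    printf '%s\n' "$SAMPLE" | flag_modified_startscripts
}

# On the sample this prints /etc/rc.d/init.d/sshd and /etc/rc.d/init.d/network.
triage_sample
```

The check is only as trustworthy as the `rpm` binary and the rpm database on the compromised guest; run it with a known-good `rpm` from rescue media or from the host, and treat a clean result as narrowing the search, not as proof the start scripts are untouched.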

Generated on Fri 29 Apr 2005 - 01:29:12 BST by hypermail 2.1.3