This is a discussion on Rootkit / SSH dead within the Linux Security forums, part of the System Security and Security Related category.
Hi

I have a rh6.2 box that SSH died on. Managed to get in via keyboard.

Found some suspicious files in /tmp: init & inst, both chmod 755. inst is a bash script that seems to have been used to install a file called fk in /var/tmp/nest_hide, along with a sniffer.

Some lines from inst:

chmod 0755 fk; if [ ! -f /sbin/init${H} ]; then cp -f /sbin/init /sbin/init${H}; fi; rm -f /sbin/init; cp fk /sbin/init

which the hacker then calls with ./fk

fk has a few commands, grabbed using strings fk:

use:
%s <uivfp> [args]
u - uninstall
i - make pid invisible
v - make pid visible
f [0/1] - toggle file hiding
p [0/1] - toggle pid hiding

I also see a backdoor string "BD_Init: Starting backdoor daemon..."

/etc/pam.d has been altered along with /sbin/init, and /sbin/telinit is now a file.

Any pointers on how to recover (hopefully without a complete re-install).

Kram
"Kram" <kram.techie@NOSPAM.ntlworld.com> writes:
]Hi
]i have a rh6.2 box that SSH died on.
]managed to get in via keyboard.
]found some suspicious files in /tmp init & inst both chmod755
]inst is a bash script that seems to have been used to install a file called
]fk in /var/tmp/nest_hide
]along with a sniffer
]some lines from inst
]chmod 0755 fk; if [ ! -f /sbin/init${H} ]; then cp -f /sbin/init
]/sbin/init${H}; fi; rm -f /sbin/init; cp fk /sbin/init
]which the hacker then calls with ./fk
]fk has a few commands grabbed using strings fk
]use:
]%s <uivfp> [args]
]u - uninstall
]i - make pid invisible
]v - make pid visible
]f [0/1] - toggle file hiding
]p [0/1] - toggle pid hiding
]i also see a backdoor string "BD_Init: Starting backdoor daemon..."
]/etc/pam.d has been altered along with /sbin/init and /sbin/telinit is now a
]file.
]Any pointers on how to recover (hopefully without a complete re-install).

Sorry, do a complete reinstall. It is far too probable that you will miss something if you try to clean the system.

If you do try to clean the system, you MUST first find and install new versions of find, ps, ls, rpm ... Then you MUST find all of the files which the nasty put onto your system (eg using rpm -Va > /tmp/verify). Of course you should use a copy of the /var/lib/rpm library which you saved before the crackers took over. Then, having replaced all of the files which the cracker changed, you must look for those the cracker installed. First use find to find all of the suid and sgid files, and make sure that they are all legitimate. Then you have to find those which are not suid/sgid but can still be used to break in.
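The cleanup sequence the reply above lays out (trusted tools first, then rpm -Va against a pre-compromise copy of the rpm database, then a sweep for setuid/setgid files), together with the /sbin/init and /sbin/telinit replacement Kram describes in the original post, as an added example. This is not code from the thread or from any of its posters. CLEAN_BIN and SAVED_RPMDB are assumed names; the rpm -Va lines fed to the parser are constructed sample output, and the real rpm invocation is shown only as a comment because it needs root and the saved database. It is a triage aid only; the thread's answer to the actual question is still a rebuild.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumed names:
#   CLEAN_BIN   - directory holding known-good ls/ps/find/rpm, e.g. mounted
#                 read-only from install media
#   SAVED_RPMDB - copy of /var/lib/rpm taken before the compromise

# 1. Trust only the clean toolset: put it ahead of everything else in PATH,
#    so that ls/ps/find/rpm run from here are not the box's possibly
#    trojaned copies.
use_clean_tools() {
  CLEAN_BIN=${1:?clean tool dir}
  PATH="$CLEAN_BIN:$PATH"; export PATH
}

# 2. Reduce `rpm -Va` output to what matters: files whose size (S), MD5
#    digest (5) or mode (M) differ from the package database, and files
#    rpm expects but cannot find. Lines with only a timestamp change
#    (.......T) are dropped. Reads rpm -Va output on stdin.
verify_report() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    $1 ~ /[S5M]/    { print "MODIFIED " $NF }
  '
}

# The real run against the saved database (needs root; not executed here):
#   rpm --dbpath "$SAVED_RPMDB" -Va | verify_report > /tmp/verify

# 3. Setuid/setgid regular files under a tree. Use / on the real box;
#    -xdev keeps find on one filesystem so NFS mounts are not walked.
list_setid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# 4. On a sysvinit system /sbin/telinit is a symlink to init. A regular
#    file at that path is consistent with the replacement Kram describes.
#    Returns 0 when the path is a regular file and not a symlink.
telinit_is_regular_file() {
  [ -f "$1" ] && [ ! -L "$1" ]
}

# Demo on constructed rpm -Va output, so it runs without a compromised host.
demo() {
  sample='S.5....T   /sbin/init
S.5....T   /sbin/telinit
.......T   /bin/ls
S.5....T c /etc/pam.d/login
missing    /usr/sbin/sshd'
  printf '%s\n' "$sample" | verify_report
}

demo
```

On the real box the interesting output is the MODIFIED entries for binaries under /sbin, /bin and /usr/bin, since a changed /etc/pam.d file is at least plausibly an admin edit while a changed /sbin/init is not; everything MODIFIED or MISSING goes on the list to restore from clean packages before the setuid sweep.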
"Kram" <kram.techie@NOSPAM.ntlworld.com> wrote in message news:kjxob.1028$J4.7218@newsfep4-glfd.server.ntli.net...
> Hi
>
> i have a rh6.2 box that SSH died on.
>
> managed to get in via keyboard.
>
> found some suspicious files in /tmp init & inst both chmod755
>
> inst is a bash script that seems to have been used to install a file called
> fk in /var/tmp/nest_hide
> along with a sniffer
>
> some lines from inst
> chmod 0755 fk; if [ ! -f /sbin/init${H} ]; then cp -f /sbin/init
> /sbin/init${H}; fi; rm -f /sbin/init; cp fk /sbin/init
>
> which the hacker then calls with ./fk
>
> fk has a few commands grabbed using strings fk
>
> use:
> %s <uivfp> [args]
> u - uninstall
> i - make pid invisible
> v - make pid visible
> f [0/1] - toggle file hiding
> p [0/1] - toggle pid hiding
>
> i also see a backdoor string "BD_Init: Starting backdoor daemon..."
>
> /etc/pam.d has been altered along with /sbin/init and /sbin/telinit is now a
> file.
>
> Any pointers on how to recover (hopefully without a complete re-install).

Don't waste your time with it as it is. Do a clean installation of RH 7.3 at least; 6.2 is way the heck out of date. It didn't even come with OpenSSH built in, so keeping that package up to date to avoid some very old and long-repaired exploits is much easier with more recent releases. Maybe set the disk aside and save it to pull files you want off of it, but really, a bare-metal scrub and rebuild is probably the way to go.
Kram <kram.techie@nospam.ntlworld.com> wrote:
> Any pointers on how to recover (hopefully without a complete re-install).

Your system is contaminated. You must not trust it any more.

VB.
--
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
mailto:vb@x-pie.de http://www.x-pie.de