The Community Forums


Root Kit

Discussion in 'General Discussion' started by B12Org, Dec 29, 2003.

  1. B12Org

    B12Org Well-Known Member

    Joined:
    Jul 15, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle Washington
    cPanel Access Level:
    Root Administrator
    I ran a checkrootkit app and it stated that pstree is infected, login is infected, possible showtree rootkit, t0rn v8 rootkit, and possible shkit root kit installed.

    My question here is how do I get rid of these short of reinstalling, and how can I fix the pstree and login, as at least two of those are related to those files.

    I also want to find out what is infected, and where these infected files are, since they only show what kind, and not what is infected, or where they are.
     
  2. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa Rica
    cPanel Access Level:
    Root Administrator
    It seems most just say to re-install the OS. I wish some pros would actually give input on cleaning out trojans. I know it's possible...
     
  3. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    You can run the RPM tools to reinstall the individual packages a lot of times. If too much gets infected though a reinstall is best.
     
  4. B12Org

    What is the best and easiest way to look to see which RPMs have been modified?
     
  5. kris1351

    chkrootkit will tell you a lot of them. Outside of that look for binaries modified, but if you automate upcp there will be lots of false positives. You could spend days just tracking down what they modified if you didn't catch the hack fast.
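An added example, not from this thread or from cPanel: a small sh script that filters `rpm -Va` output down to the findings that matter when hunting a kit like the one chkrootkit reported above. `rpm -Va` prints one line per file that fails verification; `upcp` and ordinary administration change mtimes and config files all the time, which is the source of the false positives kris1351 mentions, so the filter keeps only system binaries and libraries whose size or MD5 digest changed, plus files that are missing outright. The sample output is constructed, not captured from a real host. One caveat a practitioner would add: on a box where `login` and `pstree` are already trojaned, the `rpm` binary and its database cannot be trusted either, so the verification is only meaningful when run from known-good media (a rescue boot or a statically linked `rpm` copied from a clean host).

```sh
#!/bin/sh
# Triage `rpm -Va` output: list package-owned files under the system binary
# and library directories whose contents changed (size 'S' or MD5 digest '5'),
# and files that are missing. Config files ('c' attribute) and entries that
# only differ in mtime or mode are left out, since upcp and normal
# administration change those all the time.
#
# rpm -Va prints one line per file that fails verification: a flag string
# (positions S M 5 D L U G T, one dot per passing test), an optional attribute
# letter, then the path; a deleted file is printed as "missing  <path>".

# Constructed sample output (not captured from a real host) so the script
# runs offline; on a live host substitute "$(rpm -Va 2>/dev/null)".
SAMPLE_RPM_VA='S.5....T.    /bin/login
..5....T.    /usr/bin/pstree
.......T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
missing      /sbin/ifconfig'

# Print "CHANGED <path>" or "MISSING <path>" for every finding in $1.
triage_rpm_va() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "MISSING " $NF; next }
        NF == 3 && $2 == "c" { next }      # config file: legitimate edits expected
        $1 ~ /^S/ || $1 ~ /^..5/ {
            if ($NF ~ /^\/(bin|sbin|lib|usr\/bin|usr\/sbin|usr\/lib)\//)
                print "CHANGED " $NF
        }'
}

triage_rpm_va "$SAMPLE_RPM_VA"
# Expected output:
#   CHANGED /bin/login
#   CHANGED /usr/bin/pstree
#   MISSING /sbin/ifconfig
```

The mtime-only line for `/bin/ls` and the mode-only line for `/usr/bin/passwd` are dropped on purpose; a changed digest on `/bin/login` is the kind of finding that deserves `rpm -qf` to identify the package and a reinstall of that package from a trusted mirror.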
     
  6. B12Org

    Thanks for the reply, but I already know that, and it doesn't bring me any closer to solving my problem.
     
  7. markie

    markie BANNED

    Joined:
    Oct 5, 2003
    Messages:
    143
    Likes Received:
    0
    Trophy Points:
    0
    Quite simply you cannot, since you don't have access to modify, overwrite or delete those binaries now. You're pretty much screwed. Get a restore and move on.
     
  8. jphilipson

    jphilipson Well-Known Member

    Joined:
    Jan 8, 2003
    Messages:
    80
    Likes Received:
    0
    Trophy Points:
    6
    Your safest bet in the case of being rooted is to put in a clean drive with a new OS and cPanel, then copy over your old user data from the old drive. You may think you have gotten it all, but you never know.
     
  9. B12Org

    Again, thanks for the reply, but you are not telling me anything that I don't already know. If I was going to do that, I would have already. I want to do it the hard way. I don't want to take the easy way out. I want to reinstall all the RPMs that are affected, I want to replace files, and then I want to monitor the box to see what else is going on. Reimaging or installing the drives solves the problem, but gives you absolutely no information, and teaches you nothing.
     
  10. markie

    You can't replace the binaries. Who's the owner of the files? If it's not root then you won't be able to do anything with them. And if I know rooted boxes, those files are no longer owned by you.
     
  11. B12Org

    That really doesn't matter. It will always be root, and if not, then it's easy to figure out and change back. Remember, I wouldn't even be asking if I didn't have root.
     
  12. B12Org

    Again though, if we could limit posts here to those that are actually helpful and may portray some information, that would be great, and save us all some time, not to mention help expedite this task, rather than random postings that really don't help.
     
  13. markie

    Then you need educating. It does matter. If, for example, those root binaries are owned by 5000.5000 you won't be able to do a thing with them, and that's a fact. I'm not talking about whether you have root or not. We all know you do. I was asking about the owner of the file. Good luck in your endeavours of replacing your binaries. You should be more concerned with what processes are running on your box, what ports are open, and with stopping these people from continually logging into the box. Find the processes, find the hidden directories and go from there.
     
  14. B12Org

    I am more concerned with processes and specific files and RPMs. I am NOT concerned with the binaries, and in fact I don't care if the binaries are intact or not. Replacing them is not the purpose here. I want to fix everything ELSE, and then monitor the box. How else are you going to learn what to do, and what they do, if you can't watch it happening?
     
  15. kris1351

    One thing to search for is normal files that have been turned into block devices. We had one server get hit with a root kit last month, and the thing we noticed was that things like the mysql.sock file were block devices instead of the link to MySQL.
     
  16. B12Org

    How can you tell the difference, and what is the significance of the block device?
     
  17. kris1351

    They are non-writable, non-removable and cannot be modified in any way. Luckily they are usually just running in memory so a reboot will knock them out. They usually have a black box around them in an ls -al, that should help you locate some. Look under your /dev/mnt folders for some examples of normal ones.

    The bad thing of the rootkits making things like this is that they are running in memory and show up as hidden processes. Most rootkits install things like BitchX and other IRC port programs. Those aren't as harmful as some of the other folks who want root access and destroy things.
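An added example, not from the thread or from cPanel, of how to hunt for the trick kris1351 describes: paths that should be an ordinary file or a socket (mysql.sock) but have been replaced by block or character device nodes. The script is read-only. The first function walks a filesystem for device nodes that sit outside /dev, which is where a legitimate node belongs; the second checks a list of paths that are expected to be Unix sockets and reports what is really there. The socket paths in the usage section are assumptions for a cPanel host of the period and should be adjusted; on a kit-infected box, run the check with binaries copied from a clean system, since a trojaned `find` or `ls` may hide exactly these entries.

```sh
#!/bin/sh
# Hunt for the hiding trick described above: ordinary paths (a socket such as
# mysql.sock, a plain file) replaced by block or character device nodes, which
# cannot be edited or removed normally. Read-only: nothing here changes the box.

# Print every block/char device node under $1 (default /) that sits outside
# $1/dev, skipping /proc and /sys and other filesystems (-xdev).
find_stray_device_nodes() {
    root="${1:-/}"
    prefix="${root%/}"          # "" when root is "/", so "$prefix/dev" is "/dev"
    find "${prefix:-/}" -xdev \
        \( -path "$prefix/dev" -o -path "$prefix/proc" -o -path "$prefix/sys" \) -prune \
        -o \( -type b -o -type c \) -print 2>/dev/null
}

# For each path in $1 (newline-separated) that should be a Unix socket, print
# OK / ABSENT / DEVICE / WRONG according to what is actually there.
check_expected_sockets() {
    printf '%s\n' "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$p" ]; then
            printf 'ABSENT  %s\n' "$p"
        elif [ -S "$p" ]; then
            printf 'OK      %s\n' "$p"
        elif [ -b "$p" ] || [ -c "$p" ]; then
            printf 'DEVICE  %s (a device node where a socket belongs)\n' "$p"
        else
            printf 'WRONG   %s (exists but is not a socket)\n' "$p"
        fi
    done
}

# Usage: sh hunt-devnodes.sh /
# The scan root must be given explicitly so that sourcing the file does not
# start a full filesystem walk.
if [ $# -gt 0 ]; then
    echo "== device nodes outside /dev =="
    find_stray_device_nodes "$1"
    echo "== expected sockets =="
    # Socket paths are assumptions for a typical cPanel host of the period.
    check_expected_sockets '/var/lib/mysql/mysql.sock
/tmp/mysql.sock'
fi
```

A DEVICE line is the finding to chase: `stat` on the path shows the major/minor numbers and mtime, and since a device node inside a data directory has no legitimate reason to exist, its inode time is a useful anchor for the timeline of the compromise. As kris1351 notes, the processes behind it live in memory, so capture `ps`, `netstat -anp` and `lsof` output from clean binaries before any reboot.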
     
  18. B12Org

    That's true, and thanks for the explanation. Isn't there an option to kill those kinds of processes off in WHM, like BitchX and about 4 or 5 others?
     
  19. kris1351

    Do #locate BitchX and #locate sk12 (or other versions) to see if you see any. Try finding as much as you can. One thing that clued us in on which account was attempting the rootkit was doing a locate of several files in /usr/bin. They showed up as ghosted copies in the users directory. Make sure /tmp is non-executable and the other tmps are linked to /tmp. This helps prevent a lot of the rootkits from making it on the server. No one will ever be 100% but we can try and prevent as much as possible.
     
  20. B12Org

    How would you recommend linking individual users' temp dirs to the noexec system temp dir, without having to make symbolic links to them all? I have hundreds of users, and that would take forever. I guess that's the price we pay for security.
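An added example, not from the thread or from cPanel, covering both kris1351's hardening advice (a noexec /tmp with the other temp directories linked to it) and the bulk-linking question just above. The first two functions read /proc/mounts-format text and report whether the mount that holds a given path carries noexec; the constructed sample is not from a real host. `check_tmp_link` verifies that a path such as /var/tmp is a symlink to /tmp. `plan_user_tmp_links` answers the "hundreds of users" problem by walking a home root and printing, as a dry run, the commands for every per-user tmp directory that is still a real directory; it prints a plan for review and executes nothing, and the plan keeps the old directory rather than deleting it.

```sh
#!/bin/sh
# Checks for the /tmp hardening recommended in the thread: /tmp mounted noexec
# (and nosuid), the other temp directories symlinked to it, and a dry-run plan
# for linking per-user tmp directories in bulk. Nothing here changes the
# system; the plan is printed, not executed.

# Constructed /proc/mounts text (not captured from a real host) for offline use;
# on a live host pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Print the mount options of the mount that holds path $2, given mounts text $1.
# The longest mount point that is a prefix of the path wins, as the kernel does.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v target="$2" '
        {
            mp = $2
            if (mp == "/" || mp == target || index(target, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); opts = $4 }
        }
        END { print opts }'
}

# Print "noexec" if the mount holding $2 carries the noexec option, else "exec".
mount_exec_state() {
    mount_opts_for "$1" "$2" | awk -F, '
        { s = "exec"; for (i = 1; i <= NF; i++) if ($i == "noexec") s = "noexec"; print s }'
}

# Print OK when $1 is a symlink to /tmp, otherwise a FINDING line.
check_tmp_link() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/tmp" ]; then
        printf 'OK       %s -> /tmp\n' "$1"
    else
        printf 'FINDING  %s is not a symlink to /tmp\n' "$1"
    fi
}

# Dry run for bulk linking: for every <home-root>/<user>/tmp that is a real
# directory (not already a link), print the commands an admin would review
# before running them. The old directory is renamed, not deleted.
plan_user_tmp_links() {
    for t in "$1"/*/tmp; do
        [ -d "$t" ] || continue        # no such directory, or the glob matched nothing
        [ -L "$t" ] && continue        # already a symlink
        printf 'mv %s %s.pre-link && ln -s /tmp %s\n' "$t" "$t" "$t"
    done
}

echo "sample: /tmp is $(mount_exec_state "$SAMPLE_MOUNTS" /tmp), /var/tmp is $(mount_exec_state "$SAMPLE_MOUNTS" /var/tmp)"
# Expected: sample: /tmp is noexec, /var/tmp is exec
#
# On a live host:
#   mount_exec_state "$(cat /proc/mounts)" /tmp
#   check_tmp_link /var/tmp
#   plan_user_tmp_links /home
```

The sample shows why the "other tmps" part matters: /tmp is noexec but /var/tmp still lives on the root filesystem and is executable, so a dropper that is refused in one place simply runs from the other. Review the printed plan before running any of it, since a per-user tmp directory may hold data the account still needs, and check what each directory contains before you rename it.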
     