Hosting Discussion
Post #1, 03-13-2004, 10:02 AM
imported_TheLinuxGuy (HD Newbie, joined Feb 2004, 43 posts)
Hi,

Here's a quick and dirty how-to on removing the t0rnV8 rootkit, seen commonly with this cPanel exploit. How do you prevent it?

Log in to WHM as the root account, go to Tweak Settings, and turn off "Allow cPanel users to reset their password via email".
If you want to make sure you're safe, run this:

chmod 000 /usr/local/cpanel/base/resetpass.cgi
chattr +i /usr/local/cpanel/base/resetpass.cgi

How to know you have been hit?

1. The most common thing you will see when you run ls is this:

ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable.

2. Next, try restarting syslog:

/etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]


Some info on what the rootkit installs/does:

Configuration files:
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (system's md5 checksums)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}


Infected binaries:
top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
tks, tksb, tkp, netstat, pg, syslogd, sz

Infected libraries:
libproc.a, libproc.so.2.0.6, libproc.so

Backdoor, which is located at /lib/lblip.tk:

shdc
shhk.pub
shk
shrs



Let's remove this bugger.

Start by editing /etc/rc.d/rc.sysinit; at the bottom you will see lines similar to:

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

Remove them; this is the backdoor they installed. Additionally, run

netstat -lntpe | grep xntps

find the PID, and

kill -9 PIDNUMBER

Reinstall the needed binaries (you will need to search for these; you can also install from WHM):

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Remove their files:

cd /lib
rm -rf lblip.tk
rm -rf /usr/include/file.h
rm -rf /usr/include/proc.h
rm -rf /lib/lidps1.so
rm -rf /usr/include/hosts.h
rm -rf /usr/include/log.h
rm -rf /dev/sdr0
rm -rf /lib/ldd.so


Recompile your kernel; make sure you do this.

Reboot the server.

Run chkrootkit again.

USE THIS AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR ANY MISHAPS. THIS IS NOT TO BE CONSIDERED A REPLACEMENT FOR A REFORMAT, BUT IT WILL WORK FINE.




If needed, binaries from a clean RH9 /bin and /usr/bin:
http://www.rack911.com/files/bin9.tar.gz
http://www.rack911.com/files/userbin9.tar.gz

If needed, binaries from a clean RHE /bin and /usr/bin:
http://www.rack911.com/files/binrhe.tar.gz
http://www.rack911.com/files/userbinrhe.tar.gz
[ Rack911 - Managed Server Solutions ] [ http://www.rack911.com ]
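The post above leans on ls, ps and netstat to spot the infection, but those are exactly the binaries t0rnV8 replaces, so their output cannot be trusted on the victim. The script below is an added example, not part of the original post or of any Rack911 tooling: it walks the filesystem and /proc with plain shell globs and readlink, looks for the indicator paths and the rc.sysinit backdoor line the post lists, and verifies the resetpass.cgi hardening step. The ROOT argument is an assumption of this example so the scan can be pointed at a mounted image from rescue media; a kernel-level hider would still defeat the /proc walk, which is why the post says to rebuild the kernel and reboot.

```shell
#!/bin/sh
# Added example (not from the original post): report t0rnV8 indicators without
# trusting the victim's own ls/ps/netstat. Only reports, never modifies anything.
# Assumptions: POSIX sh plus readlink; paths are those listed in the post.

# Rootkit config, library and backdoor paths from the post, relative to the
# filesystem root so the same list works against a mounted disk image.
T0RN_PATHS="usr/include/file.h usr/include/proc.h usr/include/hosts.h \
usr/include/log.h lib/lidps1.so lib/ldd.so lib/lblip.tk dev/sdr0"

# Print one "indicator: ..." line per hit under $1 (default /).
# Exit status 0 if clean, 1 if anything was found.
t0rn_check() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    for p in $T0RN_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "indicator: $root/$p present"
            hits=$((hits + 1))
        fi
    done
    # The xntps startup line appended to rc.sysinit (the post's first removal step).
    init="$root/etc/rc.d/rc.sysinit"
    if [ -f "$init" ] && grep -q 'xntps' "$init"; then
        echo "indicator: xntps startup line in $init"
        hits=$((hits + 1))
    fi
    # List the backdoor ssh directory with a shell glob instead of the trojaned ls.
    if [ -d "$root/lib/lblip.tk" ]; then
        for f in "$root"/lib/lblip.tk/*; do
            if [ -e "$f" ]; then echo "  backdoor file: $f"; fi
        done
    fi
    echo "t0rn indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Find the xntps backdoor process by reading /proc/<pid>/exe directly, so a
# trojaned ps/netstat cannot hide it. $1 lets a test point at a fake proc tree.
find_xntps() {
    procroot="${1:-/proc}"
    found=0
    for d in "$procroot"/[0-9]*; do
        [ -d "$d" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *xntps*) echo "${d##*/} $exe"; found=$((found + 1)) ;;
        esac
    done
    echo "xntps processes: $found"
}

# Verify the hardening from the post: resetpass.cgi is mode 000 and, where
# lsattr is available, carries the immutable bit. Exit 0 only if that holds
# (or the file is absent); 1 otherwise.
resetpass_locked() {
    f="${1:-/usr/local/cpanel/base/resetpass.cgi}"
    if [ ! -e "$f" ]; then echo "$f: not present"; return 0; fi
    # Permission field from ls -ld is portable; "---------" means mode 000.
    mode=$(ls -ld "$f" | cut -c2-10)
    if [ "$mode" != "---------" ]; then
        echo "$f: mode is $mode, expected --------- (chmod 000)"
        return 1
    fi
    if command -v lsattr >/dev/null 2>&1; then
        case "$(lsattr "$f" 2>/dev/null | cut -d' ' -f1)" in
            *i*) ;;
            *) echo "$f: immutable bit not set (chattr +i)"; return 1 ;;
        esac
    fi
    echo "$f: locked"
}

# Stand-alone use on a live box:  sh t0rn_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    t0rn_check /
    find_xntps /proc
    resetpass_locked
fi
```

Run it from a statically linked or known-clean shell, and treat any non-zero result as a reason to do the reformat the post itself recommends rather than trusting the cleanup alone.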
Post #2, 03-13-2004, 10:34 AM
Francisco (HD Guru, joined Oct 2003, 579 posts)
Hi LinuxGuy,

Would you help us if we create a "How-To" forum?

Just tell me and I'll talk to the others to make it happen.

Regards,
Francisco
Post #3, 03-13-2004, 10:36 AM
imported_TheLinuxGuy (HD Newbie, joined Feb 2004, 43 posts)
Yeah, sure, I can help out with tutorials.
Post #4, 03-13-2004, 10:42 AM
Francisco (HD Guru, joined Oct 2003, 579 posts)
Quote:
Originally posted by TheLinuxGuy:
Yeah, sure, I can help out with tutorials.

OK, let me see when we can get that forum online.

~Francisco
Post #5, 03-13-2004, 10:53 AM
BlackStorm (HD Wizard, joined Jul 2003, 2,100 posts)
Quote:
OK, let me see when we can get that forum online.

I think making a suggestion for this to the other mods and members would be best, Francisco, hehe.

TheLinuxGuy, not sure if you have seen www.HostingRefuge.com/articles/, but it's a script for hosting-related articles (I still have to sort out categories...). If you are able to create how-tos for that and you have a number that will help people, I can set you up as an admin on the script so you can add your own content, etc.
You will have your own sig on the script, and I don't mind you promoting your own site in it at all.
If you're interested, send me a PM.

Thanks for doing this how-to.
John
Post #6, 03-13-2004, 11:32 AM
Francisco (HD Guru, joined Oct 2003, 579 posts)
Quote:
Originally posted by John Diver:
I think making a suggestion for this to the other mods and members would be best, Francisco, hehe.

My bad, I just asked the mods.
Post #7, 06-12-2004, 10:08 AM
diginode (HD Newbie, joined Jun 2004, 24 posts)
It's really sad, but removing a rootkit may still leave your system vulnerable, as the intruder may have modified other files in the system.

--
::. www.diginode.net : Dedicated / VM Servers .::
::. Instant Remote Reboot & OS Installs : Secure Console Access .::
::. Over 20 OS to choose from : Install a new OS everyday .::
Post #8, 06-14-2004, 03:27 PM
imported_TheLinuxGuy (HD Newbie, joined Feb 2004, 43 posts)
Quote:
Originally posted by diginode:
It's really sad, but removing a rootkit may still leave your system vulnerable, as the intruder may have modified other files in the system.

Oh geez, get this man a cookie. If you know what you are doing, there is no problem.
Post #9, 06-14-2004, 04:59 PM
BlackStorm (HD Wizard, joined Jul 2003, 2,100 posts)
Steve, I think he was just letting people know who didn't already... in case they thought everything was removed once the rootkit was gone.