Re: Do I have an infected init file?

From: Drew B. [Security Expertise/Freelance Security research]. (d4rkstorm_at_gmail.com)
Date: 05/13/05

    Date: Fri, 13 May 2005 14:00:09 +1000
    To: Matt Piechota <piechota@argolis.org>


    To update on this, I did some quick checks for you, and now I can give
    you a better rundown from an administrator's p.o.v.:

    www.rootkit.nl/ - this has helped me GREATLY thus far in removing
    'kiddie pests', although for an experienced Unix malicious user, I
    assume it would maybe require more. However, I am against using such
    apps as F-Prot 'secure' etc. that give off the impression you are
    completely secure to the web, when in fact I could do many simple PoCs
    in 5 minutes in front of any A/V company gladly, using public tools, and
    prove how easy it is to make an app hide from the actual scanner.
    Anyhow, the mentioned URL and file rkhunter are not my property, nor
    had I even heard of them before I myself was compromised by an
    experienced Unix kitter; however, I am using the product and can
    definitely say one thing: it will do a lot more than pathetic A/V
    scanners made for profit. (Until I'm involved in making an A/V product,
    I will never back one.)
    Now let's get to the Rootkit Hunter config.
    I am going by the assumption that you configure the app's conf file
    to include MD5 hash checking, which is one way most other rootkit-
    revealing software is lacking; even this one by default is "off". I had
    turned mine on from day 1 of usage.
    I have installed v1.6.2; it keeps a regular .rkhunter.log in ~/, and
    its updater seems to operate fine with me on 3 machines tested today
    (Fri 13th May 2005): 5.2.1 fBSD-Stable, 5.3 fBSD-Stable, 5.4 fBSD-RelENG.

    I see no reason not to use it; I am only offering additional advice
    with this on the MD5 checking section, and also, try performing tests
    using an older or un-updated version, log it, then run /rkhunter
    --update, rescan, and you will surely find changes; well, you will be a
    first if you do not.
    I have discovered on my system that even using the BSD ports and
    pkg_add applications, I have been left with reports such as this, which
    has left me extremely unhappy with the ports system and/or handling of
    multiple packages, which can pose a potential major security risk
    (log details of what I mean exactly):
       - OpenSSL 0.9.7c [ Vulnerable ]
       - OpenSSL 0.9.7e [ Unknown ]

    Now this is from running rkhunter in simple mode, then updating, and
    finding I have previously 'unclean' and vulnerable parts still
    attached. So far it has happened with Bind and OpenSSH; OpenSSH was
    quite easy to adjust, although the OpenSSL is a completely new
    install, meaning that from when I installed via CD to this system in
    particular (5.2.1), it automatically installed some features. Now why
    these were not removed when they were updated by me manually in ports
    using updating, and making clean reinstalls, I do not understand.
    Especially to have come up in security advisories (rkhunter runs a sec
    advisory checker, indeed handy), so you should grab all BSD advisories
    and make sure you are NOT vuln to any, combined with the MD5 sig
    checking + most importantly now, an 'unknown' version of something,
    which is the way most 'rootkits' seem to be injected.
    A vulnerability could not even ever show up in anything if it's, say,
    crafted specially, perhaps targeted at a specific system, and then
    patched up by an experienced 'rootkitter' (I know... what a great
    sounding job, "Hi, I'm a r00tkitter!"), but it may perhaps show a
    version of something you are no longer running, or have never in fact
    run, but was injected for usage after infection (ie, a ttyshell or
    telnetd backdoor, or bindshell), which will then reveal something like
    "Warning! outdated Bind 8.0.2, please check!"; thus, you would know you
    do not run Bind, nor ever have, so it would at least lead to the admin
    'investigating'.
    Sample of what you would see:
    >>Your system contains some unknown version numbers. Please run Rootkit Hunter
    >>with the --update parameter etc.

    Ok, well, if anyone has ANY input or suggestions on anything I have
    said, like 'want evidence' etc., I have not a problem in supplying it;
    I wouldn't have joined this list otherwise.
    I just hope I am making people more aware that sometimes the simplest
    and oldest of tricks are re-used, and often those are the worst
    threats, but still a vigilant admin who has some security morals (ie:
    updates their own server products) will always carry you through
    even the toughest of times.
    In regards to Linux and BSD 'hacking' and rootkitting, I found, while
    again doing research on a backdoor found on a SuSE box, simply by using
    very clear and specific targets in my searches (ie, I target a name, so
    if I get told THC rootkit, I will enter thc+rootkit+release (or
    download often works)), it brought me across this, which shows some
    products I have proof of being used in current 'kits' ->
    http://www.s0ftpj.org/en/tools.html
    This scared me when I looked, and still does, as I have discovered a lot
    of sections of the code being written are involved in recent property
    and email, even IP hijack mass-mail crime.
    I only wish I had the power to investigate the people and online
    activities more; my resources are extremely limited; my donators are
    companies and ISPs, but they do not offer actual cash :)
    I try what I can, and when something "p**es me off", like having to
    wipe 4000000 emails due to firewall blocking them in (due to
    bodgy kiddie kits), I think I have good reason. I just hope I'm reaching
    you guys; security is a really tough area for many people to
    comprehend exactly how deep the problem is now that it involves making
    money.
    - Sorry for such a large post, I will pre-comment on that:
    "Writing text needs time, writing short and easy to understand text
    needs more time". - inspired by a FreeBSD current researcher :-)
    - A quote on what you may find in your OWN searching:
    "You can have a handgun to protect yourself, or use it to rob a bank".
    - who knows but true!
    Regards,
    Drew B.

    On 5/13/05, Drew B. [Security Expertise/Freelance Security research].
    <d4rkstorm@gmail.com> wrote:
    > Hello,
    > I have used rootkit-hunter for BSD; it can download MD5sums from
    > whitehat which contains 'current' sigs, not that this matters, it only
    > takes a good package (ie file is encrypted) to bypass any rootkit
    > revealer etc.
    > However I do recommend rootkit-hunter, http://www.rootkit.nl , it just
    > runs when needed (/rkhunter -c, /rkhunter --update), and it does a
    > VERY thorough job. I recommend running it without update first, then
    > update it; you will no doubt find some multiple package installs, which
    > seems to be a major problem with this, older package info staying in
    > root after package is updated.
    > Hope this info is of any help; I can provide a detailed log of a
    > rootkithunter.log.. just ask me to attach a copy.
    > Regards,
    > Drew B.
    >
    > On 5/13/05, Matt Piechota <piechota@argolis.org> wrote:
    > > On Thu, 12 May 2005, DH wrote:
    > >
    > > > I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 &
    > > > 0.45 report that my /sbin/init file is infected.
    > >
    > > I should mention that 4.10-release is up to p13. You should really think
    > > about patching up to current.
    > >
    > > > It appears as though the egrep for "UPX" in the output of "strings"
    > > > triggers the infected notice. When I copy the init file from an
    > > > uninfected box to this one chkrootkit continues to report it as
    > > > infected. Is chkrootkit reading a copy of the /sbin/init file stored in
    > > > active memory? If my machine is compromised, which rootkit is installed
    > > > / how can I find out which rootkit is installed?
    > >
    > > The easiest way to figure out if you are rooted is probably to download or
    > > create a clean version of /sbin/init, and compare the two files.
    > > Creating might take some work, you'd have to install a clean 4.10, patch
    > > it to p2, and make world.
    > >
    > > --
    > > Matt Piechota
    > > Key Available from pgp.mit.edu
    > > PGP Key fingerprint = FC90 4D65 2F8A 38E9 D1A8 FABB 7AE8 C194 5EC8 9CAD
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    > >
    >
    > --
    > ------------------------------------------
    > Drew B.
    > /* Security researcher/expert,threat-focus,Freelance */
    > ------------------------------------------
    >

    -- 
    ------------------------------------------
    Drew B.
    /* Security researcher/expert,threat-focus,Freelance */
    ------------------------------------------
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
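One way to settle the question in DH's original post, as an added example that is not code from chkrootkit, rkhunter, or anyone in this thread: the same "UPX" string heuristic chkrootkit applies to /sbin/init, placed beside the digest comparison against a known-good copy that Matt suggests. The file names and sample bytes are constructed; `file_digest`, `upx_marker_present` and `classify_init` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not chkrootkit's or rkhunter's own code): a string match on
# "UPX" alone cannot tell a packed-but-clean init from a trojaned one, so the
# verdict is decided by comparing the suspect file with a reference copy.

# Digest of a file, trying the usual tools so this runs offline anywhere.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# The heuristic behind the "infected" notice: the literal string UPX in the
# binary (grep -a scans binary files, so no dependency on binutils' strings).
upx_marker_present() { grep -a -q 'UPX' "$1"; }

# Verdict for a suspect file given a reference copy from a clean box:
#   clean           no marker, digest matches the reference
#   false-positive  marker present, but byte-identical to the reference
#   modified        digest differs, whatever the marker says
classify_init() {
    if [ "$(file_digest "$1")" = "$(file_digest "$2")" ]; then
        if upx_marker_present "$1"; then echo false-positive; else echo clean; fi
    else
        echo modified
    fi
}

# Constructed sample files (not real init images) covering all three cases.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ELF\001\002 init UPX! packed' > "$demo_dir/init.ref"        # clean copy that carries the marker
cp "$demo_dir/init.ref" "$demo_dir/init.copied"                      # the clean copy installed over, as DH did
printf 'ELF\001\002 init UPX! packed trojan' > "$demo_dir/init.bad" # same marker, different bytes
printf 'ELF\001\002 init plain' > "$demo_dir/init.plain"            # no marker at all

# Run one comparison by sample name; returns the verdict on stdout.
demo_verdict() { classify_init "$demo_dir/$1" "$demo_dir/$2"; }

for pair in "init.copied init.ref" "init.bad init.ref" "init.plain init.plain"; do
    set -- $pair
    printf '%s vs %s: %s\n' "$1" "$2" "$(demo_verdict "$1" "$2")"
done
```

The middle case is the one chkrootkit cannot resolve on its own: the marker is present in both the suspect and the clean copy, so only the digest comparison shows the file is unchanged.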
    
