Re: [Full-Disclosure] Removing ShKit Root Kit

From: Chris (chris_at_cr-secure.net)
Date: 12/22/03

    To: Alexander Schreiber <als@thangorodrim.de>
    Date: Mon, 22 Dec 2003 17:43:54 -0500
    
    

    Thanks everyone for the replies. I just took on this job for this client;
    the past security admin did nothing, hence there's a rootkit. I don't plan
    on trying to save the box, but it's nice to look at forensic data so I
    know what to look out for next time. I used the tool examiner to comment
    the objdump on the ifconfig binary and I'm pretty sure there are a few
    socket calls in there that don't belong. So I'm sure it was rooted.

    Chris
    www.cr-secure.net

    Alexander Schreiber wrote:

    >On Sun, Dec 21, 2003 at 07:28:55PM -0500, Chris wrote:
    >
    >
    >>Can anyone recommend some links or useful information for removing the
    >>"ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server
    >>owned by a client of mine.
    >>
    >>"Searching for ShKit rootkit default files and dirs... Possible ShKit
    >>rootkit installed" <== chkrootkit output
    >>
    >>I have only read limited information on this rootkit from a honeypot
    >>report where it was used, no cleaning information. I've googled a bunch
    >>of times; don't go out of your way to answer this, the box will be redone
    >>anyway. I'm just curious to find out what this rootkit is about, not even
    >>packetstorm has a copy to look at :)
    >>
    >>
    >
    >There is exactly one way to properly clean up a rooted box: backup the
    >system (for later analysis and for keeping any data that might be
    >needed), wipe the disks and reinstall from known clean install media,
    >update the system to get all current security updates and properly
    >secure the box.
    >
    >Just trying to "remove the rootkit" is not sufficient:
    > - the attacker might have installed more than one root kit,
    > - the attacker might have modified a standard root kit, rendering
    > a "standard removal procedure" for this particular rootkit
    > incomplete,
    > - the attacker might have used a formerly unknown rootkit, so you have
    > to analyze the system,
    > - you might simply not find everything the attacker left, because
    > kernel level tools were used and you are _running_ under the
    > modified kernel environment which nicely hides parts of the
    > modified system from you,
    > - last but not least: even if you manage to successfully remove the
    > rootkit, the original vulnerability which allowed the attacker
    > to take over the machine in the first place is likely still there.
    >
    >Regards,
    > Alex.
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
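Chris describes checking the dynamic imports of the ifconfig binary for socket calls that do not belong there. The script below is an added example, not code from this thread, from the examiner tool, or from chkrootkit: it parses the output of `objdump -T` (captured separately and fed in as text; the listing here is constructed, with made-up addresses) and reports any imported symbol missing from a baseline for that binary, highlighting the ones that point at network or process activity. The baseline set for ifconfig is an assumption for the example, not taken from any distribution package.

```python
"""Flag unexpected imports in a parsed `objdump -T` listing.

Added example for the thread above. Assumes the dynamic symbol table of a
binary was captured with `objdump -T <binary>` and that a baseline of the
imports expected for that binary is available (constructed here).
"""
import re

# Constructed sample of `objdump -T` output for a tampered ifconfig.
# Symbol names are ordinary libc imports; the addresses are made up.
SAMPLE_OBJDUMP_T = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 ioctl
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 socket
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 connect
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 execve
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strcmp
"""

# Assumed baseline: a stock ifconfig opens a socket only so it can issue
# ioctl() requests against interfaces; it has no reason to connect out
# or run other programs. Build a real baseline from the package of a
# known-clean install, not from the suspect box.
EXPECTED_IMPORTS = {"ioctl", "socket", "printf", "strcmp"}

# Imports that indicate network traffic or process creation; an interface
# query tool should not need any of them.
SUSPICIOUS_IMPORTS = {"connect", "bind", "listen", "accept", "send", "sendto",
                      "recv", "recvfrom", "execve", "system", "fork"}

# An undefined (imported) symbol line: "... *UND*  <size>  [<version>] <name>"
_UND_RE = re.compile(r"\*UND\*\s+\S+\s+(?:\S+\s+)?(\S+)\s*$")


def parse_undefined_symbols(objdump_output: str) -> set:
    """Return the names of all undefined dynamic symbols, i.e. the imports."""
    names = set()
    for line in objdump_output.splitlines():
        m = _UND_RE.search(line)
        if m:
            names.add(m.group(1))
    return names


def unexpected_imports(objdump_output: str,
                       expected=EXPECTED_IMPORTS,
                       suspicious=SUSPICIOUS_IMPORTS) -> dict:
    """Compare the imports against the baseline.

    Returns {"unexpected": [...], "suspicious": [...]} where "unexpected"
    is every import not in the baseline and "suspicious" is the subset of
    those that are network- or process-related.
    """
    extra = parse_undefined_symbols(objdump_output) - set(expected)
    return {
        "unexpected": sorted(extra),
        "suspicious": sorted(extra & set(suspicious)),
    }


if __name__ == "__main__":
    report = unexpected_imports(SAMPLE_OBJDUMP_T)
    if report["suspicious"]:
        print("binary imports calls it should not need:", report["suspicious"])
    elif report["unexpected"]:
        print("imports outside the baseline (review manually):", report["unexpected"])
    else:
        print("imports match the baseline")
```

As Alexander points out in the quoted reply, a kernel-level rootkit can hide parts of the modified system from tools run on the compromised kernel, so the `objdump` capture this script reads should be taken from the disk image mounted on a clean system rather than from the running box.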

