cannot replace binaries after being rootkitted

From: don quixada (xanthus@NOSPAM.iname.com)
Date: 04/24/03


From: don quixada <xanthus@NOSPAM.iname.com>
Date: Wed, 23 Apr 2003 16:25:20 -0700

Hi, I've been rootkitted with `suckit'. And I have two dilemmas
(dilemmae?). First, I cannot replace the affected binaries, i.e. I get
the permission denied message. I used `chkrootkit' and it says that
`ifconfig', `pstree' and `login' are infected; however, I cannot delete
them or replace them even using RPM. I noticed that the files are owned
by a non-root user and they cannot be changed back to root.

My second issue is that I think more files than the three indicated by
`chkrootkit' are infected. My main reason for suspecting this is that
`init' was affected (i.e. the cracker replaced my init with one that
didn't work (I _was_ able to fix that one)). I also noticed other files
that are owned by the same user as the infected files (that, I think,
should be owned by root) such as `ps', `ls', `md5' (which seems
especially bad) and `find' (`grep' does not seem to be affected). I
can't remember offhand, but I think `rpm' may be infected as well.

Anyway, my questions are these:

How can I replace/delete the infected files (short of reformatting)?
How can I find out, for sure, which files are infected?

My system vital-statistics are:

RH 7.2, kernel 2.4.20, my machine is a desktop computer where I am the
sole user (although I have several login names-- the files in question
that aren't root-owned are owned by one of these users), I was running a
very insecure FTP server and Samba (for no reason other than I was lazy
to uninstall it) so either one of those was probably how the cracker got in.

Please note that I am a newbie when it comes to Linux security (yes I
did read the FAQ)-- I guess I had that "It'll never happen to me!"
mentality.

Thanks in advance for your help.

dq
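One way to answer the second question ("which files are infected, for sure?") is to verify every installed package against the RPM database and keep only the hits that land in system binary directories. The script below is an added example and is not part of the original post; it assumes the suspect disk is mounted read-only at $SUSPECT_ROOT (a hypothetical mount point such as /mnt/sysimage from rescue media) and that the rpm, awk and lsattr used are clean copies, because once ls, ps, find, md5 and possibly rpm itself are trojaned and a kernel-level rootkit is loaded, nothing run on the live system can be trusted to report honestly. The constructed sample lines stand in for real `rpm -Va` output.

```shell
#!/bin/sh
# Added example (not from the original post): triage `rpm -Va` output for
# replaced or re-owned system binaries. Run from rescue media against the
# mounted suspect root, with tools taken from the rescue environment.
#
# Assumed (not on the page): the suspect filesystem is mounted at
# $SUSPECT_ROOT. To gather real input:
#   rpm --root "$SUSPECT_ROOT" -Va 2>/dev/null | triage_rpm_verify
# The RPM database on the suspect disk can itself be tampered with, so a
# hit list from -Va is a starting point; the authoritative comparison is
# against the original package files with `rpm -Vp <pkg>.rpm`.
# A "permission denied" even as root, and a chown that will not stick,
# are what an immutable (i) or append-only (a) ext2/ext3 attribute looks
# like; check with:
#   lsattr "$SUSPECT_ROOT"/bin/ls "$SUSPECT_ROOT"/sbin/ifconfig
SUSPECT_ROOT="${SUSPECT_ROOT:-/mnt/sysimage}"

# Directories whose contents should be root-owned, package-managed files.
SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /lib /usr/lib"

# rpm -V flag field (rpm 4.0.x, as shipped with Red Hat 7.2): SM5DLUGT
#   S size  M mode  5 MD5 digest  D device  L symlink  U user  G group  T mtime
# A dot means the attribute matched; "missing" replaces the field when the
# file is gone. An optional attribute marker (e.g. "c" for config files)
# may sit between the flags and the path, so the path is the last field.
triage_rpm_verify() {
    awk -v dirs="$SYSTEM_DIRS" '
    BEGIN { n = split(dirs, d, " ") }
    function in_system_dir(p,   i) {
        for (i = 1; i <= n; i++) if (index(p, d[i] "/") == 1) return 1
        return 0
    }
    $1 == "missing" { if (in_system_dir($NF)) print "MISSING " $NF; next }
    {
        flags = $1; path = $NF
        if (!in_system_dir(path)) next          # config/doc drift is noise here
        # content, size, mode or symlink target changed: the binary was swapped
        if (flags ~ /[5SML]/) print "REPLACED " path
        # contents intact but owner/group changed: the re-owning the post saw
        else if (flags ~ /[UG]/) print "OWNERSHIP " path
        # mtime only: legitimate after prelink/touch, but worth a look
        else if (flags ~ /T/) print "MTIME " path
    }'
}

# Constructed sample of rpm -Va output (not captured from a real system).
SAMPLE_VERIFY_OUTPUT='S.5....T    /bin/ls
.......T  c /etc/printcap
....L...    /usr/bin/pstree
.....U..    /sbin/ifconfig
missing     /bin/login
S.5....T    /usr/share/doc/foo/README
.......T    /usr/bin/gcc'

# Stand-alone run: triage the constructed sample.
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_rpm_verify
```

The REPLACED lines are the ones to restore from known-good package files (after clearing any immutable attribute with a clean chattr), OWNERSHIP lines match the "owned by a non-root user" symptom described above, and anything reported only as MTIME is low priority. Files the rootkit installed outside of any package will not appear in rpm -V output at all; those need a filesystem walk from the rescue environment, not from the compromised host.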