Security Incidents mailing list archives

Re: [CERT] possible rootkit, maybe partial?


From: ePAc <epac () korigan net>
Date: Wed, 2 Apr 2003 20:27:17 -0800 (PST)


My first thought would be towards some sort of module hack. That is a
module that loads, modifies something in the kernel (replaces some
functions) and then unloads, but leaves the code available. Of course, I
have no clue how you would check for such a thing, but I would guess that
it would be loaded by something like modutil or devfsd. Have you checked
to see if you have some module somewhere in the tree under
/lib/modules/xxx that has no business being there?

I hope this helps..
ePAc

On Wed, 2 Apr 2003, Benjamin Tomhave wrote:

Date: Wed, 2 Apr 2003 20:47:05 -0700
From: Benjamin Tomhave <falcon () cybersecret com>
To: incidents () securityfocus com
Subject: [CERT] possible rootkit, maybe partial?

Hello,

I'm investigating a possible SucKIT rootkit compromise on a web server.  The
server is a fully-patched RH8 system, running iptables limited to ssh, http,
https and previously mysql (tcp 3306).  Kernel is RH 2.4.18-27.8.0.  The
reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
consistent with documented suckit compromises, and b) there doesn't seem to
be anything on the system comprising the rootkit.  Even chkrootkit comes up
empty/clean.  Which makes me wonder if someone found a hole in a
developer's php code, tried to load suckit, had it fail, and then walked
away.  What I can say for certain is that this issue has arisen in the last
1-2 weeks (the current kernel appears to have been installed 3/20).
Checking through /proc there doesn't appear to be anything unusual, either.
tcpdump did not indicate any unexpected traffic.  No web pages have been
defaced.

Here's what leads me to believe that this is a rootkit compromise:

# reboot

Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):

The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!

Now, call me crazy, but the last part of the last line doesn't strike me as
something that belongs.  As it stands right now, I'm slating this box for
low-level format and reinstall within the week.  Since it doesn't seem to be
an active zombie or anything, and since I'm still not 100% sure this is a
compromised system, I'll take the chance of waiting.  I may also try
reinstalling the kernel just to see if that makes a difference, too.

Does this look familiar or suspicious to anyone else?  Anybody have any
ideas on further diagnostics that I could run "just to be sure"?

Thank you,

-ben

***************************************
 Benjamin Tomhave
 falcon () cybersecret com
 http://falcon.secureconsulting.net/


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents


---
Nothing is foolproof to a sufficiently talented fool...
  oo
,(..)\
  ~~
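The RK_Init line quoted in Ben's mail reports the kernel addresses the installer located (an IDT address and a syscall table address) before giving up on kmalloc. One diagnostic worth running is to resolve those addresses against System.map for the running kernel and see whether they land exactly on the kernel's own idt_table and sys_call_table symbols. The script below is an added example, not code from either poster or from chkrootkit; the System.map excerpt is constructed for illustration and its addresses are not the real RH 2.4.18-27.8.0 symbol addresses, and the function names are my own. On a suspect box, take System.map from the kernel RPM or install media rather than from the box itself, since a kernel-level rootkit can lie about files it serves.

```python
import re
from bisect import bisect_right

# Constructed System.map excerpt in the kernel's "address type symbol" format.
# These values are made up for the example; they are NOT from the RH 2.4.18-27.8.0 kernel.
SYSTEM_MAP = """\
c0106d40 T system_call
c0106e50 T ret_from_sys_call
c0106f00 T ret_from_intr
c0128a30 T kmalloc
c0128c00 T kfree
c03300f4 D sys_call_table
c03304f4 D softirq_vec
c03b0000 B idt_table
c03b0800 B gdt_table
"""

# The exact line from the reboot transcript in the thread.
RK_LINE = "RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!"


def parse_system_map(text):
    """Return a list of (address, type, name) tuples sorted by address."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip blank or malformed lines
            continue
        addr, typ, name = parts
        syms.append((int(addr, 16), typ, name))
    syms.sort()
    return syms


def nearest_symbol(syms, addr):
    """Return (name, offset) of the symbol at or just below addr.

    Returns (None, None) if addr is below the lowest mapped symbol.
    """
    addrs = [s[0] for s in syms]
    i = bisect_right(addrs, addr) - 1
    if i < 0:
        return None, None
    return syms[i][2], addr - syms[i][0]


def symbol_address(syms, name):
    """Return the address of a named symbol, or None if it is not in the map."""
    for addr, _typ, sym in syms:
        if sym == name:
            return addr
    return None


def parse_rk_init(line):
    """Extract every name=0xADDR pair from an RK_Init-style line.

    Handles the 'sct[]=' spelling by allowing an optional '[]' after the name.
    """
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"(\w+)(?:\[\])?=0x([0-9a-fA-F]+)", line)}


def resolve_rk_init(line, system_map_text):
    """Map each address in the RK_Init line to its nearest System.map symbol."""
    syms = parse_system_map(system_map_text)
    return {field: nearest_symbol(syms, addr)
            for field, addr in parse_rk_init(line).items()}


def tables_match_kernel(resolved):
    """True if idt and sct land exactly (offset 0) on the kernel's own tables.

    A match means the installer found this kernel's real IDT and syscall table;
    a mismatch would mean the line was produced against a different kernel build.
    """
    return (resolved.get("idt") == ("idt_table", 0)
            and resolved.get("sct") == ("sys_call_table", 0))


if __name__ == "__main__":
    resolved = resolve_rk_init(RK_LINE, SYSTEM_MAP)
    for field, (name, off) in resolved.items():
        print("%s -> %s+0x%x" % (field, name, off))
    print("tables match running kernel:", tables_match_kernel(resolved))
    # The installer could not find kmalloc on its own; the map still knows where it is.
    print("kmalloc per System.map: 0x%08x"
          % symbol_address(parse_system_map(SYSTEM_MAP), "kmalloc"))
```

Run it against the real System.map-2.4.18-27.8.0 by replacing the SYSTEM_MAP string with the file contents (for example `SYSTEM_MAP = open("/boot/System.map-2.4.18-27.8.0").read()` on a trusted copy). If both addresses resolve to the expected tables at offset 0, the transcript line was produced by something that correctly located this kernel's IDT and sys_call_table, which is consistent with a kernel-patching installer running on the box; a chkrootkit pass alone does not rule that out.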
