Boot from your install cd in rescue mode. (Enter "linux rescue" when booting.)
It will/should tell you how to chroot to your root partition.
Run passwd.
Exit to reboot.
This will get you running; however, you should think seriously about keeping a compromised system. There is no telling what the hacker did while he was logged in as root. Any hacker worth his black hat will install a root kit or two and some hidden backdoors as well as other surprises.
My policy is to immediately format any system that has been hacked. If you want to preserve evidence for possible forensic analysis, buy a new drive and send the compromised one to someone who knows this business. I've never worked for a company that wanted to attempt prosecution; we just wanted to know what happened and how to prevent it in the future.
My $0.02.
-Michael
>>> [EMAIL PROTECTED] 10/21/02 09:45AM >>>
Hi All,
Someone with nothing better to do hacked into one of my mom & pop customers' FTP server using a program called SucKIT. In case you haven't heard of this before, I highly recommend looking it up at phrack.org and learning about it. I've even uploaded the README file if you would like. It talks about ways to safeguard yourself from this type of attack.
Anyway, can anyone tell me how to change the root password back to what it was, so we can log in and get things fixed?
Thanks...
Greg
++ SucKIT README File
SucKIT v1.3b, (c) 2002 by sd <[EMAIL PROTECTED]> & devik <[EMAIL PROTECTED]>
+-+
Code: by sd, with a lot of help from devik <[EMAIL PROTECTED]>
Concepts: by Silvio Cesare - /dev/kmem, devik - kmalloc & IDT
http://phrack.org/p58/phrack-09
Tested: by hundreds of script kiddos around the globe :)
Targets: i386-Linux boxen, kernels 2.2.x, 2.4.x without security patches/modules.
Downloads: http://sd.g-art.nl/sk
SucKIT is an easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without the help of LKM support, System.map or such things. Everything is done on the fly. It can hide PIDs, files and tcp/udp/raw sockets, and sniff TTYs. Next, it has integrated TTY shell access (xor+sha1) which can be invoked through any running service on the server. No compiling on the target box is needed; one precompiled binary can work on any 2.2.x or 2.4.x kernel (libc-free).
You can find details about the technical background in the 'src' directory.
Compiling
+---+
The parameters (where your home is, which suffix will hide files, and of course the access password) must be configured before compiling by:
$ make skconfig
Then you can compile all of the stuff by:
$ make
You will get a file, probably called 'inst', in the current directory. It's a script you upload to the target box and exec; then try to remotely log in to that host using './login' and the password you supplied in skconfig.
FAQ
+-+
Q: When I try to load suckit, it segfaults with a kernel oops, wtf?
A: Fire up gdb and send me a bug report of where the problem is :)
Q: How can I log in to a machine running suckit from my Win95?
A: Dunno; btw, I'm interested in how many people ported suckit to cygwin :)
Q: How can I make suckit run automatically on each reboot of the machine?
A: The generic way (as the install script does) is to rename /sbin/init to /sbin/init, and place the sk binary instead of /sbin/init, so suckit will get resident immediately after boot. However, once it is resident, all such changes will be stealthed ;) If you can't fiddle with /sbin/init, you can still place the binary somewhere in /etc/rc.d/rc3.d/S## or such.
Q: When I make some pid invisible, it still appears in the `ps` and `top` listings, what's wrong?
A: Filtering out /proc records is only done for non-suckit, regular users. That means it doesn't affect you when your shell is invisible. *KEEP IN MIND* that suckit doesn't twist information in the system for you, it does so only for the rest of the world :P
Q: How can I beat rootkits of this kind?
A: There are many ways today. You should remove write ability from /dev/kmem (which might make some low-level software angry, Xfree for example) in conjunction with disabling LKM support. Or load some anti-LKM LKM (that doesn't work when sk is already installed), such as StMichael (yes, this module can beat us :)
Also note that the best thing to do is simple: don't allow kids to enter your servers ;p
Q: I recompiled sk and it loses contact with the kernel instance running somewhere, what can I do?
A: Please! Use ONE binary at a time! Each iteration of skconfig will generate a unique version which can not be used with any earlier or later iteration! [btw, that will crash at the time anyway]
Q
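The FAQ above says SucKIT hides PIDs by filtering /proc records for everyone but the rootkit's own shell. A classic cross-check for that class of hiding is to brute-force the PID space with kill(2) signal 0, which goes through a different kernel path than reading /proc, and report anything that answers the probe but has no /proc entry. The script below is an added example for this thread; it is not SucKIT's code and not from either message. It assumes a Linux /proc layout (numeric directories plus /proc/<pid>/task for threads) and a readable /proc/sys/kernel/pid_max; the function names scan_live, visible_ids, alive_by_signal and hidden_from_proc are my own. It handles the two things that make a naive version noisy: threads (which answer kill but are only listed under /proc/<pid>/task) and processes that start or exit between the snapshot and the probe loop.

```python
"""Cross-check the PID space against /proc to spot a rootkit that filters
/proc entries. Added example, not code from SucKIT or from the thread."""
import os

PROC = "/proc"  # assumed Linux procfs mount point


def visible_ids(proc=PROC):
    """PIDs and TIDs that the kernel exposes under /proc.

    TIDs from /proc/<pid>/task are included on purpose: a thread of a
    multi-threaded process answers kill(2) with signal 0 but has no
    top-level /proc directory, so without this step every thread would be
    reported as a hidden process.
    """
    ids = set()
    try:
        entries = os.listdir(proc)
    except OSError:
        return ids
    for name in entries:
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            tasks = os.listdir(os.path.join(proc, name, "task"))
        except OSError:
            continue  # process exited between the two listdir calls
        ids.update(int(t) for t in tasks if t.isdigit())
    return ids


def alive_by_signal(pid):
    """Probe a PID with signal 0 (nothing is delivered).

    ESRCH means no such process. EPERM means the process exists but
    belongs to another user, which for this check still counts as alive.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_from_proc(visible, alive):
    """Pure comparison: IDs that answered kill(2) but are absent from /proc."""
    return set(alive) - set(visible)


def scan_live(max_pid=None, proc=PROC):
    """Brute-force PIDs 1..max_pid and return those alive yet invisible.

    Candidates are re-checked once against a fresh /proc listing, so a
    process that started or exited between the snapshot and the probe
    loop is not reported as hidden.
    """
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
                max_pid = int(f.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    alive = {pid for pid in range(1, max_pid + 1) if alive_by_signal(pid)}
    candidates = hidden_from_proc(visible_ids(proc), alive)
    confirmed = set()
    if candidates:
        visible_again = visible_ids(proc)
        confirmed = {
            pid for pid in candidates
            if pid not in visible_again and alive_by_signal(pid)
        }
    return confirmed


if __name__ == "__main__":
    hidden = scan_live()
    if hidden:
        print("PIDs alive but missing from /proc:", sorted(hidden))
    else:
        print("no PID hidden from /proc detected")
```

Run it as root so EPERM does not mask anything, and treat a non-empty result as a reason to go straight to Michael's rescue-boot procedure. The caveat is the one the README itself implies: SucKIT lives in the kernel via /dev/kmem, so a variant that also filters the kill(2) path would pass this check, which is why an offline look from boot media is the check you can actually trust.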