DFN CERT warns about Linux root kits

August 4, 2008

The CERT of the Germany`s National Research and Education Network (DFN – Deutsches Forschungsnetz) warns about attacks on Linux servers, which hide with a root kit. This root kit hides directories and processes from the administrator. The attack is most likely carried out by stolen SSH keys.

Their experts found the directory /etc/khubd.p2/ on the compromised systems but this directory did not show up with ls -l /etc/. But it was possible to change into that directory. As it is very easy to change the source code of the root kid you should check with following:


$ ls -al /tmp/
total 44
drwxrwxrwt 10 root root 4096 2008-08-04 17:58 .
...

tells you the link count and following counts the entries returned by ls:


ls -al /tmp/ | grep "^d" | wc -l

If the do not match, you should really take a closer look. Of course you should use other directories as well. The second way to find leads on this root kit is to send signals to the hidden processes. If a process id is not in /proc, but responding to signals you should also take a closer look:

#!/bin/bash
for PID in `seq 1 65535`; do
  if kill -0 ${PID} 2>/dev/null
  then
  if ls /proc/*/task/*/cmdline | grep "/${PID}/cmdline" >/dev/null
    then
      true
    else
      CMD=`cat /proc/${PID}/cmdline`
      echo "PID ${PID} versteckt?! cmdline: '${CMD}'"
    fi
  fi
done

On olders systems the task directory is maybe missing, use /proc/*/cmdline in this case. If you find an active root kit, send a mail to cert at dfn-cert.de.

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 75 queries. 0.377 seconds.