DFN CERT warns about Linux root kits
August 4, 2008
The CERT of Germany's National Research and Education Network (DFN, Deutsches Forschungsnetz) warns about attacks on Linux servers that are concealed with a rootkit. The rootkit hides directories and processes from the administrator. The attacks are most likely carried out with stolen SSH keys.
Their experts found the directory /etc/khubd.p2/ on the compromised systems, but this directory did not show up in ls -l /etc/. It was nevertheless possible to change into it. As it is very easy to change the source code of the rootkit (and with it the directory name), you should check with the following:
$ ls -al /tmp/
total 44
drwxrwxrwt 10 root root 4096 2008-08-04 17:58 .
...
The second column of the "." entry (10 in the example above) is the link count of the directory. On a normal Linux filesystem it is 2 plus the number of subdirectories: one link for ".", one for the directory's entry in its parent, and one for the ".." entry of every subdirectory. A rootkit that filters the directory listing hides the entry, but it cannot change the parent's link count. The following counts the directory entries returned by ls, i.e. ".", ".." and every visible subdirectory, and should therefore give the same number:
ls -al /tmp/ | grep "^d" | wc -l
If they do not match, you should really take a closer look. Of course you should check other directories as well, /etc in the DFN case. Note that this comparison only works on filesystems that maintain link counts for directories; btrfs, for example, always reports 1. The second way to find leads on this rootkit is to send signals to the hidden processes: kill -0 delivers no signal, but tells you whether a process with that id exists. If a process id is not in /proc but responds to signals, you should also take a closer look (a rootkit that also hooks kill() defeats this check, so a clean result is not proof of a clean system):
#!/bin/bash
# Run as root: for another user's process kill -0 fails with EPERM,
# which is indistinguishable here from "no such process".
# 65535 is too small a bound on systems with a larger pid_max.
PID_MAX=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 65535)
for PID in $(seq 1 "${PID_MAX}"); do
    # kill -0 delivers no signal; it only reports whether the PID exists.
    if kill -0 "${PID}" 2>/dev/null; then
        # Threads appear as /proc/<tgid>/task/<tid>, so match on the task
        # directories; a PID that exists but is listed nowhere is hidden.
        # A process that exits between the kill and the ls gives a false
        # positive, so re-run the script to confirm a hit.
        if ! ls /proc/*/task/*/cmdline 2>/dev/null | grep -q "/${PID}/cmdline"; then
            # The hidden process's cmdline may be unreadable; NULs become spaces.
            CMD=$(tr '\0' ' ' < "/proc/${PID}/cmdline" 2>/dev/null)
            echo "PID ${PID} hidden?! cmdline: '${CMD}'"
        fi
    fi
done
On older systems the task directory may be missing; use /proc/*/cmdline in this case. If you find an active rootkit, send a mail to cert at dfn-cert.de.
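The link-count comparison from the first check, written as a script that covers a list of directories instead of one ls call read by eye. This is an added example and not part of the original post or of the DFN-CERT advisory. It reads the link count with stat, counts the visible subdirectories with find, and reports UNSUPPORTED on filesystems that report a link count of 1 for directories (btrfs, merged overlayfs directories), where the comparison says nothing. The directory list in check_all is an assumption; add whatever matters on your system.

```shell
#!/bin/sh
# Directory link-count check. On ext4/xfs/tmpfs, nlink(dir) = 2 + number of
# subdirectories: the dir's own "." entry, its entry in the parent, and one
# ".." entry per child. A rootkit that filters readdir() hides the child from
# ls and find, but cannot lower the parent's link count.

# Link count of a directory as reported by stat(2).
dir_nlink() {
    stat -c %h "$1"
}

# Number of subdirectories visible through readdir(), without "." and "..".
# find does not follow symlinks, so a symlink to a directory is not counted,
# which matches the kernel: a symlink adds no ".." link to the parent.
visible_subdirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Prints OK, MISMATCH or UNSUPPORTED for one directory and returns 0, 1 or 2.
check_dir() {
    nlink=$(dir_nlink "$1") || return 2
    seen=$(visible_subdirs "$1")
    expected=$((seen + 2))
    if [ "$nlink" -eq 1 ]; then
        # btrfs and merged overlayfs directories always report nlink 1
        echo UNSUPPORTED
        return 2
    elif [ "$nlink" -eq "$expected" ]; then
        echo OK
        return 0
    else
        # More links than visible subdirectories: something is hidden
        echo MISMATCH
        return 1
    fi
}

# Run over directories a rootkit typically drops files into.
# The list is an assumption, not taken from the advisory.
check_all() {
    rc=0
    for d in /etc /tmp /var/tmp /dev /lib /usr/lib /usr/bin /usr/sbin; do
        [ -d "$d" ] || continue
        r=$(check_dir "$d") || true
        printf '%-12s nlink=%s visible=%s %s\n' "$d" "$(dir_nlink "$d")" \
            "$(visible_subdirs "$d")" "$r"
        if [ "$r" = MISMATCH ]; then rc=1; fi
    done
    return "$rc"
}

# Invoke as "sh dircheck.sh run" (assumed file name) to scan the list above.
if [ "${1:-}" = run ]; then
    check_all
fi
```

A MISMATCH is a lead, not a verdict: compare the hidden count against the directory's contents with another tool (e.g. by reading the block device, or from a rescue system) before drawing conclusions, and remember that a rootkit which also hooks stat() can forge the link count.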