Void's Forums

[Void Main]

There is an archive.tar and a rootkit.tar, both of them are 0 bytes. Try renaming them and uploading again. Odd, I believe the file you uploaded yesterday was archive.tar so it might have clashed somehow.. How big is it? I only have 275MB available on that partition so if it's bigger than that I'll have to move/delete some stuff.

[Webdiggity]

It's only 127mb. Also, it looks like there are even the command instructions listed in the kit. To unhide the pid and uninstall the dang thing. I haven't done anything with it!!!!!

[Webdiggity]

It's gonna take a while to upload. Over an hour. Want me to give you access and let you download it?

Edit: I forgot to zip it. It's only 20mb now.

[Void Main]

You could have just gzipped (or bzipped) it right in the tar command:

# tar -cvzf file.tgz directory

I'll check it out now. Thanks!

[Webdiggity]

No, thank you.

One positive from all this. I have learned a ton more about Linux and my server. I've been reading stuff non-stop for the past 48 hours.

[Void Main]

I think there has been a mistake. I got a rootkit3.zip that contained an archive.tar that contained all your logs again. I just wanted the /usr/include/sdk* (whatever that directory was). Or was it buried somewhere in the file you sent?

[Webdiggity]

DAng, here it comes. ONly 240k too.

Are you feeling like you're dealing with an idiot yet?

[Void Main]

Not right now I'm not. I reserve that feeling for my work day. :) This one looks better. :)

[Webdiggity]

Wow, and you haven't been working there that long. haha. I must have their relatives here where I work. haha

[Void Main]

Hey, you mention something about instructions which makes me wonder if I got everything. I wanted the sdk* directory and everything under it. The archive you sent me had 6 files in it:

Code: Select all

$ file *
cli:             setuid setgid POSIX tar archive
ev:              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)
evtanazia_new.c: ASCII C program text, with CRLF line terminators
inf:             PCX ver. 2.5 image data
kit.tar:         POSIX tar archive
sk:              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)


Does that look like everything under that directory? There aren't any hidden files right?

The "sk" command appears to be the one that hides and unhides the process:

Code: Select all

$ strings sk
.
.
.
Usage:
%s [command] [arg]
Commands:
  u          uninstall
  t          test
  i <pid>    make pid invisible
  v <pid>    make pid visible (0 = all)
  f [0/1]    toggle file hiding
  p [0/1]    toggle proc hiding
configuration:
  c <hidestr> <password> <home>
invoking without args will install rewtkit into memory
.
.
.


So if that is correct then I would say "./sk v 0" would unhide all processes. If you feel froggy and want to take a chance and run that (may be taking a chance) then you could do this "ps auxwww > /tmp/ps.lst" and upload the ps.lst so I can see what processes are running. Also do a "./sk f 0" as it appears there are some hidden files. After doing that you might want to rerun the find command from before and upload the output from that.

[Webdiggity]

those are all I could see in the directory. What would you do? Run the unhide or just try to get rid of it?

[Webdiggity]

Since i've been rooted does that mean my /home directory is safe to copy out?

[Void Main]

Well usually a root kit only does stupid things like crank up password sniffers and a cron job to email them out (a good reason to only run "ssh" and not telnet and ftp). The actual root kit part of it are system binary executables modified in such a way to hide the running sniffer programs. This person I would have to say was a dumb oops because he modified web pages which certainly tipped you off. If it were me, I would run the command to unhide the stuff, get a snapshot of what is running and then kill them. Then you could run the comand to get rid of the kernel module that is doing the hiding by "./sk u" (if the help screen is accurate). I'll continue to analyze the files. It's odd I don't find anything on Google about it. I also need to check CERT. It appears to be an old kit so it should be seen out there. If it's not maybe we should report it to CERT.

[Webdiggity]

Looks like it worked.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT SUCKIT *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Currently installed version: v1.1c
Making all pid's visible...OK
root@dig2 [/usr/include/sdk386]#

Running your thing now. I'll upload it in a second.

[Webdiggity]

I did alot of searchin too and couldn't find it. Did a search for rewtkit tho and it came back to phrack.com Not alot of links tho.