My server has been hacked.

Place to discuss anything, almost. No politics, religion, Microsoft, or anything else that I (the nazi censor) deem inappropriate.

Postby Void Main » Fri Feb 06, 2004 10:18 pm

There is an archive.tar and a rootkit.tar, both of them are 0 bytes. Try renaming them and uploading again. Odd, I believe the file you uploaded yesterday was archive.tar so it might have clashed somehow. How big is it? I only have 275MB available on that partition so if it's bigger than that I'll have to move/delete some stuff.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Webdiggity » Fri Feb 06, 2004 10:27 pm

It's only 127 MB. Also, it looks like there are even the command instructions listed in the kit. To unhide the pid and uninstall the dang thing. :) I haven't done anything with it!!!!!
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Webdiggity » Fri Feb 06, 2004 10:29 pm

It's gonna take a while to upload. Over an hour. Want me to give you access and let you download it?

Edit: I forgot to zip it. It's only 20 MB now. :)
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Void Main » Fri Feb 06, 2004 10:55 pm

You could have just gzipped (or bzipped) it right in the tar command:

# tar -cvzf file.tgz directory

I'll check it out now. Thanks!
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Webdiggity » Fri Feb 06, 2004 10:57 pm

No, thank you. :)

One positive from all this. I have learned a ton more about Linux and my server. I've been reading stuff non-stop for the past 48 hours. :)
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Void Main » Fri Feb 06, 2004 11:01 pm

I think there has been a mistake. I got a rootkit3.zip that contained an archive.tar that contained all your logs again. I just wanted the /usr/include/sdk* (whatever that directory was). Or was it buried somewhere in the file you sent?
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Webdiggity » Fri Feb 06, 2004 11:06 pm

Dang, here it comes. Only 240k too. :(

Are you feeling like you're dealing with an idiot yet?
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Void Main » Fri Feb 06, 2004 11:18 pm

Not right now I'm not. I reserve that feeling for my work day. :) This one looks better. :)
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Webdiggity » Fri Feb 06, 2004 11:22 pm

Wow, and you haven't been working there that long. haha. I must have their relatives here where I work. haha
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Void Main » Fri Feb 06, 2004 11:36 pm

Hey, you mention something about instructions which makes me wonder if I got everything. I wanted the sdk* directory and everything under it. The archive you sent me had 6 files in it:

$ file *
cli:             setuid setgid POSIX tar archive
ev:              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)
evtanazia_new.c: ASCII C program text, with CRLF line terminators
inf:             PCX ver. 2.5 image data
kit.tar:         POSIX tar archive
sk:              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)


Does that look like everything under that directory? There aren't any hidden files right?

The "sk" command appears to be the one that hides and unhides the process:

$ strings sk
.
.
.
Usage:
%s [command] [arg]
Commands:
  u          uninstall
  t          test
  i <pid>    make pid invisible
  v <pid>    make pid visible (0 = all)
  f [0/1]    toggle file hiding
  p [0/1]    toggle proc hiding
configuration:
  c <hidestr> <password> <home>
invoking without args will install rewtkit into memory
.
.
.


So if that is correct then I would say "./sk v 0" would unhide all processes. If you feel froggy and want to take a chance and run that (may be taking a chance) then you could do this "ps auxwww > /tmp/ps.lst" and upload the ps.lst so I can see what processes are running. Also do a "./sk f 0" as it appears there are some hidden files. After doing that you might want to rerun the find command from before and upload the output from that.
Last edited by Void Main on Fri Feb 06, 2004 11:49 pm, edited 1 time in total.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Webdiggity » Fri Feb 06, 2004 11:40 pm

Those are all I could see in the directory. What would you do? Run the unhide or just try to get rid of it?
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Webdiggity » Fri Feb 06, 2004 11:42 pm

Since I've been rooted does that mean my /home directory is safe to copy out?
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Void Main » Fri Feb 06, 2004 11:47 pm

Well usually a root kit only does stupid things like crank up password sniffers and a cron job to email them out (a good reason to only run "ssh" and not telnet and ftp). The actual root kit part of it is system binary executables modified in such a way to hide the running sniffer programs. This person I would have to say was a dumb oops because he modified web pages which certainly tipped you off. If it were me, I would run the command to unhide the stuff, get a snapshot of what is running and then kill them. Then you could run the command to get rid of the kernel module that is doing the hiding by "./sk u" (if the help screen is accurate). I'll continue to analyze the files. It's odd I don't find anything on Google about it. I also need to check CERT. It appears to be an old kit so it should be seen out there. If it's not maybe we should report it to CERT.
Last edited by Void Main on Fri Feb 06, 2004 11:48 pm, edited 1 time in total.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
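A defender-side check for the kind of process hiding discussed in the posts above, added here as an example; it is not code from either poster or from the kit. It compares the PIDs that a directory listing of /proc reports with the PIDs that answer a signal-0 probe, so a process that a kernel module filters out of the listing shows up as a discrepancy. It assumes the hiding only filters /proc directory entries and not kill() itself; the function names are my own.

```python
import os

def hidden_pids(listed, alive):
    """PIDs that answer a probe but are missing from the /proc listing.

    Pure function, so it can be checked on constructed data: a kit that
    filters /proc directory entries but not kill() leaves this gap.
    """
    return sorted(set(alive) - set(listed))

def listed_pids():
    """PIDs as the (possibly filtered) readdir of /proc reports them."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def exists(pid):
    """Signal 0 sends nothing; it only asks the kernel whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, just not ours to signal
    return True

def thread_of_listed(pid, listed):
    """Thread IDs are absent from readdir(/proc) too; rule them out by
    reading Tgid from /proc/<tid>/status (still reachable by name)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    tgid = int(line.split()[1])
                    return tgid != pid and tgid in listed
    except OSError:
        return False         # unreadable: keep it as a candidate
    return False

def scan():
    """Live scan; re-checks candidates so PIDs that exited mid-scan drop out."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    listed = listed_pids()
    alive = {pid for pid in range(1, max_pid + 1) if exists(pid)}
    fresh = listed_pids()
    return [pid for pid in hidden_pids(listed, alive)
            if exists(pid) and pid not in fresh
            and not thread_of_listed(pid, fresh)]

if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", found if found else "none")
```

Run it as root on the suspect box; a non-empty result is a PID that the kernel knows about but the listing does not show, which is exactly what the kit's "make pid invisible" command produces.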

Postby Webdiggity » Fri Feb 06, 2004 11:47 pm

Looks like it worked.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* SUCKIT SUCKIT *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Currently installed version: v1.1c
Making all pid's visible...OK
root@dig2 [/usr/include/sdk386]#

Running your thing now. I'll upload it in a second. :)
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am

Postby Webdiggity » Sat Feb 07, 2004 12:14 am

I did a lot of searching too and couldn't find it. Did a search for rewtkit tho and it came back to phrack.com. Not a lot of links tho.
Webdiggity
scripter
Posts: 63
Joined: Fri Jul 25, 2003 9:25 am
