kamtono

helo

1. my linux box is infected with suckit rootkit how to remove it
2. and how to replace with uninfected binaries (procps, init-scripts, may i do uninstall the rpm and replace with the new ?)
3. when i do shutdown -h now or shutdown -r now i got some error afterall


/dev/null RK_Init idt=0xc036f000, sct[]=0xc030a0f0
**** : can't find kmalloc()!

is it safe to reset from reset button ?

thanks for your concerned

retired1af

If your system has been rooted, get it off line NOW.

As for just reinstalling binaries, how do you know what's been replaced with what? It needs to be totally formatted and reloaded from scratch. Otherwise, you may end up being rooted again because you missed a critical file that was replaced to allow access back into the system.

__________________
Registered Linux user #384279

Flatline

SuckIT installs default built binary called "sk" as /sbin/init. SuckIT (if unmodified) will uninstall itself when you call the "sk" binary with argument "u". So "/sbin/init u" should unload SuckIT. This by no means means you're in the safe zone.

Use your rescue CD (often your installation cd) for any operations on that box. Don't boot from the kernel on your hard drive!

Basically, you have no idea what the person who has rootkitted you has done to your box, what backdoors they have opened, etc. The only way to be sure that you are safe after a rootkit infection is the three "R"s: repartition, reformat and re-install from scratch

__________________
There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.

- Jeremy S. Anderson

puntmuts

And as an addition to the reply of Flatline: update your system frequently after reinstall.

__________________
I\'m so tired .....
#200472

Martin from Dublin

Pardon my ignorance guys, but is SuckIT a kind of trojan that infects Linux? I've never heard of it before. Will Shorewall keep it out (I've just installed Shorewall thanks to Flatline).

Martin,

Dublin, Ireland

__________________
LINUX: Where do you want to go.......Tomorrow!

Registered Linux user 396633

puntmuts

__________________
I\'m so tired .....
#200472

loft306

heh.... running not as root online will keep it out!!!
and not allowing root login through 'ssh'
also pick a complicated passwords in the next install.....with 1234@#$%^aoeuiAOEUI all used in the passwd especialy the root passwd

__________________
~Mike ~~~ Forum Rules
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
http://loft306.org

retired1af

Not exactly, Martin. A root kit is a set of tools used by someone to maintain control of a system after he's broken into it.

__________________
Registered Linux user #384279

Goran

You should really consider reinstalling from scratch. You can never be sure that the damage is repaired and all the backdoors are closed.

kamtono

thank's for your response ...

actually, yesterday when i browsing form google i have this interactive link
[remove suckit rootkit] http://www.soohrt.org/stuff/linux/suckit/

regarding about to offline, sory i can't
Oh, yes i found /sbin/initsk12 but i do know where is the program's
about procps, autofs, init-scripts (i found when i do rpm -qi procps -- information what i read is package tools like ps, netstat, ls and many more)

#ls -l /sbin/init [TAB]
init initlog initsk12