rootkit infected
04-19-2005 #1 (Just Joined!, joined Feb 2004, Indonesia, 84 posts)
hello
1. my Linux box is infected with the SuckIT rootkit, how to remove it?
2. and how to replace it with uninfected binaries (procps, init-scripts, may I uninstall the rpm and replace it with the new one?)
3. when I do shutdown -h now or shutdown -r now I got some error after all:
/dev/null RK_Init idt=0xc036f000, sct[]=0xc030a0f0
**** : can't find kmalloc()!
is it safe to reset from the reset button?
thanks for your concern
04-19-2005 #2 (Linux Engineer, joined Mar 2005, Where my hat is, 766 posts)
If your system has been rooted, get it off line NOW.
As for just reinstalling binaries, how do you know what's been replaced with what? It needs to be totally formatted and reloaded from scratch. Otherwise, you may end up being rooted again because you missed a critical file that was replaced to allow access back into the system.
Registered Linux user #384279
Vector Linux SOHO 7
04-19-2005 #3
SuckIT installs a default-built binary called "sk" as /sbin/init. SuckIT (if unmodified) will uninstall itself when you call the "sk" binary with argument "u". So "/sbin/init u" should unload SuckIT. This by no means means you're in the safe zone.
Use your rescue CD (often your installation CD) for any operations on that box. Don't boot from the kernel on your hard drive!
Basically, you have no idea what the person who has rootkitted you has done to your box, what backdoors they have opened, etc. The only way to be sure that you are safe after a rootkit infection is the three "R"s: repartition, reformat and re-install from scratch.
There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
- Jeremy S. Anderson
04-19-2005 #4
And as an addition to the reply of Flatline: update your system frequently after reinstall.
I'm so tired .....
#200472
04-19-2005 #5
Pardon my ignorance guys, but is SuckIT a kind of trojan that infects Linux? I've never heard of it before. Will Shorewall keep it out? (I've just installed Shorewall thanks to Flatline.)
Martin,
Dublin, Ireland
LINUX: Where do you want to go.......Tomorrow!
Registered Linux user 396633
04-19-2005 #6
I'm so tired .....
#200472
04-19-2005 #7
Originally Posted by Martin from Dublin
heh.... running not as root online will keep it out!!!
and not allowing root login through 'ssh'
also pick complicated passwords in the next install.....with 1234@#$%^aoeuiAOEUI all used in the passwd, especially the root passwd
~Mike ~~~ Forum Rules
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
http://loft306.org
04-19-2005 #8 (Linux Engineer, joined Mar 2005, Where my hat is, 766 posts)
Originally Posted by Martin from Dublin
Not exactly, Martin. A root kit is a set of tools used by someone to maintain control of a system after he's broken into it.
Registered Linux user #384279
Vector Linux SOHO 7
04-20-2005 #9 (Linux Newbie, joined Jan 2004, Belgrade, S&M, 177 posts)
You should really consider reinstalling from scratch. You can never be sure that the damage is repaired and all the backdoors are closed.
04-20-2005 #10 (Just Joined!, joined Feb 2004, Indonesia, 84 posts)
thanks for your response ...
actually, yesterday when I was browsing from Google I found this interactive link
[remove suckit rootkit] http://www.soohrt.org/stuff/linux/suckit/
regarding going offline, sorry I can't
Oh, yes I found /sbin/initsk12 but I do know where the programs are
about procps, autofs, init-scripts (I found when I do rpm -qi procps -- the information I read is that the package tools are like ps, netstat, ls and many more)
#ls -l /sbin/init [TAB]
init initlog initsk12
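An offline check in the spirit of Flatline's advice (work from the rescue CD, never from the booted kernel or its binaries) applied to the /sbin/init listing above, as an added example that is not code from the thread or from any of its posters: it compares the mounted root's /sbin against SHA-256 hashes taken from clean installation media and flags any extra init* file, treating one whose content equals the clean init as the displaced original. That the installer parks the real init under another name such as initsk12 is an assumption; the file names, contents and hashes in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_sbin(sbin_dir, known_good):
    """Audit /sbin of a root filesystem mounted from rescue media.

    known_good maps file name -> SHA-256 taken from clean installation media
    (not from the suspect box's rpm database, which may itself be altered).
    Reports package files that are modified or missing, init* files the
    package set does not account for, and which of those carry the clean
    init's content (assumed to be the original init the rootkit displaced).
    """
    sbin = Path(sbin_dir)
    report = {"modified": [], "missing": [], "unexpected_init": [], "relocated_init": []}
    for name, digest in known_good.items():
        p = sbin / name
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_of(p) != digest:
            report["modified"].append(name)
    for p in sorted(sbin.glob("init*")):
        if p.name in known_good:
            continue
        report["unexpected_init"].append(p.name)
        if sha256_of(p) == known_good.get("init"):
            report["relocated_init"].append(p.name)
    return report


def demo():
    """Constructed fixture mirroring the thread's listing: init, initlog, initsk12."""
    clean_init, clean_initlog = b"clean vendor init\n", b"clean vendor initlog\n"
    known_good = {"init": hashlib.sha256(clean_init).hexdigest(),
                  "initlog": hashlib.sha256(clean_initlog).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        sbin = Path(d)
        (sbin / "init").write_bytes(b"sk stub\n")      # foreign binary sitting where init belongs
        (sbin / "initlog").write_bytes(clean_initlog)  # untouched package file
        (sbin / "initsk12").write_bytes(clean_init)    # original init under another name (assumed)
        return audit_sbin(sbin, known_good)


if __name__ == "__main__":
    print(demo())
```

On a real box the known_good table is built from the package files on the installation media and sbin_dir points at the mounted root, e.g. /mnt/sysimage/sbin.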