    #1 | Just Joined! | Joined Feb 2004 | Location: Indonesia | 84 posts

    rootkit infected


    Hello

    1. My Linux box is infected with the SuckIT rootkit. How do I remove it?
    2. And how do I replace it with uninfected binaries (procps, init-scripts)? May I uninstall the rpm and replace it with the new one?
    3. When I do shutdown -h now or shutdown -r now I get some error after all:

    /dev/null RK_Init idt=0xc036f000, sct[]=0xc030a0f0
    **** : can't find kmalloc()!

    Is it safe to reset from the reset button?

    Thanks for your concern

    #2 | Linux Engineer | Joined Mar 2005 | Location: Where my hat is | 766 posts
    If your system has been rooted, get it offline NOW.

    As for just reinstalling binaries, how do you know what's been replaced with what? It needs to be totally formatted and reloaded from scratch. Otherwise, you may end up being rooted again because you missed a critical file that was replaced to allow access back into the system.
    Registered Linux user #384279
    Vector Linux SOHO 7

    #3 | Flatline (Linux Guru) | Joined Feb 2005 | 2,204 posts
    SuckIT installs a default built binary called "sk" as /sbin/init. SuckIT (if unmodified) will uninstall itself when you call the "sk" binary with the argument "u". So "/sbin/init u" should unload SuckIT. This by no means means you're in the safe zone.

    Use your rescue CD (often your installation CD) for any operations on that box. Don't boot from the kernel on your hard drive!

    Basically, you have no idea what the person who has rootkitted you has done to your box, what backdoors they have opened, etc. The only way to be sure that you are safe after a rootkit infection is the three "R"s: repartition, reformat and re-install from scratch.
    There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.

    - Jeremy S. Anderson

    #4 | puntmuts (Linux Enthusiast) | Joined Dec 2004 | Location: Republic Banana | 562 posts
    And as an addition to the reply of Flatline: update your system frequently after reinstall.
    I'm so tired .....
    #200472

    #5 | martinfromdublin (Linux User) | Joined Dec 2004 | Location: Dublin, Rep. of Ireland | 448 posts
    Pardon my ignorance guys, but is SuckIT a kind of trojan that infects Linux? I've never heard of it before. Will Shorewall keep it out (I've just installed Shorewall thanks to Flatline)?

    Martin,

    Dublin, Ireland
    LINUX: Where do you want to go.......Tomorrow!

    Registered Linux user 396633

    #6 | puntmuts (Linux Enthusiast) | Joined Dec 2004 | Location: Republic Banana | 562 posts
    I'm so tired .....
    #200472

    #7 | loft306 (Linux Guru) | Joined Oct 2003 | Location: The DairyLand | 1,666 posts
    Quote Originally Posted by Martin from Dublin
    Pardon my ignorance guys, but is SuckIT a kind of trojan that infects Linux? I've never heard of it before. Will Shorewall keep it out (I've just installed Shorewall thanks to Flatline).

    Martin,

    Dublin, Ireland
    Heh.... running not as root online will keep it out!!!
    And not allowing root login through 'ssh'.
    Also pick complicated passwords in the next install..... with 1234@#$%^aoeuiAOEUI all used in the passwd, especially the root passwd.
    ~Mike ~~~ Forum Rules
    Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
    http://loft306.org

    #8 | Linux Engineer | Joined Mar 2005 | Location: Where my hat is | 766 posts
    Quote Originally Posted by Martin from Dublin
    Pardon my ignorance guys, but is SuckIT a kind of trojan that infects Linux? I've never heard of it before. Will Shorewall keep it out (I've just installed Shorewall thanks to Flatline).

    Martin,

    Dublin, Ireland
    Not exactly, Martin. A root kit is a set of tools used by someone to maintain control of a system after he's broken into it.
    Registered Linux user #384279
    Vector Linux SOHO 7

    #9 | Linux Newbie | Joined Jan 2004 | Location: Belgrade, S&M | 177 posts
    You should really consider reinstalling from scratch. You can never be sure that the damage is repaired and all the backdoors are closed.

    #10 | Just Joined! | Joined Feb 2004 | Location: Indonesia | 84 posts
    Thanks for your response ...

    Actually, yesterday when I was browsing from Google I found this interactive link:
    [remove suckit rootkit] http://www.soohrt.org/stuff/linux/suckit/

    Regarding going offline, sorry, I can't.
    Oh, yes, I found /sbin/initsk12 but I don't know where the programs are
    for procps, autofs, init-scripts (I found, when I do rpm -qi procps, that the information I read says the package contains tools like ps, netstat, ls and many more).

    #ls -l /sbin/init [TAB]
    init initlog initsk12
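As an added example (not code posted by anyone in this thread), a small POSIX shell check that ties together Flatline's point that SuckIT installs itself as /sbin/init and the listing above showing initsk12 beside init: it flags any /sbin/init* file outside an expected set and, where rpm is present, verifies the owning package of each one from rescue media against the RPM database inside the mounted root. The function names, the expected set {init, initlog} (taken from the listing above for a Red Hat style /sbin) and the /mnt/sysimage mount point are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a rescue CD with the victim's
# root mounted (assumed /mnt/sysimage), never from the infected kernel.
# Assumption: on this system /sbin should hold only init and initlog.
EXPECTED_INIT_NAMES="init initlog"

# Print the basename of every "$1"/init* entry not in EXPECTED_INIT_NAMES.
# Always returns 0 so the list can be captured with $(...).
check_init_siblings() {
    sbin_dir="$1"
    for path in "$sbin_dir"/init*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=$(basename "$path")
        known=0
        for ok in $EXPECTED_INIT_NAMES; do
            if [ "$name" = "$ok" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then echo "$name"; fi
    done
    return 0
}

# Where rpm exists, ask the RPM database inside the mounted root which package
# owns each init* file and whether it still matches (size, md5, mode, owner).
# A file owned by no package, or a changed /sbin/init, is the replaced binary.
# The same check answers the OP's procps question: rpm --root "$root" -V procps
verify_with_rpm() {
    root="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this rescue system, skipping"; return 0
    fi
    for path in "$root"/sbin/init*; do
        [ -e "$path" ] || continue
        rel=${path#"$root"}                 # path as seen inside the root
        rpm --root "$root" -Vf "$rel" 2>&1 || true
    done
    return 0
}

# Constructed sample root reproducing the listing "init initlog initsk12".
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sbin"
: > "$demo_root/sbin/init"; : > "$demo_root/sbin/initlog"; : > "$demo_root/sbin/initsk12"
echo "Unexpected init siblings in $demo_root/sbin:"
check_init_siblings "$demo_root/sbin"       # prints: initsk12
rm -rf "$demo_root"
# Real use: check_init_siblings /mnt/sysimage/sbin; verify_with_rpm /mnt/sysimage
```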
