Hi all!
I've found an undetected rootkit. It looks like some modification of
SHV4/SHV5.
(Checked with Rootkit Hunter 1.2.9.)
Unfortunately I've removed some of its files, but some remain
(attached).
The rootkit was installed in /etc/inittab as a call to:
/usr/sbin/ttyload
This is a simple shell script, calling two daemons:
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
The file /sbin/ttyload is a modified ssh daemon, listening on port 974:
ttyload --help
sshd version 2.0.13 [i686-unknown-linux]
Usage: _ttyload [options]
Options:
-f file Configuration file (default /usr/lib/libsh/sshd_config)
-d Debugging mode
-i Started from inetd
-q Quiet (no logging)
-p port Listen on the specified port (default: 22)
-k seconds Regenerate server key every this many seconds (default: 3600)
-g seconds Grace period for authentication (default: 300)
-b bits Size of server RSA key (default: 768 bits)
-h file File from which to read host key
(default: /lib/libsh.so/shhk)
-V str Remote version string already read from the socket
There is also a set of files in /lib/libsh.so:
-rwxr-xr-x 1 root root 677184 2009-08-16 00:02 bash
-rw-r--r-- 1 root root 493 2009-08-16 00:02 shdcf
-rw-r--r-- 1 root root 525 2009-07-10 16:24 shhk
-rw-r--r-- 1 root root 329 2009-07-10 16:24 shhk.pub
-rw-r--r-- 1 root root 512 2009-08-17 22:37 shrs
shdcf is the config file:
Port 974
ListenAddress 0.0.0.0
HostKey /lib/libsh.so/shhk
RandomSeed /lib/libsh.so/shrs
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
IdleTimeout 30m
CheckMail no
I have had no time to analyze ttymon yet.
ttyload creates an executable with a random name in /tmp, runs it as a
service and deletes the file. You can find it in /proc like:
/proc/3205/exe -> /tmp/<random-name> (deleted)
I suggest adding to rkhunter a search for daemons running from deleted
files.
I also think it could be a good idea to add to rkhunter some kind of
portscan which looks for services like sshd or telnetd. It is at
least suspicious if there are a few different ssh daemons running on one
machine.
--
Jaroslaw Tabor <[email protected]>
--
Jarek <[email protected]>
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
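The check suggested in the post above (daemons whose executable has been unlinked, visible as "/proc/PID/exe -> ... (deleted)"), written out as an added example. This is not rkhunter's own code and not from the poster; the function name find_deleted_exes and the PROC_ROOT parameter are assumptions made so the same function can be run against /proc on a live host or against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not rkhunter code: report processes whose executable has
# been deleted from disk. On Linux, /proc/PID/exe is a symlink to the running
# binary, and the kernel appends " (deleted)" to the target once the file is
# unlinked, which is exactly what the ttyload dropper leaves behind.
#
# Usage on a live system:   find_deleted_exes /proc
# Exit status: 0 if nothing found, 1 if at least one deleted-exe process
# was reported (so it can be used as a check in a cron job or a scanner).

find_deleted_exes() {
    proc_root="${1:-/proc}"      # hypothetical parameter: directory to scan
    found=0

    for exe in "$proc_root"/[0-9]*/exe; do
        # Unmatched glob leaves the literal pattern; kernel threads and
        # processes of other users may have no readable link target.
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue

        case "$target" in
            *" (deleted)")
                pid=${exe%/exe}
                pid=${pid##*/}
                printf 'WARNING: pid %s runs from deleted file: %s\n' \
                    "$pid" "$target"
                found=$((found + 1))
                ;;
        esac
    done

    [ "$found" -eq 0 ]
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_deleted_exes "$1"
fi
```

Run it as root, otherwise readlink is refused for other users' processes and those are silently skipped. A deleted executable is not proof of a rootkit by itself: a long-running daemon whose package was upgraded shows the same "(deleted)" marker until it is restarted, so each hit should be compared against recent package changes before being treated as an infection.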