[LUGOS-SEC] Re: [LUGOS-BLA] Hacked?

Marko Bevc fonzie at kibla.org
Tue Jul 8 08:26:15 CEST 2003


Definitely hacked....SucKIT

hehe...they do have interesting code :) The question is what they got in through; the rootkit, as is already known, works via init; the backdoor attaches to a raw socket and listens for a specific packet, and only then opens a /bin/bash login,....

--snip--
Indeed, your machine has been rooted, and you're very lucky that SucKIT
didn't "like" the newly installed kernel version! I suspect the following
happened..

Usually, SucKIT is launched as /sbin/init at system bootup, forks to install
itself into the kernel and start up a backdoor, and launches a copy of the
original "init" binary from the parent (with pid 1). Any subsequent
executions of /sbin/init are redirected to the original init.

In your case, SucKIT is also launched as /sbin/init, forks but fails to
install itself into the kernel, and launches the copy of the original init
anyway. However, since it failed to install, it will not be able to redirect
/sbin/init calls. So when you run reboot, reboot runs shutdown, and shutdown
runs /sbin/init: the SucKIT-version of init. SucKIT once again forks,
detects that it's not yet installed, and tries but still fails to install
itself in memory - that's where the weird message is coming from.

You should be able to confirm this by executing "ls -l /proc/1/exe", it
should show a symlink to the name of the copy of /sbin/init (that is,
"/sbin/init" with extra characters after it) instead of the normal
"/sbin/init".

It's hard to say whether the cracker actually succeeded in the first place,
or failed and walked away. As SucKIT includes a backdoor, an attacker does
not necessarily have to install anything but SucKIT in order to gain full
control of your system later; in practice, crackers usually do launch
additional programs (ssh daemons, irc bouncers/bots..), it depends on your
skill compared to the cracker's skill whether you can find these programs.
It would also be pretty easy to launch additional programs only if SucKIT
was installed successfully; 
--snip--

regards,
Marko
On Mon, 7 Jul 2003, Jure Pecar wrote:

> On Mon, 7 Jul 2003 13:08:54 +0200
> Nejc Skoberne <nejc.skoberne at guest.arnes.si> wrote:
> 
> > Hello.
> > 
> > root at Masina:/var/spool/hylafax/etc# init q
> > /dev/null
> > RK_Init: idt=0xc03a7000, sct[]=0xc0341834, FUCK: Can't find kmalloc()!
> > 
> > Has anyone seen anything like this before?
> 
> yes. suckit.
> 
> judging by that FUCK you are lucky and it does not start. because when it does, it is absolutely silent
> :)
> 
> with a bit of googling you find the source and instructions for it ... a very cleverly written thing,
> firewalls do not bother it much. well, with two one-liner patches in the
> kernel you stop it from working ...
> 
> 
> btw, since the thing is, as far as I know, alarmingly common, I would be interested
> whether anyone has managed to get any source IPs of where this is coming from ... 
> 
> 
> 
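A defender-side check for the /proc/1/exe hint discussed above, written as an added example (not code from the thread or from SucKIT). It assumes the genuine init lives at /sbin/init, and it separates the " (deleted)" suffix, which the kernel also reports after an ordinary package upgrade replaces the init binary on disk, from the "extra characters appended" case the message describes.

```shell
# Added example: classify what /proc/1/exe points at versus the real init binary.
# Assumption: the genuine init is /sbin/init (may itself be a symlink, so resolve it).
INIT_PATH="${INIT_PATH:-/sbin/init}"

# classify_init_exe TARGET EXPECTED
#   TARGET   : path that /proc/1/exe resolves to
#   EXPECTED : resolved path of the real init binary
# Prints one verdict: ok | replaced-on-disk | suspicious-suffix | mismatch
classify_init_exe() {
    target="$1"
    expected="$2"
    case "$target" in
        "$expected")
            # PID 1 runs exactly the binary we expect.
            echo ok ;;
        "$expected (deleted)")
            # Same path, but the file was replaced after boot (e.g. a package
            # upgrade); benign on its own, but worth a second look.
            echo replaced-on-disk ;;
        "$expected"*)
            # "/sbin/init" followed by extra characters: the symptom the
            # message above describes for a renamed copy of the original init.
            echo suspicious-suffix ;;
        *)
            # PID 1 is some other binary altogether.
            echo mismatch ;;
    esac
}

# check_live: run the classification against the running system.
# Returns 0 only for the "ok" verdict; needs root to read /proc/1/exe.
check_live() {
    target=$(readlink /proc/1/exe 2>/dev/null) || {
        echo "cannot read /proc/1/exe (are you root?)" >&2
        return 2
    }
    expected=$(readlink -f "$INIT_PATH")
    verdict=$(classify_init_exe "$target" "$expected")
    echo "/proc/1/exe -> $target [$verdict]"
    [ "$verdict" = ok ]
}
```

Run `check_live` as root; a "suspicious-suffix" verdict matches the symptom described in the quoted analysis, while "mismatch" is normal on systems whose PID 1 is not /sbin/init (for example systemd installed under /usr/lib), so resolve INIT_PATH accordingly before trusting that result.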