[sclug] Adore root kit

Alex Butcher lug at assursys.co.uk
Fri May 27 10:54:10 UTC 2005


On Fri, 27 May 2005, David Herring wrote:

> We just had one of our devel servers 'hacked' from Russia.
>
> It's running an 8.0 Suse, so probably exploited some vulnerability in OS.
>
> I know the adore root kit has been installed, but the strange thing is that 
> they have also changed root passwd. This is odd, since it tells me the 
> machine has changed - i.e I thought naively that the purpose of a root kit 
> would be to have 'silent' root access to the server to do whatever whilst the 
> owner is unaware ?

Not really; a root kit is typically used for one or more of a) to obtain
root via local privilege escalation b) to disguise the compromise and c) to
insert backdoors.

Personally, if I were 0wn1ng a system, I'd just modify one of the standard
role accounts (e.g. daemon, shutdown, oper) to have root UID (i.e. 0), no
password and a shell in order to try to keep the compromise low-profile.

> Anyhow, server will be re-installed. But prior to getting to docklands, is
> there any way I can gain back a root account ? I can login as a user
> account - can see the adore root kit which has been installed, etc. If
> anyone thinks they 'become' root on such a system, then please let me
> know.

You could find a local exploit yourself, or alternatively, have someone
local to the machine boot it in single user mode or with 'init=/bin/sh' and
reset the root password.

As others have said, though, *nothing* on that machine is now trustworthy.
Reinstall the OS from trusted media, patch it before making any network
services live or unfirewalled, and only restore data from a trusted backup
and after checking it for illegitimate modifications.

> Thanks dave

HTH,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                         <http://www.assursys.com/>
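The backdoor pattern Alex describes (a stock role account such as `shutdown` quietly given UID 0, an empty password and a login shell) is easy to check for, and the "check the backup for illegitimate modifications" advice can be applied to the account database in the same way. The following is an added example written for this archive page, not code from the original post or from the list; it assumes only passwd(5)/shadow(5) formatted text, and every sample line in it is constructed for illustration (the hashes are placeholders).

```python
"""Audit passwd/shadow content for the backdoor pattern described in the post
(a role account given UID 0, no password, and a login shell) and compare the
current passwd against a known-good copy.  Hypothetical helper code; every
sample line below is constructed for illustration, not taken from a real host."""

from typing import Dict, List, Tuple

Entry = Tuple[str, int, str]  # (account name, uid, login shell)


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd(5)-format text into (name, uid, shell) tuples.

    Malformed lines are skipped rather than raising: on a compromised box the
    file may contain deliberate garbage, and the audit should keep going."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if not uid.isdigit():
            continue
        entries.append((name, int(uid), shell))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map account name -> password field from shadow(5)-format text."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return sorted (account, reason) findings for three warning signs:
    a non-root UID 0, an empty shadow password field, and a UID-0 account
    with no shadow entry at all."""
    findings: List[Tuple[str, str]] = []
    shadow = parse_shadow(shadow_text)
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 and name != "root":
            findings.append((name, f"uid 0 with shell {shell}"))
        if name not in shadow:
            if uid == 0:
                findings.append((name, "uid 0 account has no shadow entry"))
            continue
        if shadow[name] == "":
            findings.append((name, "empty password field"))
    return sorted(findings)


def diff_against_baseline(current_text: str, baseline_text: str) -> List[Tuple[str, str]]:
    """Compare the current passwd against a known-good copy (e.g. from the
    trusted backup the post recommends) and report uid/shell changes and
    accounts that exist only in the current file."""
    baseline = {name: (uid, shell) for name, uid, shell in parse_passwd(baseline_text)}
    changes: List[Tuple[str, str]] = []
    for name, uid, shell in parse_passwd(current_text):
        if name not in baseline:
            changes.append((name, "not in baseline"))
            continue
        b_uid, b_shell = baseline[name]
        if (uid, shell) != (b_uid, b_shell):
            changes.append((name, f"uid {b_uid}->{uid}, shell {b_shell}->{shell}"))
    return sorted(changes)


# Constructed sample: 'shutdown' has been turned into a passwordless UID-0 login.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
shutdown:x:0:0:Shutdown:/sbin:/bin/bash
dave:x:500:100:David:/home/dave:/bin/bash
"""

# Constructed known-good copy of the same file (what a trusted backup would show).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
shutdown:x:6:0:Shutdown:/sbin:/sbin/shutdown
dave:x:500:100:David:/home/dave:/bin/bash
"""

# Constructed shadow: hashes are placeholders; 'shutdown' has an empty password field.
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$notarealhash:12900:0:99999:7:::
daemon:*:12900:0:99999:7:::
shutdown::12900:0:99999:7:::
dave:$1$PLACEHOLDER$notarealhash2:12900:0:99999:7:::
"""

if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"FINDING {account}: {reason}")
    for account, change in diff_against_baseline(SAMPLE_PASSWD, BASELINE_PASSWD):
        print(f"CHANGED {account}: {change}")
```

Run it against copies of the files taken from the suspect host, not on the host itself: as the reply says, nothing on that machine is trustworthy, so read the files from a mounted disk image or from a boot off trusted media, and take the baseline from the pre-compromise backup.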