[sclug] Adore root kit
Alex Butcher
lug at assursys.co.uk
Fri May 27 10:54:10 UTC 2005
On Fri, 27 May 2005, David Herring wrote:
> We just had one of our devel servers 'hacked' from Russia.
>
> It's running a 8.0 Suse, so probabley exploited some vunerability in OS.
>
> I know the adore root kit has been installed, but the strange thing isthat
> they have also changed root passwd. This is odd, since it tells me the
> machine has changed - i.e I thought naively that the purpose of a root kit
> would be to have 'silent' root access to the server to do whatever whilst the
> owner is unaware ?
Not really; a root kit is typically used for one or more of a) to obtain
root via local privilege escalation b) to disguise the compromise and c) to
insert backdoors.
Personally, if I were 0wn1ng a system, I'd just modify one of the standard
role accounts (e.g. daemon, shutdown, oper) to have root UID (i.e. 0), no
password and a shell in order to try to keep the compromise low-profile.
> Anyhow, server will be re-installed. But prior to getting to docklands, is
> there anyway I can gain back a root account ? I can login as a user
> account - can see the adore root kit which has been installed, etc. If
> anyone things they 'become' root on such a system, then please let me
> know.
You could find a local exploit yourself, or alternatively, have someone
local to the machine boot it in single user mode or with 'init=/bin/sh' and
reset the root password.
As others have said, though, *nothing* on that machine is now trustworthy.
Reinstall the OS from trusted media, patch it before making any network
services live or unfirewalled, and only restore data from a trusted backup
and after checking it for illegitimate modifications.
> Thanks dave
HTH,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>
More information about the Sclug
mailing list