[sclug] Adore root kit

Dickon Hood sclug at splurge.fluff.org
Fri May 27 11:10:35 UTC 2005


On Fri, May 27, 2005 at 11:54:04 +0100, Alex Butcher wrote:
: On Fri, 27 May 2005, David Herring wrote:

: >We just had one of our devel servers 'hacked' from Russia.

: >It's running an 8.0 Suse, so probably exploited some vulnerability in OS.

: >I know the adore root kit has been installed, but the strange thing is that 
: >they have also changed root passwd. This is odd, since it tells me the 
: >machine has changed - i.e I thought naively that the purpose of a root kit 
: >would be to have 'silent' root access to the server to do whatever whilst 
: >the owner is unaware?

Ideally yes, that's the point of a rootkit.  Decent ones make a good job
of hiding the fact that the machine's compromised: lsmod won't show any
loaded modules, ls won't show any objects the 0wner doesn't want it to,
that sort of thing.

But there's no accounting for taste.

Whilst I was at uni many moons ago, we had a bunch of muppets break into
the compute server there.  They used pico to edit the password file, and
asked (via wall(1)) what the magic '+' entry meant in the password file
(it means use NIS).  Impressed?  I laughed...

: Not really; a root kit is typically used for one or more of a) to obtain
: root via local privilege escalation b) to disguise the compromise and c) to
: insert backdoors.

: Personally, if I were 0wn1ng a system, I'd just modify one of the standard
: role accounts (e.g. daemon, shutdown, oper) to have root UID (i.e. 0), no
: password and a shell in order to try to keep the compromise low-profile.

Better to get yourself something that'll just hide everything; kernel
modules are great...

: >Anyhow, server will be re-installed. But prior to getting to docklands, is
: >there any way I can gain back a root account? I can login as a user
: >account - can see the adore root kit which has been installed, etc. If
: >anyone thinks they 'become' root on such a system, then please let me
: >know.

: You could find a local exploit yourself, or alternatively, have someone
: local to the machine boot it in single user mode or with 'init=/bin/sh' and
: reset the root password.

That's a good plan.

: As others have said, though, *nothing* on that machine is now trustworthy.
: Reinstall the OS from trusted media, patch it before making any network
: services live or unfirewalled, and only restore data from a trusted backup
: and after checking it for illegitimate modifications.

Indeed.  Boot from known-good media (and this is where a handy terminal
server and jumpstart machine is useful) and reinstall everything from
scratch.  Don't bother copying anything from it now for forensic purposes,
you'll need to boot from known-good on the off-chance they have a decent
module installed anyway.

One other handy hint: get an account on a machine on the same subnet that
it's on, login, and delete the default route.  That gives you a machine
which can't do any damage, can't be compromised further, and can be poked
and prodded in safety.  You can get things to and from it via the other
account.

-- 
Dickon Hood

Due to constant nagging to change it, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.
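The point made above about a decent rootkit keeping its module out of lsmod can be turned into a simple defender's check. The script below is an added example and is not code from the original post or the SCLUG thread: it compares two views of the loaded-module list (what /proc/modules reports, which is what lsmod reads, against the directories under /sys/module) and reports names present in one view but not the other. The constructed sample lists, the function names and the `--live` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a cross-view check for kernel
# modules that have been hidden from lsmod. A kernel-module rootkit usually
# unlinks itself from the list that /proc/modules (and hence lsmod) walks, but
# sysfs keeps a second view under /sys/module that is scrubbed less often.
# Anything present in the sysfs view but missing from the lsmod view is a
# candidate for a hidden module.

# hidden_modules LSMOD_VIEW SYSFS_VIEW
#   Both arguments are newline-separated module names. Prints every name in
#   SYSFS_VIEW that does not occur in LSMOD_VIEW, one per line.
hidden_modules() {
    printf '%s\n' "$2" | awk -v lsmod="$1" '
        BEGIN {
            n = split(lsmod, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        NF && !($1 in seen) { print $1 }'
}

# live_check
#   Builds both views on a running Linux host. Only /sys/module entries that
#   carry an "initstate" file are counted: that file exists for modules loaded
#   at runtime and is absent for drivers compiled into the kernel, which would
#   otherwise appear as false positives.
live_check() {
    lsmod_view=$(awk '{ print $1 }' /proc/modules 2>/dev/null)
    sysfs_view=$(for d in /sys/module/*/; do
        [ -e "${d}initstate" ] && basename "$d"
    done)
    hidden_modules "$lsmod_view" "$sysfs_view"
}

# Constructed sample data (not from any real host): "suspect_mod" is visible
# in sysfs but has been removed from the lsmod view.
sample_lsmod="ext4
loop
xfs"
sample_sysfs="ext4
loop
xfs
suspect_mod"

# demo_check: runs the comparison on the constructed sample and prints the
# result, so the script shows something useful even on a non-Linux box.
demo_check() {
    hidden_modules "$sample_lsmod" "$sample_sysfs"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    demo_check
fi
```

Run it with no arguments to see the constructed sample flag `suspect_mod`, or with `--live` as root on a Linux host to compare the real views. An empty result is not a clean bill of health: a rootkit can delete its sysfs kobject as well, and anything run on the compromised box is run through binaries and a kernel it controls, which is exactly why the advice above is to boot from known-good media before trusting any inspection.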

