Rootkit Detection and Removal

The other day I noticed something odd when I ran “ls -l”. Bash was printing strange output, and the first thing I did was throw it into Google, which revealed one thing: my Linux box had been compromised. Freaked out at first, I started researching everything I could. I was already aware of tools such as rkhunter and chkrootkit, so running them was the first thing I did. rkhunter confirmed what I suspected: my server had a rootkit, the SHV5 rootkit to be precise. The compromised server was used in a web hosting environment and had all the usual services running: ftp, http, smtp, dns, pop3, imap etc. After some “intense” googling, I found that many sites and forums recommend the three R’s of rootkit removal:

Repartition, Reformat, Reinstall

And whilst I agree that the above is the only way to be 100% sure your system is completely rootkit free, here is how you can get back up and running without having to rebuild or disappoint your clients *gasp*.

Please take the following advice with caution; we cannot be held responsible for any further damage you may cause. Further to that, this article is “always updating”: should you have further advice to assist with the removal of rootkits, please feel free to chip in and lend a hand.

Detection

The first step is to detect which rootkit you have, and there are two well known tools for this:

- rkhunter
- chkrootkit

Both rely on the system’s own binaries (ls, ps, netstat and friends) unless told otherwise, so a trojaned binary can hide things from them too. chkrootkit accepts a path to known-good binaries with its -p option, and either tool is best run from rescue media with the suspect disk mounted.

Cleaning up

The first thing you should do once you KNOW which rootkit you have is to Google any information you can. You want to find out exactly what the rootkit does; often there are detailed posts or whitepapers that explain this.

In my case, the SHV5 rootkit replaced quite a few system binaries with its own “trojaned” versions, designed to hide suspicious activity from the system administrator. Among the commands replaced were ps, ls, top, lsmod, find and netstat. (As you can see, these are essential tools for cleaning out the rootkit, and their output cannot be trusted until the originals are back.)

The SHV5 rootkit also set the immutable attribute on the binaries it replaced, so they cannot be deleted or overwritten by normal means, not even by root. To check which files the rootkit may have touched, use the “lsattr” command:


root# lsattr /bin

You may see something like;

s---ia------- /bin/netstat
------------- /bin/zcat
s---ia------- /bin/mv
------------- /bin/date
s---ia------- /bin/cp
------------- /bin/grep
s---ia------- /bin/ls

The files that have the “sia” flags set have most likely been replaced, and you are advised to reinstall them from your distribution’s packages. The flag “i” means immutable: the file cannot be modified, renamed or deleted until the flag is cleared with chattr. “a” means append-only and “s” requests secure deletion. A normal package install sets none of these on a system binary, so any of them showing up under /bin or /sbin is suspicious.
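As an added example (not part of the original post), here is a small shell script that runs lsattr over the usual binary directories and prints only the entries carrying the i, a or s attributes, skipping the directory headers and blank lines that lsattr -R emits. The directory list and the "scan" argument are my own choices, and the sample lines it is tested with are constructed. Bear in mind that lsattr is itself a binary on the compromised box; had the rootkit replaced it, the scan would lie, so the safest place to run this is from rescue media with the disk mounted.

```sh
#!/bin/sh
# Added example: report files whose lsattr attributes include
# i (immutable), a (append-only) or s (secure deletion).
# A normal package install sets none of these on a binary, so any
# hit under /bin, /sbin, /usr/bin or /usr/sbin deserves a look.

# flag_attrs: read lsattr output on stdin and print "attrs path" for every
# entry carrying i, a or s. Directory headers such as "/bin:" and blank
# lines produced by "lsattr -R" do not look like attribute strings and
# are skipped.
flag_attrs() {
    awk 'NF >= 2 && $1 ~ /^[A-Za-z-]+$/ && $1 ~ /[ias]/ {
        attrs = $1
        sub(/^[^ \t]+[ \t]+/, "", $0)   # keep paths that contain spaces intact
        print attrs, $0
    }'
}

# scan_attrs: run lsattr recursively over the given directories (default:
# the usual binary directories) and filter through flag_attrs. Errors from
# non-ext filesystems or unreadable entries are silenced.
scan_attrs() {
    [ "$#" -gt 0 ] || set -- /bin /sbin /usr/bin /usr/sbin
    for dir in "$@"; do
        lsattr -R "$dir" 2>/dev/null
    done | flag_attrs
}

# Only touch the live system when asked to, so the file can also be
# sourced for its functions:  sh scan-attrs.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_attrs
fi
```

Run it as `sh scan-attrs.sh scan` on the suspect box, or feed it a saved lsattr listing with `flag_attrs < lsattr.txt` when working from a copy.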

If you run a system that uses RPMs, you will need to reinstall the packages that own the compromised tools. rpm cannot overwrite a file that has the immutable flag set, so the flag has to be cleared first, and as erasing a package like coreutils removes crucial commands, I suggest you get everything in place before you proceed.

Simply download the packages you need from your distribution’s repository. In my case I needed the following:

- coreutils-x.i386.rpm
- findutils-x.i386.rpm
- net-tools-x.i386.rpm
- procps-x.i386.rpm

Once downloaded, I performed the following commands. Because rpm won’t let me uninstall a package that has files with the immutable attribute set, I first cleared the attributes:

chattr -ias /bin/ls
chattr -ias /bin/find

Then;

rpm -e coreutils.i386 --nodeps
rpm -i coreutils-x.i386.rpm

And I did this for every package that I knew contained compromised files. Now that I had my everyday system commands back, I could explore further.
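The same procedure for all four packages, as an added shell script that is not from the original post. It clears the attributes from every file the installed package owns (via rpm -ql) rather than just ls and find, reinstalls with rpm -Uvh --replacepkgs so that coreutils is never absent from the system, and then uses rpm -Va to list every other file whose size or digest no longer matches its package, which is how you catch trojaned binaries that lsattr did not flag. The PKGDIR path is hypothetical, and the whole approach relies on rpm and its database not having been replaced themselves; the sample rpm -Va lines used in the test are constructed.

```sh
#!/bin/sh
# Added example: reinstall the packages that own the trojaned binaries and
# then use the RPM database to look for anything else that has changed.
# Assumes clean packages were downloaded into $PKGDIR beforehand
# (hypothetical path) and that rpm and its database were not themselves
# replaced; if in doubt, verify from rescue media instead.

PKGDIR=${PKGDIR:-/root/clean-rpms}

# changed_binaries: read "rpm -Va" / "rpm -V" output on stdin and print the
# paths of non-config files whose size (S) or digest (5) differs from the
# package, plus files reported as missing. A changed mtime alone (T) is
# ignored, and config files (type "c") are skipped because they are
# expected to differ.
changed_binaries() {
    awk '
        $1 == "missing" { print $NF; next }
        ($1 ~ /S/ || $1 ~ /5/) && $2 != "c" { print $NF }
    '
}

# reinstall_pkg NAME: clear the i/a/s attributes from every file the
# installed package owns, then reinstall it over the top from the clean RPM.
# --replacepkgs reinstalls the same version without an erase step, so there
# is no window in which the box has no ls or cp at all.
reinstall_pkg() {
    pkg=$1
    rpm -ql "$pkg" | while IFS= read -r f; do
        [ -e "$f" ] && chattr -ias "$f" 2>/dev/null
    done
    rpm -Uvh --replacepkgs "$PKGDIR"/"$pkg"-*.rpm
}

# verify_pkg NAME: show files of one package that still differ.
verify_pkg() {
    rpm -V "$1" | changed_binaries
}

# Usage: sh reinstall.sh coreutils findutils net-tools procps
# Reinstalls each named package, then scans the whole database.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        reinstall_pkg "$p"
        verify_pkg "$p"
    done
    echo "Files still differing from their packages (check each by hand):"
    rpm -Va 2>/dev/null | changed_binaries
fi
```

The final rpm -Va listing is the useful part: SHV5 is known for the binaries above, but anything else it or the intruder touched will show up there with an S or 5 flag, and each hit either gets reinstalled the same way or explained.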

Always check /tmp, as this is most likely where the rootkit was first dropped. /tmp is writable by the web server and used by many web applications, which is often the method of intrusion. In my case I found /tmp/r00t … interesting? I zipped up the folder and stored it elsewhere for later viewing. (Oh, and I also rm -rf’ed the prick :) )

The SHV5 rootkit installs itself under /usr/lib/libsh, and removing this folder is probably a good idea (after taking a copy for later analysis, as with /tmp).

Conclusion

Once you’ve got your core system commands back, you can analyse the situation and dig deeper to see what else has changed. For example:

- netstat -an
Use this command to verify which ports on your machine are open and listening. SHV5 can run a hidden shell listening on a particular port, and its trojaned netstat is built to hide exactly that, so only trust the output of a freshly reinstalled netstat.

- lsof
Cycle through the output this command generates to see which files and sockets are in use by running processes.

Good luck!

Resources

Some handy sites to assist;

- Linux RootKits For Beginners – From Prevention to Removal
- Analysis of RedHat 8.0 Honeypot Compromise




35 Responses to “Rootkit Detection and Removal”


  4. Thank you for sharing how to detect and remove rootkit. This will help since Im new in this field.

  5. A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.

  6. cava says:

    Thanks a lot. That’s working. I can remove libsh now. Thanks. I love you.

  7. Great opinion you’ve got here.
    It would be interesting to read something more concerning this topic.
    Thanks for that information.
    With best regards!!!

  8. I found this post very informative; it is great sharing.

  9. Buy Essays says:

    This is really great post. Thanks for sharing.

  10. I need to state that I haven’t read something so attractive in a while. There are a lot of moving views and opinions.

  11. This ancient virus yes …
    Better prepared umbrella before the rain arrived.

  12. CustomTerm Paper says:

    How to detect and remove Rootkit. Thanks for sharing the info…

  13. when my brother Mark suggested there was this fantastic site that displayed a wide selection of digital picture frames. Thanks to Nix digital frames, the manufacturers of quality digital photo frames I was able to get the perfect gift for him.

  14. Thanks for sharing this valuable information about detection and removing the rootkit.

  15. Seems to be directly put into practice. Writing cool friend.

  17. Just share all hehehe…

  18. Hi
    I daily read comments it increases my ideas and it is best way to increase our awareness whats, changing

  22. I’m always reading your Blog, I am so inspired of your thoughts. Love seeing your background as well. Please, stay us connected here. It’s really helpful to many blogger like me. I got a lot of tips here. Thanks to you, dear!

  23. It is always a good idea to have more than one tool capable of removal. Real-time anti-rootkit detection can detect all types of infections.
    Wholesale Cell Phones

  24. Actually, this is the result of miscommunication. Nothing is going to beat a dialogue or a talk of the two worried nation. this will avert further misunderstanding and promote better associations.

  25. I am happy to have found this blog, and more happy to have long tail explained so well. Thanks.

  26. Thanks a lot for these intelligible recommendations. I guess I can use it with benefit even despite my dilettante level of use.

  27. I love to read this type of stuff. Good and attractive information I take from it..Thank you for posting such a nice article.

  28. great inspiring article. I am pretty much pleased with your good work. You put really helpful information. Looking forward to your next post.

  29. Thanks, by appraisal in your blog I solve my concern I was search for a long time. Gratitude for your work.

  30. Thanks for an excellent article! I appreciate your insights and agree with what you wrote.

  31. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

  32. md used cars says:

    This is a really good site post, I’m delighted I came across it. I’ll be back down the track to check out other posts that

  33. Kamagra says:

    I’ll be back soon on your site again so please continue sharing your great tips.

  34. I always like your blog because you always come with different ideas and information. I always share your site posts with my friends. Keep posting and I will follow you.
