Results 1 to 1 of 1
-
15th Jun 2014, 01:46 PM #1
Detect and Clean a hacked server T0rnkit Tutorial
T0rn Rootkit
Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.
The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.
I am including this so that you all diag and clean up your hacked server.
First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email
Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some process are hidden from the ps
chkrootkit
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
Step 4. tail /etc/rc.d/rc.sysinit
Code:# Xntps (NTPv3 daemon) startup.. /usr/sbin/xntps -q
OK.. looks like someone got to your server as well. Since we know what rootkit it is, let us investigate further.
Configuration files
<please use cat /path/filename/ to read what the files contain>
Code:/usr/include/file.h (for file hiding) /usr/include/proc.h (for ps proc hiding) /lib/lidps1.so (for pstree hiding) /usr/include/hosts.h (for netstat and net-hiding) /usr/include/log.h (for log hiding) /lib/lblip****/ (backdoored ssh configuration files are in this directory) /dev/sdr0 (systems md5 checksum) /lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}
top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz
Code:libproc.a,libproc.so.2.0.6,libproc.so BackDoor: (located at /lib/lblip****) shdc shhk.pub shk shrs
Now, Lets start the cleaning process:
Step 1.
Code:pico /etc/rc.d/rc.sysinit
Code:# Xntps (NTPv3 daemon) startup.. /usr/sbin/xntps -q
reboot the system
WARNING: 2 servers got their kernel removed after reboot.
If your's is the case and that is what the DataCenter complains after reboot, please ask them to do the following:
reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages
that should fix it.
-- since already in resuce mode, perhaps also ask them to --force install the following rpm's
Code:procps*.rpm psmisc*.rpm findutils*.rpm fileutils*.rpm util-linux*.rpm net-tools*.rpm textutils*.rpm sysklogd*.rpm
After the system is up
Code:cd /lib rm -rf lblip****
remove the configuration files given above.
Step 5.
Code:cat /etc/redhat-release
Rpmfind mirror
search for the following rpm's
Code:procps*.rpm psmisc*.rpm findutils*.rpm fileutils*.rpm util-linux*.rpm net-tools*.rpm textutils*.rpm sysklogd*.rpm
Step 6.
if you see the hosts.h file, it says to hide all IP's from
Code:cat /usr/include/hosts.h 193.60
Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again...
You should be OK!Areon Reviewed by Areon on . Detect and Clean a hacked server T0rnkit Tutorial T0rn Rootkit Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence. The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[Dedicated] HostPlate.com - 100Mbps Unmetered and 1Gbps 100TB Dedicated Servers, From ?91 (NL)
By Hostplate in forum ArchiveReplies: 44Last Post: 26th Nov 2011, 08:57 PM -
Detecting and removing cashwhore spammers from your forum
By NewEraCracker in forum Tutorials and GuidesReplies: 21Last Post: 8th Apr 2011, 03:08 PM -
[Shared] FidaHost.com - Cheap proffesional Onshore and Offshore hosting,Virtual Servers
By isa in forum ArchiveReplies: 12Last Post: 10th Jul 2010, 02:18 PM -
Free And Fast Public Rapidleech Server
By EvolutionHackerxz in forum Useful SitesReplies: 7Last Post: 10th Jul 2010, 06:03 AM -
[Buying] professional and clean VB 4 skin (must be coded)
By Uterus Spacecraft in forum Completed TransactionsReplies: 6Last Post: 18th Mar 2010, 09:29 AM
themaCreator - create posts from...
Version 3.24 released. Open older version (or...