[SATLUG] Security breach on my server

Jesse Gonzalez jesse at liberto.org
Fri Jan 27 08:53:24 CST 2006


On Friday 27 January 2006 02:15, K. Spoon wrote:
> On Thu, Jan 26, 2006 at 11:17:05PM -0600, John Wigle wrote:
> > If you do not find anything weird in those directories your server is
> > most likely fine. That type of backdoor will only run once when run
> > through the nuke. When you make sure all processes owned by the web user
> > are dead you will have made sure it is not running.
>
> Eh, maybe.  There's a rootkit out there called knark (which I'm sure has
> mutated names a million times since I saw it last) that is basically a
> kernel module that rewrites the syscall table to use wrapper functions
> to handle the syscall.
>
> http://www.spoonix.org/code/alamo/2001-whitepaper for more info.

This link is dead, but on a similar note, those interested might want to read 
grugq's paper on Subversive Dynamic Linking. 

>
> These wrappers in turn filter out anything that the author wishes to
> keep hidden in any file/dir on the system.  End result was that system
> utilities like ls and ps could remain untouched, and there was no way
> for the OS to detect the deception.  If you knew the name of the
> directory where the stuff was hidden, you could cd into it... but that's
> exactly the sort of thing that script change up -- ie, /dev/.knark soon
> becomes /dev/.deathninjawolfknight's_secret_stash_lolz
>
> And just to make matters worse, the "rootkit detection" tools that were
> released simply checked for the existence of known rk dirs, which means
> they'd fail to pick up changed or randomly generated ones.
>
> As a good practice, it's worth rebooting the server into single user
> mode (to prevent init scripts from reloading the module) and doing your
> sweep of the filesystem, checking md5sums, etc.  It's also a good idea
> if you can use a statically compiled version of common admin tools to
> avoid compromised shared libs (same attack as knark, just easier to
> detect because they're in userspace).  Bonus points if you can yank the
> drive and mount it on a host system (but that isn't always possible).

Even better, pop in a copy of your Knoppix derivative and do as above.

>
>
> It's also worth mentioning that the 2.6.15.1 kernel introduces a
> checksum feature for the kernel syscall table... so maybe we'll finally
> have a way to detect such compromises in the next-gen distros.
>
> --
> Kelley Spoon <kell at spoonix.com>
> Spoonix, LLC  http://www.spoonix.com/
> Phone: (210) 587-7664
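
The offline sweep described in this thread (boot trusted media, mount the suspect disk, check md5sums), as an added example that is not part of the original messages. It assumes a hypothetical `audit_root` helper, the suspect root mounted read-only, and an md5sum-format manifest with root-relative paths recorded before the incident; it also reports files absent from the baseline, so a hidden directory is flagged whatever it has been renamed to.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Run from trusted media (rescue CD or a host with the drive attached),
# never from the suspect system's own kernel or binaries.
#
# usage: audit_root /mnt/suspect /path/to/baseline.md5
# Prints one finding per line: "CHANGED p", "MISSING p" or "EXTRA p".
audit_root() {
    root=${1%/}
    manifest=$2
    seen=$(mktemp) || return 2

    # Pass 1: every baselined file must exist and match its recorded hash.
    while read -r want path; do
        path=${path#\*}                 # md5sum prefixes binary-mode names with '*'
        [ -n "$path" ] || continue
        printf '%s\n' "$path" >>"$seen"
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
        else
            got=$(md5sum <"$root/$path" | cut -d' ' -f1)
            [ "$got" = "$want" ] || echo "CHANGED $path"
        fi
    done <"$manifest"

    # Pass 2: list files under the baselined top-level directories that the
    # manifest never recorded. This does not depend on knowing a rootkit's
    # directory name, only on the baseline.
    LC_ALL=C sort -u "$seen" -o "$seen"
    cut -d/ -f1 "$seen" | LC_ALL=C sort -u | while read -r top; do
        [ -d "$root/$top" ] || continue
        (cd "$root" && find "$top" -type f) | LC_ALL=C sort |
            LC_ALL=C comm -23 - "$seen" | sed 's/^/EXTRA /'
    done
    rm -f "$seen"
}
```

The manifest has to be kept off the server (or on read-only media); a baseline stored on the compromised disk proves nothing.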

