标题: Detect and Clean a hacked server T0rnkit Tutorial [打印本页] 作者: 网普科技 时间: 2004-10-13 11:24 AM 标题: Detect and Clean a hacked server T0rnkit Tutorial
Detect and Clean a hacked server T0rnkit Tutorial
T0rn Rootkit
Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.
The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.
I am including this so that you all diag and clean up your hacked server.
First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email
Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some process are hidden from the ps
chkrootkit
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed
Step 2. /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
Step 3. top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
WARNING: 2 servers got their kernel removed after reboot.
If your's is the case and that is what the DataCenter complains after reboot, please ask them to do the following:
reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages
that should fix it.
-- since already in resuce mode, perhaps also ask them to --force install the following rpm's