Red Hat Updates and SuckIT Rootkit Hits
2005-10-07 - By Josh Bressers
> Shaw, Marco wrote:
>
>> All:
>>
>> Two days ago I ran the latest updates from Red Hat on an ES Rel. 3
>> server. After the updates were applied I got a hit on the SuckIT
>> rootkit. We investigated that server and it did not appear to be
>> compromised. The next day we applied the updates to three more RH
>> servers and those three also reported SuckIT infections. We then ran
>> Rootkit Hunter on them and they all came back not infected
>> with SuckIT.
>> Has anyone else seen any hits on SuckIT after the current updates were
>> applied? It appears there may be a bug in the SuckIT check after these
>> Red Hat updates are applied. Thanks, Randy.
>
> Glad I'm not the only one. After the RHEL3 U6 update chkrootkit started
> reporting that the file /sbin/init was infected with the SuckIT rootkit
> on some of our boxes. I did various things to try to determine if this
> was true; I even went as far as booting one of the 'infected' machines
> off the rescue CD and checking the MD5 sum of /sbin/init. I couldn't see
> any sign of infection or suspicious stuff.
>
> Anyone else have this happen?
I just tried this on x86, x86_64 and ia64 with no positive hit. Here is what chkrootkit 0.45 is looking for:
    ## Suckit rootkit
    expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
    expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
Tim,
What architecture are you using, and what is the output of the above tests when run by hand?
Additionally what version of chkrootkit are you running?
Thanks, Josh

--
Josh Bressers // Red Hat Security Response Team
-- Taroon-list mailing list Taroon-list@(protected) https://www.redhat.com/mailman/listinfo/taroon-list
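The two chkrootkit 0.45 heuristics quoted above, re-run by hand the way Josh asks, as an added example that is not part of the original thread and not chkrootkit's own code. It prints the lines that matched rather than only a verdict, so the reader can see which string in /sbin/init or which mapping in /proc/1/maps actually triggered the report. The function names (extract_strings, suckit_init_strings, suckit_init_maps, suckit_check) are my own; the root argument must end in a slash, as chkrootkit's ROOTDIR does; and the strings(1) fallback via tr is an assumption for hosts without binutils.

```shell
#!/bin/sh
# Added example: reproduce chkrootkit 0.45's SuckIT checks by hand.
# Function names are assumptions of this example, not chkrootkit's.

# Stand-in for strings(1): prints printable runs of 4+ characters, one per
# line. Uses the real strings(1) when present (as chkrootkit does); the tr
# pipeline is an assumed portable fallback for hosts without binutils.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4}'
    fi
}

# Heuristic 1: strings ${ROOTDIR}sbin/init | egrep HOME
# Prints every string containing "HOME"; exit status 0 means chkrootkit
# would report a hit. Note the regex is just the substring HOME, so any
# init binary that carries that substring in its data will trigger it.
suckit_init_strings() {
    extract_strings "$1" | grep -E 'HOME'
}

# Heuristic 2: cat ${ROOTDIR}proc/1/maps | egrep init.
# The regex is 'init' followed by any one character, so a mapping whose
# path ends exactly in "init" does not match, while "init.orig" or
# "init " would. Takes the path to a maps file (normally /proc/1/maps).
suckit_init_maps() {
    grep -E -- 'init.' "$1"
}

# Run both heuristics against a root directory (trailing slash, like
# chkrootkit's ROOTDIR). Returns 0 if either heuristic fires, 1 if neither.
suckit_check() {
    r="${1:-/}"
    found=1
    echo "== strings ${r}sbin/init | egrep HOME"
    if suckit_init_strings "${r}sbin/init"; then found=0; fi
    echo "== cat ${r}proc/1/maps | egrep init."
    if suckit_init_maps "${r}proc/1/maps"; then found=0; fi
    return $found
}

# Usage on the affected host (as root, so /proc/1/maps is readable):
#   . ./suckit_check.sh && suckit_check /
```

Comparing the printed matches against a known-good copy of /sbin/init (for example the one on the rescue CD, as Tim did) tells you whether the hit comes from the binary's legitimate contents or from something that should not be there.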