home   |   about us   |   our network   |   services   |   affiliates   |   contact
 
Services
» Web Hosting
» Reseller Hosting
» Dedicated Servers
» Windows/ASP.net Hosting
» Managed Web Hosting
» Remote Backup / Storage
» Linux VDS
» Windows VDS
 
Support
» Support Desk
» Client Login
» Forums
» FAQs
» Help Files
» Acceptable Use Policy
» Client Testimonials
» Blog
 
Tutorials
» Dedicated Server Tutorial
» Website Optimization
» Search Engine Optimization
» Web Hosting Tutorials
» Web Programming Tutorials
» Networking Tutorials
» Virtual Server Tutorials
» Resources


Detect and Clean a hacked server T0rnkit Tutorial

T0rn Rootkit

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.

The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.

I am including this so that you all diag and clean up your hacked server.

First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email

Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some process are hidden from the ps

chkrootkit

Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

Step 3. top

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

--------------------------------------------------------

OK.. looks like someone got to your server as well. Since we know what rootkit it is, let us investigate further.

Configuration files
<please use cat /path/filename/ to read what the files contain>

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz

Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs

--------------------------------------------------------

Now, Lets start the cleaning process:

Step 1.
pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

Step 2.
reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If your's is the case and that is what the DataCenter complains after reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages

that should fix it.

-- since already in resuce mode, perhaps also ask them to --force install the following rpm's

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Step 3.
After the system is up

cd /lib
rm -rf lblip.tk

Step 4.
remove the configuration files given above.

Step 5.
cat /etc/redhat-release
note down your version of redhat, then from
www.rpmfind.net
search for the following rpm's

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

-- and rpm --force install them

Step 6.
if you see the hosts.h file, it says to hide all IP's from

cat /usr/include/hosts.h
193.60

thus, if you want, you can block all the IP's from 193.60 to your server via iptables.

Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again...

You should be OK!

 

Similar Articles : Compile 2.6.7, 2.6.8, 2.6.8.1, 2.6.9, 2.6.10, 2.6.11.6 Kernel w/module-init-tools, Rkhunter Installation, Detect and Clean a hacked server T0rnkit Tutorial, How to install KISS Firewall, How to Disable Telnet, How to install mod_security for Apache, How to install BFD (Brute Force Detection), How to install APF (Advanced Policy Firewall), E-mail Alert on Root SSH Login, Mask Your Web Server for Enhanced Security, Guide to Chkrootkit - checking for intruders, Creating a Welcome message for SSH logins, Disable Direct Root Login, RootCheck - Root Check, Changing APF log for TDP/UDP drop's
   
 

Quick Links: Debian Dedicated Servers, Direct Deposit Hosting, Unmetered Dedicated Servers, Virtual Dedicated Servers, Windows Server Management, High Traffic Web Hosting - Load Balanced Clusters, Windows 2008 Server Virtual Dedicated Servers

© Copyright 2003-2010
Crucial Paradigm

ABN 97 125 618 662