Bug 33632 - Found rootkit in /rk
Summary: Found rootkit in /rk
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: basesystem   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Aaron Brown
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-03-28 17:36 UTC by Tommy Watt
Modified: 2014-03-17 02:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-16 18:24:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
the "install" script found in /rk (4.12 KB, text/plain)
2001-03-29 14:05 UTC, Tommy Watt
no flags Details
the "tar" file that was included in /rk (740.00 KB, application/octet-stream)
2001-03-29 14:07 UTC, Tommy Watt
no flags Details
contents of /var/log (392.63 KB, application/octet-stream)
2001-03-30 14:12 UTC, Tommy Watt
no flags Details

Description Tommy Watt 2001-03-28 17:36:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; compaq)

I found a root kit in a folder /rk on my system.  My system was completely 
up to date with up2date/RHN.  the files in the folder where: install (a 
script) and ssh.tar.gz
I made the stupid mistake of running the install script.  Now my system 
does not accept incoming telnets.  I looked over the script and it looked 
like it replaced a lot of files, like ps and various other things that 
would prevent me from seeing evidence of this thing on my system.  Not 
sure the name of this, but looks like a worm.  
Kind of getting tired of reformatting due to a lot of recent worm attacks 
(Ramen worm), finally got that to stop but now this.  
Does RedHat have instructions about "hardening" your system to make it 
more secure?  
BTW, I was NOT running BIND.  
If you need more information, please e-mail me at tommylw@qwest.net

Tommy Watt

Reproducible: Didn't try

Comment 1 Bill Nottingham 2001-03-28 17:39:04 UTC
If you still have the script around, do you want to attach it?

In any case, general hardening tips include:

- turn off *ALL* services you don't use
- install a firewall
- use encrypted services wherever possible (i.e., not telnet)

Comment 2 Tommy Watt 2001-03-28 18:40:38 UTC
I will add attachment when I get home.

As far as hardening RedHat, I already turned off all unneeded services and was 
running a firewall.  As for telnet, this is unavoidable because the purpose of 
my system is to provide a public access BBS via telnet.  How does one break 
into a system via telnet?  I mean, what is it's vulnability? 



Comment 3 Bill Nottingham 2001-03-28 20:34:44 UTC
With telnet, all the passwords go over the network unencrypted.

Comment 4 Tommy Watt 2001-03-29 14:05:08 UTC
Created attachment 14103 [details]
the "install" script found in /rk

Comment 5 Tommy Watt 2001-03-29 14:07:01 UTC
Created attachment 14104 [details]
the "tar" file that was included in /rk

Comment 6 Tommy Watt 2001-03-29 14:07:49 UTC
I have included the files found in the /rk directory.  

If you need anything else from my system, let me know.
I don't plan on formatting my system until I know I don't have to worry about 
this again.


Comment 7 Bill Nottingham 2001-03-29 15:34:32 UTC
Do you still have the logs?

Comment 8 Bill Nottingham 2001-03-29 15:35:59 UTC
Also, I'm assuming you still have the machine off the net - if you
haven't reformatted it, leaving it public is certainly a bad idea.

Comment 9 Tommy Watt 2001-03-29 15:54:25 UTC
I still have the logs but won't beable to get them to you until tommorow 
morning.  If there is anything else you can think of, I will get those too.

I did take my server off the internet, and have made no changes to it.

Comment 10 Tommy Watt 2001-03-29 16:06:48 UTC
Also, which exact logs do you want?  Please specify exact filenames or 
directories that you want and I will put them all in a zip file.

Comment 11 Bill Nottingham 2001-03-29 16:11:11 UTC
Everything in /var/log.

Comment 12 Tommy Watt 2001-03-30 14:12:52 UTC
Created attachment 14224 [details]
contents of /var/log

Comment 13 Tommy Watt 2001-03-30 14:13:40 UTC
I attached the /var/log zip file.  Please let me know what you find or if you 
need anything else.



Comment 14 Pekka Savola 2001-03-31 16:17:28 UTC
Well, someone certainly has been trying rpc.statd exploits on you, at least.

Comment 15 Bill Nottingham 2001-04-02 03:39:48 UTC
True. What is the timestamp on the rootkit and install scripts?

One thing to note is that up until you rebooted on March 21, you were
running the 2.2.14 kernel; there are *definite* local exploits for this
kernel, most involving sendmail. It's entirely possible that a local user
could have compromised the system that way. Was there any evidence of other
changes in the system before you ran the root kit install script (which could
have wiped out other traces...)

Comment 16 Tommy Watt 2001-04-02 13:31:34 UTC
I thought everything was OK before I noticed the /rk folder in root.  When I 
first saw this rk folder, I looked in it and saw "install" and "ssh.tar".  Well 
stupid me thought maybe that this was actually supposed to be there, as if I 
installed a openssh update from RHN, but it still needed to be installed.  So I 
ran it.  And then didn't notice that anything was wrong until I tried telneting 
into the system the next day.  Then I got to thinking that maybe that program I 
ran wasn't supposed to be there.  Looked at it more closely and sure enough it 
was not.  I did upgrade the kernel maybe a week or two earlier, but not after I 
saw this on my system.  If this was there before I uggraded the kernel, I had 
no idea it was.  

Does it look like that this happened before I upgraded kernels?  Is there 
anyway I could be more sure about this?  Is there any other information or 
files that you would need to be more sure?



Comment 17 Tommy Watt 2001-04-02 13:37:21 UTC
Oh one other thing, when you said "local user".  What do you mean, a console 
user?  Or someone who has access to logon to a shell via telnet?

Comment 18 Bill Nottingham 2001-04-02 15:26:37 UTC
'local user' is anyone who has a local account.

Probably the best way to get a good guess as to when this happened
is to check the timestamps on the rk.tar and install.sh files.

Comment 19 Tommy Watt 2001-04-02 17:46:03 UTC
The dates are July 30th, 1998.

Comment 20 Bill Nottingham 2001-04-02 18:32:47 UTC
OK, what's the timestamp on the directory?

Comment 21 Tommy Watt 2001-04-02 20:14:10 UTC
Have to get back to you for that.  Do you have any idea what may of happened?  
I'm really hessitant to reformat and put a server back online without knowing 
what happened.

Comment 22 Tommy Watt 2001-04-03 15:30:15 UTC
Ok here are the dates for /rk and the files.  Apperently the date I gave you 
before was the date that came up in Windows.  (Strange that they're so 

FEB 28 16:04 /rk
JAN 9 06:56 ssh.tar
JAN 9 07:00 install

This tell you anything?

Comment 23 Tommy Watt 2001-04-05 13:56:56 UTC

Comment 24 Bill Nottingham 2001-04-05 15:00:39 UTC
It's dated when you were still running the older kernel, so it's entirely
possible that the kernel exploit was used by a local user.

The only other relevant log entries from around then were FTP
connections listed in /var/log/secure; unfortunately, the /var/log/messages
posted don't go back far enough.

Comment 25 Tommy Watt 2001-04-05 15:09:05 UTC
As I said before, there are no local users.  Is there anything else I can give 
you that could tell you more?

Comment 26 Bill Nottingham 2001-04-05 15:16:10 UTC
There is *no one* that can run commands on the local system?

What version of wu-ftpd were you running on Feb. 28? (Yes, I know that's
not the easiest thing to answer.)  Do you have any older /var/log/messages*
files than the ones that were in the original tarball?

Comment 27 Tommy Watt 2001-04-05 15:26:42 UTC
i was running the current wu-ftp on that date.  i know this for sure because i 
made sure of it because i kept getting hit with the ramen worm

i didn't delete any log files since i reformatted.  i reformatted about a month 
ago and ran all available updates shortly after.  the only updates that i didnt 
run right away was the current kernel

the only person with shell access is myself

Comment 28 Tommy Watt 2001-04-06 17:26:45 UTC
I think I *MAY* of identified the rootkit.  I did a search on 
www.securityfocus.com, and found a reference to "Romanian rootkit".  The 
program chkrootkit (www.chkrootkit.org) says that it has the ability to detect 
the Romanian rootkit.  The reason why I think this may be it is because the 
install script says that it is made in Romania.  I however, after extensive 
searching, can not find any other information on the Romanian rootkit on the 
internet.  Do you know anything about this?

Comment 29 Tommy Watt 2001-04-09 14:07:46 UTC
I still have not identified this for sure.  The author of chkroot said I should 
talk to you about this.  <shrug>

Could you tell me if RedHat 7.1 is due to be out within the next month?  I 
really don't need to know exactly when, but it'd be nice to know if I should 
format my system now or just wait until 7.1 is out.

Any information would be appreciated!



Comment 30 Bill Nottingham 2001-04-09 14:53:39 UTC
I don't know anything in particular about the 'romanian rootkit' you mention.

I'm sorry, but we really can't comment on release dates.

Comment 31 Tommy Watt 2001-04-09 15:08:32 UTC
OK.  Well do you have any other ideas?  Or should I just reformat and hope this 
doesn't happen again?

Comment 32 Pekka Savola 2001-04-09 16:04:58 UTC
These kind of rootkits are almost always known and fixed if recent security patches have been 
installed.  In this case the culprit has probably been rpc.statd.  

The Romanian rootkit isn't anything really new, as certain rootkit detectors notice it.

After reinstalling and cutting down the services, I'm rather sure this won't happen again.  Unless security
patches are forgotten to be applied..

As for the next release, in the past there has been a rather strong correlation between different release

Comment 33 Tommy Watt 2001-04-09 16:32:51 UTC
What do you mean by "correlation between different release
dates". Do you mean they are released in nearly the same amount of time from 
each other?  

When was 6.1 and 6.2 released?

Comment 34 Tommy Watt 2001-04-12 14:47:21 UTC

Comment 35 Bill Nottingham 2001-04-16 16:40:14 UTC
I can now comment on the 7.1 release date. It's out. :)

Comment 36 Tommy Watt 2001-04-16 18:24:52 UTC
:)  i noticed..  feel free to close this bug out ....

Note You need to log in before you can comment on or make changes to this bug.