Red Hat Bugzilla – Bug 33632
Found rootkit in /rk
Last modified: 2014-03-16 22:20:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; compaq)
I found a root kit in a folder /rk on my system. My system was completely
up to date with up2date/RHN. The files in the folder were: install (a
script) and ssh.tar.gz
I made the stupid mistake of running the install script. Now my system
does not accept incoming telnets. I looked over the script and it looked
like it replaced a lot of files, like ps and various other things that
would prevent me from seeing evidence of this thing on my system. Not
sure of the name of this, but it looks like a worm.
Kind of getting tired of reformatting due to a lot of recent worm attacks
(Ramen worm), finally got that to stop but now this.
Does RedHat have instructions about "hardening" your system to make it
BTW, I was NOT running BIND.
If you need more information, please e-mail me at email@example.com
Reproducible: Didn't try
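The replaced ps the reporter describes is exactly what package verification catches on a Red Hat system: `rpm -Va` compares every installed file against the size and MD5 checksum recorded in the RPM database when the package was installed. The script below is an added example, not code from the bug thread or from Red Hat; it reads saved `rpm -Va` output and reports non-config files whose size or checksum changed, plus files recorded as missing. The line format it assumes (a flag column, an optional attribute column such as `c` for config files, then the path) and the sample output are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug thread). Reads saved `rpm -Va` output and
# reports non-config files whose size (S) or MD5 checksum (5) no longer matches
# the RPM database, plus files recorded as missing. Assumed line format:
#   S.5....T   /bin/ps          (flags, path)
#   S.5....T c /etc/issue       (flags, attribute, path; c = config file)
#   missing    /usr/bin/top
# Usage: rpm -Va > /tmp/rpmv.txt ; modified_binaries /tmp/rpmv.txt
modified_binaries() {
    awk '
        NF < 2 { next }
        $1 == "missing" { print "missing  " $NF; next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""
            # Config files (attribute "c") legitimately differ after local edits;
            # a changed size or checksum on anything else means the file was replaced.
            if (attr != "c" && (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5"))
                print "replaced " $NF
        }
    ' "$1"
}

# Constructed sample of rpm -Va output for the demo (written to the path given).
write_sample_rpmv() {
    cat > "$1" <<'EOF'
S.5....T   /bin/ps
S.5....T   /bin/netstat
.......T   /usr/bin/passwd
S.5....T c /etc/issue
.M.....    /tmp
missing    /usr/bin/top
EOF
}

sample=$(mktemp)
write_sample_rpmv "$sample"
modified_binaries "$sample"
# prints:
#   replaced /bin/ps
#   replaced /bin/netstat
#   missing  /usr/bin/top
rm -f "$sample"
```

The check is only as trustworthy as the rpm binary and database it runs against, both of which a rootkit installed as root could have touched; on a machine suspected to be compromised, run it from a boot floppy or CD with known-good binaries, and treat a clean result as one data point rather than proof.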
If you still have the script around, do you want to attach it?
In any case, general hardening tips include:
- turn off *ALL* services you don't use
- install a firewall
- use encrypted services wherever possible (i.e., not telnet)
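The first and third tips can be checked mechanically. On Red Hat 6.x the telnet and ftp servers were started by inetd, so a service is live whenever its line in /etc/inetd.conf is not commented out. The script below is an added example, not code from the bug thread or from Red Hat; it lists enabled services whose logins or data cross the network in cleartext. The list of cleartext services and the sample inetd.conf are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug thread). Lists services enabled in an
# inetd.conf-style file whose logins or data cross the network in cleartext.
# A service is live whenever its line is not commented out. The cleartext
# list is an assumption, not an exhaustive catalogue.
# Usage: enabled_cleartext_services /etc/inetd.conf
enabled_cleartext_services() {
    cleartext='ftp telnet shell login exec pop-2 pop-3 imap'
    # Drop comment lines, take the service name (first field) of each entry,
    # and keep the ones on the cleartext list.
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 1 { print $1 }' | while read -r svc; do
        case " $cleartext " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Constructed sample inetd.conf for the demo (not the reporter's real file).
write_sample_inetd() {
    cat > "$1" <<'EOF'
# inetd.conf (constructed sample)
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

sample=$(mktemp)
write_sample_inetd "$sample"
enabled_cleartext_services "$sample"   # prints ftp and telnet, one per line
rm -f "$sample"
```

Standalone daemons such as rpc.statd or sendmail never appear in inetd.conf; `chkconfig --list` (or ntsysv) shows which of those start at boot. For a service that has to stay, like the telnet BBS in this thread, the remaining levers are the firewall and tcp_wrappers (/etc/hosts.allow and /etc/hosts.deny), which limit who can reach the port at all.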
I will add attachment when I get home.
As far as hardening RedHat, I already turned off all unneeded services and was
running a firewall. As for telnet, this is unavoidable because the purpose of
my system is to provide a public access BBS via telnet. How does one break
into a system via telnet? I mean, what is its vulnerability?
With telnet, all the passwords go over the network unencrypted.
Created attachment 14103 [details]
the "install" script found in /rk
Created attachment 14104 [details]
the "tar" file that was included in /rk
I have included the files found in the /rk directory.
If you need anything else from my system, let me know.
I don't plan on formatting my system until I know I don't have to worry about
Do you still have the logs?
Also, I'm assuming you still have the machine off the net - if you
haven't reformatted it, leaving it public is certainly a bad idea.
I still have the logs but won't be able to get them to you until tomorrow
morning. If there is anything else you can think of, I will get those too.
I did take my server off the internet, and have made no changes to it.
Also, which exact logs do you want? Please specify exact filenames or
directories that you want and I will put them all in a zip file.
Everything in /var/log.
Created attachment 14224 [details]
contents of /var/log
I attached the /var/log zip file. Please let me know what you find or if you
need anything else.
Well, someone certainly has been trying rpc.statd exploits on you, at least.
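Exploit attempts against rpc.statd leave a recognisable trace in /var/log/messages: statd logs the client-supplied data through syslog, so an attempt shows up as a statd line full of format-string directives and control characters (which syslogd writes as ^X). The script below is an added example, not code from the bug thread or from Red Hat; it pulls such lines out of one or more syslog files. The indicators it matches and the sample log are assumptions constructed for the demo, drawn from how these attempts are typically logged rather than from the reporter's actual logs.

```shell
#!/bin/sh
# Added example (not from the bug thread). Scans syslog files for rpc.statd
# entries that carry the marks of an exploit attempt: format-string directives
# (%x, %n), control characters (syslogd writes them as ^X), or statd's own
# warning about a '/' in a client-supplied hostname. The indicators are
# assumptions, not a complete signature.
# Usage: statd_suspects /var/log/messages /var/log/messages.1 ...
statd_suspects() {
    cat "$@" | grep 'rpc\.statd\[' \
        | grep -E "%[0-9]*[nx]|\^[A-Z@?]|hostname containing '/'"
}

# Constructed sample of /var/log/messages for the demo (written to the path given).
write_sample_messages() {
    cat > "$1" <<'EOF'
Feb 27 23:58:01 bbs rpc.statd[422]: gethostbyname error for ^X^X^X^X^X^X^X^X%8x%8x%8x%n
Feb 28 00:01:15 bbs rpc.statd[422]: SM_MON request for hostname containing '/': /tmp/x
Feb 28 02:10:44 bbs rpc.statd[422]: Caught signal 15, un-registering and exiting.
Feb 28 03:12:00 bbs in.ftpd[515]: connect from 192.0.2.10
Feb 28 03:12:09 bbs ftpd[515]: FTP LOGIN FROM 192.0.2.10 [192.0.2.10], anonymous
EOF
}

sample=$(mktemp)
write_sample_messages "$sample"
statd_suspects "$sample"   # prints the two suspicious statd lines, not the clean restart
rm -f "$sample"
```

Pass the rotated files (messages.1, messages.2, ...) as well as the current one; as the thread later notes, the copy of /var/log/messages that was attached did not reach back to the date on the /rk directory, and the rotated copies are where that window would be.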
True. What is the timestamp on the rootkit and install scripts?
One thing to note is that up until you rebooted on March 21, you were
running the 2.2.14 kernel; there are *definite* local exploits for this
kernel, most involving sendmail. It's entirely possible that a local user
could have compromised the system that way. Was there any evidence of other
changes in the system before you ran the root kit install script (which could
have wiped out other traces...)
I thought everything was OK before I noticed the /rk folder in root. When I
first saw this rk folder, I looked in it and saw "install" and "ssh.tar". Well
stupid me thought maybe that this was actually supposed to be there, as if I
installed an openssh update from RHN, but it still needed to be installed. So I
ran it. And then didn't notice that anything was wrong until I tried telnetting
into the system the next day. Then I got to thinking that maybe that program I
ran wasn't supposed to be there. Looked at it more closely and sure enough it
was not. I did upgrade the kernel maybe a week or two earlier, but not after I
saw this on my system. If this was there before I upgraded the kernel, I had
no idea it was.
Does it look like that this happened before I upgraded kernels? Is there
any way I could be more sure about this? Is there any other information or
files that you would need to be more sure?
Oh, one other thing: when you said "local user", what do you mean, a console
user? Or someone who has access to log on to a shell via telnet?
'local user' is anyone who has a local account.
Probably the best way to get a good guess as to when this happened
is to check the timestamps on the rk.tar and install.sh files.
The dates are July 30th, 1998.
OK, what's the timestamp on the directory?
Have to get back to you for that. Do you have any idea what may have happened?
I'm really hesitant to reformat and put a server back online without knowing
Ok here are the dates for /rk and the files. Apparently the date I gave you
before was the date that came up in Windows. (Strange that they're so
FEB 28 16:04 /rk
JAN 9 06:56 ssh.tar
JAN 9 07:00 install
Does this tell you anything?
It's dated when you were still running the older kernel, so it's entirely
possible that the kernel exploit was used by a local user.
The only other relevant log entries from around then were FTP
connections listed in /var/log/secure; unfortunately, the /var/log/messages
posted don't go back far enough.
As I said before, there are no local users. Is there anything else I can give
you that could tell you more?
There is *no one* that can run commands on the local system?
What version of wu-ftpd were you running on Feb. 28? (Yes, I know that's
not the easiest thing to answer.) Do you have any older /var/log/messages*
files than the ones that were in the original tarball?
I was running the current wu-ftp on that date. I know this for sure because I
made sure of it because I kept getting hit with the Ramen worm.
I didn't delete any log files since I reformatted. I reformatted about a month
ago and ran all available updates shortly after. The only update that I didn't
run right away was the current kernel.
The only person with shell access is myself.
I think I *MAY* have identified the rootkit. I did a search on
www.securityfocus.com, and found a reference to "Romanian rootkit". The
program chkrootkit (www.chkrootkit.org) says that it has the ability to detect
the Romanian rootkit. The reason why I think this may be it is because the
install script says that it is made in Romania. I, however, after extensive
searching, cannot find any other information on the Romanian rootkit on the
internet. Do you know anything about this?
I still have not identified this for sure. The author of chkroot said I should
talk to you about this. <shrug>
Could you tell me if RedHat 7.1 is due to be out within the next month? I
really don't need to know exactly when, but it'd be nice to know if I should
format my system now or just wait until 7.1 is out.
Any information would be appreciated!
I don't know anything in particular about the 'romanian rootkit' you mention.
I'm sorry, but we really can't comment on release dates.
OK. Well do you have any other ideas? Or should I just reformat and hope this
doesn't happen again?
These kinds of rootkits are almost always known and fixed if recent security patches have been
installed. In this case the culprit has probably been rpc.statd.
The Romanian rootkit isn't anything really new, as certain rootkit detectors notice it.
After reinstalling and cutting down the services, I'm rather sure this won't happen again. Unless someone
forgets to apply the security patches.
As for the next release, in the past there has been a rather strong correlation between different release
What do you mean by "correlation between different release
dates". Do you mean they are released in nearly the same amount of time from
When was 6.1 and 6.2 released?
I can now comment on the 7.1 release date. It's out. :)
:) i noticed.. feel free to close this bug out ....