Detect and Clean your hacked server!! T0rnkit v8
Hi, around 12 [rooted] servers were passed to me in these 24 hours, all due to the latest CPanel/WHM bug, and after inspection, all servers had the same rootkit in common. [Tornkit v8]
I am including this so that you can all diagnose and clean up your hacked servers.
First of all,
log in to WHM as root,
click Tweak Settings,
and remove the tick from
[ ] Allow cPanel users to reset their password via email
1.
run chkrootkit, and you will see some INFECTED lines. It will also report that some processes are hidden from ps
chkrootkit
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed
2.
/etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
3.
top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
4.
tail /etc/rc.d/rc.sysinit
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
--------------------------------------------------------
OK.. looks like someone got to your server as well. Since we know which rootkit it is, let us investigate further.
Configuration files
(use cat /path/to/file to read what each of these files contains)
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}
Infected Binaries:
top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
tks, tksb, tkp, netstat, pg, syslogd, sz
Infected Libraries:
libproc.a, libproc.so.2.0.6, libproc.so
BackDoor: (located at /lib/lblip.tk)
shdc
shhk.pub
shk
shrs
--------------------------------------------------------
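Before touching anything, it helps to have a single read-only check for everything listed above. The script below is an added example, not something from the original post or from any rootkit scanner: it looks for the configuration files, the /lib/lblip.tk backdoor directory and its four files, the xntps startup line in rc.sysinit, and cross-checks the packages whose binaries get replaced against the rpm database. It takes an optional root prefix (default /) so the same checks can be run against a disk mounted from rescue media, which matters because ls, find and md5sum on the box itself are on the infected list and cannot be trusted. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): read-only scan for the
# T0rnkit v8 artifacts listed above. ROOT is an optional prefix, default /,
# so the checks can run on a disk mounted from rescue media, where the
# box's own ls/find/md5sum are on the infected list. Names are this
# example's own.

# Rootkit files, relative to ROOT, taken from the list above (plus the
# /usr/sbin/xntps binary that the rc.sysinit lines start).
TORNKIT_FILES="usr/include/file.h usr/include/proc.h lib/lidps1.so
usr/include/hosts.h usr/include/log.h dev/sdr0 lib/ldd.so usr/sbin/xntps"
TORNKIT_DIR="lib/lblip.tk"
TORNKIT_BACKDOOR_FILES="shdc shhk.pub shk shrs"

# Prints one "indicator: ..." line per artifact found and always returns 0,
# so callers can count:  tornkit_scan /mnt/sysimage | grep -c indicator
tornkit_scan() {
    root="${1%/}"              # "/" becomes "", so paths stay absolute
    for f in $TORNKIT_FILES; do
        if [ -e "$root/$f" ]; then
            echo "indicator: file $root/$f present"
        fi
    done
    if [ -d "$root/$TORNKIT_DIR" ]; then
        echo "indicator: backdoor directory $root/$TORNKIT_DIR present"
        for b in $TORNKIT_BACKDOOR_FILES; do
            if [ -e "$root/$TORNKIT_DIR/$b" ]; then
                echo "indicator: backdoor file $root/$TORNKIT_DIR/$b present"
            fi
        done
    fi
    sysinit="$root/etc/rc.d/rc.sysinit"
    if [ -f "$sysinit" ] && grep -q '[Xx]ntps' "$sysinit"; then
        echo "indicator: xntps startup line in $sysinit"
    fi
    return 0
}

# Cross-check the packages whose binaries t0rn replaces against the rpm
# database: a "5" in the third column of "rpm -V" output means the md5 of
# the installed file no longer matches the package. Only meaningful if rpm
# itself and its database are intact, so a clean result is a hint, not proof.
TORNKIT_PACKAGES="procps psmisc findutils fileutils util-linux net-tools textutils sysklogd"
tornkit_rpm_verify() {
    for p in $TORNKIT_PACKAGES; do
        rpm -V "$p" | grep '^..5' | sed "s/^/$p: /"
    done
    return 0
}
```

Run it from rescue media as tornkit_scan /mnt/sysimage; a zero-hit result taken on the live box, with its own ls and find trojaned, proves nothing, which is why the prefix argument is there.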
Now, let's start the cleaning process:
1.
pico /etc/rc.d/rc.sysinit
remove the lines that show
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
2.
reboot the system
WARNING: 2 servers got their kernel removed after reboot.
If yours is the case and that is what the datacenter reports after the reboot, please ask them to do the following:
reboot the system from the Red Hat CD into rescue mode
chroot to /mnt/sysimage
reinstall the kernel packages

-- since they are already in rescue mode, perhaps also ask them to install the following rpm's with rpm --force
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
3.
After the system is up
cd /lib
rm -rf lblip.tk
4.
remove the configuration files listed above.
5.
cat /etc/redhat-release
note down your version of Red Hat, then from
www.rpmfind.net
search for the following rpm's
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
-- and install them with rpm --force
6.
if you look at the hosts.h file, it tells the rootkit which IP's to hide from netstat; here it hides everything from
cat /usr/include/hosts.h
193.60
so, if you want, you can block all traffic from 193.60.x.x to your server with iptables.
7.
If all goes OK,
please reboot the server, and run chkrootkit again...
You should be OK!
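The cleaning steps above (the rc.sysinit edit, the removal of /lib/lblip.tk and the configuration files, the forced rpm reinstall, and the iptables block for the prefixes in hosts.h) are easy to get slightly wrong by hand at 3am, so here they are as shell functions. This is an added example, not code from the original post: it takes an optional root prefix (default /) so it can be applied to a disk mounted from rescue media, keeps a backup of rc.sysinit before editing it, and prints the iptables rules instead of running them so the list can be reviewed first. The function names, the .pre-clean backup suffix and the hosts.h prefix-to-CIDR conversion are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the cleanup steps above as
# shell functions. ROOT is an optional prefix, default /, for a disk
# mounted from rescue media. Function names and the .pre-clean backup
# suffix are this example's own choices.

TORNKIT_CONFIG_FILES="usr/include/file.h usr/include/proc.h lib/lidps1.so
usr/include/hosts.h usr/include/log.h dev/sdr0 lib/ldd.so usr/sbin/xntps"
TORNKIT_PACKAGES="procps psmisc findutils fileutils util-linux net-tools textutils sysklogd"

# Drop the xntps lines from rc.sysinit, keeping a backup of the original.
tornkit_fix_sysinit() {
    sysinit="${1%/}/etc/rc.d/rc.sysinit"
    [ -f "$sysinit" ] || return 0
    cp -p "$sysinit" "$sysinit.pre-clean"
    sed '/[Xx]ntps/d' "$sysinit.pre-clean" > "$sysinit"
}

# "193.60" -> "193.60.0.0/16": pad the prefix from hosts.h to four octets
# and give it a mask of 8 bits per octet that was actually written.
prefix_to_cidr() {
    echo "$1" | awk -F. '{ n = NF
        for (i = NF + 1; i <= 4; i++) $i = "0"
        printf "%s.%s.%s.%s/%d\n", $1, $2, $3, $4, n * 8 }'
}

# Print (do not run) one DROP rule per prefix listed in hosts.h, so the
# list can be eyeballed first:  tornkit_block_rules / | sh
tornkit_block_rules() {
    hosts="${1%/}/usr/include/hosts.h"
    [ -f "$hosts" ] || return 0
    grep -E '^[0-9]+(\.[0-9]+){0,3}$' "$hosts" | while read -r prefix; do
        echo "iptables -I INPUT -s $(prefix_to_cidr "$prefix") -j DROP"
    done
}

# Remove the backdoor directory and the configuration files. Run
# tornkit_block_rules before this, because hosts.h is one of the files deleted.
tornkit_remove_files() {
    root="${1%/}"
    rm -rf "$root/lib/lblip.tk"
    for f in $TORNKIT_CONFIG_FILES; do
        rm -f "$root/$f"
    done
}

# Force-reinstall the packages whose binaries t0rn replaces, from RPMs for
# your Red Hat release downloaded into DIR (from rpmfind.net, as above).
tornkit_reinstall() {
    dir="$1"
    for p in $TORNKIT_PACKAGES; do
        rpm -Uvh --force "$dir/$p"-*.rpm
    done
}
```

Order matters: tornkit_block_rules must read hosts.h before tornkit_remove_files deletes it, and the rpm reinstall should come after the files are gone so nothing the rootkit left behind is picked up again at the next boot.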
Cheers!
