Solved

Linux Redhat Server hacked with T0rn rootkit - No way to modify /etc/rc.d/rc.sysinit

Posted on 2005-03-11
1,222 Views
Last Modified: 2013-12-06
Hello,

My client's server was hacked some time ago with the T0rnkit (rootkit).

The procedure to detect it was taken from this page
http://www.crucialparadigm.com/resources/tutorials/secure-server-securing/detect-clean-hacked-server-t0rnkit-tutorial.php

I have 2 problems:

1 - the server is in a remote location and not easily accessible; if I really get into trouble I'll have to ask my host to send a technician to do some maintenance directly in front of the server (I do not have any physical access to it yet), and since I have no SLA it will probably cost money...

2 - I can't manage to modify the /etc/rc.d/rc.sysinit file; I just get the following message:

"/etc/rc.d/rc.sysinit" Can't open file for writing"

Since the restore procedure (as described at the link above) begins with this (followed by a reboot), I'm not getting anywhere, and I've already tried chmod +r on it with no more success.

Do you have any ideas for avoiding physical access and doing everything through an SSH session? (I can reboot the server remotely with an APC device.)

Red Hat Linux release 7.2 (Enigma)
kernel 2.4.20

Thanks for your help

Bye
0
Question by:FFT
5 Comments
 
LVL 15

Expert Comment

by:veedar
ID: 13525000
Some random thoughts...

Double check you are root and the perms allow writing

Trace your edit attempt with ptrace to see what's happening

Try different editors to write to rc.sysinit; perhaps upload a statically linked editor. Your editors may be compromised.

0
 
LVL 23

Accepted Solution

by:
sciwriter earned 400 total points
ID: 13526650
If the server is compromised with a typical Linux /FS hack, you will HAVE to be sitting in front of it to fix it. Sorry.
0
 

Author Comment

by:FFT
ID: 13527789
This is looking bad... Anyway, a few answers for what veedar suggested.

I'm root, totally sure about this (tested by creating and writing files).
About ptrace: bash: ptrace: command not found, although I have /usr/include/sys/ptrace.h. I don't know this command; either it needs an argument (not very clear in man ptrace) or it is not installed or is corrupted on the system...

I tried to edit the file with emacs, but could you give me an example of a "statically" linked editor?

Thanks
0
 
LVL 15

Assisted Solution

by:veedar
veedar earned 600 total points
ID: 13528408
A statically linked command is one that does not rely on any external files to operate. It is fully self contained and standalone. You can look in /sbin (stands for static binaries); there will most likely be an editor there.

If not, you can compile from source code with options to link libraries statically. You should compile (or copy from /sbin) the editor you choose from a similar system that is not infected and upload it to your infected machine.

I misled you with ptrace; the command you want is strace, not ptrace.

If you do need to rebuild, take a look at centos.org; it is a clone of Red Hat Enterprise.
0
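A check that goes with veedar's advice, added here and not part of the thread: before uploading an editor to the compromised host, confirm on a clean machine that it really is statically linked by reading its ELF program headers directly (a static executable has no PT_INTERP and no PT_DYNAMIC entry), rather than trusting ldd or file, which could themselves be trojaned on the infected box. make_elf32 builds a constructed sample image for exercising the check offline; the command-line paths are assumed.

```python
import struct
import sys

PT_DYNAMIC = 2   # p_type of the dynamic-linking table
PT_INTERP = 3    # p_type naming the dynamic loader (e.g. ld-linux.so)

def is_statically_linked(data: bytes) -> bool:
    """Return True if the ELF image has no PT_INTERP and no PT_DYNAMIC program header.
    Handles ELF32 (i386, as on Red Hat 7.2) and ELF64 in either byte order, using only
    the file bytes, so it does not depend on ldd/file from the suspect host."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 1:                            # ELFCLASS32: e_phoff@28, e_phentsize/e_phnum@42
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    elif ei_class == 2:                          # ELFCLASS64: e_phoff@32, e_phentsize/e_phnum@54
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        # p_type is the first 32-bit field of every program header in both classes
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True

def make_elf32(p_types):
    """Constructed minimal little-endian ELF32 image with the given program header
    types; a fixture for testing the check offline, not a real executable."""
    phoff, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, LSB, version 1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, 0, 0,
                              52, phentsize, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return hdr + phdrs

def check_file(path: str) -> bool:
    """Read a candidate editor binary (e.g. one built with gcc -static) and check it."""
    with open(path, "rb") as f:
        return is_statically_linked(f.read())

if __name__ == "__main__":
    for path in sys.argv[1:]:   # assumed usage: python check_static.py ./vi-static
        print(path, "static" if check_file(path) else "DYNAMIC (needs shared libraries)")
```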
 

Author Comment

by:FFT
ID: 13540453
OK, I split the points, guys. I asked my datacenter to reinstall the server... which led to another problem with Apache and suexec! (Not related to this topic, though, but if you're interested: http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21350680.html)

Thanks for your help

Bye
0
