• Status: Solved

Linux Redhat Server hacked with T0rn rootkit - No way to modify /etc/rc.d/rc.sysinit

Hello,

My client's server was hacked some time ago with the T0rnkit (rootkit).

The procedure to detect it was taken from this page
http://www.crucialparadigm.com/resources/tutorials/secure-server-securing/detect-clean-hacked-server-t0rnkit-tutorial.php

I have 2 problems:

1 - The server is in a remote location and not easily accessible. If I really get into trouble I'll have to ask my host to send a technician to do some maintenance directly in front of the server (I do not have any physical access to it yet), and since I have no SLA it will probably cost money...

2 - I can't manage to modify the /etc/rc.d/rc.sysinit file; I just get the following message:

"/etc/rc.d/rc.sysinit" Can't open file for writing"

Since the restore procedure (as described at the link above) begins with this (followed by a reboot), I'm not getting anywhere, and I've already tried chmod +r on it with no more success.

Do you have any ideas for avoiding physical access and doing everything through an SSH session? (I can reboot the server remotely with an APC device.)

Red Hat Linux release 7.2 (Enigma)
kernel 2.4.20

Thanks for your help

Bye
Asked by: FFT
2 Solutions
 
veedar commented:
Some random thoughts...

Double-check that you are root and that the perms allow writing.

Trace your edit attempt with ptrace to see what's happening.

Try different editors to write to rc.sysinit; perhaps upload a statically linked editor. Your editors may be compromised.

0
 
sciwriter commented:
If the server is compromised with a typical Linux /FS hack, you will HAVE to be sitting in front of it to fix it.  Sorry.
0
 
FFT (Author) commented:
This is looking bad... Anyway, a few answers to what veedar suggested.

I'm root, totally sure about this (tested by creating and writing files).
About ptrace: "bash: ptrace: command not found", although I have /usr/include/sys/ptrace.h. I don't know this command; either it needs arguments (not pretty clear in man ptrace) or it is not installed and corrupted on the system...

I tried to edit the file with emacs, but could you give me an example of a "statically" linked editor?

Thanks
0
 
veedar commented:
A statically linked command is one that does not rely on any external files to operate. It is fully self-contained and standalone. You can look in /sbin (stands for static binaries); there will most likely be an editor there.

If not, you can compile from source code with options to link libraries statically. You should compile (or copy from /sbin) the editor you chose from a similar system that is not infected and upload it to your infected machine.

I misled you with ptrace; the command you want is strace, not ptrace.

If you do need to rebuild, take a look at centos.org; it is a clone of Red Hat Enterprise.
0
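veedar's advice above amounts to two checks: trace the failed edit with strace to see which system call fails and why, and make sure any replacement editor is really statically linked. The script below is an added example written for this thread, not code posted by anyone in it; the strace log it parses is constructed, not captured from the poster's server, and the commands it runs (strace, awk, ldd) are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread: interpret the strace output veedar
# suggests collecting (e.g. "strace -f -o edit.log vi /etc/rc.d/rc.sysinit")
# and verify that a replacement editor is statically linked.

# Constructed sample log, not captured from the poster's server.
STRACE_LOG=$(cat <<'EOF'
open("/etc/rc.d/rc.sysinit", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=27890, ...}) = 0
close(3) = 0
open("/etc/rc.d/rc.sysinit", O_WRONLY|O_CREAT|O_TRUNC, 0644) = -1 EPERM (Operation not permitted)
write(2, "\"/etc/rc.d/rc.sysinit\" Can't open file for writing", 50) = 50
EOF
)

# Print "<path> <errno>" for every open()/openat() in the log that failed.
failed_opens() {
    printf '%s\n' "$1" | awk '
        /^open(at)?\(/ && /= -1 E[A-Z]+/ {
            split($0, q, "\"")               # q[2] is the quoted path
            match($0, /= -1 E[A-Z]+/)
            print q[2], substr($0, RSTART + 5, RLENGTH - 5)
        }'
}

# Map the errno of a failed write-open to the check worth doing next.
# As root, permission bits never yield EPERM on an existing regular file,
# so EPERM points at file attributes (lsattr/chattr), not at chmod.
explain_errno() {
    case "$1" in
        EACCES) echo "mode or ownership denies access: compare id -u with ls -l" ;;
        EPERM)  echo "not a chmod problem: check lsattr for the immutable/append-only flags" ;;
        EROFS)  echo "filesystem is mounted read-only: check mount" ;;
        *)      echo "unexpected error $1" ;;
    esac
}

# A statically linked binary makes ldd report "not a dynamic executable".
# Run this on the clean system you copy the editor from, since ldd on the
# compromised host may itself be trojaned.
is_static_binary() {
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

failed_opens "$STRACE_LOG" | while read -r path err; do
    echo "$path: $err -> $(explain_errno "$err")"
done
```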
 
FFT (Author) commented:
OK, I split the points, guys. I asked my datacenter to reinstall the server... which led to another problem with Apache and suexec! (Not related to this topic, though, but if you're interested: http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21350680.html)

Thanks for your help

Bye
0
