
#1 2011-01-23 02:50:12

KDH
Member
From: Kansas
Registered: 2009-07-23
Posts: 8

Hacked, possible adore rootkit

I just discovered yesterday that my system had been hacked, and whoever was responsible was running a program called psybnc as well as some scanners, presumably to find more systems to compromise. I spent today cleaning it all up and closing the security hole (a stupidly weak root password and root ssh access), and just finished running both chkrootkit and rkhunter.

chkrootkit came up clean, but rkhunter warns of a possible adore rootkit. I know there's an issue with false positives in this case; however, checking the logs reveals repeated reloading (within the same second) of the dbus configuration file (which from my reading on this forum might be indicative of the adore rootkit) and that root has changed the password of the hal and dbus users at least once. I don't have any other Arch systems to compare this to at the moment, so what I'm wondering is whether either of those is cause for concern, as I have everything else taken care of.


"But it does me no injury for my neighbor to say there are twenty gods or no God. It neither picks my pocket nor breaks my leg." -Thomas Jefferson

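The two log indicators described in the post above can be checked mechanically rather than by eye. What follows is an added example, not code from the original post and not part of rkhunter or chkrootkit: a POSIX shell script that scans syslog-style text for (1) dbus reloading its configuration more than once within the same second and (2) password changes on the hal and dbus service accounts. The sample log lines, the hostname "arch", the PIDs and the exact message wording are constructed for the example; real dbus-daemon and pam_unix messages may be phrased differently, so compare the patterns against your own log before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): look for the two indicators
# described above in syslog-style text. Log lines, hostname, PIDs and the
# exact message wording below are CONSTRUCTED for this example; check the
# grep patterns against your own /var/log/messages.log before trusting them.

SAMPLE_LOG='Jan 22 03:14:07 arch dbus-daemon[512]: [system] Reloaded configuration
Jan 22 03:14:07 arch dbus-daemon[512]: [system] Reloaded configuration
Jan 22 03:14:07 arch dbus-daemon[512]: [system] Reloaded configuration
Jan 22 03:15:02 arch passwd[2231]: pam_unix(passwd:chauthtok): password changed for hal
Jan 22 03:15:03 arch passwd[2233]: pam_unix(passwd:chauthtok): password changed for dbus
Jan 22 09:00:00 arch dbus-daemon[512]: [system] Reloaded configuration
Jan 22 09:30:11 arch passwd[4100]: pam_unix(passwd:chauthtok): password changed for kdh'

# Indicator 1: dbus reloading its configuration more than once in the same
# second. Reads log text on stdin and prints "Mon DD HH:MM:SS count" for each
# burst. A single reload after a package upgrade is normal; a tight burst
# of reloads is what the post describes.
dbus_reload_bursts() {
    grep 'dbus-daemon\[[0-9]*\]: \[system\] Reloaded configuration' |
        awk '{ print $1, $2, $3 }' |          # keep only the timestamp
        sort | uniq -c |
        awk '$1 > 1 { print $2, $3, $4, $1 }'
}

# Indicator 2: password changes on service accounts that should never have a
# usable password. Reads log text on stdin, prints one account name per line.
service_passwd_changes() {
    grep 'passwd\[[0-9]*\]: pam_unix(passwd:chauthtok): password changed for ' |
        sed 's/.*password changed for //' |
        grep -x -e hal -e dbus
}

# Helpers that run both checks over the constructed sample so the results
# can be checked: number of reload bursts, and the affected accounts.
sample_burst_count() {
    printf '%s\n' "$SAMPLE_LOG" | dbus_reload_bursts | wc -l | tr -d ' '
}

sample_changed_accounts() {
    printf '%s\n' "$SAMPLE_LOG" | service_passwd_changes | tr '\n' ' ' | sed 's/ $//'
}

# Report. Pass a log file as $1 to scan a real file instead of the sample.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    log=$(cat -- "$1")
else
    log=$SAMPLE_LOG
fi
echo "dbus config reload bursts (timestamp, count):"
printf '%s\n' "$log" | dbus_reload_bursts
echo "service accounts whose password was changed:"
printf '%s\n' "$log" | service_passwd_changes
```

Two caveats a practitioner would add. First, an attacker with root can edit or truncate the logs, so a clean result proves nothing; a hit is a reason to treat the host as compromised, not the other way round. Second, the script reads the log as text, so run it from a live CD against the mounted disk rather than with the possibly trojaned grep, awk and sed of the compromised system.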

#2 2011-01-23 04:09:33

brianhanna
Member
Registered: 2009-10-30
Posts: 157

Re: Hacked, possible adore rootkit

If root was hacked, there's no way you can ever know if you've got it clean without formatting and reinstalling. I don't think I'd even bother trying to clean it up.


#3 2011-01-23 04:38:44

KDH
Member
From: Kansas
Registered: 2009-07-23
Posts: 8

Re: Hacked, possible adore rootkit

Yeah, I'm not sure it can be done either, but it seems they weren't very thorough. I've got a nearly complete record of what was done since they didn't bother to clean up the bash history file. They did delete every executable they ran, but that doesn't really help when you leave the download link behind. The only thing I don't have a copy of is a script/binary called "x", which doesn't appear in the linked archive.

Never mind, it seems that the mysterious "x" is in fact most likely the adore rootkit. And here I was hoping I wouldn't have to reinstall.

Last edited by KDH (2011-01-23 05:15:15)



#4 2011-01-23 10:48:54

mechmg93
Member
From: Greece
Registered: 2007-05-23
Posts: 197

Re: Hacked, possible adore rootkit

I believe that the warning from rkhunter is because of the existence of the heimdal package.

In my Arch Linux installation I did the following:

Try to force removing heimdal:

pacman -Rd heimdal

Run:

rkhunter --checkall


and the adore rootkit warning will go away. That happened on my system.


P.S. Do not forget to run pacman -S heimdal again.


Mikes on AUR


#5 2011-01-23 14:16:38

brianhanna
Member
Registered: 2009-10-30
Posts: 157

Re: Hacked, possible adore rootkit

I think adore cleans out .bash_history automatically. Of course the person could have modified it or something. I guess I'd be worried that they left a little something there so you'd feel confident you knew what they did.


#6 2011-01-23 16:20:10

KDH
Member
From: Kansas
Registered: 2009-07-23
Posts: 8

Re: Hacked, possible adore rootkit

@mechmg93: Yeah, I know about rkhunter's issue with heimdal, that's why I was asking about the log activity I mentioned in the first post.

@brianhanna: That worried me as well, especially after searching for info on adore: I found that, in at least one package, a modified version of its installer is called "x", which showed up in root's bash history four or five times.

So, I'm not going to take any chances, and am in the middle of reinstalling right now, and I'm not going to trust any binaries from the old system. Videos, Music, and Pictures should be safe, right? That's the only stuff on the machine I care about. Sorry if it's a silly question, I've never had to deal with a rootkit before.

Last edited by KDH (2011-01-23 16:23:03)



#7 2011-01-23 17:48:59

jimtito
Member
Registered: 2011-01-23
Posts: 2

Re: Hacked, possible adore rootkit

boo

Last edited by jimtito (2011-01-23 17:50:10)


#8 2011-01-23 19:18:07

brianhanna
Member
Registered: 2009-10-30
Posts: 157

Re: Hacked, possible adore rootkit

I think your files will probably be OK. You could use a live CD to take a look at all the files you're saving. Pics, videos, etc. don't need to be executable, so you could "chmod -x" everything you back up. That would give you some protection even if they messed with one of those files.

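The advice above (copy the data out from a live CD and strip the execute bit) is easy to get slightly wrong by hand: symlinks on the old disk can point anywhere, and setuid bits survive a plain cp -a. The following is an added example, not code from this thread: a POSIX shell script that copies only regular files out of a tree mounted from the compromised disk, removes execute, setuid and setgid bits from every copy, and then verifies that nothing executable remains. The SRC and DST paths are placeholders; the sample files created in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): copy user data out of a tree
# mounted read-only from the compromised disk and strip execute, setuid and
# setgid bits from every copy, as suggested in the post above. Only regular
# files are copied; symlinks, devices and sockets on the old disk are left
# behind. SRC and DST are placeholder paths supplied by the caller.

# sanitized_backup SRC DST
sanitized_backup() {
    src=$1
    dst=$2
    mkdir -p -- "$dst"
    # Enumerate regular files relative to SRC so the directory layout is kept.
    # (Caveat: a filename containing a newline would break this read loop.)
    ( cd -- "$src" && find . -type f -print ) | while IFS= read -r rel; do
        mkdir -p -- "$dst/$(dirname "$rel")"
        cp -- "$src/$rel" "$dst/$rel"
        # No execute, no setuid/setgid, no group/world write on the copy.
        chmod a-xs,go-w -- "$dst/$rel"
    done
    # Second pass over the whole destination so nothing is missed.
    find "$dst" -type f -exec chmod a-xs {} +
}

# Returns success if no regular file under DIR carries any execute, setuid
# or setgid bit (octal masks: 100/010/001 = x bits, 4000/2000 = s bits).
# Run it on the finished backup before trusting the backup.
no_executables_under() {
    [ -z "$(find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
                                 -o -perm -4000 -o -perm -2000 \) -print | head -n 1)" ]
}

# Usage: sanitized_backup.sh /mnt/olddisk/home/kdh /backup/kdh
if [ $# -eq 2 ]; then
    sanitized_backup "$1" "$2"
    if no_executables_under "$2"; then
        echo "backup at $2 contains no executable files"
    else
        echo "WARNING: executable files remain under $2" >&2
        exit 1
    fi
fi
```

Stripping the execute bit stops a planted script or binary from being run by accident; it does not make the data safe to open, since a media player or image library with a parsing bug can still be attacked through a crafted file. For the files the poster cares about (videos, music, pictures) that residual risk is the same as for any file downloaded from the internet, which is the sense in which the advice above holds.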

#9 2011-01-23 19:40:28

KDH
Member
From: Kansas
Registered: 2009-07-23
Posts: 8

Re: Hacked, possible adore rootkit

Excellent. That just leaves my own scripts, which, in the worst-case scenario, I can just rewrite. Some of them probably need it anyway. Thank you very much for your help.



#10 2011-01-23 19:59:48

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Hacked, possible adore rootkit

AFAIK that's a known false positive.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#11 2011-01-23 20:27:21

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: Hacked, possible adore rootkit

mechmg93 wrote:

I believe that the warning from rkhunter is because of the existence of the heimdal package.

In my Arch Linux installation I did the following:

Try to force removing heimdal:

pacman -Rd heimdal

Run:

rkhunter --checkall


and the adore rootkit warning will go away. That happened on my system.


P.S. Do not forget to run pacman -S heimdal again.

Odd, I took your advice and received the following warnings (I did not post the OK status messages):

Checking system commands...
Checking for prerequisites                               [ Warning ]
/usr/bin/ldd                                             [ Warning ]
/usr/sbin/adduser                                        [ Warning ]

Checking the local host...
Checking for syslog configuration file                   [ Warning ]

Checking the local host...

Performing filesystem checks
Checking /dev for suspicious file types                  [ Warning ]
Checking for hidden files and directories                [ Warning ]

Can you verify that your system isn't flagging them as well?  x86_64 here (up-to-date).

Last edited by graysky (2011-01-23 20:34:51)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#12 2011-01-24 21:21:02

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Hacked, possible adore rootkit

graysky wrote:

Can you verify that your system isn't flagging them as well?  x86_64 here (up-to-date).

You don't have the /usr/sbin/kfd warning. The rest of the [Warning] messages are probably specific to your system.

Last edited by Leonid.I (2011-01-24 21:21:46)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#13 2011-01-24 21:26:01

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: Hacked, possible adore rootkit

Graysky: a good maintainer checks the details of the warnings, as rkhunter recommends at the end of the scan. The warnings can mean just about anything. ;)


