oh shit my linux box has a rootkit!


    This isn't good. Now how do I fix it?
    Code:
    ROOTDIR is `/'
    Checking `amd'...                      not found
    Checking `basename'...                   not infected
    Checking `biff'...                     not found
    Checking `chfn'...                     not infected
    Checking `chsh'...                     not infected
    Checking `cron'...                     not infected
    Checking `crontab'...                    not infected
    Checking `date'...                     not infected
    Checking `du'...                      not infected
    Checking `dirname'...                    not infected
    Checking `echo'...                     not infected
    Checking `egrep'...                     not infected
    Checking `env'...                      not infected
    Checking `find'...                     not infected
    Checking `fingerd'...                    not found
    Checking `gpm'...                      not found
    Checking `grep'...                     not infected
    Checking `hdparm'...                    not infected
    Checking `su'...                      not infected
    Checking `ifconfig'...                   not infected
    Checking `inetd'...                     not infected
    Checking `inetdconf'...                   not found
    Checking `identd'...                    not found
    Checking `init'...                     not infected
    Checking `killall'...                    not infected
    Checking `ldsopreload'...                  not infected
    Checking `login'...                     not infected
    Checking `ls'...                      not infected
    Checking `lsof'...                     not infected
    Checking `mail'...                     not infected
    Checking `mingetty'...                   not found
    Checking `netstat'...                    not infected
    Checking `named'...                     not found
    Checking `passwd'...                    not infected
    Checking `pidof'...                     not infected
    Checking `pop2'...                     not found
    Checking `pop3'...                     not found
    Checking `ps'...                      not infected
    Checking `pstree'...                    not infected
    Checking `rpcinfo'...                    not found
    Checking `rlogind'...                    not found
    Checking `rshd'...                     not found
    Checking `slogin'...                    not infected
    Checking `sendmail'...                   not infected
    Checking `sshd'...                     not infected
    Checking `syslogd'...                    not tested
    Checking `tar'...                      not infected
    Checking `tcpd'...                     not infected
    Checking `tcpdump'...                    not infected
    Checking `top'...                      not infected
    Checking `telnetd'...                    not found
    Checking `timed'...                     not found
    Checking `traceroute'...                  not found
    Checking `vdir'...                     not infected
    Checking `w'...                       not infected
    Checking `write'...                     not infected
    Checking `aliens'...                    no suspect files
    Searching for sniffer's logs, it may take a while...    nothing found
    Searching for rootkit HiDrootkit's default files...     nothing found
    Searching for rootkit t0rn's default files...        nothing found
    Searching for t0rn's v8 defaults...             nothing found
    Searching for rootkit Lion's default files...        nothing found
    Searching for rootkit RSHA's default files...        nothing found
    Searching for rootkit RH-Sharpe's default files...     nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found: 
    /usr/lib/enlightenment/modules/wizard/favorites/.order /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/pymodules/python2.7/.path
    
    Searching for LPD Worm files and dirs...          nothing found
    Searching for Ramen Worm files and dirs...         nothing found
    Searching for Maniac files and dirs...           nothing found
    Searching for RK17 files and dirs...            nothing found
    Searching for Ducoci rootkit...               nothing found
    Searching for Adore Worm...                 nothing found
    Searching for ShitC Worm...                 nothing found
    Searching for Omega Worm...                 nothing found
    Searching for Sadmind/IIS Worm...              nothing found
    Searching for MonKit...                   nothing found
    Searching for Showtee...                  nothing found
    Searching for OpticKit...                  nothing found
    Searching for T.R.K...                   nothing found
    Searching for Mithra...                   nothing found
    Searching for LOC rootkit...                nothing found
    Searching for Romanian rootkit...              nothing found
    Searching for Suckit rootkit...               Warning: /sbin/init INFECTED
    Searching for Volc rootkit...                nothing found
    Searching for Gold2 rootkit...               nothing found
    Searching for TC2 Worm default files and dirs...      nothing found
    Searching for Anonoying rootkit default files and dirs...  nothing found
    Searching for ZK rootkit default files and dirs...     nothing found
    Searching for ShKit rootkit default files and dirs...    nothing found
    Searching for AjaKit rootkit default files and dirs...   nothing found
    Searching for zaRwT rootkit default files and dirs...    nothing found
    Searching for Madalin rootkit default files...       nothing found
    Searching for Fu rootkit default files...          nothing found
    Searching for ESRK rootkit default files...         nothing found
    Searching for rootedoor...                 nothing found
    Searching for ENYELKM rootkit default files...       nothing found
    Searching for common ssh-scanners default files...     nothing found
    Searching for suspect PHP files...             nothing found
    Searching for anomalies in shell history files...      nothing found
    Checking `asp'...                      not infected
    Checking `bindshell'...                   not infected
    Checking `lkm'...                      chkproc: nothing detected
    chkdirs: nothing detected
    Checking `rexedcs'...                    not found
    Checking `sniffer'...                    lo: not promisc and no packet sniffer sockets
    eth0: PACKET SNIFFER(/sbin/dhclient[1087])
    Checking `w55808'...                    not infected
    Checking `wted'...                     1 deletion(s) between Sat Aug 10 15:15:45 2013 and Sat Aug 10 09:18:04 2013
    Checking `scalper'...                    not infected
    Checking `slapper'...                    not infected
    Checking `z2'...                      chklastlog: nothing deleted
    Checking `chkutmp'...                    chkutmp: nothing deleted
    Checking `OSX_RSPLUG'...                  not infected
    Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

    "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

    Excuse me while i do something dangerous


    You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

    Sometimes you need to break shit to fix it.... That's why my lawnmower doesn't have a deadman switch or engine brake anymore

    Follow the white rabbit.

    #2
    Re: oh shit my linux box has a rootkit!

    Sorry for double posting, but my HDD is failing too.
    Code:
    smartctl 5.43 2012-06-30 r3573 [x86_64-linux-3.8.0-27-generic] (local build)
    Copyright (C) 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net
    
    === START OF INFORMATION SECTION ===
    Model Family:   Seagate Barracuda (SATA 3Gb/s, 4K Sectors)
    Device Model:   ST1000DM003-9YN162
    Serial Number:  S1D4KTE5
    LU WWN Device Id: 5 000c50 0523b2027
    Firmware Version: CC9F
    User Capacity:  1,000,204,886,016 bytes [1.00 TB]
    Sector Sizes:   512 bytes logical, 4096 bytes physical
    Device is:    In smartctl database [for details use: -P show]
    ATA Version is:  8
    ATA Standard is: ATA-8-ACS revision 4
    Local Time is:  Wed Aug 14 23:38:34 2013 MDT
    SMART support is: Available - device has SMART capability.
    SMART support is: Enabled
    
    === START OF READ SMART DATA SECTION ===
    SMART overall-health self-assessment test result: PASSED
    
    General SMART Values:
    Offline data collection status: (0x82)	Offline data collection activity
    					was completed without error.
    					Auto Offline Data Collection: Enabled.
    Self-test execution status:   ( 120)	The previous self-test completed having
    					the read element of the test failed.
    Total time to complete Offline 
    data collection: 		( 584) seconds.
    Offline data collection
    capabilities: 			 (0x7b) SMART execute Offline immediate.
    					Auto Offline data collection on/off support.
    					Suspend Offline collection upon new
    					command.
    					Offline surface scan supported.
    					Self-test supported.
    					Conveyance Self-test supported.
    					Selective Self-test supported.
    SMART capabilities:      (0x0003)	Saves SMART data before entering
    					power-saving mode.
    					Supports SMART auto save timer.
    Error logging capability:    (0x01)	Error logging supported.
    					General Purpose Logging supported.
    Short self-test routine 
    recommended polling time: 	 (  1) minutes.
    Extended self-test routine
    recommended polling time: 	 ( 112) minutes.
    Conveyance self-test routine
    recommended polling time: 	 (  2) minutes.
    SCT capabilities: 	    (0x3081)	SCT Status supported.
    
    SMART Attributes Data Structure revision number: 10
    Vendor Specific SMART Attributes with Thresholds:
    ID# ATTRIBUTE_NAME     FLAG   VALUE WORST THRESH TYPE   UPDATED WHEN_FAILED RAW_VALUE
     1 Raw_Read_Error_Rate   0x000f  117  099  006  Pre-fail Always    -    124470440
     3 Spin_Up_Time      0x0003  097  097  000  Pre-fail Always    -    0
     4 Start_Stop_Count    0x0032  100  100  020  Old_age  Always    -    378
     5 Reallocated_Sector_Ct  0x0033  100  100  036  Pre-fail Always    -    408
     7 Seek_Error_Rate     0x000f  058  057  030  Pre-fail Always    -    73026188078
     9 Power_On_Hours     0x0032  098  098  000  Old_age  Always    -    2067
     10 Spin_Retry_Count    0x0013  100  100  097  Pre-fail Always    -    0
     12 Power_Cycle_Count    0x0032  100  100  020  Old_age  Always    -    365
    183 Runtime_Bad_Block    0x0032  100  100  000  Old_age  Always    -    0
    184 End-to-End_Error    0x0032  100  100  099  Old_age  Always    -    0
    187 Reported_Uncorrect   0x0032  099  099  000  Old_age  Always    -    1
    188 Command_Timeout     0x0032  100  098  000  Old_age  Always    -    8590065673
    189 High_Fly_Writes     0x003a  100  100  000  Old_age  Always    -    0
    190 Airflow_Temperature_Cel 0x0022  065  054  045  Old_age  Always    -    35 (Min/Max 31/41)
    191 G-Sense_Error_Rate   0x0032  100  100  000  Old_age  Always    -    0
    192 Power-Off_Retract_Count 0x0032  100  100  000  Old_age  Always    -    260
    193 Load_Cycle_Count    0x0032  100  100  000  Old_age  Always    -    628
    194 Temperature_Celsius   0x0022  035  046  000  Old_age  Always    -    35 (0 18 0 0 0)
    197 Current_Pending_Sector 0x0012  100  100  000  Old_age  Always    -    8
    198 Offline_Uncorrectable  0x0010  100  100  000  Old_age  Offline   -    8
    199 UDMA_CRC_Error_Count  0x003e  200  200  000  Old_age  Always    -    0
    240 Head_Flying_Hours    0x0000  100  253  000  Old_age  Offline   -    72889889982319
    241 Total_LBAs_Written   0x0000  100  253  000  Old_age  Offline   -    1484676142505
    242 Total_LBAs_Read     0x0000  100  253  000  Old_age  Offline   -    1190585618478
    
    SMART Error Log Version: 1
    No Errors Logged
    
    SMART Self-test log structure revision number 1
    Num Test_Description  Status         Remaining LifeTime(hours) LBA_of_first_error
    # 1 Short offline    Completed: read failure    80%   2067     187881833
    # 2 Short offline    Completed: read failure    50%   2066     187881833
    # 3 Short offline    Completed: read failure    80%   2066     187881833
    
    SMART Selective self-test log data structure revision number 1
     SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
      1    0    0 Not_testing
      2    0    0 Not_testing
      3    0    0 Not_testing
      4    0    0 Not_testing
      5    0    0 Not_testing
    Selective self-test flags (0x0):
     After scanning selected spans, do NOT read-scan remainder of disk.
    If Selective self-test is pending on power-up, resume after 0 minute delay.


      #3
      Re: oh shit my linux box has a rootkit!

      short answer: toss the hdd
      long answer: http://en.wikipedia.org/wiki/Rkhunter



        #4
        Re: oh shit my linux box has a rootkit!

        well tests say only 2047h of life left on the drive
        Last edited by goontron; 08-15-2013, 12:24 PM.


          #5
          Re: oh shit my linux box has a rootkit!

          Estimated. Is it backed up?



            #6
            Re: oh shit my linux box has a rootkit!

            ^ That's happening right now, but it locks up every 90 MB.


              #7
              Re: oh shit my linux box has a rootkit!

              I'm going to recommend the freezer trick if you can't get your data off the drive. Basically stick it in the freezer for a couple hours, then quickly hook it up and get your data off it before the condensation appears. Some people say it doesn't work, other people say it does. I had it work for me, but my guess is it's a last ditch effort.



                #8
                Re: oh shit my linux box has a rootkit!

                I would try Spinrite on it to recover data.



                  #9
                  Re: oh shit my linux box has a rootkit!

                  Use GNU ddrescue to make an image/clone of the drive.
                  "Tantalum for the brave, Solid Aluminium for the wise, Wet Electrolytic for the adventurous"
                  -David VanHorn



                    #10
                    Re: oh shit my linux box has a rootkit!

                    It may be bit rot causing false HDD failure reports. To test this, you need to wipe the HDD with zeroes.
                    ASRock B550 PG Velocita

                    Ryzen 9 "Vermeer" 5900X

                    32 GB G.Skill RipJaws V F4-3200C16D-32GVR

                    Arc A770 16 GB

                    eVGA Supernova G3 750W

                    Western Digital Black SN850 1TB NVMe SSD

                    Alienware AW3423DWF OLED




                    "I love "Love It or List It with Hilary Farr!"" -Myself

                    "There's nothing more unattractive than a chick smoking a cigarette" -Topcat

                    "Today's lesson in pissivity comes in the form of a ziplock baggie full of GPU extension brackets & hardware that for the last ~3 years have been on my bench, always in my way, getting moved around constantly....and yesterday I found myself in need of them....and the bastards are now nowhere to be found! Motherfracker!!" -Topcat

                    "did I see a chair fly? I think I did! Time for popcorn!" -ratdude747



                      #11
                      Re: oh shit my linux box has a rootkit!

                      Originally posted by RJARRRPCGP:
                      It may be bit rot causing false HDD failure reports. To test this, you need to wipe the HDD with zeroes.
                      Thought this was a joke post, but amazingly enough, bit rot is a thing.

                      Still, his HDD isn't that old. I doubt it's bit rot.



                        #12
                        Re: oh shit my linux box has a rootkit!

                        Originally posted by RJARRRPCGP:
                        It may be bit rot causing false HDD failure reports. To test this, you need to wipe the HDD with zeroes.
                        I've actually had this happen about 4 times now. Wiping the disk fixed it each time. It typically shows up as a few pending sectors that can't be read, but writing new data works fine and can then be read. It seems to happen more often with drives that have higher areal density, probably because of adjacent patterns interfering.



                          #13
                          Re: oh shit my linux box has a rootkit!

                          Originally posted by cheapie:
                          I've actually had this happen about 4 times now. Wiping the disk fixed it each time. It typically shows up as a few pending sectors that can't be read, but writing new data works fine and can then be read. It seems to happen more often with drives that have higher areal density, probably because of adjacent patterns interfering.
                          That's because the process of doing the zero fill causes the pending sectors to be remapped. If this is happening the drive is faulty.
                          "Tantalum for the brave, Solid Aluminium for the wise, Wet Electrolytic for the adventurous"
                          -David VanHorn



                            #14
                            Re: oh shit my linux box has a rootkit!

                            Originally posted by Agent24:
                            That's because the process of doing the zero fill causes the pending sectors to be remapped. If this is happening the drive is faulty.
                            I've seen this happen before, even when I couldn't recall sectors being remapped.


                              #15
                              Re: oh shit my linux box has a rootkit!

                              Originally posted by Agent24:
                              That's because the process of doing the zero fill causes the pending sectors to be remapped. If this is happening the drive is faulty.
                              The reallocated sector count remained at 0. When a sector is marked as "pending", and a write is performed on it, one of two things can happen:

                              a: The write fails, and the sector is remapped. The data is written to a spare sector, and the drive reports success. This causes the pending sector count to decrease, and the reallocated sector count to increase.

                              b: The write succeeds, and the sector is considered good. The pending sector count decreases, and the reallocated sector count does NOT increase. The data remains in the original sector.

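The smartctl output posted in #2 and cheapie's two-outcome description of writing to a pending sector above can both be turned into something checkable. The following is an added example, not code from the thread or from smartmontools: it parses a constructed excerpt of that smartctl output (the attribute rows and self-test log the discussion hinges on, with the values as posted), lists the findings a practitioner would act on, and classifies a before/after pair of attribute snapshots as case (a) or case (b). Function names and the snapshot format are my own.

```python
import re

# Constructed excerpt of the smartctl output posted earlier in the thread (the
# attribute rows and self-test log the discussion turns on; values as shown there).
SMARTCTL_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       124470440
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       408
187 Reported_Uncorrect      0x0032   099   099   000    Old_age   Always       -       1
190 Airflow_Temperature_Cel 0x0022   065   054   045    Old_age   Always       -       35 (Min/Max 31/41)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure       80%      2067         187881833
# 2  Short offline       Completed: read failure       50%      2066         187881833
"""

# Columns: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW.  Only the
# leading integer of RAW is kept, so "35 (Min/Max 31/41)" parses as 35.
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+(\d+)")
# Self-test log rows: "# n  <description>  <status>  <remaining>%  <hours>  <lba>"
TEST_RE = re.compile(r"^#\s*\d+\s+(.+?)\s{2,}(\S.*?)\s{2,}(\d+)%\s+(\d+)\s+(\S+)")

# Attributes whose raw count, once non-zero, is the usual sign of a failing disk.
CRITICAL_RAW = {5: "reallocated", 187: "reported uncorrectable",
                197: "pending (unreadable, not yet remapped)", 198: "offline uncorrectable"}


def parse_attributes(text):
    """Return {id: {name, value, worst, thresh, raw}} for every attribute row."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[int(m.group(1))] = {
                "name": m.group(2), "value": int(m.group(3)), "worst": int(m.group(4)),
                "thresh": int(m.group(5)), "raw": int(m.group(6))}
    return attrs


def parse_selftests(text):
    """Return a list of {desc, status, hours, lba} rows from the self-test log."""
    tests = []
    for line in text.splitlines():
        m = TEST_RE.match(line)
        if m:
            tests.append({"desc": m.group(1), "status": m.group(2),
                          "hours": int(m.group(4)), "lba": m.group(5)})
    return tests


def assess(attrs, tests):
    """Findings a human should look at; an empty list means nothing alarming."""
    findings = []
    for aid, a in sorted(attrs.items()):
        # A normalised VALUE at or below a non-zero THRESH is what flips the overall
        # self-assessment to FAILED.  The posted drive still says PASSED while failing
        # its self-tests, which is why the raw counts are checked separately.
        if a["thresh"] and a["value"] <= a["thresh"]:
            findings.append(f"{aid} {a['name']}: value {a['value']} <= thresh {a['thresh']}")
        if aid in CRITICAL_RAW and a["raw"] > 0:
            findings.append(f"{aid} {a['name']}: raw {a['raw']} {CRITICAL_RAW[aid]}")
    failed = [t for t in tests if "failure" in t["status"].lower()]
    if failed:
        lbas = sorted({t["lba"] for t in failed})
        findings.append(f"{len(failed)} self-test read failure(s) at LBA {', '.join(lbas)}")
    return findings


def classify_rewrite(before, after):
    """Which of cheapie's two outcomes a rewrite of pending sectors produced, judged
    from attribute snapshots taken before and after the write (only attrs 5 and 197
    are consulted).  Reallocated_Sector_Ct never decreases, so a wipe cannot lower it."""
    d_pending = after[197]["raw"] - before[197]["raw"]
    d_realloc = after[5]["raw"] - before[5]["raw"]
    if d_pending >= 0:
        return "unchanged"
    if d_realloc > 0:
        return "remapped"            # case a: spare sectors used up, drive is faulty
    return "rewritten in place"      # case b: the original sector accepted new data


if __name__ == "__main__":
    attrs = parse_attributes(SMARTCTL_OUTPUT)
    for finding in assess(attrs, parse_selftests(SMARTCTL_OUTPUT)):
        print(finding)
```

Run against the posted numbers it reports the 408 reallocated, 1 uncorrectable, 8 pending and 8 offline-uncorrectable sectors plus the two read failures at LBA 187881833, all while the overall assessment reads PASSED.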


                                #16
                                Re: oh shit my linux box has a rootkit!

                                Well, this looks like a common problem to me: http://forums.seagate.com/t5/Desktop...162/m-p/187908 I would say I'm not alone and that this disk has 4% health left. I'll be lucky to image Mint onto a new partition.


                                  #17
                                  Re: oh shit my linux box has a rootkit!

                                  Originally posted by goontron:
                                  Well, this looks like a common problem to me: http://forums.seagate.com/t5/Desktop...162/m-p/187908 I would say I'm not alone and that this disk has 4% health left. I'll be lucky to image Mint onto a new partition.
                                  ...and that's why I don't like hard drives over 200GB.



                                    #18
                                    Re: oh shit my linux box has a rootkit!

                                    Why would you make an image when it is infected? Get a new hard drive and install a fresh copy of Linux.

                                    Also, I don't understand why wiping it would fix the 408 reallocated sectors.
                                    Last edited by lti; 08-15-2013, 07:32 PM.



                                      #19
                                      Re: oh shit my linux box has a rootkit!

                                      Originally posted by lti:
                                      Why would you make an image when it is infected? Get a new hard drive and install a fresh copy of Linux.

                                      Also, I don't understand why wiping it would fix the 408 reallocated sectors.
                                      It's not infected, it's a bug, see this link: http://ubuntuforums.org/showthread.php?t=1680428 So I imaged it along the lines of Agent24's idea, but not with GNU ddrescue, with Kurt Garloff's ddrescue. And I don't understand why wiping it would fix the sectors either.
                                      Sorry for my poor spelling, I'm typing on my phone.


                                        #20
                                        Re: oh shit my linux box has a rootkit!

                                        Originally posted by cheapie:
                                        The reallocated sector count remained at 0. When a sector is marked as "pending", and a write is performed on it, one of two things can happen:

                                        a: The write fails, and the sector is remapped. The data is written to a spare sector, and the drive reports success. This causes the pending sector count to decrease, and the reallocated sector count to increase.

                                        b: The write succeeds, and the sector is considered good. The pending sector count decreases, and the reallocated sector count does NOT increase. The data remains in the original sector.
                                        I haven't yet come across a drive that did 'b' - perhaps as you said, it's the high areal density issue. Personally I wouldn't trust the drive after either case though.

                                        But then of course, you can never trust any drive. Only thing to do is backup, and then backup again!
