Hi all! I've found an undetected rootkit. It looks like some modification of SHV4/SHV5 (checked with Rootkit Hunter 1.2.9).

Unfortunately I've removed some part of its files, but some remain (attached).

The rootkit was installed in /etc/inittab as a call to /usr/sbin/ttyload. This is a simple shell script calling two daemons:

    /sbin/ttyload -q >/dev/null 2>&1
    /sbin/ttymon >/dev/null 2>&1

The file /sbin/ttyload is a modified ssh daemon, listening on port 974:

    ttylod --help
    sshd version 2.0.13 [i686-unknown-linux]
    Usage: _ttyload [options]
    Options:
      -f file     Configuration file (default /usr/lib/libsh/sshd_config)
      -d          Debugging mode
      -i          Started from inetd
      -q          Quiet (no logging)
      -p port     Listen on the specified port (default: 22)
      -k seconds  Regenerate server key every this many seconds (default: 3600)
      -g seconds  Grace period for authentication (default: 300)
      -b bits     Size of server RSA key (default: 768 bits)
      -h file     File from which to read host key (default: /lib/libsh.so/shhk)
      -V str      Remote version string already read from the socket

There is also a set of files in /lib/libsh.so:

    -rwxr-xr-x 1 root root 677184 2009-08-16 00:02 bash
    -rw-r--r-- 1 root root    493 2009-08-16 00:02 shdcf
    -rw-r--r-- 1 root root    525 2009-07-10 16:24 shhk
    -rw-r--r-- 1 root root    329 2009-07-10 16:24 shhk.pub
    -rw-r--r-- 1 root root    512 2009-08-17 22:37 shrs

shdcf is the config file:

    Port 974
    ListenAddress 0.0.0.0
    HostKey /lib/libsh.so/shhk
    RandomSeed /lib/libsh.so/shrs
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin yes
    IgnoreRhosts yes
    StrictModes yes
    QuietMode no
    X11Forwarding yes
    X11DisplayOffset 10
    FascistLogging no
    PrintMotd no
    KeepAlive yes
    SyslogFacility DAEMON
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    UseLogin no
    IdleTimeout 30m
    CheckMail no

I had no time to analyze ttymon yet. ttyload creates an executable with a random name in /tmp, runs it as a service and deletes the file.
You can find it in proc like:

    /proc/3205/exe -> /tmp/<random-name> (deleted)

I suggest adding to rkhunter a search for daemons running from deleted files. I think it could also be a good idea to add to rkhunter some kind of portscan, which will look for services like sshd or telnetd. It is at least suspect if there are a few different ssh daemons running on one machine.

--
Jaroslaw Tabor <ja...@srv.pl>
--
Jarek <ja...@poczta.srv.pl>

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
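A check along the lines of the "daemons running from deleted files" suggestion above, written here as an added example (it is not rkhunter's own code and not part of the original post): walk /proc and report every process whose exe link carries the kernel's "(deleted)" suffix, exactly the /proc/3205/exe -> /tmp/<random-name> (deleted) pattern described. The proc-root argument is an assumption added so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not rkhunter code. Reports processes whose executable has
# been unlinked after launch, as seen in /proc/<pid>/exe -> "... (deleted)".
# The first argument (default /proc) is a hypothetical parameter so the same
# function can be run against a fake proc tree for testing.

# Print "pid<TAB>link target" for each process running from a deleted file.
# Entries whose exe link cannot be read (kernel threads, permission) are skipped.
find_deleted_exes() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -e "$exe" ] || [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${exe#"$proc_root"/}
                pid=${pid%/exe}
                printf '%s\t%s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Exit status 0 when nothing suspicious was found, 1 otherwise, so the check
# can be chained into a larger scan script.
check_deleted_exes() {
    hits=$(find_deleted_exes "$1" | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

# Run directly: list offenders on the live system.
# find_deleted_exes /proc
```

A legitimate process can also show this state briefly after a package upgrade replaced its binary on disk, so treat a hit as something to inspect (compare the link target, start time and listening ports) rather than as proof of a rootkit.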