I'm trying to understand this a little better:
- The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute an "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, i.e. your system is compromised and needs to be rebuilt.
++++++++++++
[negative so no problem and rkhunter didn't find it - forget it]
++++++++++++++++++++
- Change directories to /sbin and execute an "ls -l init" -- the link count should be 1.
max@max-desktop:/lib$ ls -l init
total 36
-rw-r--r-- 1 root root 1801 2010-05-09 18:12 fstab
-rwxr-xr-x 1 root root 9824 2010-03-30 20:17 readlink
drwxr-xr-x 2 root root 40 2010-08-17 09:54 rw
-rw-r--r-- 1 root root 2847 2009-09-08 06:58 splash-functions-base
-rwxr-xr-x 1 root root 1830 2010-08-13 12:26 upstart-job
-rw-r--r-- 1 root root 5791 2009-09-08 06:58 usplash-fsck-functions.sh
-rw-r--r-- 1 root root 571 2009-09-08 06:58 vars.sh
max@max-desktop:/lib$
+++++++++++++++
Link counts are 1 and 2? What does that mean? If infected, will they all be 1?
+++++++++++++++++++
Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.
- Rooted systems send usernames and passwords to other compromised machines using TCP port 55, so if you keep records of network connections, traffic to destination port TCP/55 merits further investigation.
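The three checks quoted above, written as shell functions so each one returns a status you can act on instead of eyeballing "ls -l" output. This is an added example, not code from the original post or from the advisory it quotes. Assumptions: a temporary directory stands in for /sbin so the script runs unprivileged (pass /sbin/init as root to follow the advisory literally); the hard-link test takes the file to test as an argument; the netstat-style connection lines at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post or the quoted advisory):
# the SucKIT checks as shell functions.
# Assumptions: a scratch directory stands in for /sbin; hardlink_check takes
# the file to test as $1; SAMPLE_CONNS is constructed, not real, data.

# Check 1: files whose names end in xrk or mem.
# Returns 0 if "ls -l" shows every file created, 1 if any is missing
# (i.e. something is filtering directory listings), 2 on setup failure.
hidden_suffix_check() {
    dir=$(mktemp -d) || return 2
    missing=0
    for name in probe.xrk probe.mem probexrk probemem; do
        : > "$dir/$name"
        # Compare the last field of each "ls -l" line with the name; ls itself
        # (not stat) is what the advisory says the rootkit hooks.
        if ! ls -l "$dir" | awk -v n="$name" '$NF == n { found = 1 } END { exit !found }'; then
            echo "HIDDEN: $dir/$name not listed by ls -l" >&2
            missing=1
        fi
    done
    rm -rf "$dir"
    return $missing
}

# Hard-link count column (field 2) of "ls -l" for one path.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# Check 2: the link count must rise by one after "ln". Returns 0 if it does,
# 1 if it stays the same (the advisory's indicator for the SK rootkit).
# The link is created beside the file (same filesystem) and removed again.
hardlink_check() {
    target=$1
    link="$target.lnkcheck"
    before=$(link_count "$target")
    ln "$target" "$link" || return 2
    after=$(link_count "$target")
    rm -f "$link"
    if [ "$after" -eq $((before + 1)) ]; then
        return 0
    fi
    echo "SUSPICIOUS: link count of $target stayed $before after ln" >&2
    return 1
}

# Check 3: connections whose remote end is TCP port 55.
# Reads "netstat -tn" style lines on stdin and prints the matching ones.
port55_hits() {
    awk '$1 == "tcp" && $5 ~ /:55$/'
}

# Constructed sample netstat output (not real data) for the port check.
SAMPLE_CONNS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:40112        203.0.113.9:55          ESTABLISHED
tcp        0      0 192.0.2.10:55890        203.0.113.9:443         TIME_WAIT'

# Stand-alone run: probe a scratch file instead of /sbin/init.
scratch=$(mktemp -d)
: > "$scratch/init"
hidden_suffix_check && echo "suffix check: ok"
hardlink_check "$scratch/init" && echo "hard-link check: ok"
printf '%s\n' "$SAMPLE_CONNS" | port55_hits
rm -rf "$scratch"
```

To reproduce the advisory's step exactly, run `hardlink_check /sbin/init` as root: ln needs write access to /sbin and the link must be on the same filesystem as the target, which is why the link is created next to the file and deleted afterwards. Note that the advisory's link-count step is meant for a regular file; a directory's link count already reflects its subdirectories, so "ls -l" on a directory such as /lib/init does not test the same thing.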