This tutorial is for system admins and will run you through how to Detect and Clean a hacked cPanel server with T0rnkit

T0rn Rootkit

 

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.

The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.

I am including this so that you all diag and clean up your hacked server.

First of all,
Login to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email

Step 1. run chkrootkit, and you will see some INFECTED lines. It will also report that some process are hidden from the ps

chkrootkit

Checking `ifconfig’… INFECTED
Checking `login’… INFECTED
Checking `pstree’… INFECTED
and also:
Checking `lkm’… You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

Step 3. top

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

——————————————————–

OK.. looks like someone got to your server as well. Since we know what rootkit it is, let us investigate further.

Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz

Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs

——————————————————–

Now, Lets start the cleaning process:

Step 1.
pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

Step 2.
reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If your’s is the case and that is what the DataCenter complains after reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages

that should fix it.

— since already in resuce mode, perhaps also ask them to –force install the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Step 3.
After the system is up

cd /lib
rm -rf lblip.tk

Step 4.
remove the configuration files given above.

Step 5.
cat /etc/redhat-release
note down your version of redhat, then from
www.rpmfind.net
search for the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

— and rpm –force install them

Step 6.
if you see the hosts.h file, it says to hide all IP’s from

cat /usr/include/hosts.h
193.60

thus, if you want, you can block all the IP’s from 193.60 to your server via iptables.

Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again…

You should be OK!

Facebook Comments

More Stuff

What you missed in cybersecurity this week It’s been a busy week — it’s tough to keep up with all the cybersecurity news. We’ve collected some of the biggest cybersecurity stories from the week...
Building a Secure Data Center that You Can Carry in a Backpack wit... Mobile data centers in the field help modern military forces stay connected and execute their missions. Cubic Mission Solutions works with VMware to d...
Updates to VM Compatibility and VMware Tools with vSphere 6.7 Upda... Note: vSphere 6.7 Update 2 was recently announced and will soon be generally available as an update and download. With VMware Tools version 10.0 VMwar...
How to Find and Install Software Applications in Fedora Linux There are countless software packages are available to install on Fedora Linux distribution from the repository provided by Fedora project. You can al...
Spread the love

Posted by News Monkey