Remove T0rnkit v8

Tornkit is a rootkit which lets an intruder have unrestricted access to your dedicated server. This guide will help you remove it.


Remove T0rnkit v8



*NOTE* This is a HUGE step “INTO” your server. Doing anything wrong can severly damage your server and make it non-responsive. Do this entire how-to at your own risk. This is NOT a substitute for re-installing the OS, this is simply another WAY to remove a rootkit called T0rnkitv8

If you have not already done so do this step first.
-Login to WHM as root
-Click Tweak Settings and please remove the tick from
[ ] Allow cPanel users to reset their password via email

1. Login to your server via SSH

2. Run CHKROOTKIT. If you do not have this installed then visit CHKROOTKIT Installation and continue once you do.

You will see some INFECTED lines/files. It should also report hidden processes.

Here’s an example of partial output.

Checking `ifconfig’… INFECTED
Checking `login’… INFECTED
Checking `pstree’… INFECTED
and also:
Checking `lkm’… You have X process hidden for ps command

Warning: Possible LKM Trojan installed

3. Type: /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ] Shutting down system logger: [ OK ] Starting system logger: [FAILED] Starting kernel logger: [ OK ]

4. Type: top

You may/will then see:

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

5. Type: /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q


Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)

/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate, tks, tksb, top, tkpnetstat, pg, syslogd, sz

Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs


Now, Lets start the cleaning process:

1. Type: pico /etc/rc.d/rc.sysinit
remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

2. reboot the system

WARNING: 2 servers got their kernel removed after reboot.

If your’s does this too and that is what the DataCenter complains after reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages

That should fix it.

— since already in resuce mode, perhaps also ask them to –force install the following rpm’s

procps*.rpm

psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

3. After the system is up

Type: cd /lib
Type: rm -rf lblip.tk

3. Remove the configuration files given above.

4. Type: cat /etc/redhat-release
note down your version of redhat, then from
www.rpmfind.net

search for the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm

sysklogd*.rpm

— and rpm –force install them

5. if you see the hosts.h file, it says to hide all IP’s from

Type: cat /usr/include/hosts.h
193.60

If you want, you can block all the IP’s from 193.60 to your server via iptables.

Or if you have you can add them to the Deny File.

6. If the above is completed.
Reboot the Server & Run CHKROOTKIT again.

Spread the love
blank