Archive for November, 2010

So you got rooted by SHV4 / SHV5 rootkit…

Wednesday, November 17th, 2010

Best symptom that you have SHV4/5 is that you start getting “Unknown HZ value! (#) Assume 100.” messages from top/ps.

More on this at:

rkhunter can help you “confirm” such situation too. Additionally run “chkrootkit” as well.

Now, the question, how you get rid of those.
Many forum/article/etc. on the web will likely say that you do a clean install. Meanwhile undoubtly that’s the best, you might be in a situation where that cannot be accomplished (easily), and/or you need fast (maybe temporary) remedy.

“Best” information I found was at:

So, the rootkit REPLACES – at least, but not limited to – the following commands at their appropriate location (/bin, /sbin, /usr/bin, etc): find, ifconfig, ls, md5sum, netstat, ps, pstree, top, dir, slocate, lsof […]

It also installs and runs /sbin/ttymon and /sbin/ttyload.
Since “ps” is replaced, you won’t be able to list them, though they would likely be running.
You can blindly issue a “killall ttymon” and “killall ttyload” to try to get rid of those process, but anyway you would need a “proper” ps to get information whether they’re killed and if not, try killing by process ID [kill -9 #].

You can get a “ps” from an identical or at least close linux system, or check /usr/lib/libsh/.backup – as the “decent” rootkit makes backups of the “clean” commands there.

After getting rid of the running process[es], lsattr -i -a the suspicious files (if you have the .backup directory, start with the named those), then replace them from either the .backup or from another identical system.

Move/backup/delete the following directories/files:

Check and delete “new”/unneeded entries from:
/etc/passwd and /etc/shadow [like psadmin, default, userx, sysadmin – also delete/move home directories of those, some might have .ssh/authorized.keys]
/root/.ssh/authorized.keys and known_hosts

Change administrator account’s passwords… [And anything you suspect to be leaked and important…]

And of course try to find the cause/way how you got hacked and make sure it won’t happen again.
Based on the creaton time of the directories, you might get a clue when the rooting happened, and check syslog, daemon.log, auth.log, etc. for clues.

Recent hacks could be related to proftpd exploit:
This is/was supposely fixed in version 1.3.3c of proptfp [Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925 ] – and likely backported to earlier version in your distribution, check changelog for package.
Debian changelog for reference:

In case of vulnerable profptd, stop the daemon – and kill all process containing the word proftpd, there will be some…
Download and install the new package.

You might check proftp’s log “just for the fun”, you should see such mix of entries like:
“client sent too-long command, ignoring”, then
“ProFTPD terminating (signal 11)”, then
“FTP session closed.”.
Likely more of these. Then repeated open/closes.

If you see such messages in your log – and not yet hacked -, then update proftpd ASAP to avoid getting SHV4/SHV5 or anything else…