Boot from your install CD in rescue mode. (Enter "linux rescue" when booting.) It will/should tell you how to chroot to your root partition. Run passwd. exit to reboot.

This will get you running, however you should think seriously about keeping a compromised system. There is no telling what the hacker did while he was logged in as root. Any hacker worth his black hat will install a root kit or two and some hidden backdoors as well as other surprises. My policy is to immediately format any system that has been hacked. If you want to preserve evidence for possible forensic analysis, buy a new drive and send the compromised one to someone who knows this business. I've never worked for a company that wanted to attempt prosecution, we just wanted to know what happened and how to prevent it in the future.

My $0.02.

-Michael

>>> gmalsack@classic.net 10/21/02 09:45AM >>>
Hi All,

Someone with nothing better to do hacked into one of my mom & pop customers' FTP server using a program called SucKIT. In case you haven't heard of this before, I highly recommend looking it up at phrack.org and learning about it. I've even uploaded the README file if you would like. It talks about ways to safeguard yourself from this type of attack.

Anyways, can anyone tell me how to change the root password back to what it was? So we can log in and get things fixed?

Thanks...
Greg

++++++++++++++++++ SucKIT README File ++++++++++++++++++++++++++++++++

SucKIT v1.3b, (c) 2002 by sd <sd@cdi.cz> & devik <devik@cdi.cz>
+-------------------------------------------------------------+

Code:      by sd, with a lot of help from devik <devik@cdi.cz>
Concepts:  by Silvio Cesare - /dev/kmem, devik - kmalloc & IDT
           http://phrack.org/p58/phrack-09
Tested:    by hundreds of script kiddos around the globe :)
Targets:   i386-Linux boxen, kernels 2.2.x, 2.4.x without security patches/modules.
Downloads: http://sd.g-art.nl/sk

The SucKIT is an easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without help of LKM support nor System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it has integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server. No compiling on target box needed, one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free). You could find details about technical background in 'src' directory.

Compiling
+-------+

To configure parameters (where is your home, which suffix will hide files, and of course, access password) must be given before compiling by:

  $ make skconfig

Then you could compile all of the stuff by:

  $ make

You will get a file, probably called 'inst' in current directory. It's a script you upload to target box, exec it and then try to remotely login to that host using './login' and password you supplied in skconfig.

FAQ
+-+

Q: When I try to load suckit, it will segfault with kernel oops, wtf?
A: Fire up gdb and send me a bug report where is problem :)

Q: How I can login to machine running suckit from my Win95?
A: Dunno, btw, I'm interested in how many people ported suckit to cygwin :)

Q: How I can make suckit to run automatically each reboot of machine?
A: The generic way (as the install script does) is to rename /sbin/init to /sbin/init<hidesuffix>, and place sk binary instead of /sbin/init, so suckit will get resident immediately after boot. However, when it will get resident, all of such changes will be stealthed ;) If you can't fiddle with /sbin/init, you still can place binary to somewhere into /etc/rc.d/rc3.d/S##<hidesuffix> or such.

Q: When I make some pid invisible, it still appears in `ps` and `top` listing, what's wrong?
A: Filtering out /proc records is only for non-suckit, regular, users. That means, it doesn't affect you when your shell is invisible. *KEEP IN MIND* that suckit doesn't twist information in system for you, it does only for rest of the world :P

Q: How I can beat rootkits of such kind?
A: There are many ways today. You should remove writing ability from /dev/kmem (which might make some lowlevel software angry, XFree, for example) in conjunction with disabling LKM support. Or load some anti-lkm LKM (that doesn't work when sk already installed), such as StMichael (yes, this module can beat us :) Also note that best thing to do is simple; don't allow kids to enter your servers ;p

Q: I recompiled sk and it loses contact with kernel instance running somewhere, what I could do?
A: Please! Use ONE binary at the time! Each iteration of skconfig will generate unique version which can not be used with any later nor further iterations! [btw, that will crash at the time anyway]

Q: Loggin' to machine takes a lot of time, how to speed up this process?
A: Ports on given box were filtered, and client is waiting for TCP handshake, so you have to specify explicitly destination port, f.e. ./login -h your.loved.box.cz -d 80
   dns (53), www (80), ssh (22) are probably the best choices.

Q: I want to execute some init script each boot of a box, what I should do?
A: Create shell script called '.rc' in your sk home directory. Take into account that it will get executed immediately with sk (=init), so putting sleep 300 there would be good idea before doing something.

Q: Where sniffer puts its logs?
A: ~/.sniffer, note that this file *must* be at least 222, coz sniffed pids write to this file with their [e]uid.

Distribution, future versions and such bullshit
+---------------------------------------------+

As SucKIT took a good success in script-kiddo community, I decided to continue in this project. All suckit versions, from the oldest to the current one you could find at: http://sd.g-art.nl/sk

Of course, any code, flames, ideas, patches, "bug-reports", loveletters, pr0n, passwordz and other feedback will be appreciated at sd@cdi.cz

Thanks
+----+

I would like to thank:
- alin@mido.ro, lstat() bugfix, interesting discussions on new features ;)
- devik <devik@cdi.cz> For the most important contributions to this code, moral, mental, material support ;)
- mqe <mqe@bboy.com> For catching the bugs, ideas about encryption, and other feedback.
- coolvibe <coolvibe@hackerheaven.org> and rest of the g-art.nl guys Shell account, hosting the site ...
- thement, fis, destruct_ ... For betatesting all of my rootkit creations ;)
and to a lot of other IRC people who give me valuable comments/ideas in field of this code :) btw, if you will get lucky, you could reach me in realtime with any feedback on IRCNet unless I am away.

Last words
+--------+

What to say there? If you still didn't get what the hell is all of this about, you're probably reading bad file, maybe, you downloaded bad tar archive. By the way, I got some sort of funny "feedback" from "security experts"/admins or such getrewted people. They claim that I or devik are those evil h4x0r3rs who compromised their machines. NO! We're coders and we'll take NO RESPONSIBILITY what someone else did with our code.

As always, Have fun!
-sd

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
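As an added example, not part of this thread and not from the SucKIT README or its authors: a small POSIX shell script that does the check Michael's advice implies. The README itself says the kit swaps /sbin/init for its own binary and then hides that change from the running system, so any integrity check has to run from rescue media against the mounted, unbooted root partition, never on the live kernel. The script records SHA-1 hashes of chosen binaries on a known-clean install (kept off the box) and later compares the mounted disk against that list; it generalizes to any set of paths, not just /sbin/init. The manifest format, the example paths and the /mnt/sysimage mount point are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the SucKIT README): verify critical
# binaries on an untrusted, *mounted* root partition against a SHA-1
# manifest recorded on a known-clean install and stored off the box.
# Run from rescue media; the running system of a rootkitted box cannot be
# trusted to report its own files honestly.
# Manifest line format, same as sha1sum output: "<sha1>  <absolute path>"
# Paths, mount point (/mnt/sysimage) and manifest name are assumptions.

# make_manifest ROOT PATH...
# Print one manifest line per PATH, hashing the file found under ROOT.
# Run once on a clean system (ROOT="/") and keep the output offline.
make_manifest() {
    root=$1
    shift
    for path in "$@"; do
        [ -f "$root$path" ] || return 1
        printf '%s  %s\n' "$(sha1sum "$root$path" | cut -d' ' -f1)" "$path"
    done
}

# check_manifest ROOT MANIFEST
# Print "CHANGED path" or "MISSING path" for every entry that does not
# match the manifest; return 0 only when every listed file matches.
check_manifest() {
    root=$1
    manifest=$2
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            bad=1
        else
            got=$(sha1sum "$target" | cut -d' ' -f1)
            if [ "$got" != "$want" ]; then
                echo "CHANGED  $path (expected $want, got $got)"
                bad=1
            fi
        fi
    done < "$manifest"
    return $bad
}

# Stand-alone use (assumed file name check_root.sh, assumed mount point):
#   on the clean box:   sh check_root.sh make / /sbin/init /bin/ls /bin/ps > baseline.sha1
#   from rescue media:  sh check_root.sh check /mnt/sysimage baseline.sha1
case "$1" in
    make)  shift; make_manifest "$@" ;;
    check) check_manifest "$2" "$3" ;;
esac
```

The point of the off-box manifest is that it does not depend on anything stored on the compromised disk: the rpm database that `rpm -V` would consult lives on that same disk and can be edited by whoever has root. A clean result only says the listed files match; it says nothing about files that were never listed, which is why Michael's advice to rebuild rather than trust the system still stands.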