trojan - removal problems

Anders Karlsson trudheim at gmail.com
Thu Jan 26 10:57:50 UTC 2006


On 1/26/06, Billy Verreynne (JW) <VerreyB at telkom.co.za> wrote:
> A file handle (which is what a socket handle also is) is owned by a
> process image in the kernel.. unless I'm mistaken?

True.

> Thus with netstat/lsof you should be able to uncover the Unix PID(s)
> of the trojan. Once you have that you can use that to track down the
> executable image on disk that was loaded as the process image into the
> kernel. Assuming of course that it has not injected/rootkit'ed actual
> valid process executables (or even shared libs - which is what I would
> aim for if I was writing a backdoor).

Only if the trojan has not replaced those tools with new ones that
hide its own PIDs etc. Rootkits often tweak things like lsof, fuser,
ps, ls etc. to hide themselves. This is also possible to do with a
kernel module that rewrites system calls. Once loaded, you cannot see
it with lsmod; any system calls will be altered to disguise certain
directories, PIDs etc.

Once a box is rooted, reinstall is the only available option. Even
data from the server should be treated as contaminated.

> Another idea.. MD5 checksums. These should be available for valid o/s
> executables. You can do a comparison. Or why not force re-install the
> Ubuntu packages you believe is infected? That should remove and
> replace the infected file(s) .

That is what tools like AIDE and Tripwire are for. They are only good
if installed and set up when the server was built though. Adding them
as an afterthought is no good. The box could already have been
compromised.

> Also, disable all services. Even networking. Boot into console mode
> (why does Debian not treat init level 3 as multi-user non-X and level
> 5 as multi-user X?) to make sure that the absolute bare minimum is
> running.
>
> Then enable services manually one by one using netstat/lsof/ps to keep
> track of what processes are started and what they do.

Services not used should not be running by default. And the standard
Ubuntu install has precious little running. Any servers installed
later by the administrator should be properly secured before being let
loose on the net. Common practice.

If a system has been compromised, pull it off the net, isolate it, use
a LiveCD to do forensics, then blatt the box.

Just my €0.02,

--
Anders Karlsson <trudheim at gmail.com>
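As an added illustration of two of the checks discussed in this thread (the PID cross-check from the netstat/lsof/ps argument, and the checksum baseline that AIDE and Tripwire do properly), here are plain sh functions written for this page; they are not code from the thread, from Ubuntu, or from AIDE/Tripwire. They assume GNU coreutils (md5sum, comm, sort, cut, find, mktemp) on the rescue system, and the sample tree and PID lists at the bottom are constructed, not taken from any real host. As the message above points out, the PID comparison only catches a user-land rootkit that patched ps: a kernel module filtering /proc lies to both views, and a manifest built after the compromise merely baselines the rootkit.

```shell
#!/bin/sh
# Added example, not from the ubuntu-users thread. Portable sh functions
# over explicit inputs, so they can be run from a trusted LiveCD against
# data copied off a suspect box. Assumes GNU coreutils.

# --- 1. PIDs visible in /proc but missing from ps --------------------------
# $1: newline-separated entries from `ls /proc`  (non-numeric ones ignored)
# $2: newline-separated PIDs from `ps -e -o pid=` (leading blanks stripped)
# Prints PIDs present in $1 only. A patched ps shows up here; a kernel
# rootkit filtering /proc hides from both inputs and is NOT caught.
hidden_pids() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" | sed 's/^ *//' | grep -E '^[0-9]+$' | LC_ALL=C sort -u > "$a"
    printf '%s\n' "$2" | sed 's/^ *//' | grep -E '^[0-9]+$' | LC_ALL=C sort -u > "$b"
    comm -23 "$a" "$b"          # lines only in the /proc view
    rm -f "$a" "$b"
}

# --- 2. Checksum baseline and verification (AIDE/Tripwire in miniature) ----
# The baseline must be built when the box is installed and kept off-host on
# read-only media; one built after a break-in just records the rootkit.
make_manifest() {   # $1: directory; prints "HASH  PATH" lines (md5sum format)
    find "$1" -type f -exec md5sum {} + | LC_ALL=C sort -k2
}

check_manifest() {  # $1: baseline manifest file; $2: directory to re-hash
    cur=$(mktemp) && bs=$(mktemp) && cs=$(mktemp) && gone=$(mktemp) && new=$(mktemp) || return 2
    make_manifest "$2" > "$cur"
    LC_ALL=C sort "$1"    > "$bs"
    LC_ALL=C sort "$cur"  > "$cs"
    # Lines only in the baseline are files removed or modified; lines only in
    # the current manifest are files added or modified. Field 3 is the path
    # (md5sum separates hash and path with two spaces).
    comm -23 "$bs" "$cs" | cut -d' ' -f3- | LC_ALL=C sort > "$gone"
    comm -13 "$bs" "$cs" | cut -d' ' -f3- | LC_ALL=C sort > "$new"
    report=$(
        comm -12 "$gone" "$new" | sed 's/^/MODIFIED /'
        comm -23 "$gone" "$new" | sed 's/^/REMOVED  /'
        comm -13 "$gone" "$new" | sed 's/^/ADDED    /'
    )
    rm -f "$cur" "$bs" "$cs" "$gone" "$new"
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1                    # non-zero: tree differs from baseline
}

# --- Demo on a constructed tree (sample data, not from any real host) -------
demo() {
    d=$(mktemp -d) && base=$(mktemp) || exit 2
    printf 'int main(){}\n' > "$d/ps"
    printf 'hello\n'        > "$d/ls"
    make_manifest "$d" > "$base"        # "install-time" baseline
    printf 'backdoor\n' >> "$d/ps"      # binary trojaned later
    printf 'x\n' > "$d/.rootkit"        # file dropped by the intruder
    rm "$d/ls"                          # file removed
    check_manifest "$base" "$d" || echo "integrity check FAILED (status $?)"
    echo "PIDs in /proc but not in ps:"
    hidden_pids "$(printf '1\n2\n1337\nself\ncpuinfo\n')" "$(printf '  1\n  2\n')"
    rm -rf "$d" "$base"
}
demo
```

On a Debian-derived system the package-level equivalent of the manifest check is debsums against the shipped .md5sums files (a note added here, not part of the thread); it carries the same caveat, since a rootkit that replaced md5sum or the .md5sums lists defeats it unless both are run from trusted media.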