Remove T0rnkit v8

Last Updated: November 30, 1999


*NOTE* This is a HUGE step "INTO" your server. Doing anything wrong can severely damage your server and make it non-responsive. Follow this entire how-to at your own risk. This is NOT a substitute for re-installing the OS; it is simply another WAY to remove the rootkit called T0rnkit v8.

If you have not already done so, do this step first:
-Login to WHM as root
-Click Tweak Settings and please remove the tick from
[ ] Allow cPanel users to reset their password via email

1. Login to your server via SSH

2. Run CHKROOTKIT. If you do not have it installed, see CHKROOTKIT Installation and continue once it is.
You will see some INFECTED lines/files. It should also report hidden processes.

Here's an example of partial output.

Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed

3. Type: /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

4. Type: top

You may/will then see:

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

5. Type: /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q




Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps process hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (the system's md5 checksums)
/lib/ldd.so (holds tks (sniffer), tkp (parser) and tksb (log cleaner))

Infected Binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate, tks, tksb, tkp, netstat, pg, syslogd, sz

Infected Libraries:

libproc.a, libproc.so.2.0.6, libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs


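The lists above are all you need for a quick file-level check. The script below is an added example (not part of the original how-to) that looks for exactly those T0rnkit v8 artefacts under a given root. Because ls and find are on the infected-binaries list, the point of the ROOT argument is that you can boot the Red Hat CD into rescue mode, mount the disk (e.g. at /mnt/sysimage, as the page mentions) and run the check with the rescue system's clean tools; the indicator paths and the /mnt/sysimage location are the only things it takes from the page, everything else is assumed.

```shell
#!/bin/sh
# Added example, not part of the original how-to: look for the T0rnkit v8
# artefacts listed on this page. ROOT defaults to "/" but can be pointed at a
# mounted rescue image (e.g. /mnt/sysimage) so the check uses clean tools
# instead of an "ls"/"find" that may already be trojaned.

# Indicator paths, taken from the configuration-file and backdoor lists above.
T0RN_FILES="usr/include/file.h usr/include/proc.h usr/include/hosts.h \
usr/include/log.h lib/lidps1.so lib/ldd.so dev/sdr0"
T0RN_BACKDOOR_DIR="lib/lblip.tk"
T0RN_BACKDOOR_FILES="shdc shhk.pub shk shrs"

# Report every indicator present under the tree $1.
# Returns 0 when nothing was found, 1 when at least one indicator exists.
check_t0rnkit_indicators() {
    root="${1:-/}"
    root="${root%/}"        # strip a trailing slash so paths join cleanly
    found=0
    for f in $T0RN_FILES; do
        if [ -e "$root/$f" ]; then
            echo "INDICATOR file: /$f"
            found=1
        fi
    done
    if [ -d "$root/$T0RN_BACKDOOR_DIR" ]; then
        echo "INDICATOR dir:  /$T0RN_BACKDOOR_DIR"
        found=1
        for b in $T0RN_BACKDOOR_FILES; do
            if [ -e "$root/$T0RN_BACKDOOR_DIR/$b" ]; then
                echo "  backdoor file: $b"
            fi
        done
    fi
    # hosts.h holds the IP prefix that the trojaned netstat hides; show it,
    # because that prefix is what step 6 of the cleanup blocks.
    if [ -f "$root/usr/include/hosts.h" ]; then
        echo "  hidden prefix: $(cat "$root/usr/include/hosts.h")"
    fi
    return $found
}

# Number of top-level indicators found (for a one-line summary).
count_t0rnkit_indicators() {
    check_t0rnkit_indicators "$1" | grep -c '^INDICATOR' || true
}

# Usage: against the live root, or against the disk mounted from rescue mode.
#   check_t0rnkit_indicators /mnt/sysimage || echo "T0rnkit artefacts found"
```

A clean result from this script only means the listed files are gone; the trojaned binaries (ps, netstat, ls, ...) are not detected by it, which is why the how-to still reinstalls the packages and reruns CHKROOTKIT at the end.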



Now, let's start the cleaning process:


1. Type: pico /etc/rc.d/rc.sysinit
remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q


2. reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If yours does this too and that is what the DataCenter reports after the reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages

That should fix it.

-- since they are already in rescue mode, perhaps also ask them to --force install the following rpm's

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

3. After the system is up

Type: cd /lib
Type: rm -rf lblip.tk

4. Remove the configuration files listed above.

5. Type: cat /etc/redhat-release
Note down your version of Red Hat, then from
www.rpmfind.net
search for the following rpm's

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

-- and rpm --force install them

6. If you see the hosts.h file, it tells the trojaned netstat which IPs to hide; its content is the prefix being hidden from you.

Type: cat /usr/include/hosts.h
193.60

If you want, you can block all IPs from 193.60 at your server via iptables.
Or, if you have one, you can add them to your Deny file.

7. Once the above is completed,
reboot the server & run CHKROOTKIT again.

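Two helpers for the last steps above, added here as an example and not part of the original how-to. The first turns the prefix found in /usr/include/hosts.h into the iptables rule and the /etc/hosts.deny line that block it (the page names both options but gives no syntax; the rule form and the deny-file format are assumed). The second reads the output of rpm -V for the packages you just --force installed and flags any file whose MD5 digest still differs from the package, or that is missing, so you can see whether a binary was replaced again before you rely on the reinstalled ps, netstat and friends. The package names are the page's list; the rpm -V sample is constructed and nothing below changes the system, both helpers only print text.

```shell
#!/bin/sh
# Added example, not part of the original how-to: helpers for steps 5 and 6.
# prefix_to_cidr/hosts_h_rules turn the prefix found in /usr/include/hosts.h
# into an iptables rule and a hosts.deny line; flag_modified_binaries reads
# "rpm -V" output and reports package files whose MD5 digest no longer
# matches, or that are missing, after the --force reinstall.

# "193.60" -> 193.60.0.0/16 ; "10" -> 10.0.0.0/8 ; "1.2.3.4" -> 1.2.3.4/32
prefix_to_cidr() {
    p="${1%.}"                       # tolerate a trailing dot ("193.60.")
    n=$(printf '%s' "$p" | awk -F. '{ print NF }')
    case "$n" in
        1) echo "$p.0.0.0/8" ;;
        2) echo "$p.0.0/16" ;;
        3) echo "$p.0/24" ;;
        4) echo "$p/32" ;;
        *) echo "bad prefix: $1" >&2; return 1 ;;
    esac
}

# Read a hosts.h-style file (one prefix per line, blank lines and '#'
# comments ignored) and print, for each prefix, the iptables rule and the
# /etc/hosts.deny line that would block it (tcp_wrappers treats a pattern
# ending in "." as a numeric address prefix).
hosts_h_rules() {
    while read -r prefix; do
        case "$prefix" in ''|'#'*) continue ;; esac
        cidr=$(prefix_to_cidr "$prefix") || continue
        echo "iptables -A INPUT -s $cidr -j DROP"
        echo "hosts.deny: ALL: ${prefix%.}."
    done < "$1"
}

# Parse "rpm -V" output from stdin. The first field is the attribute string
# (third character "5" means the MD5 digest differs) or the word "missing";
# the path is the last field. Config files (marked "c") legitimately differ
# after editing, so they are skipped. Returns 1 if anything was flagged.
flag_modified_binaries() {
    bad=0
    while read -r attrs rest; do
        [ -n "$attrs" ] || continue
        case "$rest" in "c "*) continue ;; esac
        path="${rest##* }"
        case "$attrs" in
            missing) echo "MISSING $path"; bad=1 ;;
            ??5*)    echo "DIGEST  $path"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of "rpm -V" output for the reinstalled packages; on a
# real box you would pipe the actual command in (see usage below).
RPM_V_SAMPLE='S.5....T.    /bin/ps
.......T.    /usr/bin/top
S.5....T.    /sbin/ifconfig
.M.......    /bin/login
missing      /usr/bin/pstree
S.5....T.  c /etc/sysconfig/syslog'

# Usage after the --force reinstall, with the package list from this page:
#   rpm -V procps psmisc findutils fileutils util-linux net-tools textutils sysklogd \
#       | flag_modified_binaries || echo "some package files still differ"
# From rescue mode with the disk mounted, the same check against the image:
#   rpm --root /mnt/sysimage -V procps psmisc ... | flag_modified_binaries
# And for the hosts.h prefix:  hosts_h_rules /usr/include/hosts.h
```

rpm -V trusts the rpm binary and the RPM database on the box, so on a machine that was rooted the rescue-mode form with --root is the one to believe; a digest mismatch on a binary you just reinstalled means something put the trojaned copy back, and the page's advice to reinstall the OS applies.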