imported_TheLinuxGuy
New member
Hi,
Here's a quick and dirty how-to on removing the t0rnV8 rootkit, which commonly turns up after the cPanel password-reset (resetpass.cgi) exploit. How do you prevent it?
Log in to WHM as root, go to Tweak Settings and turn off "Allow cPanel users to reset their password via email".
If you want to be sure, also run this (note that the immutable bit has to be cleared with chattr -i before a cPanel update can replace that file):
chmod 000 /usr/local/cpanel/base/resetpass.cgi
chattr +i /usr/local/cpanel/base/resetpass.cgi
How do you know you have been hit?
1. The most common sign is that running ls prints:
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable.
2. Next, try restarting syslog. The system logger fails to come back up:
/etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
Some info on what the rootkit installs and does:
Configuration files:
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (the kit's stored md5 checksums of the system binaries)
/lib/ldd.so (holds tks (the sniffer), tkp (its parser) and tksb (the log cleaner))
Infected binaries:
top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
tks, tksb, tkp, netstat, pg, syslogd, sz
Infected libraries:
libproc.a, libproc.so.2.0.6, libproc.so
Backdoor files, located in /lib/lblip.tk:
shdc
shhk.pub
shk
shrs
Let's remove this bugger.
Start by editing /etc/rc.d/rc.sysinit; at the bottom you will see lines similar to:
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
Remove them; this is how the backdoor gets restarted on every boot. Additionally, find and kill the running backdoor process (netstat is on the trojaned list above, so use a clean copy or look in /proc directly):
netstat -lntpe | grep xntps
Find the PID and run
kill -9 PIDNUMBER
Reinstall the binaries from these packages (you will need to find the matching RPMs for your distribution; they can also be installed from WHM):
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
Remove their files:
rm -rf /lib/lblip.tk
rm -rf /usr/include/file.h
rm -rf /usr/include/proc.h
rm -rf /lib/lidps1.so
rm -rf /usr/include/hosts.h
rm -rf /usr/include/log.h
rm -rf /dev/sdr0
rm -rf /lib/ldd.so
Recompile your kernel; make sure you do this.
Reboot the server.
Run chkrootkit again.
USE THIS AT YOUR OWN RISK; WE ARE NOT RESPONSIBLE FOR ANY MISHAPS. THIS IS NOT TO BE CONSIDERED A REPLACEMENT FOR A REFORMAT, BUT IT WILL WORK FINE.
If needed, binaries from a clean RH9 install's /bin and /usr/bin:
http://www.rack911.com/files/bin9.tar.gz
http://www.rack911.com/files/userbin9.tar.gz
If needed, binaries from a clean RHE install's /bin and /usr/bin:
http://www.rack911.com/files/binrhe.tar.gz
http://www.rack911.com/files/userbinrhe.tar.gz
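The indicator check and the file removal steps above, as one script. This is an added example and not part of the original post: it checks a filesystem root (pass the mount point of the victim disk when working from rescue media) for the t0rnV8 files and the xntps start line in rc.sysinit, removes them on request, and looks up the backdoor's PID by walking /proc instead of calling the trojaned netstat/ps. The function names and the T0RN_* variables are my own; the paths, the xntps line and the package names come from the post. Run the cleaning half only with trusted copies of rm, grep and cp (e.g. from rescue media), since the post's list shows the kit replaces core binaries.

```shell
#!/bin/sh
# Added example, not from the original post: scan a filesystem root for the
# t0rnV8 artifacts listed above and, on request, remove them.
#   t0rn_scan  [ROOT]   prints "FOUND: ..." per indicator, sets T0RN_FOUND
#   t0rn_clean [ROOT]   removes the files and strips the xntps lines
#   t0rn_find_pids      lists PIDs whose executable is xntps (via /proc)
# ROOT defaults to "" (the live /); pass the mount point of the victim disk
# when working from rescue media. Only shell builtins ([ and globbing) look at
# the suspect paths, so the trojaned ls/find cannot hide them from the scan.

# Paths from the post's "Configuration files" and backdoor lists.
T0RN_FILES="/usr/include/file.h /usr/include/proc.h /lib/lidps1.so
/usr/include/hosts.h /usr/include/log.h /lib/lblip.tk /dev/sdr0 /lib/ldd.so"
T0RN_START='/usr/sbin/xntps'      # backdoor start line added to rc.sysinit
T0RN_RPMS="procps psmisc findutils fileutils util-linux net-tools textutils sysklogd"
T0RN_FOUND=0

t0rn_scan() {
    root=${1:-}
    T0RN_FOUND=0
    for f in $T0RN_FILES; do
        # -e misses dangling symlinks, so also test -L
        if [ -e "$root$f" ] || [ -L "$root$f" ]; then
            echo "FOUND: $f"
            T0RN_FOUND=$((T0RN_FOUND + 1))
        fi
    done
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && grep -q "$T0RN_START" "$rc"; then
        echo "FOUND: xntps start line in $rc"
        T0RN_FOUND=$((T0RN_FOUND + 1))
    fi
    echo "t0rn indicators found: $T0RN_FOUND"
}

t0rn_clean() {
    root=${1:-}
    for f in $T0RN_FILES; do
        [ -e "$root$f" ] || [ -L "$root$f" ] || continue
        rm -rf "$root$f" && echo "removed: $f"
    done
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && grep -q "$T0RN_START" "$rc"; then
        cp "$rc" "$rc.t0rn.bak"
        # drop the start line and the "# Xntps" comment the kit puts above it;
        # grep -v exits 1 when nothing is left, which is not an error here
        grep -v -e "$T0RN_START" -e '^# Xntps' "$rc.t0rn.bak" > "$rc" || :
        echo "cleaned: $rc (original saved as $rc.t0rn.bak)"
    fi
    echo "now reinstall from trusted media: $T0RN_RPMS"
}

# /proc is not touched by a userland kit that only replaces ps/netstat, so
# walk it with shell globbing and readlink instead of the listed binaries.
t0rn_find_pids() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            */xntps*) echo "${p#/proc/}" ;;
        esac
    done
}

# Usage on a live box (read-only scan first, then clean):
#   t0rn_scan
#   t0rn_clean && kill -9 $(t0rn_find_pids)
```

The scan deliberately avoids ls, find and netstat: the post's own list says those are replaced, and a trojaned ls that hides names from /usr/include/file.h cannot interfere with the shell's `[ -e ]` test. The rc.sysinit edit keeps a backup so the removed lines can be reviewed afterwards.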