Head Over Heels / SucKIT
July 24, 2003, 11:45 am

Damn you, Jesse. You got that damn Tears for Fears song in my head.
There was more than the usual level of excitement this morning. I started doing some work for one of my clients and I noticed an unusual file, /tmp/inst. I almost deleted it, but then did a quick less and saw a buncha escape codes and then at the bottom it was copying a file over /sbin/init.
Obviously, this is not good.
So I googled some of the text in the file and came up with some hack sites, listing this as the installation script for a root kit called SucKIT. According to the SucKIT readme:
It can hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it has integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server.
Great.
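Two checks a sysadmin could run when triaging a box like the one above, as an added example that is not part of the original post and not SucKIT's own code. The first scans a directory (such as /tmp) for scripts that copy or write something over /sbin/init, which is the behaviour the post spotted at the bottom of /tmp/inst; the second records and re-checks SHA-256 baselines for critical binaries. The sample files and the pattern list are constructed assumptions, not taken from the real installer.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh plus grep -E -a
# and sha256sum (falls back to shasum -a 256). Sample inputs are constructed.

# Print, one per line, regular files under $1 whose text references writing to
# /sbin/init via cp, mv, dd, cat or a shell redirect. grep -a treats the file
# as text even when it is mostly binary (the installer in the post was a shell
# wrapper around an escaped payload). Returns 0 if any file matched, else 1.
find_init_overwrites() {
    dir="$1"
    found=1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if grep -E -a -q '(cp|mv|dd|cat|>)[^#]*/sbin/init' "$f" 2>/dev/null; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# SHA-256 of one file, printed as a bare hex string.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "hash path" lines for every path given; save the output somewhere
# the box cannot rewrite (another host, read-only media).
record_baseline() {
    for p in "$@"; do
        printf '%s %s\n' "$(hash_file "$p")" "$p"
    done
}

# Re-hash every path in baseline file $1. Prints "CHANGED path" for each
# mismatch or missing file; returns 0 if all match, 1 if anything differs.
check_baseline() {
    baseline="$1"
    rc=0
    while read -r h p; do
        [ -n "$p" ] || continue
        cur=$(hash_file "$p" 2>/dev/null || echo MISSING)
        if [ "$cur" != "$h" ]; then
            echo "CHANGED $p"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Typical use on a live system (paths assumed):
#   find_init_overwrites /tmp
#   record_baseline /sbin/init /bin/ls /bin/ps /bin/netstat > /mnt/usb/baseline.txt
#   check_baseline /mnt/usb/baseline.txt
```

One caveat that follows directly from the readme quoted above: a kernel-level kit that hides files and PIDs can also feed these tools false answers, so a clean result from the compromised host proves little. Run the baseline comparison with the disk mounted from trusted boot media, and treat the scan as a way to find the installer's tracks, not as proof the box is clean.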
I found out the rootkit was installed on the client's test and production boxes. I called them and said what was up and then called the company that colocates/manages the box.
When the client first started using the colocation facility, we had a meeting and they said they would be responsible for the hardware and OS. But the guy on the phone said that they weren't responsible for security updates, just software support. WTF?! That sucks. It's a redhat box (which I hate) and now I'm supposed to be responsible for its administration and security? The last thing I want to be responsible for is becoming RedHat proficient. Nasty.
Now I need to figure out how a user got the file copied there and how they executed it. I also have to update my password for all my accounts, which is no trivial task.
It could be worse. The cracker/script kiddie could've done some serious damage.