
SHV4 RootKit


IMPORTANT: This rootkit resets the timestamps of the files after replacing them, so don't try to detect it by looking at the files' modification dates.

Symptoms


  • The tar and ps commands give "Segmentation fault" errors.
  • The ls command shows the lines below at the top of its output:
    ls: unrecognized prefix: do
    ls: unparsable values for LS_COLORS environment variable
  • ldconfig prints an error related to libext-2.so.7.
  • If you copy a fresh ls or ps binary to your server, it will also start giving segmentation faults.

    Confirm the presence of SHV4

  • Look for a directory /lib/security.
  • Look for a file /lib/lidps1.so.
  • Compare the output of ls --version and ps --version with the output of the same commands on another server with the same OS; it will be different.
  • Look for a file /usr/include/file.h.
  • strace the ls command and you will see it accessing /usr/include/file.h.

    OK, I think that is enough evidence.

    Full SHV4 Fingerprints

    It replaces these command files:
    /usr/bin/dir
    /sbin/ifconfig
    /usr/sbin/lsof
    /usr/bin/slocate
    /sbin/syslogd
    /usr/sbin/sshd
    /bin/login
    /usr/bin/md5sum
    /bin/ps
    /usr/bin/find
    /bin/ls
    /bin/netstat
    /usr/bin/pstree
    /usr/bin/top

    It can add these commands:
    /bin/tkp
    /bin/sz
    /bin/tksb
    /bin/tks
    /bin/pg
    /bin/encrypt

    It also adds these files:
    /usr/include/file.h (for file hiding; if you strace ls you will see ls using it)
    /usr/include/proc.h (for process hiding in ps)
    /lib/lidps1.so (for pstree hiding)
    /usr/include/hosts.h (for netstat and network hiding)
    /usr/include/log.h (for log hiding)
    /lib/lblip.tk/ (the backdoored ssh configuration files are in this directory)
    /dev/sdr0 (the system's md5 checksums)
    /lib/ldd.so (holds tks (sniffer), tkp (parser) and tksb (log cleaner))
    /lib/libpbproc.a
    /lib/libproc.so -> libproc.so.2.0.6
    /lib/libproc.so.2.0.6
    /lib/security
    /lib/security/.config
    /lib/security/.config/ssh
    /lib/libext-2.so.7 (this is actually their MD5-hashed backdoor password)
    /lib/security/.config/ssh/ (contains their full backdoor sshd configuration)
    /usr/sbin/xntps (/etc/rc.d/rc.sysinit is modified to start this on reboot)
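    The confirmation steps and the file list above can be turned into a quick check. The script below is an added example, not part of the original page: it looks for the SHV4 indicator paths under a root prefix (the live system by default, or a mounted image of a suspect disk), checks rc.sysinit for the xntps entry, and looks for the LS_COLORS symptom from the installed ls. Function names and the sample test tree are my own.

```shell
#!/bin/sh
# Added example (not from the original page): scan a host, or a mounted image of a
# suspect disk, for the SHV4 file indicators listed above. ROOT defaults to /.

# Paths SHV4 drops or adds, taken from the lists on this page. /lib/security on its
# own is omitted because PAM modules legitimately live there on many distributions;
# its hidden .config/ssh subdirectory is checked instead. /bin/sz (lrzsz) and
# /bin/pg (a pager) can also be legitimate, so treat those two as weak signals.
SHV4_INDICATORS="
/usr/include/file.h /usr/include/proc.h /usr/include/hosts.h /usr/include/log.h
/lib/lidps1.so /lib/libext-2.so.7 /lib/libpbproc.a /lib/libproc.so.2.0.6
/lib/ldd.so /lib/lblip.tk /lib/security/.config/ssh /dev/sdr0 /usr/sbin/xntps
/bin/tkp /bin/tks /bin/tksb /bin/sz /bin/pg /bin/encrypt
"

# shv4_scan ROOT: print every indicator path that exists under ROOT, one per line.
shv4_scan() {
    r="${1%/}"                      # "/" becomes "", so paths stay absolute
    for p in $SHV4_INDICATORS; do
        [ -e "$r$p" ] && echo "$r$p"
    done
    return 0
}

# shv4_count ROOT: number of indicators present, printed as a bare integer.
shv4_count() {
    shv4_scan "$1" | awk 'END { print NR }'
}

# shv4_rc_check ROOT: true if rc.sysinit has been edited to start xntps at boot.
shv4_rc_check() {
    f="${1%/}/etc/rc.d/rc.sysinit"
    [ -f "$f" ] && grep -q 'xntps' "$f"
}

# shv4_ls_symptom: true if the installed ls emits the LS_COLORS complaint shown
# under "Symptoms" (only meaningful on the live host, not on a mounted image).
shv4_ls_symptom() {
    ls / 2>&1 >/dev/null | grep -q 'LS_COLORS'
}

root="${1:-/}"
shv4_scan "$root"
echo "$(shv4_count "$root") SHV4 indicator(s) under $root"
if shv4_rc_check "$root"; then echo "rc.sysinit references xntps"; fi
if [ "$root" = "/" ] && shv4_ls_symptom; then echo "ls shows the LS_COLORS symptom"; fi
```

Run it as root on the suspect host, or point it at a mount of the suspect disk; a hit on the /usr/include headers or /lib/lidps1.so is a strong sign even when ls and ps look normal.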


    All trade marks are property of respective owners
    All rights reserved 2003-2007, Openpages.info, Multan, Pakistan