Re: [Full-Disclosure] Removing ShKit Root Kit

[Ron DuFresne <dufresne@winternet.com>]

Unless you have tripwire or some other signature records of the binaries
and all conf's for the system, you are best off to wipe and reinstall this
system from scratch. Even if you *do* have tripwire and md5 hashes of all
files on the system, you most likely will find it quicker yo wipe and
reinstall the system from scratch.  With the added step in all reinstall
cases of this type, to patch the holes that allowed toe comepromise to
take place *prior* in reconnecting tot eh dangerous env from whence it was
compromised.

Thanks,

Ron DuFresne

On Sun, 21 Dec 2003, Chris wrote:

> Can anyone reccomend some links or useful information for removing the
> "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server
> owned by a client of mine.
>
> "Searching for ShKit rootkit default files and dirs... Possible ShKit
> rootkit installed" <== chkrootkit output
>
> I have only read limited information on this rootkit from a honeypot
> report where it was used, no cleaning information. Ive googled a bunch
> of times, dont go out of your way to answer this, the box will be redone
> anyway. Im just curious to find out what this rootkit is about, not even
> packetstorm has a copy to look at :)
>
> Thanks,
>
> ChrisR-
> http://www.cr-secure.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html