
Re: Help needed on HP-UX 10.20

 
Alvin Wong_3
New Member

Help needed on HP-UX 10.20

Hi,

I would like to request help on HP-UX 10.20. I have recently run
chkrootkit on it and found that there was an alert for the Suckit rootkit
where /sbin/init has been infected. What is the recommended plan of
action here? Do I replace it with a new init? And where do I get the new
init from?
Does anyone have recommendations or links to information on where I can clean the
system of the rootkit?
Thanks in advance.
Tim Adamson_1
Honored Contributor

Re: Help needed on HP-UX 10.20

What was the exact message you received?

Maybe it has inadvertently been modified in some way and can easily be fixed.


Tim
Yesterday is history, tomorrow is a mystery, today is a gift. That's why it's called the present.
Rob_132
Regular Advisor

Re: Help needed on HP-UX 10.20

Maybe this link will help (?).

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x417550011d20d6118ff40090279cd0f9,00.html

You've got me interested, so I'll poke around a bit more and post back if I learn anything.

Good luck in the meantime!

Rob
Steven E. Protter
Exalted Contributor

Re: Help needed on HP-UX 10.20

There is this wonderful tool called Ignite.

It lets you use make_recovery or better yet make_tape_recovery to make backups.

If you have a corrupt file of some kind, you can stick the tape in the tape drive, boot the box, and boot off the tape, and restore the system back clean.

If there is no real data on the box, you can reinstall the operating system.

Even if there are no Ignite backups available, I suggest you start making them after you fix the box.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tim Adamson_1
Honored Contributor

Re: Help needed on HP-UX 10.20

I just installed and ran chkrootkit and received the same result. I am fairly certain my system has not been infected but will check anyway and let you know.


Tim
Alvin Wong_3
New Member

Re: Help needed on HP-UX 10.20

Hi,

Thanks for the prompt response. Well, it is worrying, as I found the same rootkit on my other Linux boxes and I know for sure that the Linux boxes were compromised. I could find the rootkit sk, and running it gave me a shell where I could see .sniffer with the passwords that were collected when passwd ran.

Initial analysis of the HP-UX box seemed to show that there haven't been any further changes, just that running chkrootkit throws up /sbin/init warnings for the Suckit rootkit. It could be a false alarm, and hopefully it is, but because the same rootkit was detected on Linux boxes this week, I think I can ill afford to be relaxed about the issue.

Thanks.
Tim Adamson_1
Honored Contributor

Re: Help needed on HP-UX 10.20

From what I can find out, I think you are fine and I can provide a way to verify anyway.

Here are my findings:

The chkrootkit does a strings on /sbin/init and egreps for HOME

strings /sbin/init | egrep HOME

On HP-UX 10.20:

# strings /sbin/init | egrep HOME
HOME=
# echo $?
0

and if the return status is 0, then status=INFECTED


On linux:

bash-2.05$ strings /sbin/init | egrep HOME
bash-2.05$ echo $?
1


From the chkrootkit script:

# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
NOT_FOUND=3


Tim.
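The test Tim describes, reproduced as an added example (not code from the thread or from chkrootkit itself): a grep hit on the string HOME in /sbin/init yields exit status 0, which chkrootkit maps to INFECTED, so any init that legitimately carries a "HOME=" string trips it. The sample files, the reference checksum and the `cksum_matches` helper are constructed for this example; the stronger check it suggests is the one from the thread's last post, comparing the file's cksum against the value recorded for the installed fileset.

```shell
#!/bin/sh
# Return codes as quoted from the chkrootkit script in the thread.
INFECTED=0
NOT_INFECTED=1
NOT_FOUND=3

# Emulate "strings": print runs of printable characters. Uses the real
# strings(1) when present; otherwise a tr-based stand-in so this runs anywhere.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi
}

# chkrootkit-style Suckit test: "strings FILE | egrep HOME".
# grep exit 0 (a match) becomes INFECTED; no match becomes NOT_INFECTED.
suckit_init_check() {
    [ -f "$1" ] || return $NOT_FOUND
    if printable_strings "$1" | grep -E HOME >/dev/null 2>&1; then
        return $INFECTED
    fi
    return $NOT_INFECTED
}

# Stronger check: compare the first cksum field of FILE with a recorded
# reference value (for HP-UX, the one in the fileset's INFO file).
# The reference passed in here is constructed, not a real HP-UX checksum.
cksum_matches() {
    actual=$(cksum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Constructed stand-ins for /sbin/init: the "HP-UX" one carries the literal
# "HOME=" Tim saw; the "Linux" one does not. Prints the directory created.
make_samples() {
    dir=$(mktemp -d)
    printf 'binary\0junk\0HOME=\0more\0' > "$dir/init_hpux"
    printf 'binary\0junk\0PATH=\0more\0' > "$dir/init_linux"
    echo "$dir"
}
```

Run `d=$(make_samples); suckit_init_check "$d/init_hpux"; echo $?` to see the false positive (0) on a file that merely contains "HOME=".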
Alvin Wong_3
New Member

Re: Help needed on HP-UX 10.20

Thanks for your help,

I believe that chkrootkit is giving a false alarm for every HP-UX 10.20 install, including fresh ones. I couldn't find any flaw which points to the rootkit being present in the system, unlike my Linux boxes. I'll probably have to notify the developers of chkrootkit about this flaw.

Regards,
Alvin
Tim Adamson_1
Honored Contributor

Re: Help needed on HP-UX 10.20

Glad to hear that.

Forgot to tell you how to determine the true details of the file:

I ran an swlist as follows:

# swlist -l file | grep init | grep -v init.d

That will give some filesets where the /sbin/init file lives (OS-Core/ and PHxx_nnnnnn). Sorry I can't be more specific but I forgot to record it.

Now check out the INFO file for those products (aim for the latest patch fileset):

# cd /var/adm/sw/products/

Work your way through the INFO file until you come across your file and check the permissions, ownership and cksum etc.

You could also run a swverify but for me, so much stuff failed it wasn't funny. It is a test server.


Tim.