Chris wrote:
> Can anyone recommend some links or useful information for removing
> the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat
> 8.0 server owned by a client of mine.
>
> "Searching for ShKit rootkit default files and dirs... Possible
> ShKit rootkit installed" <== chkrootkit output
>
> I have only read limited information on this rootkit from a
> honeypot report where it was used, no cleaning information. I've
> googled a bunch of times, don't go out of your way to answer this,
> the box will be redone anyway. I'm just curious to find out what
> this rootkit is about, not even packetstorm has a copy to look at
> :)
Hi Chris,
The only real way to recover from a rooted machine is a complete wipe and reinstall, regardless of the rootkit. I definitely wouldn't recommend trying to 'clean' a server, especially using some third-party tool.
I know this isn't what you're looking for (and I'm sure you're aware of the pitfalls associated with trying to secure a rooted box) -- this is more of a heads-up to those just getting their infosec feet wet. I'm imagining hordes of kids out there think that re-securing a rooted box is just a matter of clicking the 'Uninstall ro0tkit...' button.
take care,
Cael
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html