HostOnNet Blog

SHV5 rootkit

I am posting this as this image was in my desktop for years. I want to delete it, so thought of adding it to blog.

In 2006, one of my linux server got hacked. Most will tell you need OS restore when you got hacked. I do not want to restore the OS as its lot of work. So i started with firewall. Blocked all ports other than that of needed services like apache, mail, control panel, etc.. Disabled access to SSH port and allowed only my IP connected to SSH.

Then check the server with rkhunter and chkrootkit and found SHV5 rootkit was installed on the server. So i have installed SHV5 rootkit on my local PC ans study it. Here is a screen shot of my local SHV5 rootkit installation. Then i try uninstall the rootkit on my local pc and verified it really un installed. Then i done the same thing on the server and i monitor it for next few days. Nothing happened, server worked fine for long time. This was caused by an older kernel on the server + some insecure scripts used by the clients.

Posted in Linux

  • How you uninstall the rootkit and even verify that it clean ??

  • admin

    I don’t remember the full uninstall steps now. It got started with adding few lines to /etc/inittab, i removed these lines on my local test insllation and rebooted. After this i could not login to the server with SHV5 rootkit port.

    Running chkrootkit/rkhunter will provide the location of the files in log file, delete that too. I was able to find some files that installed by SHV 5 and delete them.

    I done the same on the server. Actually i want to avoid an OS reload. So i monitor the server next few days. I have upgraded the kernel and i don’t face any hacking after that.