How to find the Rootkit that was used in the Hetzner hack
11 points by moepstar on June 9, 2013 | 2 comments
In the meanwhile, it seems that the BKA (German Federal Criminal Police Office) has lifted their ban on speaking about the issue and Martin Hetzner, the founder of hetzner.de, has issued a statement on how to find the rootkit if it has been planted on a server:

- Use gdb to take a RAM dump of the SSHD process

- Use strings and grep to find one of the following strings:

    key=xxx
    dhost=xxx
    hbt=3600
    sp=xxx
    sk=xxx
    dip=xxx

The following step-by-step instructions should work for Debian-based systems:

    aptitude install gdb
    gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`
    > gcore
    > quit
    strings core.XXXXX |grep "key="

If the server's clean, this grep should come up empty.

It seems that as of today it is still unclear how the infection/intrusion was done in the first place.
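The procedure from the statement, wrapped into one POSIX shell script as an added example (this is not code from the original post or from Hetzner's statement). It assumes Linux, that gdb is installed (gcore ships with it), root for the dump step, and an assumed output path of /tmp/sshd-core.<pid>. The listener PID is taken from /var/run/sshd.pid, falling back to pgrep, which sidesteps the right-aligned PID column of "ps ax"; the scan uses tr instead of strings so that part runs on a workstation without binutils. The sample data described in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Hetzner's statement.
# Dump the sshd listener's memory and look for the six indicator strings.
# Assumes Linux, gdb installed (provides gcore), root for dump_sshd, and
# /tmp/sshd-core as an assumed output location.

# Indicator strings from the statement. Only hbt=3600 has a fixed value; the
# others are followed by attacker-specific data, so only the prefix is matched.
INDICATORS='key=|dhost=|hbt=3600|sp=|sk=|dip='

# PID of the sshd listener. /var/run/sshd.pid is written by sshd itself, so it
# is preferred over parsing "ps ax" (whose PID column is right-aligned, hence
# the -f1/-f2 confusion). The pgrep fallback matches the full command line,
# so per-session "sshd: user [priv]" children are not selected.
sshd_pid() {
    if [ -r /var/run/sshd.pid ]; then
        cat /var/run/sshd.pid
    else
        pgrep -o -f '^/usr/sbin/sshd'
    fi
}

# Write a core image of the listener to /tmp/sshd-core.<pid> and print its path.
# gcore(1) is the stand-alone equivalent of "gdb --pid=...; gcore; quit".
dump_sshd() {
    pid=$(sshd_pid) || return 1
    [ -n "$pid" ] || { echo "sshd listener not found" >&2; return 1; }
    gcore -o /tmp/sshd-core "$pid" >/dev/null || return 1
    echo "/tmp/sshd-core.$pid"
}

# Print the printable runs of a file, one per line. Stands in for strings(1):
# the minimum-length filter is irrelevant once we grep for the indicators, and
# tr is available where binutils is not.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1"
}

# Number of distinct indicator prefixes present in the image (0 on a clean host).
count_indicators() {
    printable_runs "$1" | grep -oE -- "$INDICATORS" | sort -u | wc -l | tr -d ' '
}

# Print every line containing an indicator, once. Exit 0 if anything matched
# (review the lines by eye: "key=" and "sp=" are short patterns), 1 if clean.
scan_core() {
    hits=$(printable_runs "$1" | grep -E -- "$INDICATORS" | sort -u)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Scan an existing image given on the command line (e.g. the core.XXXXX file
# from the gdb session); with no argument only the functions are defined.
if [ -n "$1" ]; then
    scan_core "$1" || echo "no indicators found in $1"
fi

# Full run as root:
#   if core=$(dump_sshd); then
#       scan_core "$core" || echo "no indicators found in $core"
#   fi
```

To check against a constructed image, write a file containing e.g. "key=0123", "dhost=198.51.100.7" and "hbt=3600" separated by NUL bytes: count_indicators reports 3 and scan_core prints the three lines, while a file holding only ordinary sshd strings such as "HostKey /etc/ssh/ssh_host_rsa_key" yields 0 and a non-zero exit from scan_core.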



I had to use "-f2" instead of "-f1" because "ps ax" showed " 3156 ? Ss 0:00 /usr/sbin/sshd" with a leading space character, probably because by chance my sshd PID was below 10000 and was therefore indented.


How about this, which is much simpler:

    gdb --pid=$(cat /var/run/sshd.pid)



