From: Sofian Brabez
To: Clément Lecigne
Cc: freebsd-security@freebsd.org, Zoran Kolic
Date: Wed, 4 Jul 2012 01:33:27 +0200
Subject: Re: turtle rootkit
Message-ID: <20120703233327.GA58368@freebsd.ifr.lan>
References: <20110830033854.GA1064@faust>

Hi,

On Tue, Aug 30, 2011 at 11:53:12AM +0200, Clément Lecigne wrote:
>
> What do you want? It's just a basic rootkit that hooks some specific
> entries inside the sysent table. It can be detected by checking if a
> device /dev/turtle2dev exists or by sending an ICMP echo request with
> a payload starting with a double '_'; if the rootkit is loaded, no reply
> will be returned.
>
> [root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
> HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
> [main] memlockall(): No such file or directory
> Warning: can't disable memory paging!
>
> --- 127.0.0.1 hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
>
> These tricks can be implemented inside rkhunter or/and chkrootkit.

It has been implemented since rkhunter 1.4.0 [1], and now the security/rkhunter port version [2] is able to detect it during the check scan:

% sudo rkhunter --version | head -1
Rootkit Hunter 1.4.0
% sudo rkhunter --list rootkits | grep -i turtle2
trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire,
% sudo rkhunter --check --sk
...
  Turtle Rootkit                                  [ Not found ]

Btw, the best way to avoid such a rootkit is to use sysctl kern.securelevel in order to prevent untrusted kernel modules from loading at runtime (but it can be bypassed at boot time...)

Regards

[1] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG?revision=1.226&view=markup
[2] http://docs.freebsd.org/cgi/getmsg.cgi?fetch=471258+0+current/cvs-all

--
Sofian Brabez
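The two Turtle2 indicators from the thread (the /dev/turtle2dev node and the swallowed "__" ICMP echo) and the kern.securelevel mitigation, as an added sh example that is not part of the original messages or of rkhunter; the function names and the device-directory and sysctl-output parameters are this example's own assumptions so the checks can be exercised against constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): host checks for the
# Turtle2 indicators described above plus the kern.securelevel mitigation.
# Function names and parameters are assumptions made for this example.

# Indicator 1: the rootkit creates a device node named turtle2dev.
# Returns 0 (clean) when no such node exists under DEVDIR, 1 if it does.
turtle2_device_absent() {
    devdir="${1:-/dev}"
    if [ -e "$devdir/turtle2dev" ]; then
        echo "WARNING: $devdir/turtle2dev exists (Turtle2 indicator)"
        return 1
    fi
    return 0
}

# Mitigation: kern.securelevel >= 1 refuses runtime module loading.
# Takes the raw 'sysctl kern.securelevel' output ("kern.securelevel: -1")
# as its argument so captured output can be evaluated; 0 when secured,
# 1 when kldload is still allowed, 2 when the value cannot be parsed.
securelevel_blocks_kld() {
    out="$1"
    level="${out##*: }"
    case "$level" in
        ''|*[!0-9-]*) echo "unparseable securelevel: $out"; return 2 ;;
    esac
    if [ "$level" -ge 1 ]; then
        return 0
    fi
    echo "WARNING: kern.securelevel=$level, runtime kldload is allowed"
    return 1
}

# Indicator 2 (needs root and hping, exactly as in Clément's session): an
# ICMP echo whose payload starts with "__" gets no reply while the rootkit
# is loaded. Returns 0 if a reply came back (clean), 1 if it was swallowed.
turtle2_icmp_probe() {
    host="${1:-127.0.0.1}"
    hping -c 1 -n "$host" -e "__probe" -1 2>/dev/null |
        grep -q "1 packets received"
}

# Typical root-shell use (left as a comment so sourcing the file is
# side-effect free):
#   turtle2_device_absent && turtle2_icmp_probe &&
#       securelevel_blocks_kld "$(sysctl kern.securelevel)"
```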