How to find the Rootkit that was used in the Hetzner hack

11 points by moepstar ↗ HN
In the meanwhile, it seems that the BKA (German Federal Criminal Police Office) has lifted their ban on speaking about the issue and Martin Hetzner, the founder of hetzner.de, has issued a statement on how to find the rootkit if it has been planted on a server:

- Use gdb to take a RAM-dump of the SSHD process

- Use strings and grep to find one of the following strings:

key=xxx

dhost=xxx

hbt=3600

sp=xxx

sk=xxx

dip=xxx

The following step-by-step instructions should work for Debian-based systems:

aptitude install gdb

gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`

> gcore

> quit

strings core.XXXXX |grep "key="

If the server's clean, this grep should come up empty.

It seems that as of today it is still unclear how the infection/intrusion has been done in the first place.

2 comments

[ 1.9 ms ] story [ 16.2 ms ] thread
I had to use "-f2" instead of "-f1" because "ps ax" showed " 3156 ? Ss 0:00 /usr/sbin/sshd" with a leading space character, probably because by chance my sshd PID was below 10000 and therefore indented
How about this, which is much simpler:

    gdb --pid=$(cat /var/run/sshd.pid)