How to find the Rootkit that was used in the Hetzner hack
In the meanwhile, it seems that the BKA (German Federal Criminal Police Office) has lifted their ban on speaking about the issue and Martin Hetzner, the founder of hetzner.de, has issued a statement on how to find the rootkit if it has been planted on a server:
- Use gdb to take a RAM-dump of the SSHD process
- Use strings and grep to find one of the following strings:
key=xxx
dhost=xxx
hbt=3600
sp=xxx
sk=xxx
dip=xxx
The following step-by-step instructions should work for Debian-based systems:
aptitude install gdb
gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`
> gcore
> quit
strings core.XXXXX |grep "key="
If the server's clean, this grep should come up empty.
It seems that as of today it is still unclear how the infection/intrusion has been done in the first place.
2 comments
[ 1.9 ms ] story [ 16.2 ms ] thread