

How to find the Rootkit that was used in the Hetzner hack - moepstar

In the meantime, it seems that the BKA (German Federal Criminal Police Office) has lifted its ban on speaking about the issue and Martin Hetzner, the founder of hetzner.de, has issued a statement on how to find the rootkit if it has been planted on a server:

- Use gdb to take a RAM dump of the SSHD process

- Use strings and grep to find one of the following strings:

    key=xxx
    dhost=xxx
    hbt=3600
    sp=xxx
    sk=xxx
    dip=xxx

The following step-by-step instructions should work for Debian-based systems:

    aptitude install gdb
    gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`
    > gcore
    > quit
    strings core.XXXXX |grep "key="

If the server's clean, this grep should come up empty.

It seems that as of today it is still unclear how the infection/intrusion has been done in the first place.
======
atesti
I had to use "-f2" instead of "-f1" because "ps ax" showed " 3156 ? Ss 0:00 /usr/sbin/sshd" with a leading space character, probably because by chance my sshd PID was below 10000 and therefore indented.

------
stevekemp
How about this, which is much simpler:

    gdb --pid=$(cat /var/run/sshd.pid)
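The whole procedure from the top post (gcore the sshd process, then search the dump for the six indicator strings), folded together with the PID-file shortcut from the comment above, as an added POSIX sh example. This is not code from the thread and not Hetzner's statement; it assumes gdb is installed, that sshd writes its PID to /var/run/sshd.pid (with pgrep as a fallback, which sidesteps the leading-space problem of ps|cut), that the dump is written under /root, and it exercises the scan logic on two constructed sample files (made-up bytes, not real sshd memory) so it runs without gdb or a live sshd. `strings` is emulated with `tr`, so binutils is not required.

```shell
#!/bin/sh
# Added example, not from the HN thread or from Hetzner. Assumptions: gdb with
# gcore support, sshd PID in /var/run/sshd.pid (else pgrep), dump under /root.

# The six indicator strings quoted in the post. "xxx" stands for a variable
# value, so we match the key name plus '='; hbt=3600 is a literal value.
INDICATORS='key=|dhost=|hbt=3600|sp=|sk=|dip='

# Locate the master sshd PID: PID file first, pgrep (-o oldest, -x exact name)
# as fallback. Avoids parsing "ps ax" columns by hand.
sshd_pid() {
    if [ -r /var/run/sshd.pid ]; then
        cat /var/run/sshd.pid
    else
        pgrep -o -x sshd
    fi
}

# Dump the process memory with gdb's gcore (needs root for ptrace). Prints the
# dump path on success, nothing and non-zero status on failure.
dump_sshd() {
    pid=$(sshd_pid) || return 1
    out="/root/sshd-$pid.core"
    gdb -q --batch -p "$pid" -ex "gcore $out" -ex detach >/dev/null 2>&1 || return 1
    printf '%s\n' "$out"
}

# Emulate `strings`: split the binary on non-printable bytes (C locale, so this
# is byte-exact) and keep runs of at least 4 printable characters.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4}'
}

# Print every string that contains an indicator. Returns 0 if anything matched,
# 1 if the dump is clean (same contract as the post's strings|grep).
scan_core() {
    printable_strings "$1" | grep -E "$INDICATORS"
}

# Number of distinct indicator families in the dump (0 on a clean host). Short
# substrings like "sp=" can occur in benign strings, so several families in one
# dump is a far stronger signal than a single hit; always read the hits.
indicator_families() {
    n=0
    for ind in 'key=' 'dhost=' 'hbt=3600' 'sp=' 'sk=' 'dip='; do
        if printable_strings "$1" | grep -Fq "$ind"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample "dumps" (invented bytes, not real sshd memory) so the scan
# logic can be exercised offline. Prints the directory holding them.
make_sample() {
    dir=$(mktemp -d)
    printf 'OpenSSH_6.0p1 Debian\0Accepted publickey\0/etc/ssh/sshd_config\0' \
        > "$dir/clean.core"
    printf 'OpenSSH_6.0p1 Debian\0key=deadbeef\0dhost=203.0.113.7\0hbt=3600\0sp=22\0' \
        > "$dir/infected.core"
    echo "$dir"
}

# Live mode: dump the real sshd and scan it. Only when explicitly requested.
if [ "${1:-}" = "--live" ]; then
    core=$(dump_sshd) || { echo "could not dump sshd (root? gdb installed?)"; exit 2; }
    scan_core "$core" && echo "$core: $(indicator_families "$core") indicator families, inspect!" \
        || echo "$core: clean"
    exit 0
fi

# Demo on the constructed samples.
d=$(make_sample)
for f in "$d/clean.core" "$d/infected.core"; do
    if scan_core "$f" >/dev/null; then
        echo "$f: $(indicator_families "$f") indicator families found, inspect!"
    else
        echo "$f: clean"
    fi
done
rm -rf "$d"
```

Run it as root with `--live` to dump and scan the real sshd; without arguments it only exercises the scan on the constructed files. A non-empty result is a reason to look at the matched strings and the process, not a verdict on its own, since "key=" or "sp=" can also turn up in legitimate data held by sshd.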

