Original here: http://blog.evilcoder.net/remove-linux-shv5-rootkit/
remove linux shv5 rootkit
Posted on by Alex Gabriel
I have made this small bash script for those who need it. Many people who have found their machines hacked have reinstalled the Linux operating system because they didn't know how to remove it.
This script will remove known infected files, reinstall them with valid ones, and kill the rootkit.
Requirements
Debian:
  apt-get with working sources
  root access
CentOS:
  yum with working rpm's
  root access
Here it is.
```bash
#!/bin/bash
echo "SHV Rootkit checker by alex [at] evilcoder.net"

# Require an explicit "yes" argument as agreement before touching the system.
if [ $# -ne 1 ]
then
    echo "This is a SHV5 rootkit remover"
    echo "This script is released as it is and i can't be held responsable for any damages"
    echo "This script has been tested on Debian , Ubuntu and CentOS servers "
    echo "You must agree with that"
    echo "Usage : $0 yes"
    exit 1
fi

if [ "$1" != "yes" ]; then
    echo "You should agree"
    exit 1
elif [ "$1" == "yes" ]; then
    echo "Thanks"
fi

# Checking Linux type: first word of the first line of /etc/issue
OS=$(cat /etc/issue | cut -d " " -f 1 | head -1)

# The rootkit keeps its files in /usr/lib/libsh; stop if it is not there.
if [ -d "/usr/lib/libsh" ]; then
    echo "We have SHV rootkit"
else
    echo "You don't have shv5 installed"
    exit 1
fi

echo "System Check"
if [ "$OS" == "Debian" ]; then
    echo "We have Debian"
    echo "Removing immutable from infected files"
    # Clear the s, i and a attributes so the files can be replaced or deleted.
    chattr -sia /bin/dir
    chattr -sia /usr/bin/find
    chattr -sia /sbin/ifconfig
    chattr -sia /bin/ls
    chattr -sia /usr/bin/lsof
    chattr -sia /usr/bin/md5sum
    chattr -sia /bin/netstat
    chattr -sia /bin/ps
    chattr -sia /usr/bin/pstree
    chattr -sia /usr/bin/top
    chattr -sia /lib/libsh.so
    chattr -sia /usr/lib/libsh
    chattr -sia /usr/lib/libsh/*
    chattr -sia /etc/sh.conf
    chattr -sia /sbin/ttymon
    chattr -sia /sbin/ttyload
    echo "Deleting rootkit folders"
    rm -rf /lib/libsh.so
    rm -rf /usr/lib/libsh/
    rm -rf /etc/sh.conf
    rm -rf /sbin/ttyload
    rm -rf /sbin/ttymon
    echo "Reinstall new files"
    apt-get update >>/dev/null
    apt-get -y install --reinstall coreutils binutils net-tools psmisc lsof procps findutils >>/dev/null
    echo "Killing Rootkit"
    killall -9 ttymon
    echo "You should reboot to finish cleaning"
elif [ "$OS" == "Ubuntu" ]; then
    echo "We have Ubuntu"
    echo "Removing immutable from Ubuntu known infected files"
    chattr -sia /bin/dir
    chattr -sia /usr/bin/find
    chattr -sia /sbin/ifconfig
    chattr -sia /bin/ls
    chattr -sia /usr/bin/lsof
    chattr -sia /usr/bin/md5sum
    chattr -sia /bin/netstat
    chattr -sia /bin/ps
    chattr -sia /usr/bin/pstree
    chattr -sia /usr/bin/top
    chattr -sia /lib/libsh.so
    chattr -sia /usr/lib/libsh
    chattr -sia /usr/lib/libsh/*
    chattr -sia /etc/sh.conf
    chattr -sia /sbin/ttymon
    chattr -sia /sbin/ttyload
    echo "Deleting rootkit folders"
    rm -rf /lib/libsh.so
    rm -rf /usr/lib/libsh/
    rm -rf /etc/sh.conf
    rm -rf /sbin/ttyload
    rm -rf /sbin/ttymon
    echo "Reinstall new files"
    apt-get update >>/dev/null
    apt-get -y install --reinstall coreutils binutils net-tools psmisc lsof procps findutils >>/dev/null
    echo "Killing Rootkit"
    killall -9 ttymon
    echo "You should reboot to finish cleaning"
elif [ "$OS" == "CentOS" ]; then
    echo "We got CentOS"
    echo "Removing immutable flag from CentOS known infected files"
    # CentOS keeps dir and lsof in different directories than Debian/Ubuntu.
    chattr -sia /usr/bin/dir
    chattr -sia /usr/bin/find
    chattr -sia /sbin/ifconfig
    chattr -sia /bin/ls
    chattr -sia /usr/sbin/lsof
    chattr -sia /usr/bin/md5sum
    chattr -sia /bin/netstat
    chattr -sia /bin/ps
    chattr -sia /usr/bin/pstree
    chattr -sia /usr/bin/top
    chattr -sia /lib/libsh.so
    chattr -sia /usr/lib/libsh
    chattr -sia /usr/lib/libsh/*
    chattr -sia /etc/sh.conf
    chattr -sia /sbin/ttymon
    chattr -sia /sbin/ttyload
    echo "Deleting rootkit folders"
    rm -rf /lib/libsh.so
    rm -rf /usr/lib/libsh/
    rm -rf /etc/sh.conf
    rm -rf /sbin/ttyload
    rm -rf /sbin/ttymon
    echo "Reinstall new files"
    yum -y reinstall coreutils binutils net-tools psmisc lsof procps findutils >>/dev/null
    echo "Killing Rootkit"
    killall -9 ttymon
    echo "You should reboot to finish cleaning"
fi
```
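Before running the remover it helps to record what is actually present. The following read-only check is an added example, not part of the author's script: it looks for the rootkit paths and the locked binaries that the script above names, and can be pointed at an offline-mounted copy of the disk. The function name `shv5_scan`, the `FOUND`/`LOCKED` output format and the reliance on `lsattr` from e2fsprogs are assumptions of this example.

```shell
#!/bin/bash
# Read-only SHV5 indicator check (added example, not the author's script).
# The paths below are copied from the removal script; nothing is modified.

# Files and directories the removal script deletes as rootkit components.
SHV5_PATHS="/usr/lib/libsh /lib/libsh.so /etc/sh.conf /sbin/ttymon /sbin/ttyload"
# System binaries the removal script unlocks and reinstalls (both distro layouts).
SHV5_BINS="/bin/dir /usr/bin/dir /usr/bin/find /sbin/ifconfig /bin/ls /usr/bin/lsof
/usr/sbin/lsof /usr/bin/md5sum /bin/netstat /bin/ps /usr/bin/pstree /usr/bin/top"

# shv5_scan ROOT: ROOT is "/" for the live system or a mount point of an
# offline copy. Prints one line per indicator; returns 0 only if none found.
shv5_scan() {
    local root="${1%/}" hits=0 p attrs
    for p in $SHV5_PATHS; do
        # [ -e ] is a shell builtin, so the test does not depend on ls or find,
        # which are on the list of files the rootkit is known to infect.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND $p"
            hits=$((hits + 1))
        fi
    done
    for p in $SHV5_BINS; do
        [ -f "$root$p" ] || continue
        # First field of lsattr output is the flag string. The s, i or a flags
        # are the ones the removal script clears with "chattr -sia".
        attrs=$(lsattr -d "$root$p" 2>/dev/null | cut -d ' ' -f 1)
        case "$attrs" in
            *[sia]*) echo "LOCKED $p ($attrs)"; hits=$((hits + 1)) ;;
        esac
    done
    echo "indicators: $hits"
    [ "$hits" -eq 0 ]
}

# Run a scan only when a root directory is given on the command line, e.g.
#   bash shv5_scan.sh /            (live system, as root)
#   bash shv5_scan.sh /mnt/image   (offline copy of the disk)
if [ "$#" -gt 0 ]; then
    shv5_scan "$1"
fi
```

A scan of an offline copy is the more trustworthy result, because on the live system `lsattr` and the kernel's view of the filesystem are still under the compromised host's control.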
If you want a professional rootkit removal without losing anything on your server, contact me using the link from the top menu.
Download bash file:
http://blog.evilcoder.net/shv5-rootkit-remover/
Hope this helps