Date: Tue, 29 Jul 2014 17:23:48 -0400
Content-Type: text/plain

One of our servers has malware on it and it hammers eth0.
Using /sbin/ifconfig you see a few thousand reads and 3 G of transmits.
Transmits roll up at about 0.3 G every 2 seconds.
What keeps this bound is that the AT&T network it is tied to is only good for
about 200K upload and 1.5 meg download.
If you look in /boot you will find two linked files named IptabLes and
IptabLex. Once you kill off these processes listed in ps -aux you can
connect to the Internet again.
Search on Google using 'IptabLes' and 'IptabLex'. If you do not use single
quotes all the upper case gets replaced with lower case and you do not find
anything.
In our case data was added to the /etc/hosts table
pointing to 127.0.0.0xxxxxxx. The xxxxxx are a company in China.
We ran a couple of malware detectors and none of them flagged it.
When you search for 'IptabLes' you will find a very detailed description of
where the files are and what they contain.
Removing these files fixes the problem for a few hours. In our case it starts
after 12 PM EST, during lunch, and every so many hours after that.
I have looked at cron, cron.hourly, etc., and do not find anything suspicious.
In my case I am looking for a date stamp of 22 May 2014. This is when this
network crashed. We unplugged this server from the switch and the network was
back up and running.
This box is a quad-core AMD, and ps -aux tells us that it is using 33% of CPU
time. It has a 1G card, the switch is 1G, and on the slow network of 200K
upload it just quits. You have to remove all the programs, and a few hours
later it's back.
If the process is not started by cron, then how else would one launch a
program that can reload the files? Some appear to be assembled, some are
Python, and some are HTML (guess).
This box has about 2 TB of engineering files on it. We removed SL 5.10 and
reformatted the disk, reinstalled 5.10, and it worked very well for a few
weeks; then it came back. I need to find out where the main program is and
blow it away. I would assume that it has multiple copies of itself, but
where?
Is it contained in an OS file, as with some other viruses where the file
contains the original in the first 4096 bytes, the next block is the virus,
and the rest of the file follows at 8096? So if you run something like "cp"
the virus spreads to all files in /bin.
If this were on a fast network - everything you own would be sent to China.
Any ideas?
I didn't rewrite what is contained in the web page but just directed you to
it. I don't think I would use a box in a secure environment to examine this;
I am just skeptical of everything I see anymore.
If anyone is interested I will share the details.
Thank You
Larry Linder
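The checks Larry describes by hand (the two mixed-case files in /boot, the added /etc/hosts line, files stamped 22 May 2014, and the question of what relaunches the bot when cron is clean) collected into one offline triage script. This is an added example and is not Larry's script or anything from the page he refers to. It takes a root prefix so it can be pointed at a mounted image instead of the live system, and it builds a constructed sample tree (a hard-linked stand-in for IptabLes/IptabLex, a TEST-NET-3 address in /etc/hosts, an rc.local reference) so that it runs without an infected box; the sysvinit persistence paths it greps (/etc/rc.d, /etc/init.d, /etc/rc.local, cron spools) are my assumption of where to look on an SL 5 system, not something the post establishes.

```shell
#!/bin/sh
# Offline triage helper for the IptabLes/IptabLex symptoms in the post above.
# Every path is taken relative to ROOT so the same functions work against
# "/" on a live box, a mounted disk image, or the constructed sample tree below.

# 1. The two file names the post reports in /boot. The check is case-sensitive
#    on purpose: the names are mixed case, which is why a lowercased search
#    finds nothing. Prints each path found.
find_iptables_bot() {
    root=$1
    for name in IptabLes IptabLex; do
        [ -e "$root/boot/$name" ] && printf '%s\n' "$root/boot/$name"
    done
    return 0
}

# 2. /etc/hosts lines other than comments, blanks and the stock loopback /
#    IPv6 defaults. Anything left is printed for a human to judge; the post's
#    bad entry was an added line, and stock hosts files are short.
suspicious_hosts() {
    grep -Ev '^[[:space:]]*(#|$|127\.|::1|fe00::|ff0[02]::)' "$1/etc/hosts" \
        2>/dev/null || true
}

# 3. Files under the binary directories modified on a given day (YYYYMMDD).
#    Uses POSIX touch -t and find -newer rather than GNU -newermt so it also
#    runs on an old SL 5 userland.
files_modified_on() {
    root=$1; day=$2
    start=$(mktemp); end=$(mktemp)
    touch -t "${day}0000" "$start"
    touch -t "${day}2359.59" "$end"
    find "$root/boot" "$root/bin" "$root/sbin" "$root/usr/bin" -type f \
        -newer "$start" ! -newer "$end" 2>/dev/null | sort
    rm -f "$start" "$end"
}

# 4. Persistence outside cron.hourly: init scripts, rc.local and the cron
#    spools (RHEL/SL 5 sysvinit layout, an assumption) that reference the bot.
#    /etc/init.d is a symlink to /etc/rc.d/init.d on RHEL 5, hence sort -u.
persistence_refs() {
    root=$1
    grep -rl 'IptabLe' \
        "$root/etc/rc.local" "$root/etc/rc.d" "$root/etc/init.d" \
        "$root/etc/cron.d" "$root/etc/crontab" "$root/var/spool/cron" \
        2>/dev/null | sort -u || true
}

# 5. Only meaningful on the live system: running processes by that name, with
#    the CPU share the post mentions (33%).
running_bot_processes() {
    [ "$1" = / ] || return 0
    ps -eo pid,pcpu,comm | grep 'IptabLe' || true
}

report() {
    root=$1; day=$2
    echo "== bot files in /boot";                    find_iptables_bot "$root"
    echo "== non-loopback /etc/hosts entries";       suspicious_hosts "$root"
    echo "== files under bins modified on $day";     files_modified_on "$root" "$day"
    echo "== init/cron references to the bot";       persistence_refs "$root"
    echo "== running processes (live system only)"; running_bot_processes "$root"
}

# Constructed sample tree, NOT a real infected host, so the script runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/boot" "$root/bin" "$root/etc/rc.d" "$root/etc/cron.d"
    printf 'bot stand-in\n' > "$root/boot/IptabLes"
    ln "$root/boot/IptabLes" "$root/boot/IptabLex"   # the post: "two linked files"
    touch -t 201405221223 "$root/boot/IptabLes"      # the 22 May 2014 stamp
    printf 'clean binary stand-in\n' > "$root/bin/cp"  # current mtime, should not match
    printf '%s\n' '127.0.0.1 localhost' '::1 localhost6' \
        '203.0.113.9 update.example.invalid' > "$root/etc/hosts"  # constructed entry
    printf '%s\n' '#!/bin/sh' '/boot/IptabLes' > "$root/etc/rc.d/rc.local"
    printf '%s\n' '0 * * * * root /bin/true' > "$root/etc/cron.d/harmless"
    printf '%s\n' "$root"
}

SAMPLE_ROOT=$(make_sample_tree)
report "$SAMPLE_ROOT" 20140522
# On a real box, or against a mounted image:  report / 20140522
```

Because the two sample files are hard links to one inode, the date check lists both, which is the same thing the post observed: removing one name leaves the other, and the inode's link count (ls -l) tells you how many names still point at it.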