SCIENTIFIC-LINUX-USERS Archives

July 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Wed, 30 Jul 2014 00:27:44 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (36 lines)
On Tue, Jul 29, 2014 at 10:07 PM, Brandon Vincent
<[log in to unmask]> wrote:
> On Tue, 2014-07-29 at 17:23 -0400, Larry Linder wrote:
>> If anyone is interested I will share the details.
>
> Larry,
>
> Are you running Apache Struts, Apache Tomcat, or Elasticsearch by any
> chance? Please review CVE-2013-2115, CVE-2013-1966, and CVE-2014-3120 to
> see if any of these apply to your system configuration. This type of
> infection is typically due to the aforementioned vulnerabilities.
>
> As for removal, find and remove the following files with the system
> offline:
>
> /boot/.IptabLes
> /boot/.IptabLex
> /usr/.IptabLes
> /usr/.IptabLex
> /etc/rc.d/init.d/IptabLes
> /etc/rc.d/init.d/IptabLex
> /.mylisthb*

Then "rm -rf /" and restore, carefully, a pristine and updated OS with
manual review of any configurations you're re-installing. And go read
'The Cuckoo's Egg' for a sense of how little you can trust a
compromised system, and how little you can trust law enforcement to be
of any help.

Once someone is in as root, they can manipulate your basic system
libraries, including the ones used to build checksums and audit for
intrusion. Take it offline and *replace* that OS, ASAP, and consider
any passwords used on it to have been compromised.

                   Nico Kadel-Garcia
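The file indicators quoted in the thread, turned into a check that can be run against a mounted copy of the suspect filesystem rather than from the live (and, as the reply points out, untrustworthy) OS. This is an added example, not code from the thread or its participants; the function name and the tree-prefix argument are my own, and the indicator list is only the one quoted above.

```shell
#!/bin/sh
# Added example (not from the list thread): look for the IptabLes/IptabLex
# file indicators quoted in the thread under a filesystem prefix ROOT, so the
# check can run from a clean rescue system against the offline disk.

# Indicators exactly as quoted in the thread; /.mylisthb* is a glob there.
IPTABLES_IOCS="
/boot/.IptabLes
/boot/.IptabLex
/usr/.IptabLes
/usr/.IptabLex
/etc/rc.d/init.d/IptabLes
/etc/rc.d/init.d/IptabLex
"

# scan_iptables_iocs ROOT
# Prints every indicator present under ROOT (default /).
# Returns 1 if any indicator is present, 0 if the tree is clean.
scan_iptables_iocs() {
    root=${1:-/}
    found=0
    for p in $IPTABLES_IOCS; do
        if [ -e "$root$p" ]; then
            printf 'IOC present: %s\n' "$root$p"
            found=1
        fi
    done
    # The glob indicator: anything matching /.mylisthb* at the tree root.
    for p in "$root"/.mylisthb*; do
        [ -e "$p" ] || continue
        printf 'IOC present: %s\n' "$p"
        found=1
    done
    return $found
}

# Usage: mount the suspect disk read-only (e.g. under /mnt/suspect) from a
# rescue medium, then:  scan_iptables_iocs /mnt/suspect
# A non-zero exit means at least one indicator was found.
```

Running this from a rescue system matters for the reason given in the reply: once an attacker has root, the binaries and libraries on the compromised host (including `ls`, `find` and the hashing tools) cannot be relied on to report their own files. A clean result from this check is also only evidence that these particular files are absent, not that the box is clean.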
