Date: Thu, 31 Jul 2014 13:01:50 -0400
On Tuesday 29 July 2014 10:07 pm, Brandon Vincent wrote:
> On Tue, 2014-07-29 at 17:23 -0400, Larry Linder wrote:
> > If anyone is interested I will share the details.
>
> Larry,
>
> Are you running Apache Struts, Apache Tomcat, or Elasticsearch by any
> chance? Please review CVE-2013-2115, CVE-2013-1966, and CVE-2014-3120 to
> see if any of these apply to your system configuration. This type of
> infection is typically due to the aforementioned vulnerabilities.
>
> As for removal, find and remove the following files with the system
> offline:
>
> /boot/.IptabLes
> /boot/.IptabLex
> /usr/.IptabLes
> /usr/.IptabLex
> /etc/rc.d/init.d/IptabLes
> /etc/rc.d/init.d/IptabLex
> /.mylisthb*
>
> Let me know if you have any more questions.
>
> Brandon Vincent
> /boot/.IptabLes->/etc/rc.d/init.d/IptabLes
> /boot/.IptabLex->/etc/rc.d/init.d/IptabLex
Once you remove them they just become a
/boot/.IptabLes
/boot/.Iptablex
We are not running Apache on this box but "mysql" is running.
There were a number of other copies of .mylisthb* on other drives on this
system.
If you removed these files by hand, then depending on how fast you removed them,
the /boot/IptabLes and /IptabLx were a link to /etc/rc.d/init.d/IptabL. If
you removed the link, the .IptabLes and ./IptableX appeared. If you did not
use "ls -la" you thought you had them but didn't.
The only way to make sure you got all of them is to remove them in one shot.
Put the files in a script.
It appears from our vantage point that any fragment could regen the others.
We played a number of games trying to find out what was regenerating the
files.
In /.mylisthb* files were left but set to chmod 000 /.mylisthb*. Once this
was done it could not regenerate itself. Maybe the program checks for a
file's existence and not whether it is executable?
I put a copy of what we thought were the bad files in an MS directory under
VMware, to prevent their escape. Plan to examine them with a binary editor
soon.
Look at "http://blog.malwaremustdie.org/"; they have a very complete breakdown
of the malware, but I still have never seen the program that runs to set it up.
All we have done is see the output of the program.
Using "yum" to see what files were installed and what files may not be in the
database is a good thing to do.
Plan to do this come Friday as we walk out the door. Hopefully we see it come
Monday.
Need to really track this down because our backups may be infected.
Larry Linder
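As an added example (not Larry's or Brandon's own script), here is a POSIX shell version of the "remove them in one shot" cleanup Larry describes, using the artifact paths named in the thread; the root-prefix argument, the function names and the rpm ownership check are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from either poster. Scans the artifact paths named in the
# thread under a root prefix (default: /), reports symlinks vs regular files,
# and removes everything found in one pass, chmod 000 first. The root prefix,
# function names and rpm check are assumptions for illustration.
IPTAB_PATHS="/boot/.IptabLes /boot/.IptabLex /boot/.Iptablex /usr/.IptabLes \
/usr/.IptabLex /etc/rc.d/init.d/IptabLes /etc/rc.d/init.d/IptabLex"

# iptab_candidates ROOT: every path to check, including the /.mylisthb* glob.
iptab_candidates() {
    root="${1:-}"
    for p in $IPTAB_PATHS; do echo "$root$p"; done
    for g in "$root"/.mylisthb*; do echo "$g"; done
}

# iptab_scan ROOT: print "symlink PATH -> TARGET" or "file PATH" per artifact.
# -L is tested before -e so a dangling link (what "ls -la" reveals after the
# target is deleted) is still reported rather than silently skipped.
iptab_scan() {
    iptab_candidates "$1" | while IFS= read -r f; do
        if [ -L "$f" ]; then
            printf 'symlink %s -> %s\n' "$f" "$(readlink "$f")"
        elif [ -e "$f" ]; then
            printf 'file %s\n' "$f"
        fi
    done
}

# iptab_purge ROOT: one-shot removal. The list is collected before anything is
# touched, so no surviving fragment gets a window to recreate the others.
# Regular files are chmod 000 first (the thread saw regeneration stop once the
# helper was not executable). Returns 0 only if nothing is left afterwards.
# The thread's paths contain no whitespace, so word-splitting $list is safe.
iptab_purge() {
    root="${1:-}"
    list=$(iptab_scan "$root" | awk '{print $2}')
    [ -n "$list" ] || return 0
    for f in $list; do [ -L "$f" ] || chmod 000 "$f" 2>/dev/null || true; done
    for f in $list; do rm -f "$f"; done
    [ -z "$(iptab_scan "$root")" ]
}

# iptab_unowned ROOT: the package-database check Larry mentions, via rpm -qf
# (the database yum works from). Prints "unowned PATH" for files no package owns.
iptab_unowned() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    iptab_scan "$1" | awk '{print $2}' | while IFS= read -r f; do
        rpm -qf "$f" >/dev/null 2>&1 || echo "unowned $f"
    done
}
```

Source the file and run `iptab_scan /` first; only run `iptab_purge /` with the box offline, as Brandon advised, so nothing is live to regenerate the files between the scan and the removal.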