SCIENTIFIC-LINUX-USERS Archives

July 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Larry Linder <[log in to unmask]>
Date: Thu, 31 Jul 2014 13:01:50 -0400

On Tuesday 29 July 2014 10:07 pm, Brandon Vincent wrote:
> On Tue, 2014-07-29 at 17:23 -0400, Larry Linder wrote:
> > If anyone is interested I will share the details.
>
> Larry,
>
> Are you running Apache Struts, Apache Tomcat, or Elasticsearch by any
> chance? Please review CVE-2013-2115, CVE-2013-1966, and CVE-2014-3120 to
> see if any of these apply to your system configuration. This type of
> infection is typically due to the aforementioned vulnerabilities.
>
> As for removal, find and remove the following files with the system
> offline:
>
> /boot/.IptabLes
> /boot/.IptabLex
> /usr/.IptabLes
> /usr/.IptabLex
> /etc/rc.d/init.d/IptabLes
> /etc/rc.d/init.d/IptabLex
> /.mylisthb*
>
> Let me know if you have any more questions.
>
> Brandon Vincent

> /boot/.IptabLes->/etc/rc.d/init.d/IptabLes
> /boot/.IptabLex->/etc/rc.d/init.d/IptabLex
Once you remove them they just become a
/boot/.IptabLes
/boot/.IptabLex

We are not running Apache on this box, but "mysql" is running.
There were a number of other copies of .mylisthb* on other drives on this
system.
If you removed these files by hand, then depending on how fast you removed them,
the /boot/IptabLes and /IptabLx were a link to /etc/rc.d/init.d/IptabL. If
you removed the link, the .IptabLes and ./IptableX appeared. If you did not
use "ls -la" you thought you had them but didn't.
The only way to make sure you got all of them is to remove them in one shot.
Put the files in a script.
It appears from our vantage point that any fragment could regen the others.
We played a number of games trying to find out what was regenerating the
files.
The /.mylisthb* files were left in place but set to chmod 000 /.mylisthb*. Once this
was done it could not regenerate itself. Maybe the program checks for a
file's existence and not whether it is executable?

I put a copy of what we thought were the bad files in an MS directory under
VMware, to prevent their escape. Plan to examine them with a binary editor
soon.
Look at " http://blog.malwaremustdie.org/"; they have a very complete breakdown
of the malware, but I still have never seen the program that runs to set it up.
All we have done is see the output of the program.
Using "yum" to see what files were installed, and what may be files not in the
database, is a good thing to do.
Plan to do this come Friday as we walk out the door. Hopefully we see it come
Monday.
Need to really track this down because our backups may be infected.
Larry Linder
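An added example, not from either poster: a POSIX shell check for the indicator paths Brandon listed, run against an offline root or mounted image. It tests for symlinks before regular files, since Larry observed that removing the /boot link leaves a hidden regular file behind that a plain "ls" does not show. The function name, the constructed demo tree and the `.mylisthb-sample` filename are assumptions.

```shell
#!/bin/sh
# Added example (not the list's or the posters' code): report the IptabLes/IptabLex
# indicator paths quoted in the thread under a given root, distinguishing symlinks
# (with their targets) from regular files, because removing the /boot link can
# leave a hidden regular file behind. Run against an offline or mounted root.

# Indicator paths from the message, relative to the root being scanned.
IPTABLES_INDICATORS="
boot/.IptabLes
boot/.IptabLex
usr/.IptabLes
usr/.IptabLex
etc/rc.d/init.d/IptabLes
etc/rc.d/init.d/IptabLex
"

# scan_iptables_indicators [ROOT]   (name is this example's own)
# Prints one line per finding ("symlink PATH -> TARGET", "file PATH" or
# "other PATH"); returns 0 when nothing is found, 1 when any indicator exists.
scan_iptables_indicators() {
    root="${1:-/}"; root="${root%/}"
    found=0
    for rel in $IPTABLES_INDICATORS; do
        p="$root/$rel"
        # Test -L before -f/-e: those follow the link and would miss a dangling one.
        if [ -L "$p" ]; then
            printf 'symlink %s -> %s\n' "$p" "$(readlink "$p")"; found=1
        elif [ -f "$p" ]; then
            printf 'file %s\n' "$p"; found=1
        elif [ -e "$p" ]; then
            printf 'other %s\n' "$p"; found=1
        fi
    done
    # .mylisthb* sits directly under the root; an unmatched glob stays literal,
    # so each candidate is tested before being reported.
    for p in "$root"/.mylisthb*; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf 'file %s\n' "$p"; found=1
    done
    return $found
}

# Demonstration on a constructed tree (not a real infection): the /boot entry is
# a symlink to the init script, as the thread describes.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/boot" "$demo_root/etc/rc.d/init.d"
: > "$demo_root/etc/rc.d/init.d/IptabLes"
ln -s "$demo_root/etc/rc.d/init.d/IptabLes" "$demo_root/boot/.IptabLes"
scan_iptables_indicators "$demo_root" || echo "indicators found under $demo_root"
rm -rf "$demo_root"
```

Because the symlink is reported with its target, the output also tells you which init script to remove in the same pass, which is the "remove them in one shot" point made above.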
