One site contaminated by r57shell

[aceyzeriat]

I found that shit script on one of the joomla web sites, now I am trying to find if damages have been done to the config, any suggesitons ?

[falko]

You can install chkrootkit and rkhunter to find out if malware has been installed on your Linux system.

[aceyzeriat]

Thanks for the tip

here is the result :

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.10/.autoreg /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5 /usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1 /usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.2.R322_v20061114/.options /usr/lib/eclipse/.eclipseextension /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock /usr/lib/qt-3.3/etc/settings/.kstylerc.lock /usr/lib/qt-3.3/etc/settings/.qtrc.lock /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
eth0:0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3816 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing deleted
Press ENTER to exit

[falko]

Did you try rkhunter as well? What's the output?

[aceyzeriat]

Hello Falko

I have tried rkhunter and found some troubles ...
where may I send you the output results for your advice ?


regards,

[falko]

Can you post the output here?

[aceyzeriat]

Hello,

Here is the output of rkhunter
As you can see some commands seem to have been tampered, I need to find the original version for my FC6 and replace them, is there a "state of the art" way to do that or do I just go to RH mirror, download and copy ?

I had to cut the log file to stay under 10,000 characters, I left the most interresting part.

regards,
Arnaud

[10:10:18] Running Rootkit Hunter version 1.3.0 on server
[10:10:18]
[10:10:18] Info: Start date is Mon Dec 31 10:10:18 CET 2007
[10:10:18]
[10:10:18] Checking configuration file and command-line options...
[10:10:18] Info: Detected operating system is 'Linux'
[10:10:18] Info: Found O/S name: Fedora Core release 6 (Zod)
[10:10:18] Info: Command line is /usr/local/bin/rkhunter --check
[10:10:18] Info: Environment shell is /bin/bash; rkhunter is using bash
[10:10:18] Info: Using configuration file '/etc/rkhunter.conf'
[10:10:18] Info: Installation directory is '/usr/local'
[10:10:18] Info: Using language 'en'
[10:10:19] Info: Using '/var/lib/rkhunter/db' as the database directory
[10:10:19] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[10:10:19] Info: Using '/usr/lib/qt-3.3/bin /usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[10:10:19] Info: Using '/' as the root directory
[10:10:19] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[10:10:19] Info: No mail-on-warning address configured
[10:10:19] Info: X will automatically be detected
[10:10:19] Info: Using second color set
[10:10:19] Info: Found the 'diff' command: /usr/bin/diff
[10:10:19] Info: Found the 'file' command: /usr/bin/file
[10:10:19] Info: Found the 'find' command: /usr/bin/find
[10:10:19] Info: Found the 'ifconfig' command: /sbin/ifconfig
[10:10:19] Info: Found the 'ip' command: /sbin/ip
[10:10:19] Info: Found the 'ldd' command: /usr/bin/ldd
[10:10:19] Info: Found the 'lsattr' command: /usr/bin/lsattr
[10:10:19] Info: Found the 'lsmod' command: /sbin/lsmod
[10:10:19] Info: Found the 'lsof' command: /usr/sbin/lsof
[10:10:19] Info: Found the 'mktemp' command: /bin/mktemp
[10:10:19] Info: Found the 'netstat' command: /bin/netstat
[10:10:19] Info: Found the 'perl' command: /usr/bin/perl
[10:10:19] Info: Found the 'ps' command: /bin/ps
[10:10:19] Info: Found the 'pwd' command: /bin/pwd
[10:10:19] Info: Found the 'readlink' command: /usr/bin/readlink
[10:10:19] Info: Found the 'sort' command: /bin/sort
[10:10:19] Info: Found the 'stat' command: /usr/bin/stat
[10:10:19] Info: Found the 'strings' command: /usr/bin/strings
[10:10:19] Info: Found the 'uniq' command: /usr/bin/uniq
[10:10:19] Info: System is using prelinking
[10:10:19] Info: Found the 'prelink' command: /usr/sbin/prelink
[10:10:19] Info: Found the 'sestatus' command: /usr/sbin/sestatus

.....

....

[10:10:33] /usr/bin/file [ OK ]
[10:10:33] /usr/bin/find [ OK ]
[10:10:33] /usr/bin/GET [ Warning ]
[10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:10:33] /usr/bin/groups [ Warning ]
[10:10:33] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:10:33] /usr/bin/head [ OK ]
[10:10:33] /usr/bin/id [ OK ]
[10:10:34] /usr/bin/kill [ OK ]
[10:10:34] /usr/bin/killall [ OK ]
[10:10:34] /usr/bin/last [ OK ]
[10:10:34] /usr/bin/lastlog [ OK ]
[10:10:34] /usr/bin/ldd [ Warning ]
[10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:10:34] /usr/bin/less [ OK ]
[10:10:34] /usr/bin/links [ OK ]
[10:10:35] /usr/bin/locate [ OK ]
[10:10:35] /usr/bin/logger [ OK ]
[10:10:35] /usr/bin/lsattr [ OK ]
[10:10:35] /usr/bin/lynx [ OK ]
[10:10:35] /usr/bin/md5sum [ OK ]
[10:10:36] /usr/bin/newgrp [ OK ]
[10:10:36] /usr/bin/passwd [ OK ]
[10:10:36] /usr/bin/perl [ OK ]
[10:10:36] /usr/bin/pstree [ OK ]
[10:10:36] /usr/bin/readlink [ OK ]
[10:10:36] /usr/bin/runcon [ OK ]
[10:10:37] /usr/bin/sha1sum [ OK ]
[10:10:37] /usr/bin/size [ OK ]
[10:10:37] /usr/bin/stat [ OK ]
[10:10:37] /usr/bin/strace [ OK ]
[10:10:37] /usr/bin/strings [ OK ]
[10:10:37] /usr/bin/sudo [ OK ]
[10:10:38] /usr/bin/tail [ OK ]
[10:10:38] /usr/bin/test [ OK ]
[10:10:38] /usr/bin/top [ OK ]
[10:10:38] /usr/bin/tr [ OK ]
[10:10:38] /usr/bin/uniq [ OK ]
[10:10:38] /usr/bin/users [ OK ]
[10:10:39] /usr/bin/vmstat [ OK ]
[10:10:39] /usr/bin/w [ OK ]
[10:10:39] /usr/bin/watch [ OK ]
[10:10:39] /usr/bin/wc [ OK ]
[10:10:39] /usr/bin/wget [ OK ]
[10:10:39] /usr/bin/whatis [ Warning ]
[10:10:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:10:39] /usr/bin/whereis [ OK ]
[10:10:40] /usr/bin/which [ OK ]
[10:10:40] /usr/bin/who [ OK ]
[10:10:40] /usr/bin/whoami [ OK ]
[10:10:40] /usr/bin/gawk [ OK ]
[10:10:40] /sbin/chkconfig [ OK ]
[10:10:40] /sbin/depmod [ OK ]
[10:10:41] /sbin/ifconfig [ OK ]
[10:10:41] /sbin/ifdown [ Warning ]
[10:10:41] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:10:41] /sbin/ifup [ Warning ]
[10:10:41] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:10:41] /sbin/init [ OK ]
[10:10:41] /sbin/insmod [ OK ]
[10:10:41] /sbin/ip [ OK ]
[10:10:42] /sbin/kudzu [ OK ]
[10:10:42] /sbin/lsmod [ OK ]
[10:10:42] /sbin/modinfo [ OK ]
[10:10:42] /sbin/modprobe [ OK ]
[10:10:42] /sbin/nologin [ OK ]
[10:10:42] /sbin/rmmod [ OK ]
[10:10:43] /sbin/runlevel [ OK ]
[10:10:43] /sbin/sulogin [ OK ]
[10:10:43] /sbin/sysctl [ OK ]
[10:10:43] /sbin/syslogd [ OK ]
[10:10:43] /usr/sbin/adduser [ OK ]
[10:10:44] /usr/sbin/chroot [ OK ]
[10:10:44] /usr/sbin/groupadd [ OK ]
[10:10:44] /usr/sbin/groupdel [ OK ]
[10:10:44] /usr/sbin/groupmod [ OK ]
[10:10:44] /usr/sbin/grpck [ OK ]
[10:10:45] /usr/sbin/kudzu [ OK ]
[10:10:45] /usr/sbin/lsof [ OK ]
[10:10:45] /usr/sbin/prelink [ OK ]
[10:10:45] /usr/sbin/pwck [ OK ]
[10:10:46] /usr/sbin/sestatus [ OK ]
[10:10:46] /usr/sbin/tcpd [ OK ]
[10:10:46] /usr/sbin/useradd [ OK ]
[10:10:46] /usr/sbin/userdel [ OK ]
[10:10:46] /usr/sbin/usermod [ OK ]
[10:10:46] /usr/sbin/vipw [ OK ]
[10:10:47] /usr/local/bin/rkhunter [ OK ]
[10:11:31]

....

[till]

If possible, I recommend that you reinstall your server, otherwise you will never be sure that you did not miss a part of the rootkit.

If thats not possible, you can only try to reinstall all core packages from a trusted mirror.

[aceyzeriat]

Hello Till,

I have to admit I am very disappointed by FC6, before that I had an FC4 and it also was corrupted. Do you know a safer distribution ?

regards,

[falko]

There's no "safe" distribution out there. It all depends on how you set up the server. I recommend to install fail2ban/Bockhosts/Denyhosts to stop brute-force attacks.