One site contaminated by r57shell

I found that shit script on one of the joomla web sites, now I am trying to find if damages have been done to the config, any suggesitons ?

 

You can install chkrootkit and rkhunter to find out if malware has been installed on your Linux system.

 

Thanks for the tip

here is the result :

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.10/.autoreg /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4 /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5 /usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1 /usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1 /usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.2.R322_v20061114/.options /usr/lib/eclipse/.eclipseextension /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock /usr/lib/qt-3.3/etc/settings/.kstylerc.lock /usr/lib/qt-3.3/etc/settings/.qtrc.lock /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp /usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
eth0:0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3816 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing deleted
Press ENTER to exit

 

Did you try rkhunter as well? What's the output?

 

Hello Falko

I have tried rkhunter and found some troubles ...
where may I send you the output results for your advice ?


regards,

 

Can you post the output here?

 

Hello,

Here is the output of rkhunter
As you can see some commands seem to have been tampered, I need to find the original version for my FC6 and replace them, is there a "state of the art" way to do that or do I just go to RH mirror, download and copy ?

I had to cut the log file to stay under 10,000 characters, I left the most interresting part.

regards,
Arnaud

[10:10:18] Running Rootkit Hunter version 1.3.0 on server
[10:10:18]
[10:10:18] Info: Start date is Mon Dec 31 10:10:18 CET 2007
[10:10:18]
[10:10:18] Checking configuration file and command-line options...
[10:10:18] Info: Detected operating system is 'Linux'
[10:10:18] Info: Found O/S name: Fedora Core release 6 (Zod)
[10:10:18] Info: Command line is /usr/local/bin/rkhunter --check
[10:10:18] Info: Environment shell is /bin/bash; rkhunter is using bash
[10:10:18] Info: Using configuration file '/etc/rkhunter.conf'
[10:10:18] Info: Installation directory is '/usr/local'
[10:10:18] Info: Using language 'en'
[10:10:19] Info: Using '/var/lib/rkhunter/db' as the database directory
[10:10:19] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[10:10:19] Info: Using '/usr/lib/qt-3.3/bin /usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[10:10:19] Info: Using '/' as the root directory
[10:10:19] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[10:10:19] Info: No mail-on-warning address configured
[10:10:19] Info: X will automatically be detected
[10:10:19] Info: Using second color set
[10:10:19] Info: Found the 'diff' command: /usr/bin/diff
[10:10:19] Info: Found the 'file' command: /usr/bin/file
[10:10:19] Info: Found the 'find' command: /usr/bin/find
[10:10:19] Info: Found the 'ifconfig' command: /sbin/ifconfig
[10:10:19] Info: Found the 'ip' command: /sbin/ip
[10:10:19] Info: Found the 'ldd' command: /usr/bin/ldd
[10:10:19] Info: Found the 'lsattr' command: /usr/bin/lsattr
[10:10:19] Info: Found the 'lsmod' command: /sbin/lsmod
[10:10:19] Info: Found the 'lsof' command: /usr/sbin/lsof
[10:10:19] Info: Found the 'mktemp' command: /bin/mktemp
[10:10:19] Info: Found the 'netstat' command: /bin/netstat
[10:10:19] Info: Found the 'perl' command: /usr/bin/perl
[10:10:19] Info: Found the 'ps' command: /bin/ps
[10:10:19] Info: Found the 'pwd' command: /bin/pwd
[10:10:19] Info: Found the 'readlink' command: /usr/bin/readlink
[10:10:19] Info: Found the 'sort' command: /bin/sort
[10:10:19] Info: Found the 'stat' command: /usr/bin/stat
[10:10:19] Info: Found the 'strings' command: /usr/bin/strings
[10:10:19] Info: Found the 'uniq' command: /usr/bin/uniq
[10:10:19] Info: System is using prelinking
[10:10:19] Info: Found the 'prelink' command: /usr/sbin/prelink
[10:10:19] Info: Found the 'sestatus' command: /usr/sbin/sestatus

.....

....

[10:10:33] /usr/bin/file [ OK ]
[10:10:33] /usr/bin/find [ OK ]
[10:10:33] /usr/bin/GET [ Warning ]
[10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:10:33] /usr/bin/groups [ Warning ]
[10:10:33] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:10:33] /usr/bin/head [ OK ]
[10:10:33] /usr/bin/id [ OK ]
[10:10:34] /usr/bin/kill [ OK ]
[10:10:34] /usr/bin/killall [ OK ]
[10:10:34] /usr/bin/last [ OK ]
[10:10:34] /usr/bin/lastlog [ OK ]
[10:10:34] /usr/bin/ldd [ Warning ]
[10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:10:34] /usr/bin/less [ OK ]
[10:10:34] /usr/bin/links [ OK ]
[10:10:35] /usr/bin/locate [ OK ]
[10:10:35] /usr/bin/logger [ OK ]
[10:10:35] /usr/bin/lsattr [ OK ]
[10:10:35] /usr/bin/lynx [ OK ]
[10:10:35] /usr/bin/md5sum [ OK ]
[10:10:36] /usr/bin/newgrp [ OK ]
[10:10:36] /usr/bin/passwd [ OK ]
[10:10:36] /usr/bin/perl [ OK ]
[10:10:36] /usr/bin/pstree [ OK ]
[10:10:36] /usr/bin/readlink [ OK ]
[10:10:36] /usr/bin/runcon [ OK ]
[10:10:37] /usr/bin/sha1sum [ OK ]
[10:10:37] /usr/bin/size [ OK ]
[10:10:37] /usr/bin/stat [ OK ]
[10:10:37] /usr/bin/strace [ OK ]
[10:10:37] /usr/bin/strings [ OK ]
[10:10:37] /usr/bin/sudo [ OK ]
[10:10:38] /usr/bin/tail [ OK ]
[10:10:38] /usr/bin/test [ OK ]
[10:10:38] /usr/bin/top [ OK ]
[10:10:38] /usr/bin/tr [ OK ]
[10:10:38] /usr/bin/uniq [ OK ]
[10:10:38] /usr/bin/users [ OK ]
[10:10:39] /usr/bin/vmstat [ OK ]
[10:10:39] /usr/bin/w [ OK ]
[10:10:39] /usr/bin/watch [ OK ]
[10:10:39] /usr/bin/wc [ OK ]
[10:10:39] /usr/bin/wget [ OK ]
[10:10:39] /usr/bin/whatis [ Warning ]
[10:10:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:10:39] /usr/bin/whereis [ OK ]
[10:10:40] /usr/bin/which [ OK ]
[10:10:40] /usr/bin/who [ OK ]
[10:10:40] /usr/bin/whoami [ OK ]
[10:10:40] /usr/bin/gawk [ OK ]
[10:10:40] /sbin/chkconfig [ OK ]
[10:10:40] /sbin/depmod [ OK ]
[10:10:41] /sbin/ifconfig [ OK ]
[10:10:41] /sbin/ifdown [ Warning ]
[10:10:41] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:10:41] /sbin/ifup [ Warning ]
[10:10:41] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:10:41] /sbin/init [ OK ]
[10:10:41] /sbin/insmod [ OK ]
[10:10:41] /sbin/ip [ OK ]
[10:10:42] /sbin/kudzu [ OK ]
[10:10:42] /sbin/lsmod [ OK ]
[10:10:42] /sbin/modinfo [ OK ]
[10:10:42] /sbin/modprobe [ OK ]
[10:10:42] /sbin/nologin [ OK ]
[10:10:42] /sbin/rmmod [ OK ]
[10:10:43] /sbin/runlevel [ OK ]
[10:10:43] /sbin/sulogin [ OK ]
[10:10:43] /sbin/sysctl [ OK ]
[10:10:43] /sbin/syslogd [ OK ]
[10:10:43] /usr/sbin/adduser [ OK ]
[10:10:44] /usr/sbin/chroot [ OK ]
[10:10:44] /usr/sbin/groupadd [ OK ]
[10:10:44] /usr/sbin/groupdel [ OK ]
[10:10:44] /usr/sbin/groupmod [ OK ]
[10:10:44] /usr/sbin/grpck [ OK ]
[10:10:45] /usr/sbin/kudzu [ OK ]
[10:10:45] /usr/sbin/lsof [ OK ]
[10:10:45] /usr/sbin/prelink [ OK ]
[10:10:45] /usr/sbin/pwck [ OK ]
[10:10:46] /usr/sbin/sestatus [ OK ]
[10:10:46] /usr/sbin/tcpd [ OK ]
[10:10:46] /usr/sbin/useradd [ OK ]
[10:10:46] /usr/sbin/userdel [ OK ]
[10:10:46] /usr/sbin/usermod [ OK ]
[10:10:46] /usr/sbin/vipw [ OK ]
[10:10:47] /usr/local/bin/rkhunter [ OK ]
[10:11:31]

....

 

If possible, I recommend that you reinstall your server, otherwise you will never be sure that you did not miss a part of the rootkit.

If thats not possible, you can only try to reinstall all core packages from a trusted mirror.

 

Hello Till,

I have to admit I am very disappointed by FC6, before that I had an FC4 and it also was corrupted. Do you know a safer distribution ?

regards,

 

There's no "safe" distribution out there. It all depends on how you set up the server. I recommend to install fail2ban/Bockhosts/Denyhosts to stop brute-force attacks.

 

Hello Falko,

I also found some exploits installed in the backups of the web sites but not in the main web sites !
Seems that my exclusion rules are not properly set up

When I make a safe copy of the web sites I host I usually just make a brutal "cp" in a "backup" directory, seems that apache has access to that sub directory (I thought only document root was accessible).

ideas ?
regards,
Arnaud

 

Do you use vulnerable web applications? Do you use PHP Safe Mode?

 

I host a lot of joomla web sites which don't support PHP_SafeMode. The difficulty for a joomla web site is to find an hosting server with the SafeMode turned off.

Now I believe I will reconsider those web sites and encourage the use of Drupal as CMS instead.


regards,
Arnaud

 

I know this problem, its common with joomla. I had a joomla site on one of the servers that I maintained, the owner of the site did not install all joomla patches immediately when they get released. The website got hacked serveral times and only a strict php setup with safemode on prevented that the hackers were able to break out of the website directory. The last time it was a r57shell too if I remember correctly.

 

Hello Till,

Do you mean he actually succeeded to make his joomla site operate with phpsafemode turned on ?

I have a question concerning perl scripts ...

The server has been used to run perl scripts sending phishing mail
Since none of my sites actually use perl script I brutaly uninstalled mode_perl ... and still attacks have restarted using perl scripts !!

I looked at http://perl.apache.org/docs/2.0/user/config/config.html

To enable mod_perl built as DSO add to httpd.conf:
LoadModule perl_module modules/mod_perl.so
This setting specifies the location of the mod_perl module relative to the ServerRoot setting, therefore you should put it somewhere after ServerRoot is specified.
If mod_perl has been statically linked it's automatically enabled.

How do I know if it has been statically linked ?
Anyway, removing mod_perl from the machine should have prevented the use of perl scripts, no ?

regards,
Arnaud

 

Partially. But this guy did use joomla only for edit the text on some pages.

I dont think that its statically linked in one of the common linux distributions.

Do you have cgi support enabled for the website? Additionally, if php is run without safemode, it can be used to start a perl script even if mod_perl is not loaded.

 

I just had a similar rkhunter report:

this hapened while I was still setting up the serevr, I remember, I couldn't find chkconfig, had to look for the package containing it and install it. would rkhunter --propupd remove this warning? I am sure that was me who caused that warning...

 

Which distribution are you using? How did you install rkhunter?

 

its the perfect debian lenny setup for ispcfg3, didn't want to open a new thread as this topic seemed pretty close.

 

Debian doesn't use /sbin/chkconfig (that's for RedHat-based distros only).
How did you install rkhunter?