I found that shit script on one of the Joomla web sites; now I am trying to find out if damage has been done to the config. Any suggestions?
You can install chkrootkit and rkhunter to find out if malware has been installed on your Linux system.
Thanks for the tip, here is the result:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.10/.autoreg
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5
/usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1
/usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.2.R322_v20061114/.options
/usr/lib/eclipse/.eclipseextension
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.kstylerc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/10/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/9/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/5/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
eth0:0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3816 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing deleted
Press ENTER to exit
Hello Falko, I have tried rkhunter and found some troubles ... where may I send you the output results for your advice? regards,
Hello, Here is the output of rkhunter. As you can see some commands seem to have been tampered with; I need to find the original versions for my FC6 and replace them. Is there a "state of the art" way to do that, or do I just go to a RH mirror, download and copy? I had to cut the log file to stay under 10,000 characters; I left the most interesting part. regards, Arnaud

[10:10:18] Running Rootkit Hunter version 1.3.0 on server
[10:10:18]
[10:10:18] Info: Start date is Mon Dec 31 10:10:18 CET 2007
[10:10:18]
[10:10:18] Checking configuration file and command-line options...
[10:10:18] Info: Detected operating system is 'Linux'
[10:10:18] Info: Found O/S name: Fedora Core release 6 (Zod)
[10:10:18] Info: Command line is /usr/local/bin/rkhunter --check
[10:10:18] Info: Environment shell is /bin/bash; rkhunter is using bash
[10:10:18] Info: Using configuration file '/etc/rkhunter.conf'
[10:10:18] Info: Installation directory is '/usr/local'
[10:10:18] Info: Using language 'en'
[10:10:19] Info: Using '/var/lib/rkhunter/db' as the database directory
[10:10:19] Info: Using '/usr/local/lib/rkhunter/scripts' as the support script directory
[10:10:19] Info: Using '/usr/lib/qt-3.3/bin /usr/kerberos/sbin /usr/kerberos/bin /usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[10:10:19] Info: Using '/' as the root directory
[10:10:19] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[10:10:19] Info: No mail-on-warning address configured
[10:10:19] Info: X will automatically be detected
[10:10:19] Info: Using second color set
[10:10:19] Info: Found the 'diff' command: /usr/bin/diff
[10:10:19] Info: Found the 'file' command: /usr/bin/file
[10:10:19] Info: Found the 'find' command: /usr/bin/find
[10:10:19] Info: Found the 'ifconfig' command: /sbin/ifconfig
[10:10:19] Info: Found the 'ip' command: /sbin/ip
[10:10:19] Info: Found the 'ldd' command: /usr/bin/ldd
[10:10:19] Info: Found the 'lsattr' command: /usr/bin/lsattr
[10:10:19] Info: Found the 'lsmod' command: /sbin/lsmod
[10:10:19] Info: Found the 'lsof' command: /usr/sbin/lsof
[10:10:19] Info: Found the 'mktemp' command: /bin/mktemp
[10:10:19] Info: Found the 'netstat' command: /bin/netstat
[10:10:19] Info: Found the 'perl' command: /usr/bin/perl
[10:10:19] Info: Found the 'ps' command: /bin/ps
[10:10:19] Info: Found the 'pwd' command: /bin/pwd
[10:10:19] Info: Found the 'readlink' command: /usr/bin/readlink
[10:10:19] Info: Found the 'sort' command: /bin/sort
[10:10:19] Info: Found the 'stat' command: /usr/bin/stat
[10:10:19] Info: Found the 'strings' command: /usr/bin/strings
[10:10:19] Info: Found the 'uniq' command: /usr/bin/uniq
[10:10:19] Info: System is using prelinking
[10:10:19] Info: Found the 'prelink' command: /usr/sbin/prelink
[10:10:19] Info: Found the 'sestatus' command: /usr/sbin/sestatus
..... ....
[10:10:33] /usr/bin/file [ OK ]
[10:10:33] /usr/bin/find [ OK ]
[10:10:33] /usr/bin/GET [ Warning ]
[10:10:33] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:10:33] /usr/bin/groups [ Warning ]
[10:10:33] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[10:10:33] /usr/bin/head [ OK ]
[10:10:33] /usr/bin/id [ OK ]
[10:10:34] /usr/bin/kill [ OK ]
[10:10:34] /usr/bin/killall [ OK ]
[10:10:34] /usr/bin/last [ OK ]
[10:10:34] /usr/bin/lastlog [ OK ]
[10:10:34] /usr/bin/ldd [ Warning ]
[10:10:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:10:34] /usr/bin/less [ OK ]
[10:10:34] /usr/bin/links [ OK ]
[10:10:35] /usr/bin/locate [ OK ]
[10:10:35] /usr/bin/logger [ OK ]
[10:10:35] /usr/bin/lsattr [ OK ]
[10:10:35] /usr/bin/lynx [ OK ]
[10:10:35] /usr/bin/md5sum [ OK ]
[10:10:36] /usr/bin/newgrp [ OK ]
[10:10:36] /usr/bin/passwd [ OK ]
[10:10:36] /usr/bin/perl [ OK ]
[10:10:36] /usr/bin/pstree [ OK ]
[10:10:36] /usr/bin/readlink [ OK ]
[10:10:36] /usr/bin/runcon [ OK ]
[10:10:37] /usr/bin/sha1sum [ OK ]
[10:10:37] /usr/bin/size [ OK ]
[10:10:37] /usr/bin/stat [ OK ]
[10:10:37] /usr/bin/strace [ OK ]
[10:10:37] /usr/bin/strings [ OK ]
[10:10:37] /usr/bin/sudo [ OK ]
[10:10:38] /usr/bin/tail [ OK ]
[10:10:38] /usr/bin/test [ OK ]
[10:10:38] /usr/bin/top [ OK ]
[10:10:38] /usr/bin/tr [ OK ]
[10:10:38] /usr/bin/uniq [ OK ]
[10:10:38] /usr/bin/users [ OK ]
[10:10:39] /usr/bin/vmstat [ OK ]
[10:10:39] /usr/bin/w [ OK ]
[10:10:39] /usr/bin/watch [ OK ]
[10:10:39] /usr/bin/wc [ OK ]
[10:10:39] /usr/bin/wget [ OK ]
[10:10:39] /usr/bin/whatis [ Warning ]
[10:10:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:10:39] /usr/bin/whereis [ OK ]
[10:10:40] /usr/bin/which [ OK ]
[10:10:40] /usr/bin/who [ OK ]
[10:10:40] /usr/bin/whoami [ OK ]
[10:10:40] /usr/bin/gawk [ OK ]
[10:10:40] /sbin/chkconfig [ OK ]
[10:10:40] /sbin/depmod [ OK ]
[10:10:41] /sbin/ifconfig [ OK ]
[10:10:41] /sbin/ifdown [ Warning ]
[10:10:41] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:10:41] /sbin/ifup [ Warning ]
[10:10:41] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[10:10:41] /sbin/init [ OK ]
[10:10:41] /sbin/insmod [ OK ]
[10:10:41] /sbin/ip [ OK ]
[10:10:42] /sbin/kudzu [ OK ]
[10:10:42] /sbin/lsmod [ OK ]
[10:10:42] /sbin/modinfo [ OK ]
[10:10:42] /sbin/modprobe [ OK ]
[10:10:42] /sbin/nologin [ OK ]
[10:10:42] /sbin/rmmod [ OK ]
[10:10:43] /sbin/runlevel [ OK ]
[10:10:43] /sbin/sulogin [ OK ]
[10:10:43] /sbin/sysctl [ OK ]
[10:10:43] /sbin/syslogd [ OK ]
[10:10:43] /usr/sbin/adduser [ OK ]
[10:10:44] /usr/sbin/chroot [ OK ]
[10:10:44] /usr/sbin/groupadd [ OK ]
[10:10:44] /usr/sbin/groupdel [ OK ]
[10:10:44] /usr/sbin/groupmod [ OK ]
[10:10:44] /usr/sbin/grpck [ OK ]
[10:10:45] /usr/sbin/kudzu [ OK ]
[10:10:45] /usr/sbin/lsof [ OK ]
[10:10:45] /usr/sbin/prelink [ OK ]
[10:10:45] /usr/sbin/pwck [ OK ]
[10:10:46] /usr/sbin/sestatus [ OK ]
[10:10:46] /usr/sbin/tcpd [ OK ]
[10:10:46] /usr/sbin/useradd [ OK ]
[10:10:46] /usr/sbin/userdel [ OK ]
[10:10:46] /usr/sbin/usermod [ OK ]
[10:10:46] /usr/sbin/vipw [ OK ]
[10:10:47] /usr/local/bin/rkhunter [ OK ]
[10:11:31] ....
If possible, I recommend that you reinstall your server, otherwise you will never be sure that you did not miss a part of the rootkit. If that's not possible, you can only try to reinstall all core packages from a trusted mirror.
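Before reinstalling anything, it helps to know which of the rkhunter warnings above are real changes and which are files that are scripts by design (on Fedora, /usr/bin/ldd, /sbin/ifup and /sbin/ifdown, and /usr/bin/GET are shipped as scripts by their packages, so a "replaced by a script" warning alone does not prove tampering). The script below is an added example, not something posted in this thread or part of rkhunter: it classifies a file from its magic bytes and then asks the RPM database whether the file still matches the package that owns it. The rpm calls are only run when rpm exists; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter "replaced by a script"
# warnings. Step 1 classifies the file from its first bytes, step 2 asks RPM
# whether the file differs from what its package installed.

# classify_file PATH -> prints "elf", "script" or "other"
classify_file() {
    # od -A n -t x1 prints the first four bytes as hex pairs; strip whitespace
    magic=$(head -c 4 "$1" 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7fELF: a compiled binary
        2321*)    echo script ;;   # "#!": an interpreter script
        *)        echo other ;;    # empty, missing, or something else
    esac
}

# verify_owner PATH -> prints the owning package and any rpm -V differences.
# Returns 0 when the file matches its package, 1 when it differs or is unowned.
verify_owner() {
    f=$1
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "$f: not owned by any package"; return 1; }
    # rpm -Vf verifies the whole owning package; keep only the line for this file.
    # A line such as "S.5....T.  /usr/bin/ldd" means size, md5 and mtime changed.
    diff=$(rpm -Vf "$f" 2>/dev/null | grep " $f\$")
    if [ -n "$diff" ]; then
        echo "$f ($pkg): MODIFIED -> $diff"
        return 1
    fi
    echo "$f ($pkg): matches package"
    return 0
}

# With file arguments, report on each; with none, only define the functions.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_file "$f")"
        command -v rpm >/dev/null 2>&1 && verify_owner "$f"
    done
fi
```

Run it as `sh triage.sh /usr/bin/ldd /usr/bin/groups /sbin/ifup`. The caveat Till's advice points at still applies: rpm and its database live on the same possibly compromised host, so a clean result from rpm -V is only meaningful when run from rescue media against the mounted disk (rpm's --root option) or against a database copy you trust. If a file really is modified, fetch the package from a trusted mirror, check its signature with `rpm -K package.rpm`, and reinstall it with `rpm -Uvh --replacepkgs --replacefiles package.rpm`; only after a file is confirmed legitimate should `rkhunter --propupd` be used to accept it into the baseline.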
Hello Till, I have to admit I am very disappointed by FC6; before that I had an FC4 and it also was corrupted. Do you know a safer distribution? regards,
There's no "safe" distribution out there. It all depends on how you set up the server. I recommend installing fail2ban/BlockHosts/DenyHosts to stop brute-force attacks.
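What fail2ban, BlockHosts and DenyHosts automate is a simple count: failed logins per source address within a time window, with a ban once a threshold is crossed. The script below is an added example (not from the thread, and not fail2ban's own code) that does the counting part over a few constructed sshd log lines so you can see what the tools react to; the addresses are RFC 5737 documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source
# address in an auth log and report the sources at or above a threshold.
# This is the detection step that fail2ban/DenyHosts run before banning.

# brute_force_sources LOGFILE THRESHOLD -> one offending IP per line, sorted
brute_force_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' "$1" | sort
}

# Constructed sample log: four failures from one address, one from another
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Dec 31 10:10:18 server sshd[3001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Dec 31 10:10:19 server sshd[3002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Dec 31 10:10:20 server sshd[3003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Dec 31 10:10:21 server sshd[3004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Dec 31 10:10:22 server sshd[3005]: Accepted publickey for arnaud from 198.51.100.7 port 50001 ssh2
Dec 31 10:10:23 server sshd[3006]: Failed password for arnaud from 198.51.100.7 port 50002 ssh2
EOF

echo "sources with 3 or more failed logins:"
brute_force_sources "$sample_log" 3
```

With the sample above only 192.0.2.10 is reported at threshold 3; the single failure from 198.51.100.7 is the kind of typo a legitimate user makes. In fail2ban the same knobs are `maxretry` (the threshold), `findtime` (the window) and `bantime` in the sshd jail; key-only SSH authentication removes the password-guessing surface altogether.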
Hello Falko, I also found some exploits installed in the backups of the web sites but not in the main web sites! Seems that my exclusion rules are not properly set up. When I make a safe copy of the web sites I host, I usually just make a brutal "cp" into a "backup" directory; it seems that Apache has access to that subdirectory (I thought only the document root was accessible). Ideas? regards, Arnaud
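A "cp" into a directory under the site is still under the document root, so Apache serves it and any PHP running as the Apache user can write into it. The script below is an added example (not posted in this thread) of the alternative: the backup is written as an archive into a directory outside the document root, and the function refuses if asked to put it inside. The directory names are placeholders; the layout (a site under a web root, backups beside it) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): back up a site to a location that is
# never under the document root, with permissions the web server user cannot
# use. Paths passed in are expected to be absolute and without trailing slash.

# path_is_under PATH PARENT -> 0 if PATH equals PARENT or lies inside it
path_is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_site DOCROOT BACKUP_DIR -> writes DOCROOT as a tar archive into
# BACKUP_DIR and prints the archive path. Refuses when BACKUP_DIR is inside
# DOCROOT, which is exactly the "cp into DOCROOT/backup" mistake.
backup_site() {
    docroot=$1
    backup_dir=$2
    if path_is_under "$backup_dir" "$docroot"; then
        echo "refusing: $backup_dir is inside document root $docroot" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 1
    chmod 0750 "$backup_dir"   # owner and group only; the apache user is neither
    archive="$backup_dir/$(basename "$docroot")-$(date +%Y%m%d%H%M%S).tar"
    # -C so members are relative paths; add -z for gzip if space matters
    tar -cf "$archive" -C "$docroot" . || return 1
    chmod 0640 "$archive"
    echo "$archive"
}

# Typical call (placeholder paths):
#   backup_site /var/www/example.org/web /var/backups/sites
```

Old in-tree copies should be deleted rather than carried along into new archives, since they contain whatever was dropped into them. For anything that must stay under the document root, a `<Directory>` block with `Require all denied` (Apache 2.4) or `Deny from all` (2.2) stops it from being served, but that does not stop a PHP process from writing there; ownership by a user other than the Apache user does.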
I host a lot of Joomla web sites which don't support PHP SafeMode. The difficulty for a Joomla web site is to find a hosting server with SafeMode turned off. Now I believe I will reconsider those web sites and encourage the use of Drupal as CMS instead. regards, Arnaud
I know this problem, it's common with Joomla. I had a Joomla site on one of the servers that I maintained; the owner of the site did not install all Joomla patches immediately when they were released. The website got hacked several times, and only a strict PHP setup with safe mode on prevented the hackers from breaking out of the website directory. The last time it was a r57shell too, if I remember correctly.
Hello Till, Do you mean he actually succeeded in making his Joomla site operate with PHP safe mode turned on? I have a question concerning Perl scripts ... The server has been used to run Perl scripts sending phishing mail. Since none of my sites actually use Perl scripts I brutally uninstalled mod_perl ... and still attacks have restarted using Perl scripts!! I looked at http://perl.apache.org/docs/2.0/user/config/config.html:

To enable mod_perl built as DSO add to httpd.conf: LoadModule perl_module modules/mod_perl.so
This setting specifies the location of the mod_perl module relative to the ServerRoot setting, therefore you should put it somewhere after ServerRoot is specified. If mod_perl has been statically linked it's automatically enabled.

How do I know if it has been statically linked? Anyway, removing mod_perl from the machine should have prevented the use of Perl scripts, no? regards, Arnaud
Partially. But this guy did use Joomla only to edit the text on some pages. I don't think that it's statically linked in one of the common Linux distributions. Do you have CGI support enabled for the website? Additionally, if PHP is run without safe mode, it can be used to start a Perl script even if mod_perl is not loaded.
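Two checks settle the questions in the last two posts. `httpd -l` lists the modules compiled into the Apache binary, so a statically linked mod_perl shows up there as mod_perl.c (a DSO build appears in `httpd -M` instead). And whether PHP can start /usr/bin/perl at all depends on the exec family of functions being listed in php.ini's disable_functions. The script below is an added example, not something from this thread or from Apache or PHP: it wraps both checks, the php.ini fragments it tests against are constructed, and the httpd binary name is an assumption (on Fedora it is /usr/sbin/httpd).

```shell
#!/bin/sh
# Added example (not from the thread): is mod_perl compiled into httpd, and
# can a PHP script spawn another interpreter? Both are read-only checks.

# perl_compiled_in HTTPD -> 0 if mod_perl is statically linked into HTTPD.
# HTTPD may be a path such as /usr/sbin/httpd (assumed location on Fedora).
perl_compiled_in() {
    # "httpd -l" prints "Compiled in modules:" followed by one name per line,
    # e.g. "  core.c", "  prefork.c". mod_perl as a DSO never appears here.
    "$1" -l 2>/dev/null | grep -q '^ *mod_perl\.c$'
}

# PHP functions through which a script can run perl, sh or anything else
EXEC_FUNCTIONS="exec system passthru shell_exec popen proc_open"

# missing_disabled_functions PHP_INI -> prints the exec-family functions that
# are NOT listed in disable_functions, one per line (no output = all blocked)
missing_disabled_functions() {
    # take the last effective disable_functions line, lower-case it and turn
    # the comma-separated list into words
    disabled=$(grep -i '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
               | tail -n 1 | cut -d= -f2- | tr 'A-Z,' 'a-z ')
    for fn in $EXEC_FUNCTIONS; do
        found=0
        for d in $disabled; do [ "$d" = "$fn" ] && found=1; done
        [ $found -eq 0 ] && echo "$fn"
    done
    return 0
}

# Constructed php.ini fragments: the weak default and a hardened one
weak_ini=$(mktemp); hardened_ini=$(mktemp)
printf 'safe_mode = Off\ndisable_functions =\n' > "$weak_ini"
printf 'safe_mode = Off\ndisable_functions = exec,system,passthru,shell_exec,popen,proc_open\n' > "$hardened_ini"

echo "exec-family functions still allowed by the weak php.ini:"
missing_disabled_functions "$weak_ini"
```

On a live box, `perl_compiled_in /usr/sbin/httpd` answers the static-link question and `missing_disabled_functions /etc/php.ini` shows what still needs to go into disable_functions. Two caveats: CGI handling (ScriptAlias, `Options +ExecCGI` with a cgi-script handler) lets Apache run a .pl file with no mod_perl at all, which is why Till asks about CGI support; and safe_mode is not a long-term answer, since PHP deprecated it in 5.3 and removed it in 5.4, leaving disable_functions and open_basedir as the per-site controls.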
I just had a similar rkhunter report: this happened while I was still setting up the server, I remember, I couldn't find chkconfig, had to look for the package containing it and install it. Would rkhunter --propupd remove this warning? I am sure that it was me who caused that warning...
It's the Perfect Debian Lenny setup for ISPConfig 3; didn't want to open a new thread as this topic seemed pretty close.
Debian doesn't use /sbin/chkconfig (that's for Red Hat-based distros only). How did you install rkhunter?