Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.

Thanks in advance,
B.J.

CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04
On 30/11/2007, B.J. McClure <keepertoad at verizon.net> wrote:

> Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.

Is SE Linux enabled on your system?

If this is an ext2/ext3 filesystem - look at "lsattr" and friends.

fuser(1) on that file and/or monitoring it using something based on inotify(7) might reveal which process has it open or uses it.

Hope this gives you some useful direction.

--Amos
On Thu, 29 Nov 2007 16:43:44 -0600 "B.J. McClure" <keepertoad at verizon.net> wrote:

> Sad to say one of my file servers was exploited and used to run a Phishing scam.

One of the problems with being r00ted is that you can never be sure that you have found all of the stuff that the bad guy left behind. The only way to clean up a system like that is to reformat and set it up again from scratch. Otherwise you're taking a chance that he'll be back again tomorrow doing the same thing, or worse.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Find out how they got in and make sure that hole is fixed.

Do an rpm verify on all installed packages (excluding configs), reinstall the rpms that fail the verify. Find all binaries that are not accountable in rpm and nuke them.

Harden your host with selinux and audit, keep audit logs of all changes to binary files and essential configs and make sure the audit logs are immutable.

Keep an eye on the system for a while to make sure you haven't missed anything.

Keep LVM snapshots of your OS LVs.

-Ross

-----Original Message-----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Thu Nov 29 17:43:44 2007
Subject: [CentOS] CleanLog.h

> Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
>
> Thanks in advance,
> B.J.
>
> CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04
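A way to act on the rpm-verify advice in Ross's message, as an added example that is not from the thread or from any poster: it parses the output of `rpm -Va` and `rpm -qf` and sorts files into "reinstall the package", "config drift" (excluded, as Ross suggests) and "benign" (timestamp-only changes). The sample output embedded below is constructed; run the real commands and feed their output to `triage()` and `unowned_paths()`.

```python
"""Triage rpm -Va / rpm -qf output into reinstall, config-drift and benign buckets."""
import re

# rpm -Va line: 8 or 9 verify flags (or "missing"), an optional file-type
# letter (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
_VERIFY = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)$")
# rpm -qf line printed for a file that no installed package owns
_UNOWNED = re.compile(r"^file (?P<path>\S+) is not owned by any package$")
# Flags meaning content or permissions changed: S size, M mode, 5 digest,
# L symlink target, U owner, G group. T (mtime) alone is usually harmless.
_TAMPER = set("SM5LUG")

def parse_verify_line(line):
    """Return {path, config, missing, failed} for one rpm -Va line, else None."""
    m = _VERIFY.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    failed = set() if flags == "missing" else {c for c in flags if c not in ".?"}
    return {"path": m.group("path"), "config": m.group("attr") == "c",
            "missing": flags == "missing", "failed": failed}

def triage(verify_output):
    """Bucket every reported path; 'reinstall' is the list to act on first."""
    buckets = {"reinstall": [], "config_drift": [], "benign": []}
    for line in verify_output.splitlines():
        rec = parse_verify_line(line)
        if rec is None:
            continue
        if rec["config"]:
            buckets["config_drift"].append(rec["path"])   # configs are excluded
        elif rec["missing"] or rec["failed"] & _TAMPER:
            buckets["reinstall"].append(rec["path"])      # binary altered or gone
        else:
            buckets["benign"].append(rec["path"])         # e.g. mtime only
    return buckets

def unowned_paths(qf_output):
    """Paths that rpm -qf reports as owned by no package: candidates to remove."""
    found = []
    for line in qf_output.splitlines():
        m = _UNOWNED.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found

# Constructed sample output, not taken from any real host
SAMPLE_VERIFY = """\
S.5....T.    /sbin/ifconfig
.......T.    /usr/bin/less
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
.M.......    /bin/ls
"""
SAMPLE_QF = "file /sbin/z is not owned by any package\ncoreutils-5.97-12.1.el5\n"
```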
On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:

> Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
>
> Thanks in advance,
> B.J.
>
> CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04

Hi

Can you tell me which virus scan you are using?

Thanks
On 30/11/2007, Alfredo Perez <alfredoj69 at rogers.com> wrote:

> Furthermore, this question is for the list
>
> I have a Centos 5 server running sshd for me to signon and check my emails.
>
> I use denyhosts to protect port 22.
>
> Is there any other software you people use to protect your servers.

There are a few such programs floating around. Do you confine yourself to CentOS packages? denyhosts is apparently a good one.

Personally, I don't use any - once I moved to a non-standard port I've never seen anyone knocking on my SSH server's door.

--Amos
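The signal denyhosts acts on, as an added example that is not from the thread or from the denyhosts project: it counts failed sshd logins per source address in /var/log/secure-style lines and lists the sources over a threshold, which is the decision a host-deny tool makes before writing to /etc/hosts.deny. The log lines below are constructed and use documentation address ranges; feed the real log to `offenders()`.

```python
"""Count failed sshd logins per source and list sources over a threshold."""
import re
from collections import Counter

# OpenSSH failure line; "invalid user" appears when the account does not exist
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+")

def failed_logins(log_text):
    """Map source IP -> number of failed login attempts in the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if m:                       # accepted logins and other lines are skipped
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, threshold=3):
    """Sources with at least `threshold` failures, busiest first."""
    return [ip for ip, n in failed_logins(log_text).most_common() if n >= threshold]

# Constructed sample log (hostname, pids and addresses are made up)
SAMPLE_LOG = """\
Nov 30 02:14:07 fs1 sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Nov 30 02:14:09 fs1 sshd[4023]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Nov 30 02:14:12 fs1 sshd[4025]: Failed password for root from 198.51.100.7 port 40141 ssh2
Nov 30 02:14:15 fs1 sshd[4027]: Failed password for root from 198.51.100.7 port 40150 ssh2
Nov 30 02:20:41 fs1 sshd[4102]: Failed password for bj from 203.0.113.9 port 51004 ssh2
Nov 30 02:20:55 fs1 sshd[4102]: Accepted publickey for bj from 203.0.113.9 port 51004 ssh2
Nov 30 02:31:02 fs1 sshd[4190]: Failed password for bj from 203.0.113.9 port 51231 ssh2
"""

if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} failed attempts")
    print("over threshold:", offenders(SAMPLE_LOG))
```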