On Tue, Jul 29, 2014 at 10:07 PM, Brandon Vincent
<brandon.vinc...@asu.edu> wrote:
> On Tue, 2014-07-29 at 17:23 -0400, Larry Linder wrote:
>> If anyone is interested I will share the details.
>
> Larry,
>
> Are you running Apache Struts, Apache Tomcat, or Elasticsearch by any
> chance? Please review CVE-2013-2115, CVE-2013-1966, and CVE-2014-3120 to
> see if any of these apply to your system configuration. This type of
> infection is typically due to the aforementioned vulnerabilities.
>
> As for removal, find and remove the following files with the system
> offline:
>
> /boot/.IptabLes
> /boot/.IptabLex
> /usr/.IptabLes
> /usr/.IptabLex
> /etc/rc.d/init.d/IptabLes
> /etc/rc.d/init.d/IptabLex
> /.mylisthb*

Then "rm -rf /" and restore, carefully, a pristine and updated OS with
manual review of any configurations you're re-installing. And go read
'The Cuckoo's Egg' for a sense of how little you can trust a
compromised system, and how little you can trust law enforcement to be
of any help.

Once someone is in as root, they can manipulate your basic system
libraries, including the ones used to build checksums and audit for
intrusion. Take it offline and *replace* that OS, ASAP, and consider
any passwords used on it to have been compromised.

                   Nico Kadel-Garcia
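One way to turn the file list above into a check that runs from a rescue boot rather than on the compromised system itself, as an added example that is not part of the thread; it assumes the affected disk is mounted read-only at the mount point passed as the first argument, and the function names are this example's own:

```shell
#!/bin/sh
# Offline check for the IptabLes/IptabLex indicator paths named in the thread.
# Boot a rescue medium, mount the compromised root filesystem read-only
# (e.g. at /mnt/suspect) and pass that mount point as $1, so nothing here
# depends on the binaries or libraries of the compromised system.

# Indicator paths quoted from the thread; the /.mylisthb* glob is handled below.
IPTABLES_IOC_PATHS='
/boot/.IptabLes
/boot/.IptabLex
/usr/.IptabLes
/usr/.IptabLex
/etc/rc.d/init.d/IptabLes
/etc/rc.d/init.d/IptabLex
'

# find_iptables_iocs MOUNTPOINT
# Prints each indicator path present under MOUNTPOINT (without the mount
# prefix, one per line). Returns 0 if at least one was found, 1 otherwise.
find_iptables_iocs() {
    root=${1%/}   # strip a trailing slash so "/" and "/mnt/suspect/" both work
    found=0
    for p in $IPTABLES_IOC_PATHS; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    # The last entry in the thread is a glob in the root directory.
    for f in "$root"/.mylisthb*; do
        [ -e "$f" ] || continue   # no match leaves the literal pattern behind
        printf '/%s\n' "${f##*/}"
        found=1
    done
    [ "$found" -eq 1 ]
}

# count_iptables_iocs MOUNTPOINT: number of indicator paths present.
count_iptables_iocs() {
    find_iptables_iocs "$1" | wc -l | tr -d ' '
}
```

A hit confirms the infection described in the thread; a clean result does not clear the host, since a root-level intruder can place files anywhere, which is why the reply above recommends a rebuild rather than cleanup.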
