Rootkit Hunter: IptabLex, IptabLes

Posted 06-14-2014 at 04:17 AM by unSpawn
Updated 06-22-2014 at 04:50 AM by unSpawn (//Added auditing examples)
Tags iptablex

Compromises leaving .IptabLes and .IptabLex binaries (with or without the leading dot) in /, /boot, /etc and/or /usr seem to be quite common:
http://ubuntuforums.org/showthread.php?t=2226673
http://www.linuxquestions.org/questi...ns-4175502655/
http://forum.synology.com/enu/viewto...p?f=19&t=85779
http://daivietpda.vn/threads/203145/
http://security.stackexchange.com/qu...s-and-iptablex

More info here:
http://remchp.com/blog/?p=163
http://blog.malwaremustdie.org/2014/...-with-elf.html

If Elasticsearch is running exposed and with dynamic scripting enabled, see:
http://www.ebel-computing.de/JSPWiki...erver%20Trojan
https://www.found.no/foundation/elas...-elasticsearch
http://bouk.co/blog/elasticsearch-rce/
http://www.elasticsearch.org/guide/e...ynamic_scripts


*Should you want to check with Rootkit Hunter: the relevant changes are in CVS (http://rkhunter.cvs.sourceforge.net/....507&r2=1.508& and http://rkhunter.cvs.sourceforge.net/....1&view=markup), so please get Rootkit Hunter from CVS until they are released officially.

Addendum:
**Since RKH is a passive post-incident tool, here are some (more or less) distro-agnostic ways to audit process / file existence and get early warnings (assuming you run Logwatch or equivalent):

Using Samhain, the continuously-running file system integrity checker (http://www.la-samhna.de/samhain/):
Code:
[ProcessCheck]
ProcessCheckExists=IptabLex
ProcessCheckExists=IptabLes
ProcessCheckExists=flush

With the Audit service (http://people.redhat.com/sgrubb/audit/):
Code:
auditctl -a always,exit -F path=/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/.IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/.IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/.IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/tmp/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/etc/rc.d/init.d/IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/etc/rc.d/init.d/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/var/lib/update-rc.d/IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/delallmykkk -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/usr/.IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/usr/IptabLes -F perm=rwx -k IOC_iptablex

Inotifywait using the RKH "iptablex" ClamAV (clamscan) signature:
Code:
#!/bin/bash --
# Scan every new file under the directories the droppers use with the RKH "iptablex" signature
# and send hits to syslog. "create" fires before the file has content, so also react to close_write.
/path/to/inotifywait -mrq -e create,close_write --format '%w%f' /boot /etc /tmp /usr | while read -r ITEM; do
	/path/to/clamscan --official-db-only=no --database=/path/to/rkhunter/signatures/RKH_iptablex.ldb \
	  --no-summary -i "${ITEM}" | while read -r LINE; do
		logger -t clamscan "IOC_iptablex: ${LINE}"
	done
done
exit 0

A cron job using the same signature:
Code:
#!/bin/bash --
# Recursive scan with the same signature; --no-summary keeps the log empty unless something matched,
# hits go to syslog and the log file is mailed as the message body (the original read mail from stdin).
_TMPFILE=$(/bin/mktemp -p /tmp clamscan.XXXXXXXX)
[ -e "${_TMPFILE}" ] && {
	/path/to/clamscan --official-db-only=no --database=/path/to/rkhunter/signatures/RKH_iptablex.ldb --no-summary -i -r /boot /etc /tmp /usr -l "${_TMPFILE}"
	[ -s "${_TMPFILE}" ] && {
		while read -r LINE; do logger -t clamscan "IOC_iptablex: ${LINE}"; done < "${_TMPFILE}"
		mail -s "${_TMPFILE}" some_recipient < "${_TMPFILE}"
	}
}
rm -f "${_TMPFILE}"
exit 0
*Note: these are examples, so YMMV(VM). As always, you should understand what you run and why.
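A one-shot check of the same file paths and process names, added here as an example and not code from the original post: it walks the IOC paths from the auditctl rules and the process names from the Samhain stanza, and returns non-zero when anything is present. The ROOT and PROCDIR parameters are assumptions of this example (not part of any tool above) so the check can also run over a mounted image or a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the original post): one-shot check for the IptabLes/IptabLex
# file paths and process names listed above, for cron or an incident responder.
# Exit status 1 means at least one indicator was seen.
IOC_PATHS='/IptabLes /.IptabLex /boot/.IptabLex /boot/.IptabLes /boot/IptabLes /tmp/IptabLes
/etc/rc.d/init.d/IptabLex /etc/rc.d/init.d/IptabLes /var/lib/update-rc.d/IptabLex
/delallmykkk /usr/.IptabLes /usr/IptabLes'
IOC_PROCS='IptabLex IptabLes flush'

# check_ioc_files [ROOT]: print every IOC path present under ROOT (default /); returns 1 if any.
# ROOT is a hypothetical parameter so the check can run over a mounted image or a test tree.
check_ioc_files() {
  root="${1:-/}"; root="${root%/}"; found=0
  for p in $IOC_PATHS; do
    if [ -e "${root}${p}" ] || [ -L "${root}${p}" ]; then
      printf 'IOC_iptablex: file %s\n' "${root}${p}"; found=1
    fi
  done
  return "$found"
}

# check_ioc_procs [PROCDIR]: print processes whose comm is an IOC name; returns 1 if any.
# PROCDIR (default /proc) is again a hypothetical parameter used for testing.
check_ioc_procs() {
  procdir="${1:-/proc}"; found=0
  for comm in "${procdir}"/[0-9]*/comm; do
    read -r name 2>/dev/null < "$comm" || continue   # process may have exited meanwhile
    pid="${comm%/comm}"; pid="${pid##*/}"
    for p in $IOC_PROCS; do
      if [ "$name" = "$p" ]; then
        printf 'IOC_iptablex: process %s pid %s\n' "$name" "$pid"; found=1
      fi
    done
  done
  return "$found"
}

# main [ROOT] [PROCDIR]: run both checks and log once to syslog if anything was seen.
main() {
  rc=0
  check_ioc_files "${1:-/}" || rc=1
  check_ioc_procs "${2:-/proc}" || rc=1
  [ "$rc" -eq 0 ] || logger -t ioc_check "IOC_iptablex: indicators found on $(hostname)"
  return "$rc"
}
main "$@"
```

Run it from cron and alert on a non-zero exit, or point ROOT at a mounted disk image of a suspect host.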