Rootkit Hunter: IptabLex, IptabLes
Posted 06-14-2014 at 04:17 AM by unSpawn
Updated 06-22-2014 at 04:50 AM by unSpawn (//Added auditing examples)
Tags iptablex
Compromises leaving .IptabLes and .IptabLex binaries (with or without the leading dot) in /, /boot, /etc and/or /usr seem to be quite common:
http://ubuntuforums.org/showthread.php?t=2226673
http://www.linuxquestions.org/questi...ns-4175502655/
http://forum.synology.com/enu/viewto...p?f=19&t=85779
http://daivietpda.vn/threads/203145/
http://security.stackexchange.com/qu...s-and-iptablex
More info here:
http://remchp.com/blog/?p=163
http://blog.malwaremustdie.org/2014/...-with-elf.html
If Elasticsearch is running exposed and with dynamic scripts enabled, see:
http://www.ebel-computing.de/JSPWiki...erver%20Trojan
https://www.found.no/foundation/elas...-elasticsearch
http://bouk.co/blog/elasticsearch-rce/
http://www.elasticsearch.org/guide/e...ynamic_scripts
*Should you want to check with Rootkit Hunter: because of http://rkhunter.cvs.sourceforge.net/....507&r2=1.508& and http://rkhunter.cvs.sourceforge.net/....1&view=markup, please get Rootkit Hunter from CVS until the next version is released officially.
Addendum:
**Since RKH is a passive post-incident tool, here are some (more or less) distro-agnostic ways to audit process and file existence for early warnings (assuming you run Logwatch or equivalent):
*Note these are examples so YMMV(VM). As always you should understand what you run and why.
Using Samhain, the continuously-running file system integrity checker (http://www.la-samhna.de/samhain/):
Code:
[ProcessCheck]
# The check only runs when it is switched on; each ProcessCheckExists entry
# raises an alert when a process with that name is found running.
ProcessCheckActive=yes
ProcessCheckExists=IptabLex
ProcessCheckExists=IptabLes
ProcessCheckExists=flush
With the Audit service (http://people.redhat.com/sgrubb/audit/):
Code:
# Record any read/write/execute access to the paths these droppers are known to use;
# all rules share one key, so hits can be pulled out with: ausearch -k IOC_iptablex
auditctl -a always,exit -F path=/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/.IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/.IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/.IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/boot/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/tmp/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/etc/rc.d/init.d/IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/etc/rc.d/init.d/IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/var/lib/update-rc.d/IptabLex -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/delallmykkk -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/usr/.IptabLes -F perm=rwx -k IOC_iptablex
auditctl -a always,exit -F path=/usr/IptabLes -F perm=rwx -k IOC_iptablex
Inotifywait using RKH "iptablex" clamscan signature:
Code:
#!/bin/bash --
# Watch the usual drop directories and scan every new file with the RKH iptablex
# signature; each hit goes to syslog tagged "clamscan" so Logwatch picks it up.
# close_write is added next to create because create fires on a still-empty file.
/path/to/inotifywait -mrq -e create -e close_write --format '%w%f' /boot /etc /tmp /usr | while IFS= read -r ITEM; do
    /path/to/clamscan --official-db-only=no --no-summary \
        --database=/path/to/rkhunter/signatures/RKH_iptablex.ldb -i "${ITEM}" | while IFS= read -r LINE; do
        logger -t clamscan "IOC_iptablex: ${LINE}"
    done
done
exit 0
A cron job using the same signature:
Code:
#!/bin/bash --
# Scan the usual drop directories with the RKH iptablex signature; hits are logged
# to syslog and mailed. --no-summary keeps the log file empty on a clean run, so the
# -s test below only fires when something matched.
_TMPFILE=$(/bin/mktemp -p /tmp clamscan.XXXXXXXX)
[ -e "${_TMPFILE}" ] && {
    /path/to/clamscan --official-db-only=no --no-summary \
        --database=/path/to/rkhunter/signatures/RKH_iptablex.ldb -i -r /boot /etc /tmp /usr -l "${_TMPFILE}"
    [ -s "${_TMPFILE}" ] && {
        while IFS= read -r LINE; do logger -t clamscan "IOC_iptablex: ${LINE}"; done < "${_TMPFILE}"
        # feed the scan log to mail as the message body
        mail -s "IOC_iptablex: ${_TMPFILE}" some_recipient < "${_TMPFILE}"
    }
}
rm -f "${_TMPFILE}"
exit 0
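As an added example that is not part of the original post, here is a one-shot check for hosts where neither Samhain nor the audit service is available. It reuses the two indicator lists already on this page (the drop paths from the auditctl rules and the process names from the Samhain stanza), checks each path and each running process name via /proc, and prints one IOC_iptablex line per hit. The optional root and /proc prefix arguments, the function names and the --run entry point are assumptions made here so the check can be exercised against a constructed directory tree and dropped into cron; none of them come from the post.

```shell
#!/bin/bash --
# Added example, not from the original post: one-shot check for the IptabLes/IptabLex
# indicators listed above (drop paths from the auditctl rules, process names from the
# Samhain stanza) for hosts without Samhain or auditd. Each function prints one
# "IOC_iptablex: ..." line per hit and returns 1 when anything was found, 0 when clean.

# Known drop paths, taken from the auditctl rules above.
IOC_PATHS="/IptabLes /.IptabLex /boot/.IptabLex /boot/.IptabLes /boot/IptabLes /tmp/IptabLes
/etc/rc.d/init.d/IptabLex /etc/rc.d/init.d/IptabLes /var/lib/update-rc.d/IptabLex
/delallmykkk /usr/.IptabLes /usr/IptabLes"
# Process names, taken from the Samhain ProcessCheckExists entries above.
IOC_PROCS="IptabLex IptabLes flush"

# check_ioc_paths [ROOT]: report indicator files present under ROOT.
# ROOT is an assumed prefix (default: none, i.e. the real filesystem) so the check
# can be run against a constructed directory tree.
check_ioc_paths() {
    local root="${1:-}" p found=0
    for p in ${IOC_PATHS}; do
        if [ -e "${root}${p}" ]; then
            echo "IOC_iptablex: file ${root}${p}"
            found=1
        fi
    done
    return ${found}
}

# check_ioc_procs [PROCDIR]: report running processes whose command name (comm)
# exactly matches an indicator; PROCDIR (default /proc) is an assumed parameter for
# the same testing reason. Exact matching keeps kernel threads such as "flush-8:0" out.
check_ioc_procs() {
    local procdir="${1:-/proc}" d comm n found=0
    for d in "${procdir}"/[0-9]*; do
        [ -r "${d}/comm" ] || continue
        IFS= read -r comm < "${d}/comm"
        for n in ${IOC_PROCS}; do
            if [ "${comm}" = "${n}" ]; then
                echo "IOC_iptablex: process ${comm} pid ${d##*/}"
                found=1
            fi
        done
    done
    return ${found}
}

# Suggested cron usage: "ioc_check.sh --run" sends every hit to syslog tagged
# ioc_check so Logwatch (or equivalent) reports it.
if [ "${1:-}" = "--run" ]; then
    { check_ioc_paths; check_ioc_procs; } | logger -t ioc_check
fi
```

The path list is a static snapshot of where these droppers were seen, so it complements rather than replaces the signature scan above: a renamed binary is missed by the path check but still caught by clamscan with the RKH_iptablex.ldb signature.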