LinuxQuestions.org - Linux - Hardware
Scalper worm, Fedora 7 (https://www.linuxquestions.org/questions/linux-hardware-18/scalper-worm-fedora-7-a-564008/)

svarmido 06-23-2007 03:04 PM

Scalper worm, Fedora 7
 
After a lengthy process of trying to identify the cause of crc error and coincidental "chkrootkit" report that my Clevo laptop was infected with the "scalper" worm, I came to the conclusion that the source of the crc error was incompatible ram. I am still at a loss however, why chkrootkit reported the infection, since the scalper worm affects only BSD and my system is Fedora. The comments below are now for historical reference in case someone else has a similar problem.

Question: How do you get the "scalper" worm written for BSD when you are running Fedora?

Possible answer: Own a laptop computer with a nifty built-in webcam you hope to get working. Google the web looking for programs and drivers to make it possible. Download a program in source code that won't compile without other files required to satisfy dependencies. Go looking for the necessary files and download them from the web. Extract and install. Grab a driver too. Oh, did I fail to say some of the files are BSD .rpms? So what, they are rpms and install without any complaint.

Next time you run "chkrootkit", lo and behold - it reports there is a "scalper" worm installed. Maybe. Or, it may have been something else incorrectly identified as the "scalper".

Consequence? Following the next shut-down the computer will not boot. Attempts to use the rescue disk fail. Don't know what to look for anyway. Using the install disks to attempt an "update" don't work either, even though my objective is to simply update the boot configuration. Doesn't work because there is no kernel update required. Shouldn't be some way to force an update or simply change the boot configuration via the install disks. Maybe there is and I'm revealing my ignorance.

Tried a new install without formatting the "home" and "Keepers" file systems to save files I didn't want to lose. Result? The installation always failed at "post configuration" and installation of "grub". Tried using a "System Rescue" CD (not the Fedora 7 rescue CD) to repair the boot and file allocation tables. Unsuccessful.

Employed a "freedos" CD to delete the Linux partitions (consequently losing my aforementioned files - if I can't use a file recovery program to save them, and if they haven't already been written over). They aren't critical files anyway. Just music and such. Running "freedos" from the CD created a DOS partition, reformatted, installed the sys files and "freedos".

Using the "System Rescue" CD (not the Fedora 7 rescue CD), deleted all data in the F.A.T., installed an empty dos F.A.T. and using the utility saved "freedos" into it.

Finally managed using "freedos" to enable one of the two disks to boot up. Maybe I can get Fedora 7 to install now. Pending. Update to follow.

svarmido

Lesson(s)? Lots of them.

jschiwal 06-23-2007 04:25 PM

The scalper worm is an internet worm that exploits unpatched apache web servers running on BSD. I doubt that it would cause the problems you are seeing now because you are trying to reinstall from read-only media. Unless you have a virus that infects the bios, reformatting and reinstalling will eliminate anything you had before. You may have drive or media problems instead that led you to the wrong conclusion. You might want to post the url of the bsd rpm file that you downloaded so that someone can examine it. Theoretically, if that server was compromised, a hacker might have repackaged an rpm with their own version. It installs binaries after all, but the signature of the rpm will change as a result. So the hacker will also change the signature, but it won't match that from a 3rd party source.

unSpawn 06-23-2007 06:21 PM

Quote:

Next time you run "chkrootkit", lo and behold - it reports there is a "scalper" worm installed. Maybe. Or, it may have been something else incorrectly identified as the "scalper".
Like jschiwal said: most likely Something Else. From chkrootkit-0.47a:
Code:

scalper (){
  SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
  SCALPER_PORT=2001
  OPT=-an
  STATUS=0

  if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
      STATUS=1
  fi
  for i in ${SCALPER_FILES}; do
      if [ -f ${i} ]; then
        STATUS=1
      fi
  done
  if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Scalper Worm installed"
  else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
  fi
}

This shows it'll trip on either a) TCP port 2001 OR b) any files called /tmp/.uua or /tmp/.a . In the case of the TCP port, reliance on static port-to-service mappings (Nmap's services file or /etc/services) isn't infallible. Looking for open files for that PID and interrogating the service should show more info. If you haven't been running a stale version of Apache then I doubt it'd trip on the /tmp files thing. In any case the chance the probs you're experiencing are linked to anything in the Scalper MO is zilch.
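The chkrootkit excerpt above fires on a listener on port 2001 or on the two /tmp dropper files, and unSpawn's point is that a port hit by itself proves nothing until you find the process behind it. The following is an added example, not chkrootkit's code and not anything posted in this thread: it re-implements the same two triggers over /proc/net/tcp data and then maps a flagged socket's inode back to a PID and executable, which is the "look at the open files for that PID" step. The /proc/net/tcp sample embedded below is constructed for the example; the port number and file names are the ones from the chkrootkit function.

```python
"""Added example (not chkrootkit's own code): reproduce the Scalper heuristic
from chkrootkit-0.47a on /proc/net/tcp data, then show which process owns a
flagged socket so a port-2001 hit can be confirmed or dismissed."""
import glob
import os

SCALPER_PORT = 2001                         # from the chkrootkit function above
SCALPER_FILES = ("/tmp/.uua", "/tmp/.a")    # from the chkrootkit function above
TCP_LISTEN = 0x0A                           # socket state value used by /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from any real host).
# Row 0: something listening on 0.0.0.0:2001 (0x07D1) -> chkrootkit would warn.
# Row 1: sshd-style listener on 127.0.0.1:22.  Row 2: an established client socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3F2 0100007F:07D1 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return a list of (local_port, state, inode) tuples, one per socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        local_port = int(parts[1].split(":")[1], 16)   # local_address is hexIP:hexPORT
        state = int(parts[3], 16)
        inode = int(parts[9])
        rows.append((local_port, state, inode))
    return rows


def listening_inodes_on_port(text, port=SCALPER_PORT):
    """Socket inodes in LISTEN state on the given port (what 'netstat -an | grep 0.0:2001' catches)."""
    return [inode for (p, st, inode) in parse_proc_net_tcp(text)
            if p == port and st == TCP_LISTEN]


def scalper_indicators(tcp_text, existing_files):
    """The same two triggers chkrootkit uses, reported separately instead of as one flag."""
    return {
        "port_listener_inodes": listening_inodes_on_port(tcp_text),
        "suspect_files": [f for f in SCALPER_FILES if f in existing_files],
    }


def owner_of_socket_inode(inode):
    """Map a socket inode to (pid, exe) by scanning /proc/<pid>/fd; None if no process owns it."""
    target = f"socket:[{inode}]"
    for fd_dir in glob.glob("/proc/[0-9]*/fd"):
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pid = int(fd_dir.split("/")[2])
                    try:
                        exe = os.readlink(f"/proc/{pid}/exe")
                    except OSError:
                        exe = "?"                # permission denied or kernel thread
                    return pid, exe
        except OSError:
            continue                              # process exited or not readable
    return None


if __name__ == "__main__":
    # Live run: read the real table if this is a Linux host, else fall back to the sample.
    try:
        with open("/proc/net/tcp") as fh:
            tcp_text = fh.read()
    except OSError:
        tcp_text = SAMPLE_PROC_NET_TCP
    present = [f for f in SCALPER_FILES if os.path.exists(f)]
    hits = scalper_indicators(tcp_text, present)
    print("indicators:", hits)
    for inode in hits["port_listener_inodes"]:
        print(f"inode {inode} owned by:", owner_of_socket_inode(inode))
```

Run it as root on the suspect host so /proc/<pid>/fd is readable for every process; a port-2001 listener that resolves to a known, package-owned binary is the "Something Else" case, and a listener whose owner cannot be found or whose executable lives under /tmp is what deserves a closer look.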

svarmido 06-23-2007 09:31 PM

A mere coincidence?
 
chkrootkit reported an installed scalper worm. Then my laptop failed to boot on the next attempt. Subsequent attempts to reinstall Fedora 7 failed at the point where "post-install" and or "grub" install occurred. Once, the new install appeared to have succeeded, but the next boot stopped with nothing appearing but "grub" and a prompt. Accepting there is no correlation between them is hard to do. Unfortunately, deleted partitions and reformatting will make it difficult, but probably not impossible if they have not yet been over-written, to identify suspect files. I feel somewhat responsible to try - but admit a lack of motivation. I downloaded the "spca1" driver. I downloaded a gnome conferencing type program similar to Ekiga that required compilation and had lots of dependencies. "conference?" Every attempt at compilation, after downloading and installing a dependency only mentioned a new missing dependency. All missing dependencies were not mentioned at the same time. See this post: http://www.linuxquestions.org/questi...d.php?t=561014. The only other possible variable is I used the "Smart package manager" to update my system and install additional programs during the session prior to the boot failure.

There were no apparent booting issues or other warnings prior to this.

I use Clamav, rkhunter and chkrootkit regularly. I check logs and messages for possible anomalies regularly.

Thanks for your input.

svarmido

jayjwa 06-24-2007 03:58 AM

Unless Fedora has a program interpreter
/usr/libexec/ld-elf.so.1

this binary was not running. You didn't say the Scalper variant, but I'll assume they use similar dynamic loaders.

Code:

[jayjwa@atr2:~>] f-prot apch1.a -wrap
Virus scanning report  -  24 June 2007 @ 4:22

F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF created 22 June 2007
SIGN2.DEF created 22 June 2007
MACRO.DEF created 22 June 2007

Search: apch1.a
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -WRAP

/home/jayjwa/apch1.a  Infection: Unix/Scalper.C

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
Exit 3
[jayjwa@atr2:~>] readelf -S apch1.a
There are 25 section headers, starting at offset 0xb3d0:

Section Headers:
  [Nr] Name              Type            Addr    Off    Size  ES Flg Lk Inf Al
  [ 0]                  NULL            00000000 000000 000000 00      0  0  0
  [ 1] .interp          PROGBITS        080480f4 0000f4 000019 00  A  0  0  1
  [ 2] .note.ABI-tag    NOTE            08048110 000110 000018 00  A  0  0  4
  [ 3] .hash            HASH            08048128 000128 000248 04  A  4  0  4
  [ 4] .dynsym          DYNSYM          08048370 000370 0004d0 10  A  5  1  4
  [ 5] .dynstr          STRTAB          08048840 000840 00024d 00  A  0  0  1
  [ 6] .rel.plt          REL            08048a90 000a90 000200 08  A  4  8  4
  [ 7] .init            PROGBITS        08048c90 000c90 00000b 00  AX  0  0  4
  [ 8] .plt              PROGBITS        08048c9c 000c9c 000410 04  AX  0  0  4
  [ 9] .text            PROGBITS        080490ac 0010ac 0091f8 00  AX  0  0  4
  [10] .fini            PROGBITS        080522a4 00a2a4 000006 00  AX  0  0  4
  [11] .rodata          PROGBITS        080522c0 00a2c0 000ba0 00  A  0  0 32
  [12] .data            PROGBITS        08053e60 00ae60 000200 00  WA  0  0 32
  [13] .eh_frame        PROGBITS        08054060 00b060 000004 00  WA  0  0  4
  [14] .ctors            PROGBITS        08054064 00b064 000008 00  WA  0  0  4
  [15] .dtors            PROGBITS        0805406c 00b06c 000008 00  WA  0  0  4
  [16] .got              PROGBITS        08054074 00b074 00010c 04  WA  0  0  4
  [17] .dynamic          DYNAMIC        08054180 00b180 000070 08  WA  5  0  4
  [18] .sbss            PROGBITS        080541f0 00b200 000000 00  W  0  0  1
  [19] .bss              NOBITS          08054200 00b200 0044d8 00  WA  0  0 32
  [20] .comment          PROGBITS        00000000 00b200 0000c8 00      0  0  1
  [21] .note            NOTE            00000000 00b2c8 000050 00      0  0  1
  [22] .shstrtab        STRTAB          00000000 00b318 0000b5 00      0  0  1
  [23] .symtab          SYMTAB          00000000 00b7b8 000c40 10    24  51  4
  [24] .strtab          STRTAB          00000000 00c3f8 0005b2 00      0  0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
[jayjwa@atr2:~>] objdump -s -j .interp apch1.a

apch1.a:    file format elf32-i386-freebsd

Contents of section .interp:
 80480f4 2f757372 2f6c6962 65786563 2f6c642d  /usr/libexec/ld-
 8048104 656c662e 736f2e31 00                elf.so.1.

Besides this, chkrootkit is known to have frequent false-positives. This variant also opens a "/bin/.log" file (or is coded to).

Some interesting strings:

Code:

/bin/.log
Invalid instance or socket
Operation Success
Unable to resolve
Unable to connect
Unable to create socket
Unable to bind socket
Port is in use
Operation pending
Unknown
webmaster@mydomain.com
.hlp
.gov
find / -type f
/proc
/dev
/bin
http://
Cookie2: $Version="1"
Cookie: %s
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
GET /%s HTTP/1.0
Host: %s
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14
HTTP
Set-Cookie
Location
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
GET / HTTP/1.1
Server:
/tmp/.a
begin 655 .a
Apache
POST / HTTP/1.1
Host: Unknown
Transfer-Encoding: chunked
rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
__eof__
/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;
12.127.17.71
%c%s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
DATA
QUIT
Return-Path: <%c%c%c%c%c%c%c@aol.com>
From: %s
Message-ID: <%x.%x.%x@aol.com>
Date: %s
Subject: %s
To: %s
Mime-Version: 1.0
Content-Type: text/html
/dev/null
%s <base 1> [base 2] ...
Error: %s
Insufficient memory
%d.%d.%d.%d
Unknown 24-06-2002 APC
Unable to execute command
127.0.0.1
Unable to connect to host
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
/tmp/tmp
Unable to open temporary file for writing
Error communicating with website
Timed out while receiving data
UNKNOWN-CHECKSUM-SUCCESSFUL
Checksum for data failed
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
/bin/sh
Size must be less than or equal to 9216
Cannot packet local networks
Udp flooding target
Tcp flooding target
Sending packets to target
Dns flooding target
Invalid IP
----FROM----
----SUBJECT----
----DATA----
----EMAILS----


Quote:

Finally managed using "freedos" to enable one of the two disks to boot up. Maybe I can get Fedora 7 to install now. Pending. Update to follow.
Your boot troubles are possibly one or more of the following:
  • Partition table setup wrong; possibly not marked bootable. Freedos probably does this itself, which would explain its success.
  • You didn't write a bootable kernel and/or boot loader to the disk you wanted to boot.
  • The boot loader's config was wrong.
  • The kernel you wanted to boot the new system off of lacked the compiled-in drivers needed to access the disks and such. Install kernels usually have everything but the kitchen sink compiled in, while the actual kernel you'd use to be the system kernel might lack these drivers.

In any case, it sounds a lot like my first Linux installs, when I didn't fully grasp the lay-out Linux needed.
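jayjwa's argument rests on two fields that readelf and objdump exposed above: the ELF OS ABI (the file format shows as elf32-i386-freebsd) and the PT_INTERP path /usr/libexec/ld-elf.so.1, a loader Fedora does not ship, so the kernel could never have executed the binary. The following is an added example, not code from this thread and not part of any tool mentioned in it: it reads those two fields directly from an ELF file (32- or 64-bit) and checks whether the named loader exists on the host. Because no sample of the binary can be included here, the block builds a constructed, non-runnable ELF header fixture with the same interpreter string and the FreeBSD OS ABI value (9) to exercise the parser; the helper and fixture names are this example's own.

```python
"""Added example (not from the thread): read an ELF file's OS ABI byte and
PT_INTERP path, the two fields that identify a FreeBSD binary on a Linux host,
and check whether the named dynamic loader exists locally."""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3
# Subset of the EI_OSABI values from the ELF specification.
OSABI_NAMES = {0: "UNIX - System V", 3: "GNU/Linux", 9: "FreeBSD"}


def elf_interp_info(data: bytes):
    """Return {'class', 'osabi', 'interp'} parsed from raw ELF bytes (32- or 64-bit, either endianness)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, osabi = data[4], data[5], data[7]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                                   # ELF32
        hdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", data[:52])
        ph_fmt = endian + "IIIIIIII"                    # type, offset, vaddr, paddr, filesz, memsz, flags, align
        off_idx, size_idx = 1, 4
    elif ei_class == 2:                                 # ELF64
        hdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", data[:64])
        ph_fmt = endian + "IIQQQQQQ"                    # type, flags, offset, vaddr, paddr, filesz, memsz, align
        off_idx, size_idx = 2, 5
    else:
        raise ValueError(f"unknown ELF class {ei_class}")
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    interp = None
    for i in range(e_phnum):                            # walk the program headers for PT_INTERP
        start = e_phoff + i * e_phentsize
        ph = struct.unpack(ph_fmt, data[start:start + struct.calcsize(ph_fmt)])
        if ph[0] == PT_INTERP:
            raw = data[ph[off_idx]:ph[off_idx] + ph[size_idx]]
            interp = raw.split(b"\0", 1)[0].decode()    # NUL-terminated path string
            break
    return {"class": ei_class * 32,
            "osabi": OSABI_NAMES.get(osabi, f"unknown({osabi})"),
            "interp": interp}


def loader_present(info):
    """True if the interpreter the binary names exists on this host; a static binary has none."""
    return info["interp"] is not None and os.path.exists(info["interp"])


def build_minimal_elf32(interp: str, osabi: int) -> bytes:
    """Constructed fixture: ELF32 i386 header plus one PT_INTERP segment. Not a runnable program."""
    interp_bytes = interp.encode() + b"\0"
    ehsize, phentsize = 52, 32
    ident = ELF_MAGIC + bytes([1, 1, 1, osabi, 0]) + b"\0" * 7   # class=32, LE, version, OSABI, ABI version, pad
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident,
                       2, 3, 1, 0,            # e_type=EXEC, e_machine=i386, e_version, e_entry
                       ehsize, 0, 0,          # e_phoff, e_shoff, e_flags
                       ehsize, phentsize, 1,  # e_ehsize, e_phentsize, e_phnum
                       40, 0, 0)              # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_INTERP, ehsize + phentsize, 0, 0,
                       len(interp_bytes), len(interp_bytes), 4, 1)
    return ehdr + phdr + interp_bytes


if __name__ == "__main__":
    # Usage: python elf_interp.py <file>; defaults to the constructed FreeBSD-style fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            info = elf_interp_info(fh.read())
    else:
        info = elf_interp_info(build_minimal_elf32("/usr/libexec/ld-elf.so.1", 9))
    print(info, "loader present on this host:", loader_present(info))
```

Note that many Linux binaries carry OS ABI 0 ("UNIX - System V") rather than 3, so the interpreter path is the more reliable of the two fields; a foreign loader path that does not exist on the host is the same conclusion jayjwa drew from the .interp dump.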

v00d00101 06-24-2007 06:29 AM

If all else fails, zero the drive and start again.

I doubt you have contracted a boot sector virus. It's more likely you have misconfigured something, or your hard drive was on its way out to start with. Either is fixable with time and a little new knowledge.

svarmido 06-25-2007 03:50 PM

crc error
 
Update:

The computer is a D9T, a.k.a. D900T, marketed by several different vendors. Will accommodate two sata drives.

A clarification is in order. After noticing the report by "chkrootkit" that a scalper worm was installed and shutting down my system - my attempt to reboot was not a total failure. I received a message at the time, the only part of which I recalled was *****system halted*****.

Subsequently, after fresh re-installs (only one in the computer at a time), neither of two sata drives, one 80 gig and the other 100 gig, would boot beyond this message: "crc error *****system halted*****". I grabbed my HPze4805us to search the net for other instances where this has occurred. 99.99% of them were associated with issues related to Linux installations. I didn't even use Linux or anything related to Linux in my search terms. Tired, defective disks? Overheating? Incompatible memory? One possibility mentioned is a defective .iso image used for installation. Other discussions were about the kernel and boot configurations - Grub and Lilo.

My install went well using an apparently good .iso image and install disk before this happened; and, since there were no changes (I am aware of) to either disk after the original installation - the installation disk and original partition plan are improbable sources for the problem.

Memory? I recently installed 1X2 gigs of Kingston DDR2 ram. There were no immediate problems I can attribute to the ram upgrade.

I removed both upgrade modules and the crc error issue remained. I did not yet try after removing the remaining 512mb module...

Overheating should not be an issue for a computer just turned on and booted...

So, I believe there are only three remaining issues to consider (an over simplification or unjustified optimism?). The just completed update using the smart package manager; other files downloaded, compiled or installed (rpms).

Then there is the chkrootkit thing. While attempting repairs to the F.A.T. using the System Rescue Program (not the rescue program included with the install disk), there was a report that the disk - 100GB showed only 93GB. Recommendation was to check jumpers, etc.... What jumpers? Besides, at that point I had only removed Freedos from the F.A.T. and not yet reformatted and repartitioned the drive.

Would it be unreasonable to suspect a virus or worm has managed to affect both hard drives - and remains installed somewhere on both, consuming disk space?

I wiped the 100GB drive using "shred" before re-installing Fedora 7. This did not resolve the crc error.

One last bit of information. After wiping the drive, I kept the home partition from the last install hoping to save files I prefer not to lose. Consequently, there was some unused space remaining between the boot and home partitions. My plan was to resize the home partition or simply do a new install after having copied the files to a CD. Must the partitions be entirely contiguous?

My bad?

The worst possibility is that the original cause has been compounded by subsequent attempts at resolving the problem.

Ideas and recommendations are welcome.

svarmido

TigerOC 06-25-2007 04:27 PM

Download the disk manufacturer's diagnostic disks. They will boot independently of an os and run diagnostics on the drives. It would seem unlikely that both disks would fail simultaneously but you never know. It is also possible that the hard drive controller on the motherboard is faulty or the sata cable is faulty (swap out the cable(s) with new ones). These kinds of faults give rise to the disks being incorrectly formatted and the file system would also be corrupt and therefore be non-accessible.

svarmido 06-28-2007 12:30 PM

more information
 
Thanks.

I'll fetch the manufacturer's drive diagnostic tool and report the results later.

Over the last couple of days I have experienced the same problem trying to install Fedora Core 6, Gentoo from a live CD or Fedora 7. The install either stops at the post install configuration, or if I was lucky enough to get grub installed - still received the crc error, system halted.

Output was:

"sb_read failed reading block 0x79b
unable to read page, block 1e1b3c, size 545f
SQUASHFS error:zlib_inflate returned unexpected result 0xffffffffd, src length 65536, avail_in 0, avail_out 2"

Other errors of this type vary in their output but are of the same type.

Install media checks out o.k. Anyway, would you receive a crc error, system halted message if a cdrom/dvd drive was failing? I doubt it.

svarmido

svarmido 07-14-2007 06:26 PM

Moving over to Software/Hardware Forums....
 
Moving over to Hardware and Software threads. I no longer consider this a security issue - which isn't to say the bios has not been affected by something I downloaded. Much else has been ruled out.

svarmido

Crito 07-15-2007 09:04 AM

Quote:

Originally Posted by svarmido
Memory? I recently installed 1X2 gigs of Kingston DDR2 ram. There were no immediate problems I can attribute to the ram upgrade.

I removed both upgrade modules and the crc error issue remained. I did not yet try after removing the remaining 512mb module...

It's a process of elimination and thus far you haven't actually eliminated anything. Test all the memory with a LiveCD like Ultimate Boot or System Rescue. Then and only then can you declare "that's not it" and move on to the next possibility.

unSpawn 07-15-2007 11:36 AM

Moved: This thread (by now) is more suitable in the Hardware forum and has been moved accordingly to help your thread/question get the exposure it deserves.
