LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-02-2014, 03:25 PM   #31
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 874

Quote:
Originally Posted by swizzchard
disclaimer - linux newb

I also got hit by this on a personal server I run CentOS 6.5 on. What can I do to resolve? Rebuild my only option?

Is the vulnerability patched?

Rebuild and re-deploy, repair is not an option. Anything that gains root access can change anything on your system, like swapping out your *bin/*apps* for custom versions that do other things while still doing much of the expected things.
 
Old 09-17-2014, 03:56 PM   #32
shevegen
Member
 
Registered: May 2004
Distribution: Slackware / GoboLinux / LFS / VoidLinux
Posts: 145

Rep: Reputation: 26
I was recently hit by this or a variation.

I noticed that because my computer was suddenly lagging.

I started htop and noticed weird files that were run. For instance, the name was:

/etc/gfhjrtfyhuf

But that confused me, because binaries normally are never in /etc.

When I tried to kill it, a new process spawned up with another random name.

At this point I suddenly realized that this was most likely an attack.

I did some investigation and also found this forum here.

Now - for anyone who is curious. I got this problem after I compiled vpnc for Slackware. Perhaps this one is also compromised, I do not know, but those things started to happen right after I compiled vpnc.

I looked into /usr/bin and noticed that lsof was recently changed. I suspect this must be a new binary and not the original.

Another directory was created, in particular /usr/bin/bsd-port

As I run Linux, this is a weird name.

Inside there I found the program called agetty which was also running in htop.

Also, many new files were created in /etc/cron* and /tmp.

That's how I discovered that.
lsof

Also a directory called /usr/bin/dpkgd was created.

I removed all of this and changed my password too.

Perhaps others may find out more information - the binary size was about 1.6 MB and unless I misremember stored itself in at least two locations.
 
Old 09-17-2014, 04:56 PM   #33
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600

Quote:
Originally Posted by shevegen
(..) I got this problem after I compiled vpnc for slackware. Perhaps this one is also compromised, I do not know,

I am really sorry your machine got compromised but without knowing the security posture of your machine, without any tangible auditing information it just doesn't do to blame an(y) external cause. Instead investigate.

Quote:
Originally Posted by shevegen
I removed all of this and changed my password too.

We're talking about a root compromise so any attempt at "fixing things" by "cleaning up" is nice but it's wrong.

Quote:
Originally Posted by shevegen
Perhaps others may find out more information - the binary size was about 1.6 MB and unless I misremember stored itself in at least two locations.

A lot of people already did. See for example links in https://www.linuxquestions.org/quest...ptables-36083/.
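The indicators shevegen listed (an ELF binary sitting in /etc, a recently changed lsof, a new /usr/bin/bsd-port/agetty, fresh files under /etc/cron* and /tmp) are exactly the kind of "tangible auditing information" unSpawn asks for. The script below is an added example written for this thread, not code from either poster or from any tool mentioned; it builds a constructed directory tree, records a hash baseline of the clean state, applies tampering modelled on the symptoms in the thread, and reports what an audit would flag. The file names and contents in the sample tree are constructed for the demo; the function and parameter names are assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Sample files in this example are constructed; the paths mirror the indicators
# the poster listed (an ELF in /etc, a changed lsof, a new /usr/bin/bsd-port/agetty,
# new cron entries). Function names here are the example's own, not any tool's API.

ELF_MAGIC = b"\x7fELF"


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    """True if the file starts with the ELF magic bytes (i.e. it is a native executable)."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def build_baseline(root, dirs=("usr/bin",)):
    """Hash every regular file under the watched dirs, keyed by path relative to root.
    On a real host the manifest must come from trusted media (package database or an
    install-time hash list kept off-box), never from the suspect system itself."""
    root = Path(root)
    baseline = {}
    for d in dirs:
        for p in (root / d).rglob("*"):
            if p.is_file():
                baseline[str(p.relative_to(root))] = sha256_of(p)
    return baseline


def audit(root, baseline, no_exec_dirs=("etc", "tmp"), watched_dirs=("usr/bin",)):
    """Return findings grouped by indicator type, each list sorted for stable output."""
    root = Path(root)
    findings = {"elf_in_config_dirs": [], "modified": [], "unexpected_new": [], "cron_entries": []}
    # 1. Executables in directories where no package installs binaries (/etc, /tmp).
    for d in no_exec_dirs:
        base = root / d
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file() and is_elf(p):
                    findings["elf_in_config_dirs"].append(str(p.relative_to(root)))
    # 2. Watched binaries whose hash changed, or which were absent from the baseline.
    for d in watched_dirs:
        for p in (root / d).rglob("*"):
            if not p.is_file():
                continue
            rel = str(p.relative_to(root))
            if rel not in baseline:
                findings["unexpected_new"].append(rel)
            elif sha256_of(p) != baseline[rel]:
                findings["modified"].append(rel)
    # 3. Every file under /etc/cron*, which the poster saw filling with new entries.
    for crondir in (root / "etc").glob("cron*"):
        for p in crondir.rglob("*"):
            if p.is_file():
                findings["cron_entries"].append(str(p.relative_to(root)))
    return {k: sorted(v) for k, v in findings.items()}


def _write(root, rel, data):
    """Create a file (and parents) below root with the given bytes."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def run_demo():
    """Build a constructed tree, baseline the clean state, tamper with it, and audit it."""
    with tempfile.TemporaryDirectory() as root:
        # Clean state (constructed): two legitimate binaries, empty /etc and /tmp.
        _write(root, "usr/bin/lsof", ELF_MAGIC + b"original lsof")
        _write(root, "usr/bin/ls", ELF_MAGIC + b"original ls")
        (Path(root) / "etc").mkdir()
        (Path(root) / "tmp").mkdir()
        baseline = build_baseline(root)
        # Tampered state (constructed), modelled on the symptoms reported in the thread.
        _write(root, "usr/bin/lsof", ELF_MAGIC + b"replacement lsof")
        _write(root, "usr/bin/bsd-port/agetty", ELF_MAGIC + b"dropped binary")
        _write(root, "etc/gfhjrtfyhuf", ELF_MAGIC + b"dropped binary")
        _write(root, "tmp/.x", ELF_MAGIC + b"dropped binary")
        _write(root, "etc/cron.hourly/task", b"#!/bin/sh\n")
        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

The design point follows Shadow_7's reply: once root is lost, ps, lsof and find on the box may themselves be the replaced copies, so the audit is only meaningful when the filesystem is mounted from rescue media and the baseline hashes come from somewhere the intruder could not reach. Its output is evidence for the investigation unSpawn asks for, not a cleanup step; the rebuild still follows.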