Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I also got hit by this on a personal server I run CentOS 6.5 on. What can I do to resolve? Rebuild my only option?
Is the vulnerability patched?
Rebuild and re-deploy, repair is not an option. Anything that gains root access can change anything on your system. Like swapping out your *bin/*apps* for custom versions that do other things, while still doing much of the expected things.
I noticed that because my computer was suddenly lagging. I started htop and noticed weird files that were run. For instance, the name was:
/etc/gfhjrtfyhuf
But that confused me, because binaries normally are never in /etc. When I tried to kill it, a new process spawned up, with another random name. At this point I suddenly realized that this was most likely an attack. I did some investigation and also found this forum here.

Now - for anyone who is curious. I got this problem after I compiled vpnc for Slackware. Perhaps this one is also compromised, I do not know, but those things started to happen right after I compiled vpnc.

I looked into /usr/bin and noticed that lsof was recently changed. I suspect this must be a new binary and not the original. Another directory was created, in particular
/usr/bin/bsd-port
As I run Linux, this is a weird name. Inside there I found the program called agetty which was also running in htop. Also, many new files were created in /etc/cron* and /tmp. That's how I discovered that.
lsof
Also a directory called /usr/bin/dpkgd was created. I removed all of this and changed my password too.

Perhaps others may find out more information - the binary size was about 1.6 MB and unless I misremember stored itself in at least two locations.
Quote:
Originally Posted by shevegen
(..) I got this problem after I compiled vpnc for Slackware. Perhaps this one is also compromised, I do not know,
I am really sorry your machine got compromised but without knowing the security posture of your machine, without any tangible auditing information it just doesn't do to blame an(y) external cause. Instead investigate.

Quote:
Originally Posted by shevegen
I removed all of this and changed my password too.
We're talking about a root compromise so any attempt at "fixing things" by "cleaning up" is nice but it's wrong.

Quote:
Originally Posted by shevegen
Perhaps others may find out more information - the binary size was about 1.6 MB and unless I misremember stored itself in at least two locations.
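The indicators shevegen listed (an executable dropped in /etc, lsof replaced recently, odd subdirectories such as bsd-port and dpkgd under /usr/bin, fresh entries under /etc/cron*, and the same ~1.6 MB binary stored in more than one place) are the kind of thing unSpawn means by tangible auditing information. The following is an added triage example written for this thread; it is not code from any poster or from any project. It assumes the inventory is taken from a disk image or a mount of the compromised filesystem on a clean machine (the live host's tools, lsof included, cannot be trusted after a root compromise), and the /etc allowlist, the 7-day window, the placeholder cron file name and all sample records are constructed for illustration.

```python
"""Triage helper (added example, not code from the thread): cross-check a
filesystem inventory against the indicators reported in the discussion.
The allowlist, the time window and SAMPLE_RECORDS are assumptions/constructed."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
# Prefixes under /etc where executable files are normal (assumed list; review
# and extend it for your distribution before trusting a "clean" result).
ETC_EXEC_OK = ("/etc/rc.d/", "/etc/rc.", "/etc/init.d/", "/etc/cron",
               "/etc/profile.d/", "/etc/X11/")


@dataclass(frozen=True)
class FileRecord:
    path: str     # path as it appears on the audited system (not the mount point)
    mode: int     # st_mode: file type plus permission bits
    mtime: float  # modification time, seconds since the epoch
    size: int     # size in bytes


def _is_exec_file(rec: FileRecord) -> bool:
    return stat.S_ISREG(rec.mode) and bool(rec.mode & 0o111)


def _under(path: str, dirs: Iterable[str]) -> bool:
    return any(path.startswith(d.rstrip("/") + "/") for d in dirs)


def triage(records: Iterable[FileRecord], now: float, window_days: int = 7) -> List[Tuple[str, str]]:
    """Return (path, reason) for every record matching one of the thread's indicators."""
    cutoff = now - window_days * 86400
    findings: List[Tuple[str, str]] = []
    for rec in records:
        # New cron entries (checked first: cron scripts are legitimately executable).
        if rec.path.startswith("/etc/cron") and stat.S_ISREG(rec.mode) and rec.mtime >= cutoff:
            findings.append((rec.path, "cron entry written within the last %d days" % window_days))
        # Executable regular files under /etc outside the known-normal locations.
        elif rec.path.startswith("/etc/") and _is_exec_file(rec) \
                and not any(rec.path.startswith(p) for p in ETC_EXEC_OK):
            findings.append((rec.path, "executable regular file under /etc"))
        # Subdirectories directly inside a system bin directory (bsd-port, dpkgd).
        elif stat.S_ISDIR(rec.mode) and os.path.dirname(rec.path) in BIN_DIRS:
            findings.append((rec.path, "unexpected subdirectory inside a system bin directory"))
        # System binaries (including anything nested below them) changed recently.
        elif _is_exec_file(rec) and _under(rec.path, BIN_DIRS) and rec.mtime >= cutoff:
            findings.append((rec.path, "system binary modified within the last %d days" % window_days))
    return findings


def same_size_executables(records: Iterable[FileRecord]) -> Dict[int, List[str]]:
    """Executables sharing an exact byte size: a weak proxy for "the same binary
    stored in several locations". Hash the file contents to confirm a match."""
    by_size: Dict[int, List[str]] = {}
    for rec in records:
        if _is_exec_file(rec):
            by_size.setdefault(rec.size, []).append(rec.path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def collect_records(root: str, top_dirs: Iterable[str] = ("/etc",) + BIN_DIRS) -> List[FileRecord]:
    """Walk selected directories below `root` (e.g. a mounted image at /mnt/victim)
    and express each path relative to that root so it compares against BIN_DIRS."""
    out: List[FileRecord] = []
    for top in top_dirs:
        base = os.path.join(root, top.lstrip("/"))
        for dirpath, dirnames, filenames in os.walk(base):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):  # symlinks are reported by their target
                    continue
                out.append(FileRecord("/" + os.path.relpath(full, root), st.st_mode, st.st_mtime, st.st_size))
    return out


# Constructed sample inventory mirroring the thread's observations; timestamps
# are relative to a constructed reference time, not real data from any host.
SAMPLE_NOW = 1_400_000_000.0
_DAY = 86400
REG_X, REG, DIR = stat.S_IFREG | 0o755, stat.S_IFREG | 0o644, stat.S_IFDIR | 0o755
SAMPLE_RECORDS = [
    FileRecord("/etc/gfhjrtfyhuf", REG_X, SAMPLE_NOW - 1 * _DAY, 1_600_000),
    FileRecord("/etc/passwd", REG, SAMPLE_NOW - 200 * _DAY, 2048),
    FileRecord("/etc/rc.d/rc.local", REG_X, SAMPLE_NOW - 300 * _DAY, 400),
    FileRecord("/etc/cron.hourly/new-entry", REG_X, SAMPLE_NOW - 1 * _DAY, 300),  # placeholder name
    FileRecord("/etc/cron.daily/logrotate", REG_X, SAMPLE_NOW - 300 * _DAY, 200),
    FileRecord("/usr/bin/lsof", REG_X, SAMPLE_NOW - 2 * _DAY, 1_600_000),
    FileRecord("/usr/bin/ls", REG_X, SAMPLE_NOW - 300 * _DAY, 110_000),
    FileRecord("/usr/bin/bsd-port", DIR, SAMPLE_NOW - 2 * _DAY, 4096),
    FileRecord("/usr/bin/bsd-port/agetty", REG_X, SAMPLE_NOW - 2 * _DAY, 1_600_000),
    FileRecord("/usr/bin/dpkgd", DIR, SAMPLE_NOW - 2 * _DAY, 4096),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"{path}: {reason}")
    for size, paths in same_size_executables(SAMPLE_RECORDS).items():
        print(f"{size} bytes shared by: {', '.join(paths)}")
```

Run against a real image with `triage(collect_records("/mnt/victim"), time.time())`; the output is evidence for the timeline, not a cleanup list, since the conclusion in this thread still stands: a root compromise is resolved by rebuilding and redeploying from known-good media. On an RPM-based system such as CentOS, `rpm -Va` gives a second, package-database-backed view of which installed files changed, provided rpm and its database are read from a trusted copy rather than the compromised host.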