Old 11-14-2003, 11:31 PM   #1
osso09
RH 7.3 Server infected with Linux.Jac.8759 and Linux.RST.B virus


I am a student at a university who has inherited the duties of administering a small web application (LAMP) server at my job. While working with SSH I noticed that many commands (ls, mkdir, pwd) stopped working, producing the message "Segmentation Error". After some research and file size comparisons with our test server, I realized that we were infected with the Linux.Jac.8759 virus. All infected files were increased in size by 8759 bytes. Shortly after, the test server became infected as well.

Problem: Nearly all files in "/bin" and "/usr/bin" have been infected. This makes it extremely difficult to navigate and perform simple tasks.

What I've done since: I have tried to clean the files by sharing them through Samba and using Symantec Anti-Virus (Windows). Not very effective. However, it did find the Linux.RST.B virus. I have also tried a cleaner that I found on the internet called vaccine.c. Also ineffective. I forced an install of fileutils, which allowed me to navigate through the shell again. Since I couldn't repair the files I decided to delete them (they are useless now anyway). That is where I stand now.

So I need some help. The last thing I want to do is reformat and start over. The person who wrote the web application used a lot of shortcuts. If I start over I'm afraid that I will never get it running again. I'm kind of stuck now. Is there any way to repair or replace these files? Any help would be greatly appreciated!!
 
Old 11-15-2003, 02:43 AM   #2
chort
After a compromise that alters system integrity you should always wipe clean and reinstall. There's no way to tell how extensive the damage is.
 
Old 11-15-2003, 07:20 AM   #3
pablob
Agree with Chort. Still, you can use McAfee (Network Associates) VirusScan for Linux.
 
Old 11-15-2003, 11:01 AM   #4
nightjar
RAV antivirus is also good for Linux.
 
Old 11-16-2003, 10:35 PM   #5
osso09
Original Poster
Our IT Department suggested Sophos AntiVirus. Does anyone have any experience with this product? I see that no one has mentioned it yet....
 
Old 11-16-2003, 11:21 PM   #6
tletlup
Back up the Web, format all the rest... don't forget the database of MySQL or any other one on it.

Never again use root to make any change that is not really, really necessary.

Especially because Linux.RST.B is a trojan, not really a virus; it MUST be run so it can start working. If run by a user, not much problem, it stays in the machine... if run by root... well, it creates a backdoor.... you imagine the rest.

That is the main problem with Windows... the users are always root; once inside the computer, that virus will munch and spit you out.

Under Linux it is a more difficult task.

I do recommend Sophos too.
 
Old 11-17-2003, 08:52 AM   #7
unSpawn
Quote:
Our IT Department suggested Sophos AntiVirus. Does anyone have any experience with this product? I see that no one has mentioned it yet...

With all due respect, looking at the way you initially handled recon, you don't know enough about Linux to be able to properly "clean" the box. That would be a fallacy.

Like Chort already suggested, you should be focusing on doing a reinstall. Before you do a reinstall I hope you 1. warned the IT dept and anyone who used the box so they can test theirs (since you don't know the infection's point of entry) and 2. invalidated any backups made for this box (since you probably don't have the means to verify integrity anyway).
 
Old 11-17-2003, 10:04 AM   #8
osso09
Original Poster
Obviously if I knew a lot about Linux I wouldn't be here. The fact is that I am really just a web designer. The university (my department actually) doesn't have enough money to hire a bunch of students for all of the duties that go along with this system. They hire a programmer, and just assume he/she knows how to properly administer the server. For people who don't know anything about computers, it seems like a reasonable assumption. That is why I'm in this position today.

From most of your posts, I've come to realize that the only thing for me to do is to backup what I can and reformat. As for my question about Sophos, I wasn't thinking about using it to "clean" the machine as you say (since I obviously lack the capacity). I should have made it more clear that I plan to install antivirus software after the clean install. I'm just looking for some suggestions/comments.

Thanks for all your help so far. Any other opinions on antivirus software would be greatly appreciated.
 
Old 11-17-2003, 10:41 AM   #9
unSpawn
Quote:
Obviously if I knew a lot about linux I wouldn't be here.

I should make it clear I didn't intend to belittle you or question your level of knowledge.
What I care for and am concerned with in these types of cases is people doing what they think would be "the right thing", which would either 1. not correct the situation in a "proper" way, 2. continue to pose a threat to the (local|inter)network or, even worse, 3. continue operating a clearly malfunctioning box by "patching up". In general (so it may not apply to your case) when what people post looks like dodging responsibilities, stalling or losing focus I try to "correct" their POV.


Quote:
That is why I'm in this position today.

And I assure you we'll do anything in our power to help you.


Quote:
I've come to realize that the only thing for me to do is to backup what I can and reformat.

Yes. Don't back up binaries. Since this is an infected (thus "untrusted") box, make sure backups don't mix with any other. Clearly mark them as "suspect", and move to a safe place. When the time comes to restore configs and data, restore to a safe place, and inspect each config manually.


Quote:
I should have made it more clear that I plan to install antivirus software after the clean install. I'm just looking for some suggestions/comments.

From the LQ FAQ: Security references, post #3 "Viruses on Linux/GNU, Antivirus software":

"Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code, and of those only Sendmail and OpenSSH were at main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noted soon, the real problem is you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs or III. have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means to end users any SW provided w/o means to verify integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.


As for the "virus" thingie I wish we, as a Linux community, try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACLs (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.

*If you're still not satisfied you've covered it all you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, McAfee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, SpamAssassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig DBs very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): McAfee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.

Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW,
NIST (list of AV vendors),
Clam."


HTH somehow.
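As an added example (not from this thread or from any of the tools it names), the file-size comparison the original poster did by hand, turned into a baseline-versus-suspect integrity check of the kind that package-manager or Aide verification automates; the directory names, the sample "binaries", the extra file and the 8759-byte growth are constructed for the demo, and a real baseline would be taken from known-good media before the box is trusted:

```python
import hashlib
import tempfile
from pathlib import Path

JAC_GROWTH = 8759  # size growth the thread reports for binaries infected by Linux.Jac.8759

def sha256_of(path):
    digest = hashlib.sha256()  # hash in chunks so large binaries need not fit in memory
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, sha256) for every regular file under root (a Path)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, sha256_of(path))
    return manifest

def compare_manifests(baseline, current):
    """Return relative path -> finding for every file that deviates from the trusted baseline."""
    findings = {}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest == digest:
            continue  # identical content, nothing to report
        delta = cur_size - size
        note = ", matches the Jac.8759 growth" if delta == JAC_GROWTH else ""
        findings[rel] = f"modified ({delta:+d} bytes{note})"
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = "unexpected new file"
    return findings

def demo():
    """Constructed sample: a trusted tree and a suspect copy in which 'ls' grew by 8759 bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good", "bin"), Path(tmp, "bad", "bin")
        for d in (good, bad):
            d.mkdir(parents=True)
        for name, body in (("ls", b"\x7fELF ls sample"), ("pwd", b"\x7fELF pwd sample")):
            (good / name).write_bytes(body)
            (bad / name).write_bytes(body)
        (bad / "ls").write_bytes(b"\x7fELF ls sample" + b"\x00" * JAC_GROWTH)  # constructed infected copy
        (bad / "extra").write_bytes(b"constructed file absent from baseline")
        return compare_manifests(build_manifest(good.parent), build_manifest(bad.parent))
```

Any hash mismatch is a finding on its own; the size note only tells you whether the growth is the one this thread describes, and the manifest of the trusted tree should be stored off the suspect box.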
 
Old 11-17-2003, 11:35 PM   #10
osso09
Original Poster
The machine has been disconnected. We start the rebuilding process in about 7 hrs. I thank you all for your responses and unSpawn, for your patience. Wish me luck!
 
Old 11-17-2003, 11:37 PM   #11
unSpawn
Hmm.. I think luck hasn't got anything to do with it...
Anyway, good luck!
 