LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-17-2005, 04:39 PM   #1
Jim Miller
Member
 
Registered: Sep 2001
Posts: 35
_files directory weirdness / possible Lupper infection?


A bit of weirdness showed up on one of my machines, and I'm hoping that someone out there might have some insights:

Two days ago I was upgrading a machine from Fedora Core 2 to Fedora Core 4. Things went more or less well until today when I noticed a directory, /root/_files, that I didn't put there... It contains thirty files, all but one of which look like this:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /wp-images/smilies/icon_smile.gif was not found on this server.</p>
<hr>
<address>Apache/2.0.53 (Fedora) Server at www.ro0t.com Port 80</address>
</body></html>

(this one is named "icon_smile" in the directory). Some of the files describe the requested URL as being, e.g., /~jasonw/images/birthday.gif; "jasonw" means nothing to me. The one file that's not like this is a saved webpage from io2technology.com, which probably has nothing to do with anything. Googling the file names reveals that many refer to rather uninteresting bits of porn; together, the files look like a typical script kiddie collection. Ick. (But note that the files themselves aren't there; just these 404-type pages.)

So, now the question becomes where these came from. Possibly-relevant bits of information include:

* The files in question all have ownership of root/root.
* My concern about lupper comes from the fact that I did have awstats 6.1 on the machine (yes, shame on me; it has since been updated). However, the awstats.pl file had been behind an Apache authorization, so random attempts by a lupper worm to access awstats should fail.
* In fact, while there are lots of entries in my server log files showing >>attempts<< to get in with lupper (URLs with attempts to cd into /tmp and so on), none of them returned anything other than 404 or 401.
* I don't have WordPress or any of the other problematic Lupper-related applications on this machine.
* There's no evidence of the usual telltale signs of lupper -- nothing inappropriate in /tmp.
* The timestamp on all the files is Nov 15 at 12:41, which was just about the time that I was doing the upgrade. Perhaps somebody slipped in during an incomplete part of the update?
* There are no unexpected entries in /etc/passwd or /etc/shadow.

I have since locked up ports 7111 and 7222 with iptables, but I'm still a little creeped out. Aside from keeping a close eye on this, does anyone have any recommendations for what to do here?

Thanks,
Jim Miller
 
Old 11-17-2005, 06:17 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55
* My concern about lupper comes from the fact that I did have awstats 6.1 on the machine (yes, shame on me
How long did you run the vulnerable stuff? What other services were running as publicly accessible at the time?


* In fact, while there are lots of entries in my server log files showing >>attempts<< to get in with lupper (URLs with attempts to cd into /tmp and so on), none of them returned anything other than 404 or 401.
None in proximity to Nov 15 at 12:41?


* The timestamp on all the files is Nov 15 at 12:41, which was just about the time that I was doing the upgrade. Perhaps somebody slipped in while during an incomplete part of the update?
It's a possibility. Hard to say w/o details.


Aside from keeping a close eye on this, does anyone have any recommendations for what to do here?
For now stop and then disable any publicly accessible services from starting up automagically until you have properly secured them. Enable logging in your firewall script and close your firewall for any inbound connections from the internet that aren't part of an established connection. For services you need publicly accessible (SSH for instance), for which all updates are in place, and are properly secured (not allowing privileged account logins), set up IP range restrictions (firewall, tcp wrappers) for where authorised people ssh in from.

Good to see you've been checking things. If you've done the service stuff I'd check the system for files in other locations with the same creation time, any mysterious files in other known temp dirs, any suid binaries in unusual locations, any system logging you've got (syslog, firewall), auth files (last, lastb) and any logfiles for services that were running at the time. If that turns up nothing I'd run rpm verify just to be sure. Unfortunately verify won't catch any files or changes outside of its scope.

If that turns up nothing I'd proceed by adding some basic stuff to the bastion like install an IDS: Snort (or Prelude), a file integrity checker: Aide (or Samhain), a local rootkit/malware checker: Chkrootkit (and preferably Rootkit Hunter as well), a generic system checker: Tiger (or since you run RH-alike maybe LSAT (not the Mixter app: NSAT)) and a logfile filter: Logwatch. Next please do some basic system hardening, see the LQ FAQ: Security references.
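The three file-system checks unSpawn lists in the reply above (files sharing the suspect timestamp, setuid binaries in unusual locations, and rpm verify) as POSIX shell functions. This is an added example, not code from the thread or from any of the tools named; it assumes a Fedora-style layout for the directories where setuid binaries normally live, `touch -t`/`find -newer` semantics as in POSIX, and the `rpm -Va` sample lines at the end of the usage comments are constructed, not taken from the poster's machine. Run it from a trusted shell: as the reply notes, rpm verify only covers what rpm knows about, and a replaced `find` or `rpm` would lie.

```shell
#!/bin/sh
# Added example, not code from the thread. Post-incident triage helpers that
# implement the checks suggested in the reply. Meant to be sourced on the
# suspect host. The "usual" setuid directories below are an assumption.

# List regular files under ROOT whose mtime falls in (LO, HI], with LO and HI
# in `touch -t` form, [CC]YYMMDDhhmm[.SS]. For the thread's timestamp:
#   find_files_near / 200511151236 200511151246
# Reference files are used instead of GNU `-newermt`, so POSIX find suffices.
find_files_near() {
    root=$1; lo=$2; hi=$3
    tmp=$(mktemp -d) || return 1
    touch -t "$lo" "$tmp/lo"
    touch -t "$hi" "$tmp/hi"
    # -newer: mtime strictly newer than LO; ! -newer: mtime not newer than HI.
    # The reference files themselves are excluded in case ROOT covers $tmp.
    find "$root" -xdev -type f ! -path "$tmp/*" \
         -newer "$tmp/lo" ! -newer "$tmp/hi" -print 2>/dev/null | sort
    rm -rf "$tmp"
}

# List setuid/setgid regular files under ROOT that are outside the directories
# where a stock Fedora install keeps them (/bin, /sbin, /usr/bin, /usr/sbin,
# /usr/libexec, /usr/lib, /usr/lib64). Paths are printed relative to ROOT.
# Anything in /tmp, /var/tmp, /dev/shm or a home directory deserves a look.
find_unusual_suid() {
    root=$1
    case $root in /) prefix=;; *) prefix=${root%/};; esac
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
      | sed "s#^$prefix##" \
      | grep -Ev '^(/usr)?/s?bin/|^/usr/libexec/|^/usr/lib(64)?/' \
      | sort
}

# Filter `rpm -Va` output (read from stdin) down to what matters for triage:
# files that are missing, or whose size (S), digest (5), mode (M), owner (U),
# group (G) or symlink target (L) differ. Files rpm marks as config ("c" in
# the second column) are skipped because they are expected to differ; lines
# that only report an mtime change (T) are dropped. Caveat from the reply:
# this says nothing about files outside rpm's database.
filter_rpm_verify() {
    awk '
        $1 == "missing" { print "missing " $NF; next }
        $1 ~ /[5SMUGL]/ {
            if (NF == 3 && $2 == "c") next
            print "modified " $NF
        }
    '
}

# Usage on the host from the thread (after sourcing this file):
#   find_files_near / 200511151236 200511151246
#   find_unusual_suid /
#   rpm -Va 2>/dev/null | filter_rpm_verify
# Constructed sample of rpm -Va output, for reference:
#   S.5....T.    /usr/bin/ls                 -> reported (digest and size differ)
#   .......T.    /usr/bin/cat                -> dropped (mtime only)
#   S.5....T.  c /etc/httpd/conf/httpd.conf  -> dropped (config file)
#   missing     /usr/bin/ps                  -> reported
#   .M.......    /usr/bin/find               -> reported (mode changed)
```

`find_files_near` on `/` with the window above is the direct test of the poster's "somebody slipped in during the update" theory: anything else that appeared in those ten minutes, outside the package directories the upgrade was writing, is the next thing to inspect with `ls -l` and `rpm -qf`. Widen the window or search with `-newer`-only if the timestamps on the `_files` entries turn out to have been copied rather than set at creation.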