Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My server IP address is blocked by the SpamHaus SBL list:
Quote:
Glupteba botnet controller @x.x.x.x
The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.
Malware botnet controller located at x.x.x.x on port 8000 (using HTTP GET):
hXXp://x.x.x.x/stat?uptime=XXX
Rkhunter returns some warnings, but I think they all seem to be false alarms:
Quote:
[12:42:46] /sbin/ifdown [ Warning ]
[12:42:46] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[12:42:46] /sbin/ifup [ Warning ]
[12:42:46] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[12:42:52] /usr/bin/GET [ Warning ]
[12:42:52] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[12:42:53] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[12:42:53] /usr/bin/perl [ Warning ]
[12:42:53] Warning: The file properties have changed:
[12:42:53] File: /usr/bin/perl
[12:42:53] Current hash: 0d9c3733255f61b43c0cae860023ae2245a44e2d
[12:42:53] Stored hash : 7bbfdc75e46168dc956c3fdcbcf5004db0ab7b96
[12:42:53] Current permissions: 0755 Stored permissions: 0705
[12:42:53] Current gid: 0 Stored gid: 501
[12:42:53] Current size: 13544 Stored size: 13200
[12:42:53] Current file modification time: 1385321543 (24-Nov-2013 20:32:23)
[12:45:07] Checking /dev for suspicious file types [ Warning ]
[12:45:07] Warning: Suspicious file types found in /dev:
[12:45:07] /dev/md/autorebuild.pid: ASCII text
[12:45:07] /dev/md/md-device-map: ASCII text
[12:45:07] /dev/.udev/queue.bin: data
[12:45:07] /dev/.udev/db/block:md0: ASCII text
[12:45:07] /dev/.udev/db/block:md2: ASCII text
[12:45:07] /dev/.udev/db/input:event0: ASCII text
[12:45:07] /dev/.udev/db/block:sda1: ASCII text
[12:45:07] /dev/.udev/db/block:sdb1: ASCII text
[12:45:07] /dev/.udev/db/block:sdd1: ASCII text
[12:45:07] /dev/.udev/db/input:event1: ASCII text
[12:45:07] /dev/.udev/db/input:event2: ASCII text
[12:45:07] /dev/.udev/db/input:mouse1: ASCII text
[12:45:07] /dev/.udev/db/input:event3: ASCII text
[12:45:07] /dev/.udev/db/input:event4: ASCII text
[12:45:07] /dev/.udev/db/block:sdb2: ASCII text
[12:45:07] /dev/.udev/db/block:sda2: ASCII text
[12:45:07] /dev/.udev/db/block:sdc1: ASCII text
[12:45:07] /dev/.udev/db/block:sda: ASCII text
[12:45:07] /dev/.udev/db/block:sdc: ASCII text
[12:45:08] /dev/.udev/db/block:sdd: ASCII text
[12:45:08] /dev/.udev/db/block:sdb: ASCII text
[12:45:08] /dev/.udev/db/net:eth0: ASCII text
[12:45:08] /dev/.udev/db/net:eth1: ASCII text
[12:45:08] /dev/.udev/db/block:md1: ASCII text
[12:45:08] /dev/.udev/db/block:dm-0: ASCII text
[12:45:08] /dev/.udev/db/block:dm-1: ASCII text
[12:45:08] /dev/.udev/db/block:ram10: ASCII text
[12:45:08] /dev/.udev/db/block:ram7: ASCII text
[12:45:08] /dev/.udev/db/block:ram5: ASCII text
[12:45:08] /dev/.udev/db/block:loop4: ASCII text
[12:45:08] /dev/.udev/db/block:ram1: ASCII text
[12:45:08] /dev/.udev/db/block:loop6: ASCII text
[12:45:08] /dev/.udev/db/block:ram9: ASCII text
[12:45:08] /dev/.udev/db/block:loop3: ASCII text
[12:45:08] /dev/.udev/db/block:ram11: ASCII text
[12:45:08] /dev/.udev/db/block:ram3: ASCII text
[12:45:08] /dev/.udev/db/block:ram6: ASCII text
[12:45:08] /dev/.udev/db/block:loop0: ASCII text
[12:45:08] /dev/.udev/db/block:loop5: ASCII text
[12:45:08] /dev/.udev/db/block:ram14: ASCII text
[12:45:08] /dev/.udev/db/block:ram0: ASCII text
[12:45:08] /dev/.udev/db/block:ram4: ASCII text
[12:45:08] /dev/.udev/db/block:ram15: ASCII text
[12:45:08] /dev/.udev/db/block:loop7: ASCII text
[12:45:08] /dev/.udev/db/block:ram12: ASCII text
[12:45:08] /dev/.udev/db/block:ram2: ASCII text
[12:45:08] /dev/.udev/db/block:ram13: ASCII text
[12:45:08] /dev/.udev/db/block:loop1: ASCII text
[12:45:08] /dev/.udev/db/block:loop2: ASCII text
[12:45:08] /dev/.udev/db/block:ram8: ASCII text
[12:45:08] /dev/.udev/db/usb:1-1.2: ASCII text
[12:45:08] /dev/.udev/db/usb:2-1: ASCII text
[12:45:08] /dev/.udev/db/usb:1-1: ASCII text
[12:45:08] /dev/.udev/db/usb:usb2: ASCII text
[12:45:08] /dev/.udev/db/usb:usb1: ASCII text
[12:45:08] /dev/.udev/rules.d/99-root.rules: ASCII text
[12:45:08] Checking for hidden files and directories [ Warning ]
[12:45:08] Warning: Hidden directory found: '/dev/.mdadm'
[12:45:08] Warning: Hidden directory found: '/dev/.udev'
[12:45:08] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text
[12:45:58] Checking version of OpenSSL [ Warning ]
[12:45:58] Warning: Application 'openssl', version '1.0.0', is out of date, and possibly a security risk.
- Check the integrity of all files if you use a Linux distribution with package management,
- inspect any file not under package management,
- find strings in any file. Might use ClamAV with that. Here's a signature for it:
Save as say "/var/tmp/clamtest/RKH_Glupteba.ldb", then run 'clamscan --database=/var/tmp/clamtest/ /path/to/files/'. (Run 'sigtool --datadir=/var/tmp/clamtest --find-sigs=Glupteba | sigtool --debug --decode-sig' to see what the sig contains.)
- instead of doing tcpdump that way capture all traffic to file ("-w /path/to/file"). Afterwards run Snort with a modified "Glupteba CnC Checkin" signature from the Snort "emerging-trojan.rules" rule set of Emerging Threats on the capture file:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"(modified) ET TROJAN Win32/Glupteba CnC Checkin"; flow:established,to_server; uricontent:"uptime="; uricontent:"&downlink="; uricontent:"&uplink="; uricontent:"&id="; uricontent:"&statpass="; uricontent:"&version="; uricontent:"&features="; uricontent:"&guid="; uricontent:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:trojan-activity; sid:9999999; rev:1;)
- check whatever ports are open with 'lsof -Pwlni',
- read the CERT Intruder Detection Checklist and perform the checks.
I made 3 posts, you replied only to the last one, so get on it! ;-p
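An added example, not from the thread or from Emerging Threats: the same parameter matching the Snort rule above performs on the URI, applied to an Apache-style access log (such as the httpd log ClamAV later flagged) copied to an analysis workstation, so nothing needs installing on the suspect host. The log lines are constructed; the client addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed Apache combined-format access log lines (not real traffic).
# Only the first line carries every parameter the ET Glupteba check-in rule looks for.
SAMPLE_LOG='203.0.113.7 - - [24/Nov/2013:20:32:23 +0000] "GET /stat?uptime=3600&downlink=1&uplink=1&id=1&statpass=x&version=1&features=0&guid=ABC&comment=none HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [24/Nov/2013:20:33:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [24/Nov/2013:20:34:10 +0000] "GET /stat?uptime=99 HTTP/1.1" 404 208 "-" "-"'

# Reads access-log lines on stdin and prints "client_ip<TAB>uri" for every
# request whose URI contains all nine uricontent tokens from the Snort rule.
# A partial match (e.g. only "uptime=") is not reported, mirroring the rule.
flag_glupteba_checkin() {
    awk '
    BEGIN {
        n = split("uptime= &downlink= &uplink= &id= &statpass= &version= &features= &guid= &comment=", need, " ")
    }
    {
        # The request line is the quoted "METHOD URI HTTP/x.y" field.
        if (match($0, /"[A-Z]+ [^ "]+ HTTP\/[0-9.]+"/) == 0) next
        req = substr($0, RSTART, RLENGTH)
        split(req, parts, " ")
        uri = parts[2]
        hits = 0
        for (i = 1; i <= n; i++) if (index(uri, need[i]) > 0) hits++
        if (hits == n) print $1 "\t" uri
    }'
}

# Stand-alone run over the constructed sample: prints one hit (203.0.113.7).
printf '%s\n' "$SAMPLE_LOG" | flag_glupteba_checkin
```

Feed it a real log with `flag_glupteba_checkin < /path/to/access_log`; each hit names a bot that checked in, which is the evidence SpamHaus described.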
Sorry, clamscan takes a long time.
Quote:
Originally Posted by unSpawn
If you didn't run any updates then that's interesting.
*BTW don't delete files but move them aside as I'd like a copy.
I do not remember that - maybe I have to back up this file and reinstall perl?
Quote:
Originally Posted by unSpawn
- Check the integrity of all files if you use a Linux distribution with package management,
I have CloudLinux Server release 6.4 and Direct Admin. Is it possible to check the integrity of all files? :/
Quote:
Originally Posted by unSpawn
- inspect any file not under package management,
How to do it?
Code:
df -i
shows 2951393 inodes - that's too many files.
Quote:
Originally Posted by unSpawn
Save as say "/var/tmp/clamtest/RKH_Glupteba.ldb", then run 'clamscan --database=/var/tmp/clamtest/ /path/to/files/'. (Run 'sigtool --datadir=/var/tmp/clamtest --find-sigs=Glupteba | sigtool --debug --decode-sig' to see what the sig contains.)
I did it. Result:
Code:
-------------------------------------------------------------------------------
/var/log/httpd/homedir.log.2: RKH_Glupteba-v1.UNOFFICIAL FOUND
Quote:
Originally Posted by unSpawn
- instead of doing tcpdump that way capture all traffic to file ("-w /path/to/file"). Afterwards run Snort with a modified "Glupteba CnC Checkin" signature from the Snort "emerging-trojan.rules" rule set of Emerging Threats on the capture file:
I don't know how to install Snort on CentOS. Is it required? When I add -X to tcpdump, I've seen in some packet content:
Quote:
Originally Posted by unSpawn
- check whatever ports are open with 'lsof -Pwlni'
"lsof -Pwlni | grep 8000" returns nothing. I don't see any suspicious process there; all of them look OK (all of them: named, directadm, pop3-logi, imap-logi, mysqld, proftpd, httpd, imap, dovecot, spamd, exim, clamd)
Quote:
Originally Posted by unSpawn
- read the CERT Intruder Detection Checklist and perform the checks
Quote:
Originally Posted by bigmen58
maybe I have to back up this file and reinstall perl?
Please don't install anything anymore on this machine. Send me an email and we'll talk dropping off files.
Quote:
Originally Posted by bigmen58
I have CloudLinux Server release 6.4 and Direct Admin. It's possible to check integrity of all files?
If it's based on RHEL then you run 'rpm -vV'. See commands below.
Quote:
Originally Posted by bigmen58
How to do it?
Code:
df -i
show 2951393 inodes - it's too much files.
At least run Linux Malware Detect on them. You don't have to install it: just download it, extract the two ClamAV signature databases, move them into your /var/lib/clamav signature database directory and scan. Do keep a log file because files that are clean should be inspected later on anyway.
Quote:
Originally Posted by bigmen58
Code:
/var/log/httpd/homedir.log.2: RKH_Glupteba-v1.UNOFFICIAL FOUND
I shouldn't speculate but if "20131011" is an installation date it seems your machine has been at it since at least October. The fact it's in "/var/log/httpd/homedir.log.2" means the process producing that log file is suspect. In what way I can't tell w/o details. Run a lsof on the process and verify all the files it uses:
*plus check all the files the process has access to.
Quote:
Originally Posted by bigmen58
I don't know how install Snort on Centos. Is it required?
No. Please don't install anything on this machine. Snort should be run from another machine, be it your private workstation or a VM.
Quote:
Originally Posted by bigmen58
"lsof -Pwlni | grep 8000" is empty return. I don't see there any suspicious process, all of them looks OK (all of them: named, directadm, pop3-logi, imap-logi, mysqld, proftpd, httpd, imap, dovecot, spamd, exim, clamd)
Please, I don't want your assessment: I need to verify things myself. So please post proper output:
Run all system and daemon logs through Logwatch (on your workstation or VM) with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" args. (With perl-Date-Manip installed a range can also be expressed like "--range 'between 2012/11/26 and 2012/12/01'": see --range Help). MAC times: 'find / -type f -printf "%T@ %A@ %C@ \"%p\"\n" 2>&1;' (or find /tmp /var /tmp /usr/tmp -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1).
*Piping output through SSH or saving it in /dev/shm may be a substitute for "/path/to/".
Please compress and attach (rename to .txt extension) or pastebin, docs.google or email all output. If file size prohibits attaching it please do not use a public file sharing service but contact me to discuss dropping off output.
Odd. I thought the document contained more checks...
*Should the above show no clues then I'm asking you to first shut down the web service (not server) or at least block external access to the ports using the firewall.
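An added example, not unSpawn's own commands: a filter for the output of `rpm -Va` (verify every installed package against the RPM database, the integrity check asked about above) that keeps only non-config files whose digest, size, mode or ownership differ, which is the kind of change rkhunter reported for /usr/bin/perl. Entries that differ only in mtime are dropped as noise. The sample output is constructed, and runs on the analysis workstation against saved output rather than on the suspect host.

```shell
#!/bin/sh
# Constructed 'rpm -Va' output (not from the thread). The nine flag columns are
# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps;
# '.' means unchanged, and an optional type letter (c = config file) precedes the path.
SAMPLE_RPM_VA='..5....T.    /usr/bin/perl
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libz.so.1
.M...UG..    /sbin/ifup
missing     /usr/share/doc/README
.......T.  d /usr/share/man/man1/perl.1.gz'

# Reads rpm -Va lines on stdin; prints "path<TAB>reasons" for files whose
# content, permissions or ownership changed. Config files ("c") are expected to
# differ and are skipped, as are lines that only show an mtime ("T") change.
triage_rpm_verify() {
    awk '
    length($1) == 9 && $1 ~ /^[SM5DLUGTP.?]+$/ {
        flags = $1
        if (NF >= 3) { ftype = $2; path = $3 } else { ftype = ""; path = $2 }
        if (ftype == "c") next                   # config files legitimately change
        r = ""
        if (substr(flags, 1, 1) == "S") r = r "size,"
        if (substr(flags, 2, 1) == "M") r = r "mode,"
        if (substr(flags, 3, 1) == "5") r = r "digest,"
        if (substr(flags, 6, 1) == "U") r = r "owner,"
        if (substr(flags, 7, 1) == "G") r = r "group,"
        if (r == "") next                        # mtime-only change: ignore
        sub(/,$/, "", r)
        print path "\t" r
    }'
}

# Stand-alone run over the sample: reports /usr/bin/perl (digest) and
# /sbin/ifup (mode,owner,group); sshd_config, libz and the doc file are filtered out.
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
```

On the real host save `rpm -Va > /dev/shm/rpm-va.txt` once and filter the copy elsewhere; anything this reports, plus rkhunter's "replaced by a script" binaries, belongs on the list of files to preserve for examination rather than reinstall.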