LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-13-2011, 02:17 PM   #1
rewesh
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Rep: Reputation: Disabled
My system is infected with a rootkit or something


My system is infected with a rootkit or something, and I am trying to find the source of the infection, but I cannot. I thought that doing an upgrade from etch to lenny would help; however, the process is halted by an error upgrading MySQL, which I do not want to update for the moment. I found this bot file in the tmp folder (attached). I had to add .txt so I could attach it. I posted this in the Debian forum but was advised to post it in Security. I did not know how to move it from there.
 
Old 10-13-2011, 02:30 PM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
My system is infected with a rootkit or something
Well it doesn't sound like you are too sure about this.... How do you know you are infected? Can you show us logs or proof? What all are you doing and checking to know about this infection?

Cheers,

Josh
 
Old 10-13-2011, 02:35 PM   #3
rewesh
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Sorry forgot to attach the file

file is attached
Attached Files
File Type: txt bot.txt (17.4 KB, 43 views)
 
Old 10-13-2011, 02:46 PM   #4
rewesh
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
This was driving me crazy, as the internet connection was saturated and no one could browse the internet. The Linux machine was the last one I suspected; however, while watching the switch lights, the Linux machine was very busy. I disconnected it and everything went back to normal. My journey started as I do not have much experience with Linux; on top of that, this is a secure machine, or so I thought, since Linux cannot be hacked. After doing so many things, from disconnecting the server from the internet to restarting the server every two hours, I finally realized that when a certain process is running, the server connects to the internet and the saturation starts. The process is httpd; if I stop it, everything is normal again until the script runs again.
I ran rkhunter and chkrootkit; neither detected anything. I modified the permissions on wget; however, it is still the same problem.

Hope someone could help.
 
Old 10-13-2011, 02:53 PM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Ok, so did you delete it? And please answer the rest of my questions. And note that since you said you have found it in /tmp, it may be nothing. But knowing more information will be beneficial on how you discovered this, what picked it up, and also the actual file name, and if it is running in memory.

Edit - Sorry, didn't see your previous post. What is the file name though? Run "ps aux" and grep it with the filename, and see what all comes up. Is this being run as root by any chance?

Last edited by corp769; 10-13-2011 at 02:54 PM.
 
Old 10-13-2011, 02:53 PM   #6
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
Well, that script looks like it connects to an IRC server and sends files. It's possible that by now your passwords have been hacked.

Remove/rename/move that file, kill the process, change passwords.

How you got it is another matter. It could have been through something you installed that was exploited.

Last edited by dive; 10-13-2011 at 02:54 PM.
 
Old 10-13-2011, 02:57 PM   #7
rewesh
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
I am not sure; you posted your answer before mine. The name of the file was just bot; I moved it somewhere else. This file is automatically created each time after a reboot. I provided some information in my previous post, let me know.
 
Old 10-13-2011, 03:07 PM   #8
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
I would start looking in your cron entries, and if you have updatedb and locate installed, run updatedb, and use locate to try to track down any other duplicates of that file.
 
Old 10-13-2011, 03:10 PM   #9
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
Then either there is another (probably also perl) script running, or it's being downloaded via the net.

If you can find a startup file that loads anything suspicious it may help. Other than that all I can think of is a clean reinstall (with new passwords of course).

Last edited by dive; 10-13-2011 at 03:12 PM.
 
Old 10-13-2011, 03:19 PM   #10
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
If you do a clean install, go for a recent version. You say that you upgraded from Etch to Lenny to see if that would help. Etch has been unsupported since February 2010, so since then there have been no security updates for it. That may have helped to get the machine infected.
Running a Linux server doesn't mean that you don't have to care about security at all; you still have to maintain that system. Even a Linux system is only as secure as its administrator makes it.
 
Old 10-13-2011, 04:51 PM   #11
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,885
Blog Entries: 28

Rep: Reputation: 533
I would suggest a clean install using Squeeze.

Also wouldn't hurt to read Securing Debian Manual - http://www.debian.org/doc/manuals/se...-debian-howto/
 
Old 10-13-2011, 05:16 PM   #12
rewesh
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Yes, there is a perl script.

Quote:
Originally Posted by dive View Post
Then either there is another (probably also perl) script running, or it's being downloaded via the net.

If you can find a startup file that loads anything suspicious it may help. Other than that all I can think of is a clean reinstall (with new passwords of course).
I noticed when I do ps aux that httpd is the running process, so I take that ID and run netstat -A -n -p | grep ID,
and I found that perl is using it. How can I find that script? How can I find startup files? Thanks
 
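What the poster observed (ps lists the process as "httpd", netstat -p attributes the socket to "perl") is a mismatch between what the process claims in argv[0] and the binary the kernel actually mapped, which /proc/PID/exe reports truthfully. The script below is an added example, not code from the thread or from any of the posters: it walks /proc, flags processes that run an interpreter under a foreign name, have had their executable unlinked, or reference a script in a world-writable directory, and then prints the persistence locations (cron, init scripts, shell startup files) where a dropper that "comes back after every reboot" is normally wired in. It assumes a Linux /proc and a Debian-style /etc layout; the "httpd"/"/tmp/bot" values in the comments and tests are constructed, and the heuristics are exactly that, so verify each hit by hand.

```shell
#!/bin/sh
# Added example (not the thread's own code). Detect interpreter processes that
# masquerade under another name and list common persistence locations.
# Assumes Linux /proc; sample values such as "httpd" -> /usr/bin/perl are constructed.

# classify_proc COMM EXE CMDLINE
#   COMM    - kernel process name (field 2 of /proc/PID/stat, what top shows)
#   EXE     - target of /proc/PID/exe, the file really mapped as the program
#   CMDLINE - /proc/PID/cmdline with NUL separators turned into spaces
# Prints one verdict line, most severe rule first:
#   exe-deleted   : binary unlinked after start (dropped bots often do this)
#   masquerade    : perl/python/ruby/php or a shell running under a foreign argv[0]
#   script-in-tmp : command line references /tmp, /var/tmp or /dev/shm
classify_proc() {
    comm=$1; exe=$2; cmdline=$3
    argv0=${cmdline%% *}
    exe_base=${exe##*/}
    exe_base=${exe_base%" (deleted)"}
    argv0_base=${argv0##*/}
    argv0_base=${argv0_base#-}          # login shells show up as "-bash"

    case "$exe" in
        *" (deleted)") echo "SUSPECT exe-deleted ($comm)"; return 0 ;;
    esac
    case "$exe_base" in
        perl*|python*|ruby*|php*)
            case "$exe_base" in
                "$argv0_base"*) ;;      # argv0 "perl" for exe "perl5.10.1" is normal
                *) echo "SUSPECT masquerade (argv0=$argv0_base exe=$exe_base)"; return 0 ;;
            esac ;;
        sh|bash|dash|ash|ksh|zsh)
            case "$argv0_base" in
                sh|bash|dash|ash|ksh|zsh) ;;   # /bin/sh -> dash is normal
                *) echo "SUSPECT masquerade (argv0=$argv0_base exe=$exe_base)"; return 0 ;;
            esac ;;
    esac
    case " $cmdline" in
        *" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*)
            echo "SUSPECT script-in-tmp ($cmdline)"; return 0 ;;
    esac
    echo "ok"
}

# Walk /proc and classify every process that has a command line (kernel
# threads have none). Run as root so other users' exe links are readable.
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/cmdline" ] || continue
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        cmdline=${cmdline% }
        [ -n "$cmdline" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        comm=$(sed -n 's/^[0-9]* (\(.*\)) [A-Za-z] .*/\1/p' "$d/stat" 2>/dev/null)
        verdict=$(classify_proc "$comm" "$exe" "$cmdline")
        case "$verdict" in
            ok) ;;
            *) echo "pid $pid cwd=$(readlink "$d/cwd" 2>/dev/null): $verdict" ;;
        esac
    done
}

# Places a reboot-surviving dropper is normally hooked in on a Debian host.
list_persistence() {
    echo "== cron entries =="
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null
    echo "== init scripts and rc.local changed in the last 30 days =="
    find /etc/init.d /etc/rc*.d /etc/rc.local -mtime -30 -ls 2>/dev/null
    echo "== executables and perl scripts in world-writable directories =="
    find /tmp /var/tmp /dev/shm -type f \( -perm -100 -o -name '*.pl' \) -ls 2>/dev/null
    echo "== shell startup files mentioning interpreters or downloaders =="
    for f in /root/.bashrc /root/.profile /home/*/.bashrc /home/*/.profile; do
        [ -f "$f" ] && grep -nE 'perl|wget|curl|nohup|/tmp' "$f" /dev/null
    done
    return 0
}

# Usage: sh find_masquerade.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_procs
    list_persistence
fi
```

Two caveats a practitioner would add: the whole thing relies on the box's own sh, sed, find and readlink, so on a machine with a kernel-level rootkit it is only trustworthy when run from a Live CD against the mounted disk, and /proc/PID/exe is the thing to read because argv[0] and the stat name can both be rewritten by the process itself.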
Old 10-13-2011, 06:14 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
To the OP: in short, the two most common points of entry are vulnerabilities in services (weak passwords) and vulnerabilities in software running on top of the web server. Please note that any "advice" to reinstall without suggesting proper analysis is incomplete and premature (and certainly not in line with what we view as responsible incident response), as doing so may seem to remedy the problem, but without knowing the point(s) of entry you may unknowingly re-enable it. Additionally, altering the file system by deleting files or running commands may thwart investigation. Thinking you can upgrade your way out of an "infected with a rootkit or something" compromise is a serious misjudgment.

That said best step through the CERT Intruder Detection Checklist first (it's old but it's got a usable list of tasks to perform regardless), if unsure please consider using a Live CD during the inspection, and review your logs (preferably copied over to a separate known safe workstation running Logwatch) for anomalies.

A listing of items, unless the machine was rebooted, would be welcome. Please post:
- which services the machine or machines provide (including web-based management panels, statistics, web log, forum, shopping cart, plugins and other software if any),
- which exact software versions and if the software was kept up to date,
- which logging, access restrictions is in place and hardening was performed,
- if there have been earlier breaches or anomalies,
- complete listings of running (piping through SSH or saving in /dev/shm may be a substitute for "/path/to/"):
'( /bin/ps acxfwwwe 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/ls -al /var/spool/cron 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last 2>&1; /usr/bin/who -a 2>&1 ) > /path/to/data.txt'.
- additionally please post about any audit and auth data, system and daemon logs, setuid root files, user shell histories, cronjobs or service initialization files you've looked at (because possibly something made you change wget access permissions).
Please be as verbose and complete as possible so you can be given advice tailored to your specific situation, and please keep the machine disconnected from the 'net. BTW, do you have regular backups?

Last edited by unSpawn; 10-13-2011 at 06:22 PM. Reason: //More *is* more
 
3 members found this post helpful.
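The command list in the post above is the volatile-state collection every responder wants before anything is rebooted or deleted. The script below is an added example, not unSpawn's or the thread's own code: it runs those same commands with absolute paths, wraps each one in a labelled section that records the exit code (so a missing lsof shows up as rc=127 instead of a silent gap), writes everything to stdout so it can be piped through ssh or into /dev/shm rather than onto the suspect disk, and includes a small triage helper that lists which sections failed. It assumes a GNU/Linux userland at the Debian-era paths used in the post; "analyst@workstation" in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not the thread's own script). Collect volatile state from a
# suspected-compromised host into one labelled stream, without touching its disk.
# Assumes GNU/Linux; tool paths follow the post above and may differ per distro,
# in which case the rc=127 trailer tells you which tool was not where expected.

# section LABEL CMD [ARGS...]
# Emits a header, the command's combined stdout/stderr, and a trailer with the
# exit code. Always returns 0 so one failing tool does not stop the collection.
section() {
    label=$1; shift
    printf '=== BEGIN %s: %s ===\n' "$label" "$*"
    rc=0
    "$@" 2>&1 || rc=$?
    printf '=== END %s rc=%d ===\n' "$label" "$rc"
    return 0
}

# The listing asked for in the post, most volatile first, plus a few extras
# (ARP cache, mounts, loaded modules, tmp directories). Run as root, pre-reboot.
collect_volatile() {
    section date     /bin/date -u
    section uname    /bin/uname -a
    section uptime   /usr/bin/uptime
    section ps       /bin/ps acxfwwwe
    section lsof     /usr/sbin/lsof -Pwln
    section netstat  /bin/netstat -anpe
    section cron     /bin/ls -al /var/spool/cron
    section lastlog  /usr/bin/lastlog
    section last     /usr/bin/last
    section who      /usr/bin/who -a
    section arp      /usr/sbin/arp -an
    section mounts   /bin/cat /proc/mounts
    section modules  /bin/cat /proc/modules
    section tmpdirs  /bin/ls -la /tmp /var/tmp /dev/shm
}

# failed_sections < evidence-file
# Prints "LABEL rc=N" for every section whose command did not exit 0, so the
# analyst knows which parts of the picture are missing before trusting it.
failed_sections() {
    sed -n 's/^=== END \([^ ]*\) rc=\([0-9]*\) ===$/\1 \2/p' \
        | awk '$2 != 0 { print $1 " rc=" $2 }'
}

# Usage (keep the output off the compromised disk; the hash lets you prove
# later that the copy you analyse is the one you captured):
#   sh collect.sh run | ssh analyst@workstation 'cat > data.txt'
#   sh collect.sh run | tee /dev/shm/data.txt | sha256sum
#   failed_sections < /dev/shm/data.txt
if [ "${1:-}" = "run" ]; then
    collect_volatile
fi
```

The section trailers matter more than they look: on a box with a userland rootkit the ps, netstat and lsof binaries themselves may lie, so the honest next step is to repeat the same run with statically linked tools from trusted media (or from a Live CD, as the post suggests) and diff the two outputs; a process or socket present in one and absent in the other is the finding.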