LinuxQuestions.org - Linux - Security - New "Shah" Worm
https://www.linuxquestions.org/questions/linux-security-4/new-shah-worm-96913/

Tom Bozack 09-25-2003 06:00 PM

New "Shah" Worm
 
I was hit by an internet worm today. I'm looking for anyone who has information on what it does and how to neutralize it. Here's the story:

I have a Mandrake 8.1 system running on an Intel machine. It supports a LAN and uses a modem to access the outside world via ppp demand dialing.

At about 11:45 PDT today I noticed unusual network activity on my system. There was a lot of outbound traffic on ppp that was not from a previous source. A look at processes showed "scan" running and taking about 40 percent of the CPU. I killed scan, and that stopped the ppp traffic.

After further investigation I found a new user on my system with the username "shah". This user was added at 11:14 AM. All of my rc directories were touched and init.d/functions was apparently modified. Specifically K60atd was touched in all of the rc directories. There was also apparently some change to the iptables rules which I'm trying to track down. I'm sure that there were many more modifications made to my systems. It's generally not functioning properly (for example ls -l says all soft links are broken even though they are not).

It looks like the worm took control of the system, possibly for the purpose of scanning my system - possibly for passwords. It tried to cover its tracks but left a mess behind.

I'd appreciate advice from anyone who has some insight into this worm.

Thanks,
Tom

unSpawn 09-26-2003 09:50 AM

I don't have info on the worm, but here's what you do:
I. Cut off access: close off your network access.
II. Prevent tampering: inform ppl on the LAN they will have to change their passwords for both local and remote services. Of course remote will have to wait until the box is back up, or they have access at another location (btw, bitchslap anyone who uses his/her own modem in an attempt to evade your ppp line)
III. If
you have got integrity detection: run Aide, Samhain or tripwire, preferably first reboot your box with a Mandy rescue cd (not boot anything *ON* the box, just mount it read-only)
else
reboot your box with a Mandy rescue cd (not boot anything *ON* the box, just mount it read-only) and generate a list of md5sums from the rpm database. Now check the md5sums with md5sum from the cdr. Generate a list with everything on the drives and diff this with the list of files from the rpmdb output. This should show any file not in the db you should check.
VI. If
you got diskspace to spare, preferably on another box, dd the images over
else
at least save /etc and /var
V. Reformat, re-install from scratch and harden the box. There shouldn't be any daemons running *ON* a firewall/router, and if you really need to, harden the whole box.

Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html


HTH
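
The offline check described in step III above (checksums from the package database, then everything on disk diffed against that list), written out as an added example; it is not code from the post or from any Mandrake tool. It assumes the suspect root is mounted read-only at a path of your choosing and that a manifest of "md5sum  /path" lines exists for the packaged files; both the root and the manifest below are constructed inline so the script runs anywhere, and the `rpm` pipeline that would build the real manifest is only shown in a comment.

```shell
#!/bin/sh
# Added example (not from the thread): verify a mounted, read-only root
# against a checksum manifest, then list files no package owns.
#
# Assumptions not stated in the post:
#  - the compromised root is mounted read-only at $root
#  - $manifest has one "md5sum  /path" line per packaged file, produced by
#    the rescue CD's own rpm binary, e.g. (digest is field 4 of `rpm -q --dump`):
#      rpm --root /mnt/suspect -qa \
#        | xargs rpm --root /mnt/suspect -q --dump \
#        | awk 'length($4) == 32 { print $4 "  " $1 }' > manifest
export LC_ALL=C

# check_tree ROOT MANIFEST
# Prints one finding per line:
#   MODIFIED /path  checksum differs from the recorded one
#   MISSING /path   packaged file is gone
#   UNOWNED /path   regular file on disk that the manifest does not list
check_tree() {
    root=${1%/}
    manifest=$2
    work=$(mktemp -d)
    # Pass 1: every packaged file against its recorded checksum.
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
            continue
        fi
        have=$(md5sum "$root$path" | awk '{print $1}')
        [ "$have" = "$want" ] || echo "MODIFIED $path"
    done < "$manifest"
    # Pass 2: files on disk that no package claims (the "diff" in the post).
    find "$root" -type f | sed "s|^$root||" | sort > "$work/actual"
    awk '{ sub(/^[^ ]+ +/, ""); print }' "$manifest" | sort > "$work/expected"
    comm -13 "$work/expected" "$work/actual" | sed 's/^/UNOWNED /'
    rm -rf "$work"
}

# demo: build a constructed fake root and manifest, tamper with the root the
# way the post describes (modified system file, removed binary, new file
# under a new user's home), and run the check.
demo() {
    tmp=$(mktemp -d)
    root=$tmp/root
    manifest=$tmp/manifest
    mkdir -p "$root/bin" "$root/etc/rc.d" "$root/home/shah"
    printf 'ls binary\n' > "$root/bin/ls"
    printf 'ps binary\n' > "$root/bin/ps"
    printf 'functions\n' > "$root/etc/rc.d/functions"
    # Manifest recorded while the files were still clean (constructed data).
    for f in /bin/ls /bin/ps /etc/rc.d/functions; do
        printf '%s  %s\n' "$(md5sum "$root$f" | awk '{print $1}')" "$f"
    done > "$manifest"
    # Simulated tampering.
    printf 'trojaned ls\n' > "$root/bin/ls"
    rm "$root/bin/ps"
    printf 'scanner\n' > "$root/home/shah/scan"
    check_tree "$root" "$manifest"
    rm -rf "$tmp"
}

demo
```

Run from the rescue environment, never from the suspect system's own binaries: `md5sum`, `find` and `rpm` must come from the CD, since a rootkit that replaced `ls` may just as well have replaced them. Expect the UNOWNED list to be long on a real box (logs, spool, home directories); the point is that every entry in it is something the package database cannot vouch for.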

aaron-aardvark 09-26-2003 12:15 PM

Thanks for the advice. I've decided to trash the OS and install Mandrake 9.1 on another drive. I'll then move the /home stuff over and blow the rest away. It looks like /home wasn't touched except for the addition of the "shah" user.

I've needed to upgrade the OS anyway, and this is excellent motivation.

I'd still like to know what this worm was trying to do. I've googled it and didn't find anything that seems to match what I've seen.

Tom

unSpawn 09-26-2003 01:20 PM

aaron-aardvark
Wasn't one LQ account enough?

It looks like /home wasn't touched except for the addition of the "shah" user.
How do you know it wasn't touched? Good: integrity detection, bad: "gut feeling", "I kinda *think* it is", "dunno".

I'd still like to know what this worm was trying to do.
I told you what to start with, see III and VI.

Tom Bozack 09-27-2003 03:18 AM

Thanks for your snarky reply.

I don't know with certainty that /home wasn't touched. I do know that the file modification date/time on all of the files in /home predated the attack. This is not the case for the system files that were touched. The RPM database is no help in this case since /home only has user files of course - not applications or system files. I could compare the files against the last backup, but my main mission is getting a working system again, not playing security investigator.

My comments were simply based on the hope that someone would simply say "hey, I know about this worm, and here's what it does". I don't have the time or interest (or talent) to figure it out myself. There are people who do that for a living, and I'm not one of them.

See where it says "newbie" under my name. Lighten up.

Tom

unSpawn 09-27-2003 06:50 AM

I could compare the files against the last backup, but my main mission is getting a working system again, not playing security investigator.
Then by all means follow the default "reformat, reinstall, harden, audit" routine.

/bin/bash 09-27-2003 11:53 AM

See where it says "newbie" under my name. Lighten up.

Tom


I think he was joking, see below...

I told you what to start with, see III and VI.

Now that is funny!

unSpawn 09-28-2003 08:30 AM

I think he was joking, see below...
I told you what to start with, see III and VI.
Now that is funny!


I don't think I was joking, but that doesn't matter.
What does matter is he skipped major parts of the message.

