LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-25-2003, 07:00 PM   #1
Tom Bozack
LQ Newbie
 
Registered: Dec 2000
Location: Ridgecrest, California
Posts: 25

New "Shah" Worm


I was hit by an internet worm today. I'm looking for anyone who has information on what it does and how to neutralize it. Here's the story:

I have a Mandrake 8.1 system running on an Intel machine. It supports a LAN and uses a modem to access the outside world via ppp demand dialing.

At about 11:45 PDT today I noticed unusual network activity on my system. There was a lot of outbound traffic on ppp that was not from a previous source. A look at processes showed "scan" running and taking about 40 percent of the CPU. I killed scan, and that stopped the ppp traffic.

After further investigation I found a new user on my system with the username "shah". This user was added at 11:14 AM. All of my rc directories were touched and init.d/functions was apparently modified. Specifically K60atd was touched in all of the rc directories. There was also apparently some change to the iptables rules which I'm trying to track down. I'm sure that there were many more modifications made to my systems. It's generally not functioning properly (for example ls -l says all soft links are broken even though they are not).

It looks like the worm took control of the system, possibly for the purpose of scanning my system - possibly for passwords. It tried to cover its tracks but left a mess behind.

I'd appreciate advice from anyone who has some insight into this worm.

Thanks,
Tom
 
Old 09-26-2003, 10:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
I don't have info on the worm, but here's what you do:
I. Cut off access: close off your network access.
II. Prevent tampering: inform ppl on the LAN they will have to change their passwords for both local and remote services. Of course remote will have to wait until the box is back up, or they have access at another location (btw, bitchslap anyone who uses his/her own modem in an attempt to evade your ppp line)
III. If
you have got integrity detection: run Aide, Samhain or tripwire, preferably first reboot your box with a Mandy rescue cd (not boot anything *ON* the box, just mount it read-only)
else
reboot your box with a Mandy rescue cd (not boot anything *ON* the box, just mount it read-only) and generate a list of md5sums from the rpm database. Now check the md5sums with md5sum from the cdr. Generate a list with everything on the drives and diff this with the list of file from the rpmdb output. This should show any file not in the db you should check.
VI. If
you got diskspace to spare, preferably on another box, dd the images over
else
at least save /etc and /var
V. Reformat, re-install from scratch and harden the box. There shouldn't be any daemons running *ON* a firewall/router, and if you really need to, harden the whole box.

Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html


HTH
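The "generate md5sums from the rpm database, check them from the rescue CD, then diff the full file list against the rpmdb" part of step III above, written out as a small POSIX shell script. This is an added example, not code from the thread or from unSpawn. It assumes the suspect root is mounted read-only at some directory (such as /mnt from the rescue CD) and that a manifest of "path md5" lines has already been extracted from the rpm database; the `rpm --root /mnt -qa --dump | awk '{print $1, $4}'` command in the comment is an assumption about the `--dump` field layout and should be checked on the rpm version at hand. The sample tree and manifest that `build_demo` creates are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the thread): offline integrity check of a root
# filesystem mounted read-only under ROOT, against a manifest of known-good
# "path md5" lines. On a real box the manifest would come from the rpm
# database on the mounted drive, e.g. (assumption about --dump field order:
# path size mtime digest ...; verify on your rpm version):
#   rpm --root /mnt -qa --dump | awk '{print $1, $4}' > /tmp/rpmdb.md5
# Only md5sum, find, sort, comm, sed and awk are used, so it runs from a
# rescue CD whose own binaries you trust, not the ones on the suspect drive.

# check_manifest MANIFEST ROOT
# For every "path md5" line, print "MISSING  path" if the file is gone or
# "MODIFIED path" if its md5 no longer matches; clean files print nothing.
check_manifest() {
    manifest=$1; root=$2
    while read -r path want; do
        [ -n "$path" ] || continue
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            continue
        fi
        have=$(md5sum "$f" | awk '{print $1}')
        [ "$have" = "$want" ] || echo "MODIFIED $path"
    done < "$manifest"
}

# find_unlisted MANIFEST ROOT
# List regular files on the drive that no package in the manifest owns.
# These are the files "not in the db you should check" by hand.
find_unlisted() {
    manifest=$1; root=$2
    known=$(mktemp); ondisk=$(mktemp)
    awk '{print $1}' "$manifest" | sort > "$known"
    find "$root" -type f | sed "s|^$root||" | sort > "$ondisk"
    comm -23 "$ondisk" "$known"      # lines only in the on-disk list
    rm -f "$known" "$ondisk"
}

# build_demo ROOT MANIFEST
# Constructed sample data: a tiny "system", a manifest taken while it was
# clean, then one file altered afterwards and one file no package owns.
build_demo() {
    root=$1; manifest=$2
    mkdir -p "$root/bin" "$root/etc/rc.d/init.d"
    printf 'ls binary (constructed)\n' > "$root/bin/ls"
    printf '# shell functions (constructed)\n' > "$root/etc/rc.d/init.d/functions"
    : > "$manifest"
    for p in /bin/ls /etc/rc.d/init.d/functions; do
        echo "$p $(md5sum "$root$p" | awk '{print $1}')" >> "$manifest"
    done
    # a file the package database knows about but which is no longer on disk
    echo "/sbin/ifconfig d41d8cd98f00b204e9800998ecf8427e" >> "$manifest"
    # changes made after the manifest was taken
    printf '# line appended later\n' >> "$root/etc/rc.d/init.d/functions"
    printf 'unowned binary (constructed)\n' > "$root/bin/scan"
}

if [ "${1:-}" = "--demo" ]; then
    ROOT=$(mktemp -d); MANIFEST=$(mktemp)
    build_demo "$ROOT" "$MANIFEST"
    echo "== files whose md5 differs from the package database =="
    check_manifest "$MANIFEST" "$ROOT"
    echo "== files on disk not owned by any package =="
    find_unlisted "$MANIFEST" "$ROOT"
    rm -rf "$ROOT" "$MANIFEST"
fi
```

Run it as `sh check.sh --demo` to see the constructed case: /etc/rc.d/init.d/functions is reported as MODIFIED, /sbin/ifconfig as MISSING, and /bin/scan as unowned. The manifest format breaks on paths containing spaces, which is acceptable for the rpm-owned system paths this is meant for; and since the md5s in the rpm database were written by the same box before it was compromised, a clean result only means the drive matches what the database claims, which is why the database itself should be read from the read-only mount rather than trusted from a running system.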
 
Old 09-26-2003, 01:15 PM   #3
aaron-aardvark
LQ Newbie
 
Registered: Sep 2003
Posts: 5

Thanks for the advice. I've decided to trash the OS and install Mandrake 9.1 on another drive. I'll then move the /home stuff over and blow the rest away. It looks like /home wasn't touched except for the addition of the "shah" user.

I've needed to upgrade the OS anyway, and this is excellent motivation.

I'd still like to know what this worm was trying to do. I've googled it and didn't find anything that seems to match what I've seen.

Tom
 
Old 09-26-2003, 02:20 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
aaron-aardvark
Wasn't one LQ account enough?

It looks like /home wasn't touched except for the addition of the "shah" user.
How do you know it wasn't touched? Good: integrity detection, bad: "gut feeling", "I kinda *think* it is", "dunno".

I'd still like to know what this worm was trying to do.
I told you what to start with, see III and VI.
 
Old 09-27-2003, 04:18 AM   #5
Tom Bozack
LQ Newbie
 
Registered: Dec 2000
Location: Ridgecrest, California
Posts: 25

Original Poster
Thanks for your snarky reply.

I don't know with certainty that /home wasn't touched. I do know that the file modification date/time on all of the files in /home predated the attack. This is not the case for the system files that were touched. The RPM database is no help in this case since /home only has user files of course - not applications or system files. I could compare the files against the last backup, but my main mission is getting a working system again, not playing security investigator.

My comments were simply based on the hope that someone would simply say "hey, I know about this worm, and here's what it does". I don't have the time or interest (or talent) to figure it out myself. There are people who do that for a living, and I'm not one of them.

See where it says "newbie" under my name. Lighten up.

Tom
 
Old 09-27-2003, 07:50 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
I could compare the files against the last backup, but my main mission is getting a working system again, not playing security investigator.
Then by all means follow the default "reformat, reinstall, harden, audit" routine.
 
Old 09-27-2003, 12:53 PM   #7
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

See where it says "newbie" under my name. Lighten up.

Tom


I think he was joking, see below...

I told you what to start with, see III and VI.

Now that is funny!
 
Old 09-28-2003, 09:30 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
I think he was joking, see below...
I told you what to start with, see III and VI.
Now that is funny!


I don't think I was joking, but that doesn't matter.
What does matter is he skipped major parts of the message.
 