LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   RH 7.3 Server infected with Linux.Jac.8759 and Linux.RST.B virus (https://www.linuxquestions.org/questions/linux-security-4/rh-7-3-server-infected-with-linux-jac-8759-and-linux-rst-b-virus-116197/)

osso09 11-14-2003 11:31 PM

RH 7.3 Server infected with Linux.Jac.8759 and Linux.RST.B virus
 
I am a student at a university who has inherited the duties of administering a small web application (LAMP) server at my job. While working with SSH I noticed that many commands (ls, mkdir, pwd) stopped working, producing the message, "Segmentation Error". After some research and file size comparisons with our test server, I realized that we were infected with the Linux.Jac.8759 virus. All infected files were increased in size by 8759 bytes. Shortly after, the test server became infected as well.

Problem: Nearly all files in "/bin" and "/usr/bin" have been infected. This makes it extremely difficult to navigate and perform simple tasks.

What I've done since: I have tried to clean the files by sharing them through Samba and using Symantec Anti-Virus (Windows). Not very effective. However, it did find the Linux.RST.B virus. I have also tried a cleaner that I found on the internet called vaccine.c. Also ineffective. I forced an install of fileutils which allowed me to navigate through the shell again. Since I couldn't repair the files I decided to delete them (they are useless now anyway). That is where I stand now.

So I need some help. The last thing I want to do is reformat and start over. The person who wrote the web application used a lot of shortcuts. If I start over I'm afraid that I will never get it running again. I'm kind of stuck now. Is there any way to repair or replace these files? Any help would be greatly appreciated!!

chort 11-15-2003 02:43 AM

After a compromise that alters system integrity you should always wipe clean and reinstall. There's no way to tell how extensive the damage is.

pablob 11-15-2003 07:20 AM

Agree with Chort. Still, you can use McAfee (Network Associates) VirusScan for Linux.

nightjar 11-15-2003 11:01 AM

RAV antivirus is also good for Linux.

osso09 11-16-2003 10:35 PM

Our IT Department suggested Sophos AntiVirus. Does anyone have any experience with this product? I see that no one has mentioned it yet....

tletlup 11-16-2003 11:21 PM

Back up the web, format all the rest... don't forget the MySQL database or any other one on it.

Never again use root to make any change that is not really, really necessary.

Especially because Linux.RST.B is a trojan, not really a virus; it MUST be run so it can start working. If run by a user, not much problem, it stays in the machine... if run by root... well, it creates a backdoor... you imagine the rest.

That is the main problem with Windows... the users are always root; once inside the computer, that virus will munch and spit you out.

Under Linux it is a more difficult task.

I do recommend Sophos too.

unSpawn 11-17-2003 08:52 AM

Our IT Department suggested Sophos AntiVirus. Does anyone have any experience with this product? I see that no one has mentioned it yet...
With all due respect, looking at the way you initially handled recon, you don't know enough of Linux to be able to properly "clean" the box. That would be a fallacy.

Like Chort already suggested, you should be focusing on doing a reinstall. Before you do a reinstall I hope you 1. warned the IT dept and anyone who used the box so they can test theirs (since you don't know the infection's point of entry) and 2. invalidated any backups made for this box (since you probably don't have the means to verify integrity anyway).

osso09 11-17-2003 10:04 AM

Obviously if I knew a lot about Linux I wouldn't be here. The fact is that I am really just a web designer. The university (my department actually) doesn't have enough money to hire a bunch of students for all of the duties that go along with this system. They hire a programmer, and just assume he/she knows how to properly administer the server. For people who don't know anything about computers, it seems like a reasonable assumption. That is why I'm in this position today.

From most of your posts, I've come to realize that the only thing for me to do is to backup what I can and reformat. As for my question about Sophos, I wasn't thinking about using it to "clean" the machine as you say (since I obviously lack the capacity). I should have made it more clear that I plan to install antivirus software after the clean install. I'm just looking for some suggestions/comments.

Thanks for all your help so far. Any other opinions on antivirus software would be greatly appreciated.

unSpawn 11-17-2003 10:41 AM

Obviously if I knew a lot about linux I wouldn't be here.
I should make it clear I didn't intend to belittle you or question your level of knowledge.
What I care for and am concerned with in these types of cases is people doing what they think would be "the right thing" which would either 1. not correct the situation in a "proper" way, 2. continue to pose a threat to the (local|inter)network or even worse 3. continue operating a clearly malfunctioning box by "patching up". In general (so may not apply to your case) when what people post looks like dodging responsibilities, stalling or losing focus I try to "correct" their POV.


That is why I'm in this position today.
And I assure you we'll do anything in our power to help you.


I've come to realize that the only thing for me to do is to backup what I can and reformat.
Yes. Don't back up binaries. Since this is an infected (thus "untrusted") box, make sure backups don't mix with any other. Clearly mark them as "suspect", and move to a safe place. When the time comes to restore configs and data, restore to a safe place, and inspect each config manually.


I should have made it more clear that I plan to install antivirus software after the clean install. I'm just looking for some suggestions/comments.

From the LQ FAQ: Security references, post #3 "Viruses on Linux/GNU, Antivirus software":

"Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding to inject malicious code, and of those only Sendmail and OpenSSH were at main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noted soon, the real problem is you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs or III. have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means to end users any SW provided w/o means to verify integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.


As for the "virus" thingie I wish we, as a Linux community, try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACLs (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.

*If you're still not satisfied you've covered it all you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, Mcafee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, Spam Assassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig DBs very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): McAfee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.

Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW,
NIST (list of AV vendors),
Clam."


HTH somehow.
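The "watch system integrity" item in the list above, and the file size comparison the original poster did by hand against the test server, both come down to the same check: hash a known-clean tree once, keep that record off the host, and later compare. The script below is an added example written for this thread; it is not code from the thread, and not AIDE, Samhain or Tripwire. It assumes Python 3 and that the baseline is taken from a fresh install before the box goes on the network. Besides the usual missing/new/modified report, it clusters modified files by how many bytes they grew, since a file infector that appends a fixed payload produces one cluster with a single delta (the 8759-byte growth reported in the first post). The `demo()` function runs the whole thing on a constructed scratch tree in a temporary directory, so nothing on the real system is touched.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

CHUNK = 65536  # read files in pieces so large binaries are not loaded whole


def hash_file(path):
    """SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to size, mode bits and hash."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks and special files are recorded by neither AIDE-style tools nor here
        st = p.stat()
        baseline[str(p.relative_to(root))] = {
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
            "sha256": hash_file(p),
        }
    return baseline


def verify(root, baseline):
    """Compare the live tree with a saved baseline.

    Returns (relative_path, kind, size_delta) tuples; kind is 'missing', 'new',
    'modified' or 'mode changed', and size_delta is bytes grown (negative if
    shrunk) for modified files, None otherwise.
    """
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing", None))
        elif new["sha256"] != old["sha256"]:
            findings.append((rel, "modified", new["size"] - old["size"]))
        elif new["mode"] != old["mode"]:
            findings.append((rel, "mode changed", None))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new", None))
    return findings


def growth_clusters(findings):
    """Group modified files by bytes grown; many binaries sharing one delta is the
    signature of a file infector appending a fixed payload."""
    clusters = {}
    for rel, kind, delta in findings:
        if kind == "modified" and delta is not None and delta > 0:
            clusters.setdefault(delta, []).append(rel)
    return clusters


def demo():
    """Constructed scenario in a scratch directory: three stand-in binaries are
    baselined, then two grow by 8759 filler bytes and one gets new permission bits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("cat", "ls", "pwd"):
            (root / "bin" / name).write_bytes(b"stand-in for /bin/" + name.encode() + b"\n")
        saved = json.dumps(build_baseline(root))  # in practice: copy this off-host
        for name in ("ls", "pwd"):
            with open(root / "bin" / name, "ab") as f:
                f.write(b"\x00" * 8759)  # constructed growth, same delta on both files
        os.chmod(root / "bin" / "cat", 0o755)  # constructed permission change
        findings = verify(root, json.loads(saved))
        return findings, growth_clusters(findings)


if __name__ == "__main__":
    # usage: integrity.py baseline DIR > baseline.json
    #        integrity.py verify DIR baseline.json
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_baseline(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        with open(sys.argv[3]) as f:
            for rel, kind, delta in verify(sys.argv[2], json.load(f)):
                extra = f" ({delta:+d} bytes)" if delta is not None else ""
                print(f"{kind:13} {rel}{extra}")
    else:
        print(demo())
```

The check is only as trustworthy as the copy of the baseline and of the script itself: both should live somewhere the box cannot write to, and the comparison is best run from a boot medium or a known-clean host with the suspect filesystem mounted read-only, since a compromised system can lie about its own files.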

osso09 11-17-2003 11:35 PM

The machine has been disconnected. We start the rebuilding process in about 7 hrs. I thank you all for your responses and unSpawn, for your patience. Wish me luck!

unSpawn 11-17-2003 11:37 PM

Hmm.. I think luck hasn't got anything to do with it...
Anyway, good luck!
