Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I encountered a spambot, hitting a port somewhere in the 32xxx range, which had the following modus operandi:
It installed its own rogue /etc/cupsd
When logged on as root and watching it, the system could and would replace this file every few minutes.
Another file of identical size was in /etc/logrotate.d ... a binary copy of the rogue.
Which "bot" is this, and where is it documented?
The rogue file is interesting in part because it contains the word "spam" quite liberally inside its carefully-designed content. Obviously a zombie engine. Not easy to see how long it's been there especially if they were monkeying with logrotate.
Grrr... If your hosting company "helpfully" installs Plesk on your machine, beat them severely with a wet noodle. (Coated in battery acid.)
Last edited by sundialsvcs; 03-13-2012 at 12:48 PM.
No, this was a virtual server from 1&1 Internet. Not only did they pre-install software that was chock full o' bugs, but it also had many "gratuitous" features (including Plesk itself) which I tried to lock down but obviously missed.
Incidentally, the modus operandi was always the same: it installed or reinstalled a rogue /etc/cupsd file, then spawned the listener, and a few seconds later it was dumping spam somewhere. A very freshly installed and updated ClamAV didn't know anything about it. Unfortunately for me, the rogue software was executing as root.
I also noticed that sshd_config permitted GSSAPI authentication although I don't know why. I haven't quite figured out the attack vector it was using, except for noticing the binary file (of exact size and content) in /etc/logrotate.d.
The maddening thing about these "gratuitous installs," of course, is that you really don't know all of what they are doing; all of what has been installed. I am accustomed to installing Linux more-or-less from scratch on a machine that I can actually touch. But when it's a virtual box in Kansas City, that's a little hard to do.
In /etc/passwd there is no one else with a UID of zero.
In /etc/shadow this field does not apply.
Anywhere else to look? Command to use? (System is ancient, centos-5.)
But I wouldn't have put it past these guys to, say, have monkeyed-around with PAM.
Edit: We also know that no successful login attempts are recorded through last although lastb (failed attempts) is as full as ever. So, whatever it is that "refreshes" these files a few minutes after they're removed, that thing is persistent. We also know that it is not constantly active. And, as I said earlier, we know that ClamAV doesn't seem to see anything wrong. (Not even the obviously rogue /etc/cupsd or the obviously bogus file previously mentioned ... which tells you how useful that kind of software actually is ...)
Last edited by sundialsvcs; 03-13-2012 at 08:33 PM.
Is that a webserver? Consider that one (you've seen it on this forum, I'm sure) infected PHP file could spawn a Perl file with the proper rights at any time without the maker even being needed. Nifty but nasty. As soon as the page is called up (by an innocent surfer) the whole ball starts rolling again...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.