Malware alert

Support for security such as Firewalls and securing linux
Post Reply
bobe54
Posts: 2
Joined: 2014/06/18 16:00:42

Malware alert

Post by bobe54 » 2014/06/18 16:13:31

I posted this on an Ubuntu forum as well since that's where I discovered the first reference to it.

I've had the same problem on Centos 6.5. A program /tmp/.flush would delete /usr/sbin/httpd and /usr/sbin/ntpd [maybe others].

After I managed to get wireshark installed, I found there were also two programs in /boot/.IptabLes and /boot/.IptabLex that were flooding my network with packets headed to what appeared to be IP located in China.

These programs were started as services via files in /etc/init.d

This happened on a newly installed server that DID have an ip pinhole open. Whoever got in had root access. [Oddly enough the main server seems unaffected]

Seems more prank-like than malicious: deleting files like httpd and ntpd is bound to get somebody's attention. But the prank extracted its cost in time and $$.

Here's a list of files implicated:
/boot/.IptabLes
/etc/init.d/ptabLes
/usr/bin/btdaemon
/boot/.IptabLex
/etc/init.d/IptabLex
/etc/init.d/bluetoothdaemon
/tmp/.flush

HTH.
Bob


gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Malware alert

Post by gerald_clark » 2014/06/18 22:01:36

Once you have been hacked, there is no way to be certain you have removed all backdoors.
You need to wipe and reinstall.

bobe54
Posts: 2
Joined: 2014/06/18 16:00:42

Re: Malware alert

Post by bobe54 » 2014/06/21 01:10:06

Yuck. Didn't want to reinstall but I did. Guess I'll sleep better.

Post Reply

Return to “CentOS 6 - Security Support”