Mystery script

Mystery script

Post by GordoTheGeek » 2006/03/06 02:39:28

Somehow, a miscreant keeps getting into my 4.2 box and running a script to send out thousands upon thousands of Paypal phishing scam emails. The problem is that I have absolutely NO idea how they're getting in, much less getting root privileges for the script.

The version that I just killed was in /usr/share/man/man7/.x
-rw-r--r-- 1 root root 23 Mar 5 21:06 lastdone.txt
-rw-r--r-- 1 root root 843216 Mar 5 13:27 list.txt
-rw-r--r-- 1 640 613 3868 Feb 11 15:14 message.txt
-rw------- 1 root root 337217 Mar 5 21:06 nohup.out
-rwxr-xr-x 1 640 613 237 Nov 24 19:13 udevd
When it's being run, it shows up in ps -aef as 'sh udevd'.

Here's the script contents:

# dedupe and lowercase the address list
cat list.txt|sort | uniq | tr A-Z a-z >list.txt2
mv list.txt2 list.txt
# one sendmail invocation per address; lastdone.txt records progress
for mail in `cat list.txt`;do
# sed expression as posted (appears truncated; no replacement field)
cat message.txt |sed -e "s/$mail/g" | /usr/sbin/sendmail $mail
echo $mail >lastdone.txt
echo $mail
done
A snip of list.txt:

message.txt is the usual html format phoney "your account has been suspended" Paypal notice. The link goes here:

Every time one of these things gets run, my machine bogs right down. I've had it show up on a number of machines at work as well: Red Hat 9, Fedora 2 & 3, AND a CentOS box. The home machine is sitting behind a Linksys router, and the only ports coming through are mail, web and ssh.

Help? Anyone? Thanks.


Re: Mystery script

Post by nfowar » 2006/03/11 21:05:37

If you're running a web server, you should make sure you run no vulnerable php/perl/whatever CGI applications. The next thing to check is whether you have user accounts with weak passwords (name == password or similar) that can be exploited via ssh.


Re: Mystery script

Post by miah » 2006/03/14 16:38:20

If all that's open is ssh, mail, and web, definitely reset your passwords on all of these boxes. If you can, restrict who is allowed to ssh into your systems with iptables. Do your systems usually send mail to the outside? If not, you could set up an iptables rule to limit outgoing packets to remote smtpd to a very low packet per second rate; this won't stop the problem, but it will reduce the amount of spam you're sending and maybe cause the person to go elsewhere. You mentioned RH9 as well; personally I would get rid of it, due to lack of updates. I wouldn't run it on anything that needs to be connected to the internet. As always, make sure your system is up2date, either yum -y update *and reboot if kernel updates are installed* or run up2date -f -u.

Because those files are all owned by root, you know these people have root access to your system. This means that they could have also installed a rootkit, or even backdoored sshd. You should run some simple rpm verifications after booting the system with a rescue cd. You cannot trust anything that the system is reporting to you while it is running with a possibly backdoored kernel. Boot the rescue cd, then chroot into the environment, don't run *anything* other than shell builtins. I've seen rootkits that activate when you run ls, so you need to be very careful. Run something like:

for i in `rpm -qa`; do
rpm -V $i
done

This will go through each installed rpm and verify the files on the system against the rpm database. You will get lots of stuff printed here: any configuration file you've modified will be shown, any files that you have changed permissions on will be shown, but also any files that have been replaced, modified, or backdoored will be shown. It helps, but it's not the best way to handle this; a host file integrity solution like Samhain or Tripwire is really the way to go. Very likely you will need to reinstall this system, so hopefully you have a recent backup. If not, you need to be *very careful* of anything you copy from that system. HTML files are likely ok, but do not copy any programs.
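To make sense of the rpm -V output that loop produces, here is an added Python helper (not from the thread or from rpm itself) that parses the verify lines and separates edited config files from replaced non-config binaries and missing files; the sample lines and the verdict names are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `rpm -V` output. Flag columns: S size, M mode, 5 digest,
# D device, L symlink target, U user, G group, T mtime (newer rpm adds P capabilities);
# '.' means the test passed, '?' means it could not run; 'c' before the path = config file.
SAMPLE_RPM_V_OUTPUT = """\
S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ls
....L...   /usr/lib/libcrypto.so.4
.M......   /usr/bin/crontab
.......T   /usr/share/doc/bash-3.0/README
missing    /usr/bin/lsof
"""

FLAG_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")

class Finding(NamedTuple):
    path: str
    flags: str
    is_config: bool
    verdict: str

def classify(flags: str, is_config: bool) -> str:
    # Verdict categories are constructed for this example, not rpm's own.
    if flags == "missing":
        return "missing"
    if any(f in flags for f in "S5L"):        # contents or link target changed
        return "config-edit" if is_config else "REPLACED"
    if any(f in flags for f in "MUGD"):       # permissions, owner or device node
        return "perms-or-owner"
    return "benign"                           # only the mtime differs

def parse_rpm_verify(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        m = MISSING_RE.match(line) or FLAG_RE.match(line)
        if not m:
            continue                          # rpm warnings, blank lines, etc.
        flags = "missing" if line.startswith("missing") else m["flags"]
        is_config = m["attr"] == "c"
        findings.append(Finding(m["path"], flags, is_config, classify(flags, is_config)))
    return findings

def suspicious(findings: List[Finding]) -> List[Finding]:
    # Non-config files whose contents changed, or packaged files that vanished.
    return [f for f in findings if f.verdict in ("REPLACED", "missing")]
```

Feed it the loop's captured output (e.g. `rpm -V` redirected to a file copied off the rescue-booted system) and review the REPLACED and missing entries first.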



Return to “CentOS 4 - Security Support”