Mystery script

GordoTheGeek
Posts: 1
Joined: 2005/05/18 13:15:39

Mystery script

Post by GordoTheGeek » 2006/03/06 02:39:28

Somehow, a miscreant keeps getting into my 4.2 box and running a script to send out thousands upon thousands of Paypal phishing scam emails. The problem is that I have absolutely NO idea how they're getting in, much less getting root privileges for the script.

The version that I just killed was in /usr/share/man/man7/.x
-rw-r--r-- 1 root root 23 Mar 5 21:06 lastdone.txt
-rw-r--r-- 1 root root 843216 Mar 5 13:27 list.txt
-rw-r--r-- 1 640 613 3868 Feb 11 15:14 message.txt
-rw------- 1 root root 337217 Mar 5 21:06 nohup.out
-rwxr-xr-x 1 640 613 237 Nov 24 19:13 udevd
When it's being run, it shows up in a ps -aef as 'sh udevd'.

Here's the script contents:
#!/bin/sh
#

cat list.txt|sort | uniq | tr A-Z a-z >list.txt2
mv list.txt2 list.txt
for mail in `cat list.txt`;do
cat message.txt |sed -e "s/Oxffd@yahoo.com/$mail/g" | /usr/sbin/sendmail $mail
echo $mail >lastdone.txt
echo $mail
done
A snip of list.txt:

message.txt is the usual HTML-format phoney "your account has been suspended" Paypal notice. The link goes here: http://webmail.cygnusin.com:1/paypal.com/us/cgi-bin/index.php

Every time one of these things gets run, my machine bogs right down. I've had it show up on a number of machines at work as well: Redhat 9, Fedora 2&3 AND a CentOS box. The home machine is sitting behind a Linksys router, and the only ports coming through are mail, web and ssh.

Help? Anyone? Thanks.

nfowar
Posts: 4
Joined: 2006/03/11 20:58:41

Re: Mystery script

Post by nfowar » 2006/03/11 21:05:37

If you're running a web server, you should make sure you run no vulnerable PHP/Perl/whatever CGI applications. The next thing to check is if you have user accounts with weak passwords (name == password or similar) that can be exploited via ssh.

miah
Posts: 4
Joined: 2006/02/08 05:23:34

Re: Mystery script

Post by miah » 2006/03/14 16:38:20

If all that's open is ssh, mail, and web, definitely reset your passwords on all of these boxes. If you can, restrict who is allowed to ssh into your systems with iptables. Do your systems usually send mail to the outside? If not, you could set up an iptables rule to limit outgoing packets to remote smtpd to a very low packet-per-second rate; this won't stop the problem, but it will reduce the amount of spam you're sending and maybe cause the person to go elsewhere. You mentioned RH9 as well; personally I would get rid of it, due to lack of updates. I wouldn't run it on anything that needs to be connected to the internet. As always, make sure your system is up2date, either yum -y update *and reboot if kernel updates are installed* or run up2date -f -u.

Because those files are all owned by root, you know these people have root access to your system. This means that they could have also installed a rootkit, or even backdoored sshd. You should run some simple rpm verifications after booting the system with a rescue cd. You cannot trust anything that the system is reporting to you while it is running with a possibly backdoored kernel. Boot the rescue cd, then chroot into the environment, don't run *anything* other than shell builtins. I've seen rootkits that activate when you run ls, so you need to be very careful. Run something like:

for i in `rpm -qa`; do
rpm -V $i
done

This will go through each installed rpm and verify the files on the system against the rpm database. You will get lots of stuff printed here: any configuration file you've modified will be shown, any files that you have changed permissions on will be shown, but also any files that have been replaced, modified, or backdoored will be shown. It helps, but it's not the best way to handle this; a host file integrity solution like Samhain or Tripwire is really the way to go. Very likely you will need to reinstall this system, so hopefully you have a recent backup. If not, you need to be *very careful* of anything you copy from that system. HTML files are likely ok, but do not copy any programs.

-miah
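The rpm -V loop above prints every difference, including harmless config edits. As an added example (not from anyone in this thread), the following script triages that output from the rescue-CD chroot, keeping only missing files and non-config files whose digest, size, mode or link target changed. It assumes the RPM 4.x verify output format (an 8- or 9-character flag column, an optional attribute letter, then the path) and runs on a constructed sample.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output after booting a rescue CD.
# Run `rpm -Va` inside the chroot (or `rpm --root /mnt/sysimage -Va` from the
# rescue shell) and pipe it through rpmv_suspicious. Assumed format: a flag
# column such as "S.5....T" (size, mode, MD5, ..., mtime), an optional attribute
# letter (c=config, d=doc, g=ghost), then the path; "missing <path>" for absent
# files. Caveat: the rpm database lives on the compromised disk and can itself
# be edited, so a clean result is not proof of a clean system.

# Keep only lines a defender must look at: missing files, and files whose
# size, mode, MD5 or symlink target changed and that are not config/doc/ghost.
rpmv_suspicious() {
    awk '
        /^missing/ { print "MISSING " $NF; next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""
            path  = $NF
            # Config, documentation and ghost files are expected to differ.
            if (attr == "c" || attr == "d" || attr == "g") next
            # mtime-only (T) or owner-only changes are low signal; a changed
            # digest (5), size (S), mode (M) or link target (L) is not.
            if (flags ~ /[S5ML]/) print "CHANGED " flags " " path
        }'
}

# Constructed sample of rpm -V output, standing in for a real run.
SAMPLE_RPMV='S.5....T  c /etc/ssh/sshd_config
S.5....T    /usr/sbin/sshd
.......T    /usr/bin/ls
..5....T  d /usr/share/man/man1/ls.1.gz
missing     /usr/bin/netstat'

# Run the triage over the constructed sample; prints two lines
# (the replaced sshd binary and the missing netstat).
check_sample() {
    printf '%s\n' "$SAMPLE_RPMV" | rpmv_suspicious
}

check_sample
```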
