I posted this on an Ubuntu forum as well since that's where I discovered the first reference to it.
I've had the same problem on CentOS 6.5. A program /tmp/.flush would delete /usr/sbin/httpd and /usr/sbin/ntpd [maybe others].
After I managed to get wireshark installed, I found there were also two programs in /boot/.IptabLes and /boot/.IptabLex that were flooding my network with packets headed to what appeared to be an IP located in China.
These programs were started as services via files in /etc/init.d.
This happened on a newly installed server that DID have an IP pinhole open. Whoever got in had root access. [Oddly enough the main server seems unaffected]
Seems more prank-like than malicious: deleting files like httpd and ntpd is bound to get somebody's attention. But the prank extracted its cost in time and $$.
Here's a list of files implicated:
/boot/.IptabLes
/etc/init.d/ptabLes
/usr/bin/btdaemon
/boot/.IptabLex
/etc/init.d/IptabLex
/etc/init.d/bluetoothdaemon
/tmp/.flush
HTH.
Bob
Malware alert
IptabLex, IptabLes
Compromises leaving .IptabLes and .IptabLex binaries (with or without dot) in /, /boot, /etc and/or /usr seem to be quite common:
http://ubuntuforums.org/showthread.php?t=2226673
http://www.linuxquestions.org/questions ... 175502655/
http://forum.synology.com/enu/viewtopic ... 19&t=85779
http://daivietpda.vn/threads/203145/
http://security.stackexchange.com/quest ... d-iptablex
More info here:
http://remchp.com/blog/?p=163
http://blog.malwaremustdie.org/2014/05/ ... h-elf.html
If Elastic Search is running exposed and with dynamic scripts enabled see:
http://www.ebel-computing.de/JSPWiki/Wi ... r%20Trojan
https://www.found.no/foundation/elastic ... sticsearch
http://bouk.co/blog/elasticsearch-rce/
http://www.elasticsearch.org/guide/en/e ... ic_scripts
*Should you want to check with Rootkit Hunter, due to http://rkhunter.cvs.sourceforge.net/vie ... &r2=1.508& and http://rkhunter.cvs.sourceforge.net/vie ... iew=markup, then please get Rootkit Hunter from CVS (http://rkhunter.cvs.sourceforge.net/vie ... /?view=tar) until released officially.
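As an added defender-side check (written for this thread; not from the forum, CentOS or Rootkit Hunter), the POSIX shell sweep below looks for the paths Bob listed, for the dotted and undotted IptabLes/IptabLex names in the directories named above, and for SysV rc links that would start them at boot. The ROOT argument is an assumption so that a mounted disk image can be scanned instead of the live system.

```shell
#!/bin/sh
# Sweep for the IptabLes/IptabLex artefacts named in this thread.
# Usage: iptab_scan [ROOT]   (ROOT defaults to "/"; pass a mount point
# or test tree to scan an image). Constructed for this thread, not a
# tool from the forum or from rkhunter.

# Report one path if it exists (regular file, directory or symlink)
# and bump the global hit counter.
iptab_check() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        echo "HIT: $1"
        hits=$((hits + 1))
    fi
}

# Returns 0 when nothing was found, 1 when any indicator is present.
iptab_scan() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "" so "$root/boot" stays valid
    hits=0
    # Dotted and undotted names in the directories the alert mentions,
    # plus /etc/init.d (the service scripts Bob found).
    for dir in "" /boot /etc /usr /etc/init.d; do
        for name in IptabLes IptabLex .IptabLes .IptabLex ptabLes; do
            iptab_check "$root$dir/$name"
        done
    done
    # The remaining files from Bob's list.
    for p in /usr/bin/btdaemon /etc/init.d/bluetoothdaemon /tmp/.flush; do
        iptab_check "$root$p"
    done
    # SysV rc links (e.g. /etc/rc3.d/S99IptabLes) are what make the
    # binaries start as services after a reboot.
    for link in "$root"/etc/rc*.d/*ptabLe*; do
        iptab_check "$link"
    done
    echo "$hits indicator(s) found under ${root:-/}"
    [ "$hits" -eq 0 ]
}

# Scan the live system when invoked as: sh iptab_scan.sh --run
if [ "${1:-}" = "--run" ]; then
    iptab_scan / || echo "Indicators present; treat the host as compromised."
fi
```

A hit means the host should be treated as compromised; as the reply below from the CentOS forum says, the only reliable remedy is a wipe and reinstall.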
Re: Malware alert
Once you have been hacked, there is no way to be certain you have removed all backdoors.
You need to wipe and reinstall.
Re: Malware alert
Yuck. Didn't want to reinstall but I did. Guess I'll sleep better.