
Re: Strange segmentation faults and Zombies



Diego Brouard wrote:
On Wednesday, 17 September 2003 21:29, Markus Schabel wrote:

Hello!

I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that the executable was bigger
after the segfault.


As you've seen, you have been cracked by a "worm"; it's called RST.b.

In a few words, it infects executable files in /bin and in the current
directory from where you are executing an already infected binary.
You were infected because of a php bug and the ptrace bug.

There is lots of info "googling" the internet. You can avoid
reinstalling the server if you work carefully.

Getting rid of RST.b was relatively easy: just copied /bin, /sbin,
/usr/bin and /usr/sbin over from another stable server, then installed
AntiVir personal edition in DEMO mode (www.antivir.de) - that is enough
to detect all infected files - and then copied all infected files from
the other server over. There also are some tools that disinfect the
binaries if you don't have another server...

Removed the "new" root user from passwd and shadow and deleted his
home directory.

I also tried to get rid of all other issues, installed chkrootkit (which
works fine with the clean binaries in /bin) and found nothing -
interesting was that ifconfig showed PROMISC and chkrootkit didn't
detect it. After that I rebooted the server - now the interfaces are not
in promisc mode - and changed all passwords. Also did a remote portscan
on ALL (tcp&udp) ports and hopefully fixed the upload-hole.

(Question: How do I get the interfaces out of PROMISC mode remotely?
Cannot do a networking stop/start because I'll be kicked after stop
and never get in to start, and I'd not bet my ass that a restart would
work on a compromised server...)

Also did an apt-get install --reinstall libc6 and some other packages
(ssh, ...) and compared md5sums of all files with the md5sums of my
remote server. (Be careful: if you execute an apt-get <whatever> while
/bin/* is still infected, /usr/lib/apt/methods/* also gets infected.)

The server SEEMS to be clean at the moment, but I would not bet my head
on this. The next step is to re-define all our security guidelines and
check that they are held by each user on the server. Also we constantly
check all our logfiles and do regular port-scanning, and will get
something that constantly checks all md5sums of all files and instantly
emails all changes.

Thanks to all for your help! Since this server is a private one and not
owned by a company and is hosted somewhere we cannot get to easily (we
moved, but the server stayed at the old hoster) we have problems
reinstalling the server now - but we all know that we REALLY should
reinstall or switch it off.

regards Markus
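Two of the checks this message touches on, written up as an added shell example that is not part of the thread: a checksum baseline over the directories Markus names (/bin, /sbin, /usr/bin, /usr/sbin, and /usr/lib/apt/methods, which he notes also gets infected) that reports changed, added and removed files, and a PROMISC check that reads iproute2's `ip -o link show` output rather than trusting a possibly trojaned ifconfig. The interface listing and the files the test checks are constructed for the example; sha256sum is used in place of the md5sums mentioned in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample data below is constructed.

# --- 1. Interfaces in promiscuous mode ------------------------------------
# $1 is a file holding `ip -o link show` output (one interface per line).
# Prints the name of every interface whose flag list contains PROMISC.
# Reading the kernel's own flags via iproute2 does not depend on ifconfig,
# which on this kind of compromise may itself be an infected binary.
promisc_ifaces() {
    awk -F': ' '/<[^>]*PROMISC[^>]*>/ { sub(/@.*/, "", $2); print $2 }' "$1"
}

# Constructed `ip -o link show` output: only eth0 carries PROMISC.
SAMPLE_IPLINK=$(mktemp)
cat > "$SAMPLE_IPLINK" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
EOF

# --- 2. File integrity baseline -------------------------------------------
# Writes "sha256  path" for every regular file under the given directories,
# sorted by path so two runs can be compared line by line.
# Store the result off the server: a baseline kept on a compromised host
# can be edited along with the binaries it describes.
# Paths are assumed to contain no whitespace (awk splits on it below).
make_baseline() {
    find "$@" -type f -exec sha256sum {} + | sort -k 2
}

# check_baseline BASELINE_FILE DIR...
# Re-hashes the directories and prints one line per difference:
#   CHANGED path   hash differs (e.g. a binary that "grew" after infection)
#   ADDED   path   file not present in the baseline
#   REMOVED path   file in the baseline that is gone
# Prints nothing when everything matches.
check_baseline() {
    _baseline=$1; shift
    _current=$(mktemp)
    make_baseline "$@" > "$_current"
    awk 'NR==FNR { old[$2] = $1; next }
         {
             if (!($2 in old))        print "ADDED " $2
             else {
                 if (old[$2] != $1)   print "CHANGED " $2
                 delete old[$2]
             }
         }
         END { for (p in old)         print "REMOVED " p }' \
        "$_baseline" "$_current" | sort
    rm -f "$_current"
}

# Typical use on the directories named in the thread (run from a known
# clean toolchain, e.g. a rescue system, when the host is suspect):
#   make_baseline /bin /sbin /usr/bin /usr/sbin /usr/lib/apt/methods \
#       > /path/on/another/host/baseline.sha256
#   check_baseline /path/on/another/host/baseline.sha256 \
#       /bin /sbin /usr/bin /usr/sbin /usr/lib/apt/methods
```

On the PROMISC question: iproute2's `ip link set dev eth0 promisc off` clears the flag without taking the link down, so it can be done over ssh; the flag is only a symptom, though, and a sniffer that is still running may set it again, so the process holding the interface should be found first. Piping `check_baseline` output into mail from cron gives the "instantly emails all changes" behaviour, but only the comparison against a baseline stored elsewhere is meaningful once the host's own sha256sum and awk are in question.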
