Security Experts, help, what is this (bad stuff)? (Linux Security forums, System Security and Security Related category)
I have been having what I thought was a formmail exploit on my machine. I know that when I have these spam attacks, I have an unknown process running and owned by apache that takes up 99% CPU. I killed the process and did not find it last time. I took sendmail down and won't run it anymore because of this.

I caught a runaway process from apache again this evening, eating my machine at 99% CPU. I got ready this time, copying logs, top output, and lsof to files for later analysis before killing the process. This time I was going to investigate before killing the PID:

  PID USER   PRI NI SIZE RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
24263 apache  25  0  188 180    20 R    99.9  0.0 368:38   0 u24

The last time this happened, the command was "perl" and was difficult to track down. This time it is "u24". Uh oh, I never heard of a u24 command, this could be very bad. Rootkit did not find anything; I have rootkit output saved from this time. I tracked down u24 and it was worse than I thought: I had a new /var/tmp/ directory chock full o' baddies. I killed the processes right away and shut down apache at once. Before deleting all of this bad stuff, I tarred and zipped it up for analysis. I have never heard of this stuff before; I thought that Linux "did not get viruses and trojans". All files in these directories were executable.

Anyway, for you security experts out there, somebody please have a look and tell me what this is. I already know it is really bad, the machine is toast, comes down now, and gets wiped for a new distro. No need to tell me that anymore, totally compromised, but anyway, have a look and ID this terrible stuff please, some kind of Trojan I think. I tarred it up and put it on my outsourced server at newsguy for somebody to analyze:

http://www.cinmiester.com/temp/BadStuff.tgz

Warning, these are executable files and could be very harmful, be careful when opening this mess up for a look!

I copied it over to a Windows machine and opened the tgz file, will give you a dir listing so that you know what to expect:

---------------------------------------------------------------------
 Volume in drive D has no label.
 Volume Serial Number is EC4D-EFC9

 Directory of D:\Bench\BadStuff

04/30/2005  12:07 AM    <DIR>          .
04/30/2005  12:07 AM    <DIR>          ..
04/29/2005  11:47 PM    <DIR>          .dream
04/29/2005  11:47 PM    <DIR>          .t
04/29/2005  04:26 PM               172 .vetx.95
04/28/2005  05:41 AM            63,646 dmuh.tgz
11/15/2004  10:15 AM            19,242 r0nin
04/29/2005  11:47 PM    <DIR>          sendervisa
04/19/2005  07:09 AM             1,417 sendervisa.tgz
               4 File(s)         84,477 bytes

 Directory of D:\Bench\BadStuff\.dream

04/29/2005  11:47 PM    <DIR>          .
04/29/2005  11:47 PM    <DIR>          ..
04/29/2005  10:15 PM             2,168 log
04/29/2005  02:54 AM                 0 messages
04/27/2005  04:25 PM               620 muhrc
04/29/2005  02:54 AM           150,576 root
               4 File(s)        153,364 bytes

 Directory of D:\Bench\BadStuff\.t

04/29/2005  11:47 PM    <DIR>          .
04/29/2005  11:47 PM    <DIR>          ..
04/19/2005  04:27 AM           428,508 m
04/10/2005  01:24 AM           148,974 n
04/12/2005  05:44 AM            21,305 p
04/29/2005  04:00 PM           262,144 TTdummyfile
04/12/2005  05:44 AM            26,752 u
04/19/2005  03:53 AM            26,718 u2
04/19/2005  07:12 AM            26,738 u24
               7 File(s)        941,139 bytes

 Directory of D:\Bench\BadStuff\sendervisa

04/29/2005  11:47 PM    <DIR>          .
04/29/2005  11:47 PM    <DIR>          ..
04/19/2005  06:42 AM             3,063 test.txt
04/19/2005  07:04 AM            62,102 users
04/19/2005  05:11 AM               564 visa.txt
               3 File(s)         65,729 bytes

     Total Files Listed:
              19 File(s)      1,244,709 bytes
              11 Dir(s)  32,531,484,672 bytes free
---------------------------------------------------------------------

What is this stuff and how did it get here? Some kind of remote VISA card exploit, no doubt. Yeah I know, the machine comes down, new one, etc. No need to tell me that anymore. FC3 already downloaded and CDs being burned for it right now. Thanks for your help.

--
~Ohmster
ohmster at newsguy dot com
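A small triage helper in the spirit of what Ohmster did before killing the PID, added here as an example (it is not code from the thread): it parses `top` output in the 13-column layout quoted above and flags rows that run under the web server account but are not the web server, that burn CPU, or, when /proc is readable, whose binary lives in /tmp or /var/tmp or was unlinked after start. The sample top rows and the /var/tmp/.t/u24 path are constructed from the post's listing; the account and command allowlists are assumptions.

```python
import os
import re

# Assumed: accounts a web server runs under, and the only commands they should run.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}
EXPECTED_CMDS = {"httpd", "apache2", "apache"}
CPU_THRESHOLD = 50.0  # percent; a single worker pegged this high is worth a look
# World-writable scratch directories that dropped binaries commonly run from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Column layout from the post: PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
TOP_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?:\S+\s+){6}(?P<cpu>[\d.]+)\s+"
    r"[\d.]+\s+\S+\s+\S+\s+(?P<cmd>.+?)\s*$"
)

def parse_top(text):
    """One dict per process row; the header line does not match the regex."""
    rows = [m for m in map(TOP_RE.match, text.splitlines()) if m]
    return [{"pid": int(m["pid"]), "user": m["user"],
             "cpu": float(m["cpu"]), "cmd": m["cmd"]} for m in rows]

def exe_path(pid):
    """Where the process binary really is (needs /proc); None if unknown."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def suspicious_reasons(row, exe=None):
    """Why a row deserves evidence collection; an empty list means it looks normal."""
    reasons = []
    if row["user"] in WEB_USERS and row["cmd"] not in EXPECTED_CMDS:
        reasons.append(f"{row['user']} runs {row['cmd']!r}, not the web server")
    if row["cpu"] >= CPU_THRESHOLD:
        reasons.append(f"{row['cpu']:.1f}% CPU")
    if exe and (exe.startswith(SCRATCH_DIRS) or exe.endswith("(deleted)")):
        reasons.append(f"binary in scratch dir or unlinked: {exe}")
    return reasons

def triage(text, exe_lookup=exe_path):
    """Map pid -> reasons for every row in `text` that is worth a closer look."""
    found = ((r["pid"], suspicious_reasons(r, exe_lookup(r["pid"]))) for r in parse_top(text))
    return {pid: why for pid, why in found if why}

# Constructed sample: the row from the post plus two normal-looking rows.
SAMPLE_TOP = """\
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
24263 apache    25   0   188  180    20 R    99.9  0.0 368:38   0 u24
 1042 apache    15   0  9120 4500  2100 S     0.3  0.4   0:12   0 httpd
  812 root      15   0  1460  600   500 S     0.0  0.0   0:01   0 sshd
"""
# Constructed stand-in for /proc on the compromised host (path taken from the listing).
SAMPLE_EXE = {24263: "/var/tmp/.t/u24"}
```

`triage(SAMPLE_TOP, SAMPLE_EXE.get)` flags only PID 24263 with all three reasons; on a live host call `triage(open("top.txt").read())` to let it consult /proc itself.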
"prg" <rdgentry1@cablelynx.com> wrote in news:1114837199.217682.314030@z14g2000cwz.googlegroups.com:

> [snip]
>
> If you can afford a new drive, DO NOT wipe this drive. It's the only
> evidence available that will help avoid this in the future.

Thanks, will buy new hard drives.

> Be aware that it is _very_ difficult to do computer forensics via
> email. You might want to find someone local (a LUG nearby?) to help
> you out.
>
> tough luck,
> prg

....sigh. Thanks again.

--
~Ohmster
ohmster at newsguy dot com
Ohmster wrote:

> I have been having what I thought was a formmail exploit on my machine.
> know that when I have these spam attacks, I have an unknown process
> running and owned by apache that takes up 99% CPU. I killed the process
> and did not find it last time. I took sendmail down and won't run it
> anymore because of this.
>
> I caught a runaway process from apache again, this evening, eating my
> machine, 99% CPU got ready this time, copying logs, top output, and lsof
> to files for later analysis before killing the process. This time I was
> going to investigate before killing the PID:
>
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
> 24263 apache 25 0 188 180 20 R 99.9 0.0 368:38 0 u24
>
> The last time this happened, the command was "perl" and was difficult to
> track down. This time it is "u24". Uh oh, I never heard of a u24 command,
> this could be very bad. Rootkit did not find anything, I have rootkit
> output saved from this time. I tracked down u24 and it was worse than I
> thought, I had a new /var/tmp/ directory chock full o' baddies. I killed
> the processes right away and shut down apache at once. Before deleting
> all of this bad stuff, I tarred and zipped it up for analysis, I have
> never heard of this stuff before, I thought that linux "did not get
> viruses and trojans". All files in these directories were executable.
>
> Anyway, for you security experts out there, somebody please have a look
> and tell me what this is, I already know it is really bad, the machine is
> toast, comes down now, and gets wiped for a new distro. ...

[snip]

If you can afford a new drive, DO NOT wipe this drive. It's the only evidence available that will help avoid this in the future. You don't think they won't return as soon as your new setup is going, do you? After all, they know how to find you and they did it once already.

This is just a quick note. Will look at your stuff when time permits.

Also, just so you know, your user/passwords for the "family" stuff are passed in clear text (http basic auth) so they probably have those too :( I sniffed the wire on my end the other day using "holyroller" and "biblebelter" (IIRC -- don't ask why).

Be aware that it is _very_ difficult to do computer forensics via email. You might want to find someone local (a LUG nearby?) to help you out.

tough luck,
prg
In comp.os.linux.security Ohmster <notareal@emailaddress.com>:

> I have been having what I thought was a formmail exploit on my machine.
> know that when I have these spam attacks, I have an unknown process
[..]
> terrible stuff please, some kind of Trojan I think. I tarred it up and
> put it on my outsourced server at newsguy for somebody to anylize:
> http://www.cinmiester.com/temp/BadStuff.tgz
[..]
> 11/15/2004 10:15 AM 19,242 r0nin

PsychoPhobia Backdoor is starting...

Looks like what it says, just another backdoor to your system. You are still running this EOL distro (RH 9) directly connected to the internet, while it seems obvious, from your contribution to cms, that you are missing the skills to update/secure the system.

You should disconnect it from the internet NOW and set up a recent distro, install all patches, close down anything unneeded and fire up iptables to deny anything. You shouldn't wonder if your ISP shuts down your account for good reasons, if your system is abused to annoy others on the internet with spam and alike.

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 450: Terrorists crashed an airplane into the server room, have to remove /bin/laden. (rm -rf /bin/laden)
Michael Heiming <michael+USENET@www.heiming.de> wrote in news:8agbk2-jh4.ln1@news.heiming.de:

> PsychoPhobia Backdoor is starting...

....ugh.

> Looks like what it says, just another backdoor to your system,
> you are still running this EOL distro (RH 9) directly connected
> to the internet. while it seems obvious, from your contribution
> to cms, that you are missing the skills to update/secure the
> system.

Distro is history.

> You should disconnect it from the internet NOW and setup a recent
> distro, install all patches, close down anything unneeded and fire
> up iptables to deny anything. You shouldn't wonder if your ISP
> shuts down your account for good reasons, if your system is
> abused to annoy others on the internet with spam and alike.

Proof enough, it is outta there. Thanks Michael.

--
~Ohmster
ohmster at newsguy dot com
1. You seem to have been acting as a spam source for a visa phishing site of some sort. There is a list of fake senders' names in there (users). The spam recipients are dynamically loaded from the spammer, so you probably won't find them in any of the files.

1a. The good news is that if your server was at 216.77.188.18 (your posting address), it is a dynamic address so the spam sent out will be blocked out by many ISPs and firms.

2. Every damn time I have seen r0nin it got in through one of the many php fiascos (phpNuke and phpBB come to mind most often). They keep patching php and new php exploits keep appearing. The old r0nin used to look for the do_brk() exploit in the kernel. Your r0nin seems larger than the one I last saw. Maybe I remember wrong. I didn't have the time to open it. Maybe one of the disassembly boys in the group can look at it.

3. The dmuh.tgz file contains the infamous rst.b program. Linux users should not mess with that file. You also have hacktool (the box cracker program) and a few other similar gems in there.

4. Although they probably will not find anything new, you should forward the tgz file with a copy of all your web logs for the last few months to nccs@fbi.gov for their perusal.

5. Rather than reformatting the disk, I would replace it with a new disk and save the contaminated disk until you are assured that it has no evidentiary value.
Mungo <reallydontmail@me.com> wrote in news:Xns9647E5FBA7927dontmailmecom@63.223.5.246:

Excellent feedback, Mungo.

> 1. You seem to have been acting as a spam source for a visa
> phishing site of some sort. There is a list of fake sender's names in
> there (users). The spam recipients are dynamically loaded from the
> spammer, so you probably won't find them in any of the files.

Yeah it looks that way now.

> 1a. The good news is that if your server was at 216.77.188.18
> (your posting address), it is a dynamic address so the spam sent out
> will be blocked out by many ISP's and firms.

Good news.

> 2. Every damn time I have seen r0nin it got in through one of
> the many php fiascos (phpNuke and phpBB come to mind most often). They
> keep patching php and new php exploits keep appearing. The old r0nin
> used to look for the do_brk() exploit in the kernel. Your r0nin seems
> larger than the one I last saw. Maybe I remember wrong. I didn't have
> the time to open it. Maybe one of the disassembly boys in the group
> can look at it.

I had phpbb 2.0.6 on the site, had it behind an .htaccess file with basic auth. Does not look like it was all that secure after all. phpbb most likely is the culprit, will not be using *that* anymore. For God's sakes, they are giving the darned thing away just to exploit phpbb! Look:

http://help.darknet.dk/

> 3. The dmuh.tgz file contains the infamous rst.b program.
> Linux users should not mess with that file. You also have hacktool
> (the box cracker program) and a few other similar gems in there.

Ugh, thanks for the report.

> 4. Although they probably will not find anything new, you
> should forward the tgz file with a copy of all your web logs for the
> last few months to nccs@fbi.gov for their perusal.

Hmmm, probably a good idea.

> 5. Rather than reformatting the disk, I would replace it with
> a new disk and save the contaminated disk until you are assured that
> it has no evidentiary value.

Yeah no doubt, will be getting a new hard drive for the machine and a completely new, up to date distro. You helped a lot, thanks again.

--
~Ohmster
ohmster at newsguy dot com
Ohmster wrote:

> "prg" <rdgentry1@cablelynx.com> wrote in news:1114837199.217682.314030
> @z14g2000cwz.googlegroups.com:
>
> > [snip]
> >
> > If you can afford a new drive, DO NOT wipe this drive. It's the only
> > evidence available that will help avoid this in the future.
>
> Thanks, will buy new hard drives.
>
> > Be aware that it is _very_ difficult to do computer forensics via
> > email. You might want to find someone local (a LUG nearby?) to help
> > you out.
> >
> > tough luck,
> > prg
>
> ...sigh. Thanks again.

My current list of security links that might be of use. I just double checked them;)

http://www.bastille-linux.org/
http://www.rootkit.nl/projects/rootkit_hunter.html
http://www.chkrootkit.org/
http://www.sleuthkit.org/index.php
http://www.sleuthkit.org/sleuthkit/
http://sleuthkit.sourceforge.net/autopsy/desc.php
http://www.sleuthkit.org/links.php
http://www.linux-forensics.com/links.html
http://www.forensics.nl/toolkits
http://www.intrusions.org/incidents/lists
http://seclists.org/
http://www.insecure.org/
http://www.insecure.org/tools.html
http://www.hackinglinuxexposed.com/articles/
http://www.hackinglinuxexposed.com/about/   << pretty good book
http://www.linuxexposed.com/Articles/Security.html

good luck,
prg
"prg" <rdgentry1@cablelynx.com> writes:

>> never heard of this stuff before, I thought that linux "did not get
>> viruses and trojans". All files in these directories were executable.

No. It is not affected by WINDOWS viruses and trojans. Remember that the very first mass internet worm was a Unix sendmail worm.
Ohmster wrote:

> I have been having what I thought was a formmail exploit on my machine.
> know that when I have these spam attacks, I have an unknown process
> running and owned by apache that takes up 99% CPU. I killed the process
> and did not find it last time. I took sendmail down and won't run it
> anymore because of this.
>
> I caught a runaway process from apache again, this evening, eating my
> machine, 99% CPU got ready this time, copying logs, top output, and lsof
> to files for later analysis before killing the process. This time I was
> going to investigate before killing the PID:
>
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
> 24263 apache 25 0 188 180 20 R 99.9 0.0 368:38 0 u24
>
> The last time this happened, the command was "perl" and was difficult to
> track down. This time it is "u24". Uh oh, I never heard of a u24 command,
> this could be very bad. Rootkit did not find anything, I have rootkit
> output saved from this time. I tracked down u24 and it was worse than I
> thought, I had a new /var/tmp/ directory chock full o' baddies. I killed
> the processes right away and shut down apache at once. Before deleting
> all of this bad stuff, I tarred and zipped it up for analysis, I have
> never heard of this stuff before, I thought that linux "did not get
> viruses and trojans". All files in these directories were executable.
>
> Anyway, for you security experts out there, somebody please have a look
> and tell me what this is, I already know it is really bad, the machine is
> toast, comes down now, and gets wiped for a new distro. No need to tell
> me that anymore, totally compromised, but anyway, have a look and ID this
> terrible stuff please, some kind of Trojan I think. I tarred it up and
> put it on my outsourced server at newsguy for somebody to anylize:
>
> http://www.cinmiester.com/temp/BadStuff.tgz
>
> Warning, these are executable files and could be very harmful, be careful
> when opening this mess up for a look! I copied it over to a Windows
> machine and opened the tgz file, will give you a dir listing so that you
> know what to expect:

[snip]

> What is this stuff and how did it get here? Some kind of remote VISA card
> exploit, no doubt. Yeah I know, the machine comes down, new one, etc. No
> need to tell me that anymore. FC3 already downloaded and CDs being burned
> for it right now. Thanks for your help.

Perhaps useful for future use?

http://www.google.com/search?&q=linux+clamav

Went here for ClamAV:
http://www.clamav.net/main.php

Uploaded BadStuff.tgz here:
http://test-clamav.power-netz.de/

Took less than 30 secs to confirm. These are the results:

[q]
COSS v0.1 (clamav online specimen scanner)
File is valid, and was successfully uploaded.
ClamAV Version running: ClamAV 0.83/861/Sat Apr 30 11:28:52 2005
ClamAV scans the file ...
Clamav-Output: /tmp/phpZQZUWx: Linux.RST.B FOUND
And found something: Linux.RST.B
Since clamav already recognizes the content you submitted there is no reason to resubmit it.
[eq]

Also this code:
http://help.darknet.dk/

The phpBB exploit (?):
* Affected Products *
phpBB version 2.0.12 and prior
http://www.frsirt.com/english/advisories/2005/0212
http://www.frsirt.com/exploits/20050...bsession.c.php
http://www.networksecurityarchive.or.../msg00083.html

Appears there's been a recent spike (this one was just handy):
http://www.trendmicro.com/vinfo/viru...ct=S&Period=1y
http://www.trendmicro.com/vinfo/viru...ST%2EB&VSect=T

As Mungo said, this one is nasty :(

Here are the IPs I could quickly find:
http://www.openrbl.org/ip/217/160/253/150.htm
http://www.openrbl.org/ip/195/204/1/130.htm
http://www.openrbl.org/ip/161/53/178/240.htm

And this was the domain of one of the logged emails(?)
http://www.flutterby.com/archives/comments/6535.html

Seems they were zapped some time ago -- again?

You might want to email the 4 above and offer some info, e.g., BadStuff.tgz;)

Good that you did not ignore this like some folks would have.

regards,
prg