![]() |
Hello and Welcome from United States to the UNIX and Linux Forums! Thank You for Visiting and Joining Our Global Community.
|
|
google unix.com
|
|||||||
| Forums | Register | Forum Rules | Links | Albums | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
| UNIX for Advanced & Expert Users Expert-to-Expert. Learn advanced UNIX, UNIX commands, Linux, Operating Systems, System Administration, Programming, Shell, Shell Scripts, Solaris, Linux, HP-UX, AIX, OS X, BSD. |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Unable to chmod a file/directory | lyonsd | SUN Solaris | 12 | 04-27-2009 05:08 AM |
| Unable to view files in a particular directory under /opt | its.simron | UNIX for Dummies Questions & Answers | 1 | 05-21-2008 10:02 AM |
| Unable to view files in a particular directory under /opt | its.simron | Linux | 1 | 05-21-2008 09:59 AM |
| Unable to see all file in a current directory | srikanthus2002 | Shell Programming and Scripting | 3 | 09-27-2006 04:07 AM |
| unable to create directory in /apps | jkrotz | UNIX for Dummies Questions & Answers | 2 | 12-31-2003 10:10 PM |
![]() |
|
|
LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
|
||||
|
Does anybody have a copy of the 'mount' binary which was on these systems? Even a copy from backup is fine. I honestly suspect a rootkit being involved in this issue as I have seen it before. Looks like a number of binaries are involved, mount being one of them (due to how early it is called during bootup).
If you do have a copy from these systems, I would recommend you examine the impacted system's from another good kernel and then look for the binaries. You should find the 'mount' binary, another mount binary with what looks like a hash string appended to the end of the name, and then another empty mount file with another hash appended to the name. This seems to be the indicator that the system truly is infected. Please post the binary to this forum, or PM me if you can supply me with a copy for analysis. I am interested to know if this is the same exact MD5 hash I found or not. Would really like to identify this particular rootkit and get some signatures out there so other people can find it easier. |
|
||||
|
our compromised system
We're having this problem as well, also on RHEL4. Does anyone have an idea of how their machines were compromised initially? We don't want to open up the same vulnerability again. I've attached the three /bin/mount* files we found on the compromised machine. There were other similarly compromised binaries as well, such as touch, basename and cat.
-Tom Moderator's note: I have just approved the attachment so it should now be available for downloading. Download it with caution! It is suspected of being malware. --- Perderabo Last edited by Perderabo; 12-17-2007 at 08:25 PM.. Reason: Approve attachment |
|
||||
|
Rootkit with infected mount binary
Our system are compromised with this rootkit. We followed the recommendation from Hookups and found the mount binary with what looks like a hash string appended to the end. We could not find any infor about this on the internet. If you have any additional information regarding this root kit please let us know. Your help is greatly appreciated.
Daisy |
|
|||||
|
This is not certain to be the same rootkit, this is pretty much standard MO for a rootkit.
This article is helpful on the subject of cleanup and evidence gathering: http://www.honeynet.org/challenge/re...y/evidence.txt |
|
||||
|
The posted binary is not the exact same as md5sums do not match. However, the file size is spot on. Also the same characteristics. Namely, the binary looks to be broken, but still loadable by the linux kernel:
--- [badfile@host badfiles]$ readelf -a ./mount ELF Header: Magic: 7f 45 4c 46 00 00 00 00 00 00 00 00 00 00 00 00 Class: none Data: none Version: 0 OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x1df26054 Start of program headers: 52 (bytes into file) Start of section headers: 0 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 1 Size of section headers: 0 (bytes) Number of section headers: 0 Section header string table index: 0 There are no sections in this file. There are no section groups in this file. Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x1df26000 0x1df26000 0x8453f 0x13e000 RWE 0x1000 There is no dynamic section in this file. There are no relocations in this file. There are no unwind sections in this file. No version information found in this file. [badfile@host badfiles]$ objdump -d ./mount objdump: ./mount: File format not recognized [badfile@host badfiles]$ file ./mount mount: ELF invalid class invalid byte order (SYSV) --- strace as unprivileged user show one system call to 'sysinfo()' with the argument of '0'. It returns an error: --- [badfile@host evil_mount]$ strace ./mount execve("./mount", ["./mount"], [/* 22 vars */]) = 0 sysinfo(0) = -1 EFAULT (Bad address) --- Going to look further into the binary from an analysis workstation I have setup and see if I can get any more information. Cheers, Hookups |
|
||||
|
Does anyone have anymore information on this one, as I seem to have it on one of my servers...
Thanks |
| Sponsored Links | ||
|
|
![]() |
| Bookmarks |
| Tags |
| linux, perl, perl shift, shift, shift perl |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|