The version of the virus that our server and several servers around the world have been hacked by is more complicated than what they describe on that link,
so you mean there is no way to have a lock function instead of chattr?
It's stupid because the virus runs chattr -i itself to unlock files and import dirty code;
it unlocks the cron files and then locks them again.
If you are being attacked or infected by malware which uses chattr, I suggest you create a wrapper around (or replace) chattr and log the events.
For example, I once was tracking malware which used curl, so I replaced curl with this:
The reason for this is I want to know deeper what is going on when someone has managed to inject some malware onto a server. So, normally, if I find out the malware uses curl or chattr, for example, I will write a wrapper and log processes like in the example above.
If you follow the "anti malware instructions" they want you to kill everything and start deleting files.
I find it better to "trap and trace" before deleting and killing; especially if you are not running a process which is so critical that the malware is really doing major harm (at the time of discovery).
We used to call this strategy, which I developed in cyber defense two decades ago, "the blackhole strategy", which means to use information to your advantage and not let any hackers know you are on to them.
In your case, I do not know the criticality of your server, but if it was me; I would write a wrapper which logs as much information as I could and track down the processes which might be calling your process, etc.
In the case of my example code above, I do not exec curl because I had already tracked down the malware and finished my analysis, so I did not need the binary wrapper, but only logging.
And so, since I do not require curl every day (and a lot of malware uses curl to download other malware), I simply log every time curl is called; and if I need curl in the shell I call it from some obscure name like "neos_curl", which is just curl copied to neos_curl.
You can consider the same or similar strategy for chattr.
In my long-in-the-tooth view of cyber defense, it is best to log, trap and trace hackers and malware rather than just deleting and cleaning up quickly. You can gain a lot of knowledge about the malware if you trap and trace the processes, log the traps and traces, all without disrupting the malware process (or you can disrupt it if your risk mitigation policy dictates you must).
You can wrap and log or just log (as in the example above).
Cyber defense is a lot like kung fu - do not let your emotions or fear or anger control the situation. Use logic and the actions of the malware against the malware, keeping your cool and calm, to understand and defeat the malware, on your terms. As for me, I find anger, fear and emotional outbursts a sign of weakness (not strength). In cyber defense, you are in control. Trap and trace the malware and you can know how and when (and from where and perhaps who) it affects your system.
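One way to build the "trap and trace" wrapper the reply describes, as an added example rather than the poster's own script: installed under the name chattr, it records who called it (uid, pid, parent command line, working directory and arguments) before either passing the call through to the relocated real binary or swallowing it in log-only mode. The paths /usr/local/sbin/neos_chattr and /var/log/chattr-wrapper.log and the WRAP_EXEC switch are assumptions chosen for this example.

```shell
#!/bin/sh
# Logging wrapper installed in place of /usr/bin/chattr (added example, not from the post).
# Assumptions (all placeholders): the real binary has been moved to $REAL_CHATTR,
# records go to $CHATTR_WRAPPER_LOG, and WRAP_EXEC=1 passes the call through
# while WRAP_EXEC=0 only logs it (the "log only" mode the reply describes).
REAL_CHATTR="${REAL_CHATTR:-/usr/local/sbin/neos_chattr}"
CHATTR_WRAPPER_LOG="${CHATTR_WRAPPER_LOG:-/var/log/chattr-wrapper.log}"
WRAP_EXEC="${WRAP_EXEC:-1}"

# Best-effort command line of the parent process (Linux /proc, ps fallback).
parent_cmdline() {
    if [ -r "/proc/$PPID/cmdline" ]; then
        tr '\0' ' ' < "/proc/$PPID/cmdline"
    else
        ps -o comm= -p "$PPID" 2>/dev/null
    fi
}

# Append one record for this invocation and print it; the arguments are the
# arguments the caller passed to "chattr".
log_chattr_call() {
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) uid=$(id -u) pid=$$ ppid=$PPID"
    line="$line parent=\"$(parent_cmdline | tr -d '\n')\" cwd=\"$PWD\" args=\"$*\""
    printf '%s\n' "$line" >> "$CHATTR_WRAPPER_LOG"
    printf '%s\n' "$line"
}

# Count how many logged calls mention a given path, e.g. the cron files the
# original poster saw being unlocked and relocked.
count_calls_touching() {
    grep -c -F -- "$1" "$CHATTR_WRAPPER_LOG" 2>/dev/null || true
}

wrapper_main() {
    log_chattr_call "$@" >/dev/null
    if [ "$WRAP_EXEC" = 1 ] && [ -x "$REAL_CHATTR" ]; then
        exec "$REAL_CHATTR" "$@"
    fi
    exit 0   # log-only mode: the call is recorded but nothing is changed
}

# Only act as the wrapper when invoked under the name chattr (i.e. installed
# at /usr/bin/chattr); sourcing the file just defines the functions.
case "$0" in
    */chattr|chattr) wrapper_main "$@" ;;
esac
```

With WRAP_EXEC=1 normal administration keeps working while every call, including the malware's chattr -i on the cron files, leaves a line naming the parent process that issued it.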