Hello
I'm working on a "remover script" which tries to remove the "kthrotlds MINER VIRUS".
In the next part of my remover script I have to work on the files that it destroyed;
the virus uses chattr to open and lock files and replace them with malicious content.
I'm looking for a solution to remove chattr and disable this command, and use another alternative to lock files, with or without a password.
The virus has removed the files' content and replaced it with its code; the overwritten files are cron files.
Pure opinion on my part:
The hackers who wrote the exploit have more than probably put it in all kinds of places. Miss one hiding place and your machine is still subject to disruption. You have a VERY small chance of purging everything.
Do this instead:
1. Restore the system to a known-good backup.
2. Implement security personnel practices to prevent future infections.
3. Implement malware prevention code; there are freebies like ClamAV. See ClamavNet.
4. Maintain a good periodic backup routine, with mass storage devices kept securely out of harm's way.
Mm, have you read this article? kthrotlds CVE-2019-10149 Exim/cPanel | Server 24/7
It's a new Bitcoin mining virus and I'm working hard to remove it, and yes, I've succeeded, and I'm trying to write a shell script as a cleaner script, but my problem is the "chattr" command which is used by the virus.
I need a higher lock command or script to lock files, to prevent the virus from opening and locking files with the chattr command.
Did you update/fix Exim?
Did you check/clean all the root crontab files? /etc/crontab, the files in /var/spool/cron/ and /etc/cron.d/, and /etc/cron.{hourly,daily,weekly}/
chattr IS a higher command.
Once a file is made immutable by chattr it cannot be modified by the usual chmod/chown and setfacl commands.
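An added example (not code from the thread) for the check the reply asks about: walk the root cron locations it names, run `lsattr -d` on each, and report which ones carry the immutable attribute, which a legitimately installed cron file should not have. The cron paths are the ones listed in the reply plus the usual per-user spool and cron.monthly locations; the `stat -c` format assumes GNU coreutils, and `lsattr` comes from e2fsprogs. The parsing helpers are exercised on constructed `lsattr` lines so the logic can be checked without touching a real system.

```shell
#!/bin/sh
# Added example: audit cron files for the immutable attribute.
# Assumes GNU coreutils (stat -c) and e2fsprogs (lsattr); paths per the reply above.

# Emit the cron paths that exist, so lsattr is never handed an absent file.
cron_paths() {
    for p in /etc/crontab /var/spool/cron/* /var/spool/cron/crontabs/* \
             /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Parse one line of `lsattr -d` output, e.g. "----i---------e------- /etc/crontab",
# and return 0 when the attribute letter in $1 appears in the flag field.
lsattr_has_flag() {
    flag=$1; line=$2
    flags=${line%% *}            # first field is the attribute string
    case "$flags" in
        *"$flag"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# The path part of an lsattr line (everything after the first space).
lsattr_path() {
    printf '%s\n' "${1#* }"
}

# Print "IMMUTABLE <mtime> <owner> <path>" for every cron file with the i bit set;
# the mtime and owner tell you when the file was last rewritten and by whom.
audit_cron_immutable() {
    paths=$(cron_paths)
    [ -n "$paths" ] || { echo "no cron files found"; return 0; }
    # shellcheck disable=SC2086  # word splitting on the newline-separated list is intended
    lsattr -d $paths 2>/dev/null | while IFS= read -r line; do
        if lsattr_has_flag i "$line"; then
            f=$(lsattr_path "$line")
            printf 'IMMUTABLE %s %s\n' "$(stat -c '%y %U' "$f")" "$f"
        fi
    done
    return 0
}

# Run the audit only when asked for explicitly, so the file can be sourced for testing.
case "${1:-}" in
    --audit) audit_cron_immutable ;;
esac
```

Run it as root with `sh cron_audit.sh --audit`; anything it lists needs `chattr -i`, a content review (diff against a package copy or a backup), and then a decision on whether to restore rather than keep it. A clean result does not prove the box is clean: this only covers the bit the reply asked about, not other persistence locations.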
The version of the virus by which our server and several servers around the world have been hacked is more complicated than what they describe at that link.
So you mean there is no way to have a lock function instead of chattr?
It's stupid, because the virus runs chattr -i itself to unlock the files and import dirty code;
it unlocks the cron files and then locks them.
Quote:
Originally Posted by nimafire
The version of the virus by which our server and several servers around the world have been hacked is more complicated than what they describe at that link.
So you mean there is no way to have a lock function instead of chattr?
It's stupid, because the virus runs chattr -i itself to unlock the files and import dirty code;
it unlocks the cron files and then locks them.
If you are being attacked or infected by malware which uses chattr, I suggest you create a wrapper around (or replace) chattr and log the events.
For example, I once was tracking malware which used curl, so I replaced curl with this:
The reason for this is that I want to know in more depth what is going on when someone has managed to inject some malware onto a server. So, normally, if I find out the malware uses curl or chattr, for example, I will write a wrapper and log processes like in the example above.
If you follow the "anti-malware instructions" they want you to kill everything and start deleting files.
I find it better to "trap and trace" before deleting and killing, especially if you are not running a process which is so critical that the malware is really doing major harm (at the time of discovery).
We used to call this strategy, which I developed in cyber defense two decades ago, "the blackhole strategy", which means using information to your advantage and not letting any hackers know you are on to them.
In your case, I do not know the criticality of your server, but if it were me, I would write a wrapper which logs as much information as I could and track down the processes which might be calling your process, etc.
In the case of my example code above, I do not exec curl because I had already tracked down the malware and finished my analysis, and so I did not need the binary wrapper, but only logging.
And so, since I do not require curl every day (and a lot of malware uses curl to download other malware), I simply log every time curl is called; and if I need curl in the shell I call it by some obscure name like "neo_curl", which is just curl copied to neo_curl.
You can consider the same or a similar strategy for chattr.
In my long-in-the-tooth view of cyber defense, it is best to log, trap and trace hackers and malware rather than just deleting and cleaning up quickly. You can gain a lot of knowledge about the malware if you trap and trace the processes, log the traps and traces, all without disrupting the malware process (or you can disrupt it if your risk mitigation policy dictates you must).
You can wrap and log, or just log (as in the example above).
Cyber defense is a lot like kung fu: do not let your emotions or fear or anger control the situation. Use logic and the actions of the malware against the malware, keeping your cool and calm, to understand and defeat the malware on your terms. As for me, I find anger, fear and emotional outbursts a sign of weakness (not strength). In cyber defense, you are in control. Trap and trace the malware and you can know how and when (and from where and perhaps who) it affects your system.
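As an added example that is not the curl wrapper from the post above (that code is not shown here), this is the same "trap and trace" idea applied to chattr in POSIX sh: a wrapper installed under the chattr name that records who called it, from which parent process, in which directory and with which arguments, and flags the exact pattern nimafire describes (`chattr -i` on a cron file before rewriting it). The real binary is assumed to have been copied beforehand to the obscure name `/usr/bin/neo_chattr`, and the log path `/var/log/chattr_trap.log` is likewise an assumption; both can be overridden through environment variables. By default it only logs and returns success without touching the file, which is the log-only mode the post ends up with for curl; `CHATTR_TRAP_MODE=passthrough` execs the real binary after logging.

```shell
#!/bin/sh
# Added example: logging wrapper to install at /usr/bin/chattr.
# Assumes the real chattr was first copied to REAL_CHATTR (hypothetical name).

REAL_CHATTR="${REAL_CHATTR:-/usr/bin/neo_chattr}"        # assumed renamed copy of chattr
LOG_FILE="${CHATTR_TRAP_LOG:-/var/log/chattr_trap.log}"  # assumed log location

# Command line of the calling process: /proc on Linux, ps elsewhere.
parent_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null || true
    fi
}

# Build one log record: who called us, from where, and with what arguments.
# Usage: format_record PID PPID UID CWD [chattr args...]
format_record() {
    pid=$1; ppid=$2; uid=$3; cwd=$4; shift 4
    printf '%s pid=%s ppid=%s uid=%s cwd=%s parent=[%s] args=[%s]\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$pid" "$ppid" "$uid" "$cwd" \
        "$(parent_cmdline "$ppid")" "$*"
}

# True when the call clears the immutable bit on a cron path. Long options such
# as --version are skipped; any other '-' mode string containing 'i' (-i, -ia,
# "-R -i" ...) counts as an unlock. Patterns in case match '/' as well.
flags_suspicious() {
    unlock=1; cron=1
    for a in "$@"; do
        case "$a" in
            --*)  ;;
            -*i*) unlock=0 ;;
            /etc/crontab|/etc/cron.*|/var/spool/cron*) cron=0 ;;
        esac
    done
    if [ "$unlock" -eq 0 ] && [ "$cron" -eq 0 ]; then return 0; fi
    return 1
}

chattr_wrapper() {
    rec=$(format_record "$$" "$PPID" "$(id -u)" "$PWD" "$@")
    printf '%s\n' "$rec" >> "$LOG_FILE" 2>/dev/null || printf '%s\n' "$rec" >&2
    if flags_suspicious "$@"; then
        logger -t chattr_trap "$rec" 2>/dev/null || true   # also to syslog when available
    fi
    case "${CHATTR_TRAP_MODE:-log-only}" in
        passthrough) exec "$REAL_CHATTR" "$@" ;;
        *)           return 0 ;;   # log-only: caller sees success, file is untouched
    esac
}

# Act only when invoked under the chattr name, so sourcing the file for
# testing or inspection does not run the wrapper.
case "${0##*/}" in
    chattr) chattr_wrapper "$@" ;;
esac
```

Installation is the same as for the curl case: `cp /usr/bin/chattr /usr/bin/neo_chattr`, put this file at `/usr/bin/chattr` owned by root with mode 0755, and use `neo_chattr` yourself. Two caveats a practitioner should keep in mind: this is a trap, not a lock, because anything running as root can call the renamed binary, bring its own static chattr, or set the attribute through the ioctl directly without going near this file; and the `parent=` field only tells you the immediate caller, so follow the `ppid` chain in the log (or in `ps -ef` while the process is still alive) to reach the cron entry or dropper that started it.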