Alternative for chattr
# 1  
Old 08-24-2019

Hello,
I'm working on a "remover script" which tries to remove the "kthrotlds MINER VIRUS".
In the next part of my remover script I have to work on the files that it destroyed;
the virus uses chattr to open and lock files and replace them with malicious content.

I'm looking for a solution to remove chattr and disable this command, and to use another alternative to lock files, with or without a password.
The virus has removed the files' content and replaced it with its code; the overwritten files are cron files.
# 2  
Old 08-24-2019
Implementing security personnel practices to prevent future infections

Pure opinion on my part:
The hackers who wrote the exploit have more than likely put it in all kinds of places. You miss one hiding place and your machine is still subject to disruption. You have a VERY small chance of purging everything.
Do this instead:
1. Restore the system to a known good backup
2. Implement security personnel practices to prevent future infections
3. Implement malware prevention code - there are freebies like ClamAV. See ClamavNet
4. Maintain a good periodic backup routine with mass storage devices kept securely out of harm's way.
# 3  
Old 08-25-2019
Hmm, have you read this article?
kthrotlds CVE-2019-10149 Exim/cPanel | Server 24/7
It's a new Bitcoin mining virus and I'm working hard to remove it, and yes, I succeeded, and I'm trying to write a shell script as a cleaner script, but my problem is the "chattr" command which is used by the virus.
I need a higher lock command or script to lock files, to prevent the virus from opening and locking files with the chattr command.
# 4  
Old 08-25-2019
Did you update/fix the exim?
Did you check/clean all the root crontab files? /etc/crontab, files in /var/spool/cron/ and /etc/cron.d/ and /etc/cron.{hourly,daily,weekly}/

chattr IS a higher command.
Once a file is made immutable by chattr it cannot be modified by the usual chmod/chown and setfacl commands.
# 5  
Old 08-25-2019
The version of the virus that our server and several servers around the world have been hacked by is more complicated than what they describe at that link,
so you mean there is no way to have a lock function instead of chattr?
It's stupid because the virus runs chattr -i itself to unlock files and import dirty code;
it unlocks the cron files and then locks them.
# 6  
Old 08-25-2019
Quote:
Originally Posted by nimafire
The version of the virus that our server and several servers around the world have been hacked by is more complicated than what they describe at that link,
so you mean there is no way to have a lock function instead of chattr?
It's stupid because the virus runs chattr -i itself to unlock files and import dirty code;
it unlocks the cron files and then locks them.
If you are being attacked or infected by malware which uses chattr, I suggest you create a wrapper around (or replace) chattr and log the events.

For example, I once was tracking malware which used curl, so I replaced curl with this:

Code:
cat /usr/bin/curl
#!/bin/sh
# Stand-in for curl: hands every invocation (arguments passed intact) to the PHP logger
/usr/bin/php  /usr/bin/mystuff.php  "$@"

Code:
cat  /usr/bin/mystuff.php
<?php
// Logger behind the curl stand-in: records every invocation, executes nothing.
error_reporting(0);   // stay silent so the caller sees no difference
//$ip = $_SERVER['REMOTE_ADDR'];
$ip = '';
$script = '';
$url = '';
// Request fields only exist under a web server; the "AND FALSE" keeps this
// branch disabled for the command-line case.
if(isset($_SERVER) AND FALSE)
{
$script = $_SERVER['SCRIPT_FILENAME'];
$url  = $_SERVER['REQUEST_URI'];
}
// Capture the whole argument vector as JSON so spacing and quoting survive.
$arg = json_encode($argv);
//error_log(date(DATE_RFC822)." ARGV ".$arg.' SCRIPT '.$script.' URI '.$url. "\n", 3, '/var/log/debug/my_hack_tripper_upper2.log');
// Message type 3 appends to the named file; the directory must already exist.
error_log(date(DATE_RFC822)." ARGV ".$arg."\n", 3, '/var/log/debugger/my_hack_tripper_upper.log');

?>

The reason for this is I want to know deeper what is going on when someone has managed to inject some malware onto a server. So, normally, if I find out the malware uses curl or chattr, for example, I will write a wrapper and log processes like in the example above.

If you follow the "anti malware instructions" they want you to kill everything and start deleting files.

I find it better to "trap and trace" before deleting and killing; especially if you are not running a process which is so critical that the malware is really doing major harm (at the time of discovery).

We used to call this strategy, which I developed in cyber defense two decades ago, "the blackhole strategy", which means using information to your advantage and not letting any hackers know you are on to them.

In your case, I do not know the criticality of your server, but if it was me; I would write a wrapper which logs as much information as I could and track down the processes which might be calling your process, etc.


In the case of my example code above, I do not exec curl because I had already tracked down the malware and finished my analysis, and so I did not need the binary wrapper, but only logging.

And so, since I do not require curl every day (and a lot of malware uses curl to download other malware), I simply log every time curl is called; and if I need curl in the shell I call it by some obscure name like "neo_curl", which is just curl copied to neo_curl.

You can consider the same or similar strategy for chattr.

In my long-in-the-tooth view of cyber defense, it is best to log, trap and trace hackers and malware versus just deleting and cleaning up quickly. You can gain a lot of knowledge about the malware if you trap and trace the processes, log the traps and traces, all without disrupting the malware process (or you can disrupt it if your risk mitigation policy dictates you must).

You can wrap and log or just log (as in the example above).

Cyber defense is a lot like kung fu - do not let your emotions or fear or anger control the situation. Use logic and the actions of the malware against the malware, keeping your cool and calm, to understand and defeat the malware, on your terms. As for me, I find anger, fear and emotional outbursts a sign of weakness (not strength). In cyber defense, you are in control. Trap and trace the malware and you can know how and when (and from where and perhaps by whom) it affects your system.

Hope that bit of knowledge was useful.

Cheers.
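The same "trap and trace" idea applied to chattr, as an added example that is not from the thread: a wrapper script that logs every call, tags the unlock-a-cron-file pattern described above, and then passes through to the real binary. It assumes the genuine binary has been renamed (not edited) to /usr/bin/chattr.real and that the log directory exists; REAL_CHATTR, TRACE_LOG, TRACE_ONLY and the function names are invented here.

```sh
#!/bin/sh
# Constructed example (not from the thread): a logging wrapper installed as
# /usr/bin/chattr. Assumes the genuine binary was moved aside to chattr.real
# (REAL_CHATTR) and that the directory named in TRACE_LOG is writable by root.
REAL_CHATTR="${REAL_CHATTR:-/usr/bin/chattr.real}"
TRACE_LOG="${TRACE_LOG:-/var/log/chattr-trace/chattr.log}"

# Succeed (return 0) only when the call both clears the immutable bit (-i, alone
# or combined as in -ia) and names a cron location: the unlock-then-rewrite step
# the thread attributes to the miner. Long options such as --version are ignored.
cron_unlock() {
    clears_i=1; cron_path=1
    for a in "$@"; do
        case "$a" in
            --*) ;;
            -*i*) clears_i=0 ;;
            /etc/crontab|/etc/cron.*|/var/spool/cron*) cron_path=0 ;;
        esac
    done
    [ "$clears_i" -eq 0 ] && [ "$cron_path" -eq 0 ]
}

# Append one record: UTC time, uid, pid, parent pid and command name, cwd, a tag,
# and the arguments individually quoted so paths with spaces stay readable.
log_call() {
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null | tr -d ' ')
    if cron_unlock "$@"; then tag=CRON_UNLOCK; else tag=call; fi
    printf '%s uid=%s pid=%s ppid=%s(%s) cwd=%s %s args=' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -u)" "$$" "$PPID" \
        "${parent:-?}" "$PWD" "$tag" >>"$TRACE_LOG"
    for a in "$@"; do printf " '%s'" "$a" >>"$TRACE_LOG"; done
    printf '\n' >>"$TRACE_LOG"
}

# Record the call, then hand over to the real chattr so legitimate administration
# keeps working. TRACE_ONLY=1 logs without executing, like the curl example.
main() {
    log_call "$@"
    [ -n "$TRACE_ONLY" ] && return 0
    exec "$REAL_CHATTR" "$@"
}

# Dispatch only when invoked under the chattr name; sourcing this file (for
# example to test the functions) just defines them.
case "$0" in
    *chattr*) main "$@" ;;
esac
```

Install with `mv /usr/bin/chattr /usr/bin/chattr.real` and place the script at /usr/bin/chattr; the log then names the parent process behind each unlock.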
# 7  
Old 08-27-2019
Hmm, awesome method, I hadn't heard about it.
And a question regarding your method:
most of the binaries are not writable to add this header:
Code:
cat /usr/bin/curl
#!/bin/sh
/usr/bin/php  /usr/bin/mystuff.php  "$@"

Like, check this:

Code:
[root@server bin]# vi /usr/bin/curl
^?ELF^B^A^A^@^@^@^@^@^@^@^@^@^B^@>^@^A^@^@^@é#@^@^@^@^@^@@^@^@^@^@^@^@^@°\^B^@^@^@^@^@^@^@^@^@@^@8^@    ^@@^@^^^@^]^@^F^@^@^@^E^@^@^@@^@^@^@^@^@^@^@@^@@^@^@^@^@^@@^@@^@^@^@^@^@ø^A^@^@^@^@^@^@ø^A^@^@^@^@^@^@^H^@^@^@^@^@^@^@^C^@^@^@^D^@^@^@8^B^@^@^@^@^@^@8^B@^@^@^@^@^@8^B@^@^@^@^@^@^\^@^@^@^@^@^@^@^\^@^@^@^@^@^@^@^A^@^@^@^@^@^@^@^A^@^@^@^E^@^@^@^@^@^@^@^@^@^@^@^@^@@^@^@^@^@^@^@^@@^@^@^@^@^@|D^B^@^@^@^@^@|D^B^@^@^@^@^@^@^@ ^@^@^@^@^@^A^@^@^@^F^@^@^@`M^B^@^@^@^@^@`Mb^@^@^@^@^@`Mb^@^@^@^@^@Ä^E^@^@^@^@^@^@ð^F^@^@^@^@^@^@^@^@ ^@^@^@^@^@^B^@^@^@^F^@^@^@xM^B^@^@^@^@^@xMb^@^@^@^@^@xMb^@^@^@^@^@<80>^B^@^@^@^@^@^@<80>^B^@^@^@^@^@^@^H^@^@^@^@^@^@^@^D^@^@^@^D^@^@^@T^B^@^@^@^@^@^@T^B@^@^@^@^@^@T^B@^@^@^@^@^@D^@^@^@^@^@^@^@D^@^@^@^@^@^@^@^D^@^@^@^@^@^@^@Påtd^D^@^@^@*,^B^@^@^@^@^@*,B^@^@^@^@^@*,B^@^@^@^@^@t^C^@^@^@^@^@^@t^C^@^@^@^@^@^@^D^@^@^@^@^@^@^@Qåtd^F^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^P^@^@^@^@^@^@^@Råtd^D^@^@^@`M^B^@^@^@^@^@`Mb^@^@^@^@^@`Mb^@^@^@^@^@*^B^@^@^@^@^@^@*^B^@^@^@^@^@^@^A^@^@^@^@^@^@^@/lib64/ld-linux-x86-64.so.2^@^D^@^@^@^P^@^@^@^A^@^@^@GNU^@^@^@^@^@^B^@^@^@^F^@^@^@ ^@^@^@^D^@^@^@^T^@^@^@^C^@^@^@GNU^@qp<9a><92>û@<89>:¹û{®x<8c>ûÏ<96>^X<8f>^C^C^

Moderator's Comments:
Use [icode] tags for small command names or small outputs, not for complete code, please.
