A few days ago (June 19) a server that I manage suffered an attack.
Analyzing the log, I discovered that there were several access attempts from a web scanner called w00tw00t.at.ISC.SANS.DFind.
I set the firewall to prevent further visits from this scanner.
The problem is that the server is compromised, however, in the sense that surely someone has gained access to the server and has damaged something.
In fact, everything worked except postfix.
If I try to start it, it gives me this error:
Code:
root@ns228442:~# /etc/init.d/postfix start
* Starting Postfix Mail Transport Agent postfix
/etc/init.d/postfix: line 39: /bin/sed: cannot execute binary file
root@ns228442:~# sh sed
/bin/sed: /bin/sed: cannot execute binary file
root@ns228442:~# sed
-bash: /bin/sed: cannot execute binary file
root@ns228442:~# sh -c sed
sh: /bin/sed: cannot execute binary file
I tried reinstalling postfix, but it was deleted, and some modules from plesk were also deleted; in fact plesk now will not start and the sites hosted on the server are not online.
If I try to re-install postfix or plesk, it always gives me the error "cannot execute binary file" on some commands, such as "sed" and "tar".
Then, analyzing the bin folder, I discovered that a number of executables have certainly been compromised; in fact they were modified on the date of the attack:
Code:
root@ns228442:/var/log# ls -l /bin | grep 'Jun 19'
-rwsr-sr-x 1 root root 20971 Jun 19 07:41 bleah
-rwxr-xr-x 3 root root 35272 Jun 19 07:41 bunzip2
-rwxr-xr-x 3 root root 35272 Jun 19 07:41 bzcat
-rwxr-xr-x 3 root root 35272 Jun 19 07:41 bzip2
-rwxr-xr-x 1 root root 113744 Jun 19 07:41 cp
-rwxr-xr-x 1 root root 14520 Jun 19 07:41 dbus-uuidgen
-rwxr-xr-x 4 root root 18832 Jun 19 07:41 dnsdomainname
-rwxr-xr-x 4 root root 18832 Jun 19 07:41 domainname
-rwxr-xr-x 1 root root 43424 Jun 19 07:41 echo
-rwsr-xr-x 1 root root 35480 Jun 19 07:41 fusermount
-rwxr-xr-x 1 root root 68264 Jun 19 07:41 gzip
-rwxr-xr-x 1 root root 153592 Jun 19 07:41 less
-rwxr-xr-x 1 root root 14600 Jun 19 07:41 lessecho
-rwxr-xr-x 1 root root 49088 Jun 19 07:41 login
-rwxr-xr-x 1 root root 101448 Jun 19 07:41 mv
-rwxr-xr-x 1 root root 39488 Jun 19 07:41 nc.openbsd
-rwxr-xr-x 1 root root 17427 Jun 19 07:41 netstat
-rwxr-xr-x 4 root root 18832 Jun 19 07:41 nisdomainname
-rwxr-xr-x 1 root root 39512 Jun 19 07:41 plymouth
-rwxr-xr-x 1 root root 23304 Jun 19 07:41 run-parts
-rwxr-xr-x 1 root root 73184 Jun 19 07:41 sed
-rwxr-xr-x 1 root root 348784 Jun 19 07:41 tar
-rwxr-xr-x 1 root root 39312 Jun 19 07:41 true
-rwxr-xr-x 1 root root 18808 Jun 19 07:41 ulockmgr_server
-rwsr-xr-x 1 root root 60776 Jun 19 07:41 umount
-rwxr-xr-x 1 root root 118128 Jun 19 07:41 vdir
-rwxr-xr-x 4 root root 18832 Jun 19 07:41 ypdomainname
All these listed executables do not work (they give the error indicated).
Code:
root@ns228442:~# ldd /etc/init.d/postfix
not a dynamic executable
root@ns228442:~# ldd /bin/sed
not a dynamic executable
root@ns228442:~# file /bin/sed
/etc/magic, 4: Warning: using regular magic file `/usr/share/misc/magic'
/bin/sed: data
How do I restore these damaged executables?
I await help urgently!
Thank you!
P.S. here is more info that may be useful about the server:
Code:
root@ns228442:/bin# cat /proc/version
Linux version 2.6.38.2-xxxx-std-ipv6-64 (root@kernel-64.ovh.net) (gcc version 4.3.2 (Debian 4.3.2-1.1) ) #2 SMP Thu Aug 25 16:43:23 UTC 2011
root@ns228442:/bin# cat /etc/issue
Ubuntu 10.04.4 LTS \n \l
root@ns228442:/bin# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.4 LTS"
Agreed, you do not 'repair' after your box has been rooted, since anything could have been violated, including the ability of the box to properly analyze or repair itself.
Last edited by Corona688; 06-24-2013 at 01:15 PM..
To reiterate what Corona said, your machine is not trustworthy. Do not believe anything it says.
You cannot trust what ls says because ls itself may have been modified. Even if ls is trustworthy, if the kernel has been modified, then the stat system call that ls uses to obtain file metadata (which includes timestamps) cannot be trusted.
As an aside, your ls command is using modification times to identify compromised executables. Even if ls and the kernel can be trusted, mtimes can be trivially forged with privilege and a system call. While ctimes are not normally forgeable in that way, given root and malicious intent, metadata can be modified arbitrarily.
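An offline check of the kind the replies point toward, added here as an example and not taken from the thread: from trusted rescue media, with the suspect disk mounted read-only, compare each binary against a SHA-256 manifest produced on a clean install of the same package versions and flag files whose ELF header is gone (what file /bin/sed reporting "data" means). The manifest format, the mount path and the sample files are constructed for illustration.

```python
import hashlib, stat, tempfile
from pathlib import Path
# Run from trusted rescue media with the suspect disk mounted read-only;
# nothing on that disk is executed, its files are only read and hashed.
ELF_MAGIC = b"\x7fELF"

def load_manifest(text):
    # "digest  path" lines as sha256sum writes them, produced on a clean
    # install of the same package versions, never on the suspect box.
    manifest = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, rel = line.strip().partition("  ")
            manifest[rel] = digest.lower()
    return manifest

def triage(mount_root, manifest):
    # Returns {manifest path: verdict}. lstat() means a planted symlink is
    # reported rather than followed off the mounted disk.
    results = {}
    for rel, good in manifest.items():
        path = Path(mount_root, rel.lstrip("/"))
        try:
            st = path.lstat()
        except FileNotFoundError:
            results[rel] = "missing"
            continue
        if not stat.S_ISREG(st.st_mode):
            results[rel] = "not-regular-file"
        elif (data := path.read_bytes())[:4] != ELF_MAGIC:
            # the "cannot execute binary file" / file(1) "data" symptom
            results[rel] = "not-elf"
        elif hashlib.sha256(data).hexdigest() != good:
            results[rel] = "hash-mismatch"
        else:
            results[rel] = "ok"
    return results

def demo():
    # Constructed mini root (not a real system): one intact entry, one
    # overwritten with non-ELF junk like /bin/sed above, one missing.
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "bin").mkdir()
    clean = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + b"constructed clean body"
    (root / "bin" / "true").write_bytes(clean)
    (root / "bin" / "sed").write_bytes(b"\x00\x00junk file(1) would call data")
    manifest = load_manifest("%s  /bin/true\n%s  /bin/sed\n%s  /bin/tar\n"
                             % (hashlib.sha256(clean).hexdigest(), "0" * 64, "1" * 64))
    return triage(root, manifest)
```

A clean result only covers the listed files and says nothing about the kernel or the rest of the system the replies warn about; it is evidence for the post-mortem, not a substitute for rebuilding.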