New Root Kit Going Around


Recommended Posts

There is a MAJOR Root Kit going around.

It will infect the server at kernel binary level, infected our server on Centos 5 running Cpanel 11 fully updated mind you (it's NOT just limited to CPANEL servers so watch out please!)

Others have been infected on fedora etc, so it's not a distro thing.

Once this is done it will on the fly randomly inject javascript into any site requests that are called. It wont change any user files.

The javascript call looks something like this

<script language='JavaScript' type='text/javascript' src='avabf.js'></script>

The javascript will be random letters like that and will of course not exists. It will be detected as a trojan on some antivirus scanners or if your using IE7

Look like this

http://img296.imageshack.us/my.php?image=errorst5.jpg

Now i might add that ossec rkhunter chkrootkit will not find anything. The rootkit will also be hidden.

Also you will find that once you are infected it wont let you make any folders with numbers. This i might add is the same for SSH logins with root and those from FTP and so on

The exact error will be

mkdir 12345 mkdir: cannot create directory `12345': No such file or directory

From what i have seen really the only effective way to remove it, is to do an OS reload. There is alot of talk about this on WHT under here:

http://www.webhostingtalk.com/showthread.php?t=661900

http://www.webhostingtalk.com/showthread.php?t=651748

http://www.unix.com/unix-advanced-expert-u...ctory-name.html

Link to comment
Share on other sites

You got an OS reload like we were talking about on the IRC, right?

Yes we did, best way to ensure the system is clean.

Also got in someone to help secure the box this time around.

Seems to be hitting a lot of servers and the worrying thing is somehow its replacing system binaries so that it gets loaded on bootup.

At the moment running a kernel (probably a good idea to have a monolithic kernel, i.e no module support) that's patched to prevent writing to the kernel memory space (/dev/kmem? /dev/mem?) seems to stop it from loading although I don't think it stops it being put there just means its unable to load itself on bootup.

From what people over at WHT are saying however once infected and loaded into the system it makes it rather hard to build a new kernel though you have to build the kernel on another machine.and then load it onto the machine.

It's a real nasty piece of work.

http://www.theregister.co.uk/2008/01/11/my..._web_infection/

http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.