What to do and how to boot after virus attack (mihai)?
Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated. At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai. I'm not sure, but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).

Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper. Now the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:

mounting local filesystems
proc on /proc type proc (rw)

Then the server hangs. How can I get the server up again?

It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.

I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
- New Install: will create new partitions and overwrite my HD!?!
- Update existing system: does not boot (same as normal boot from disk)
- Start installed system: does not boot (same as normal boot from disk)

What can I do? Any hints are welcome.

This is what /mihai/inst looks like:
---------------------------------------------------------------
#/bin/bash
echo "Start Daemon"
sleep 1
./kill
cp -f mihai /usr/bin/wrapper
cp -f mihai /usr/sbin/wrapper
sleep 1
wrapper
chattr -AacdisSu /etc/rc.d/rc.sysinit
echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
echo >>/etc/rc.d/rc.sysinit wrapper
sleep 1
rm -rf mihai.tgz
rm -rf mihai
echo "Done"
---------------------------------------------------------------

Does anybody know this virus?

Peter
On Friday 13 June 2003 9:18 am, Peter Gloor wrote:
> Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
> At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
> I'm not sure, but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).
> Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
> Now the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:
> mounting local filesystems
> proc on /proc type proc (rw)
> Then the server hangs. How can I get the server up again?
> It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
> I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
> - New Install: will create new partitions and overwrite my HD!?!
No, it doesn't need to. You can specify on a fs-by-fs basis which filesystems to reformat. This is _certainly_ what you want. Tell it to reformat all other fs's, BTW, just to be sure.
> What can I do? Any hints are welcome.
See above. Make _sure_ to:
1. Unplug this box from the 'net until you're ready.
2. Never run the box w/o the firewall (you probably already figured this out, though, didn't you?!!).
3. Make _sure_ that you install _all_ security related updates from SuSE.
4. Consider updating to SuSE 8.2 -- because it's based on newer code, the list of updates that you'll need to install is smaller. Maybe this incident will give you a good excuse to do that.
> Does anybody know this virus?
I don't think that it's a virus; you've been hacked by a script kiddie, probably. I really hope this helps. -Nick
On Fri, 2003-06-13 at 16:18, Peter Gloor wrote:
> Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
> At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
Neither rc.sysinit nor /usr/(s)bin/wrapper exist in SuSE; I think that virus expected either a Red Hat or Mandrake machine.
> It doesn't matter to me if I have to reinstall all software as
I think that's advisable. If your machine has been cracked, you shouldn't trust any executables on it.
> long as I don't need to destroy my partitions and, more
How do you mean destroy? You don't have to repartition your machine, but IMHO it's advisable to reformat your system partitions. I hope your data is on their own partitions.
> important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
> I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
> - New Install: will create new partitions and overwrite my HD!?!
That is the default, but in the "expert" section of the partitioning tool you can select exactly what you want to do, including (if you really want to) not reformatting at all.
> Does anybody know this virus?
Never heard of it, and a Google search doesn't turn up anything immediately obvious. Maybe you should send a post to suse-security and/or bugtraq?
On Friday 13 June 2003 15:18, Peter Gloor wrote:
> Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
> At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
> I'm not sure, but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).
> Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
> Now the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:
> mounting local filesystems
> proc on /proc type proc (rw)
> Then the server hangs. How can I get the server up again?
> It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
I would move all the data off the machine and reformat everything by doing a clean install. Only way to be sure (see Hicks' conversation with Ripley, Aliens). Then check the data out and move it back onto the disk once you're confident there's nothing in the data files that could have been planted by the nasties. I don't fancy any of the other 'partial' reinstalls at all, because you'd never be certain ...

HTH
Fergus
> I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
> - New Install: will create new partitions and overwrite my HD!?!
> - Update existing system: does not boot (same as normal boot from disk)
> - Start installed system: does not boot (same as normal boot from disk)
> What can I do? Any hints are welcome.
> This is what /mihai/inst looks like:
> ---------------------------------------------------------------
> #/bin/bash
> echo "Start Daemon"
> sleep 1
> ./kill
> cp -f mihai /usr/bin/wrapper
> cp -f mihai /usr/sbin/wrapper
> sleep 1
> wrapper
> chattr -AacdisSu /etc/rc.d/rc.sysinit
> echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
> echo >>/etc/rc.d/rc.sysinit wrapper
> sleep 1
> rm -rf mihai.tgz
> rm -rf mihai
> echo "Done"
> ---------------------------------------------------------------
> Does anybody know this virus?
> Peter
--
Fergus Wilde
Chetham's Library, Long Millgate, Manchester M3 1SB
Tel: +44 161 834 7961  Fax: +44 161 839 5797
http://www.chethams.org.uk
I am a little puzzled about this attack. To take sendmail, in my system (8.0) the permissions and ownership for sendmail are:

-r-xr-sr-x 1 root mail

As I understand matters, to overwrite sendmail as configured above requires root access, and the directory in which it is kept (/sbin) is only root writeable. How can a process gain root access unless it exploits a process or program that runs under root? Was someone able to telnet or ssh in and then switch user to root? Perhaps the experts can enlighten us.

Basil Fowler

On Friday 13 Jun 2003 14:18, Peter Gloor wrote:
> Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
> At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
> I'm not sure, but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).
> Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
> Now the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:
> mounting local filesystems
> proc on /proc type proc (rw)
> Then the server hangs. How can I get the server up again?
> It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
> I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
> - New Install: will create new partitions and overwrite my HD!?!
> - Update existing system: does not boot (same as normal boot from disk)
> - Start installed system: does not boot (same as normal boot from disk)
> What can I do? Any hints are welcome.
> This is what /mihai/inst looks like:
> ---------------------------------------------------------------
> #/bin/bash
> echo "Start Daemon"
> sleep 1
> ./kill
> cp -f mihai /usr/bin/wrapper
> cp -f mihai /usr/sbin/wrapper
> sleep 1
> wrapper
> chattr -AacdisSu /etc/rc.d/rc.sysinit
> echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
> echo >>/etc/rc.d/rc.sysinit wrapper
> sleep 1
> rm -rf mihai.tgz
> rm -rf mihai
> echo "Done"
> ---------------------------------------------------------------
> Does anybody know this virus?
> Peter
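Basil's question above, together with Peter's report of a sendmail binary with a fresh date and a larger size and of lines appended to rc.sysinit, comes down to one defensive practice: keep a manifest of file hashes and permission bits recorded on a clean system, and compare it against the suspect disk from a rescue boot rather than trusting any tool on the rooted system. The Python below is an added example written for this thread, not code from any of the posters or from SuSE; the directory tree, file contents and modes it builds under a temporary directory are constructed to mirror the incident (a replaced sendmail, a new setuid "wrapper").

```python
import hashlib
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def build_manifest(root):
    """Record SHA-256, size and permission bits of every regular file under
    root, keyed by path relative to root, so that a manifest taken from a
    rescue-mounted disk can be compared with one taken from a clean install."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = {
                "sha256": digest, "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def compare_manifests(baseline, current):
    """Return files whose content or mode changed, appeared or vanished, plus
    any file that newly carries a setuid/setgid bit (the change an intruder
    most wants to keep, and one that Basil's listing shows only root can make)."""
    report = {"modified": [], "added": [], "removed": [], "new_setid": []}
    for path, entry in current.items():
        base = baseline.get(path)
        if base is None:
            report["added"].append(path)
        elif base["sha256"] != entry["sha256"] or base["mode"] != entry["mode"]:
            report["modified"].append(path)
        if entry["mode"] & SETID_BITS and (base is None or not base["mode"] & SETID_BITS):
            report["new_setid"].append(path)
    report["removed"] = list(set(baseline) - set(current))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario mirroring the thread: baseline a clean tree, then
    replace sendmail with a larger file and drop a setuid 'wrapper' next to it."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(sbin)
        sendmail = os.path.join(sbin, "sendmail")
        with open(sendmail, "wb") as fh:
            fh.write(b"\x7fELF original sendmail")          # constructed content
        os.chmod(sendmail, 0o2555)  # -r-xr-sr-x, as in Basil's listing
        baseline = build_manifest(root)

        # Intrusion: replace the binary (as cp -f / mv would) and add wrapper.
        trojan = os.path.join(sbin, "sendmail.new")
        with open(trojan, "wb") as fh:
            fh.write(b"\x7fELF trojaned sendmail, with a lot of extra code")
        os.replace(trojan, sendmail)
        wrapper = os.path.join(sbin, "wrapper")
        with open(wrapper, "wb") as fh:
            fh.write(b"\x7fELF mihai")                      # constructed content
        os.chmod(wrapper, 0o4755)  # new setuid binary
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

In practice the baseline is taken from install media or a freshly installed clone and stored off-host, and the current manifest is built with the suspect disk mounted read-only from a rescue boot, because on a rooted system neither the hash tool nor the package database can be trusted. Legitimate package updates also change hashes and dates, so the check only reports what differs, and the manifest has to be refreshed after each update.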
On Fri, 13 Jun 2003, Peter Gloor wrote: <snip>
> This is what /mihai/inst looks like:
> ---------------------------------------------------------------
> #/bin/bash
> echo "Start Daemon"
> sleep 1
> ./kill
> cp -f mihai /usr/bin/wrapper
> cp -f mihai /usr/sbin/wrapper
> sleep 1
> wrapper
> chattr -AacdisSu /etc/rc.d/rc.sysinit
> echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
> echo >>/etc/rc.d/rc.sysinit wrapper
> sleep 1
> rm -rf mihai.tgz
> rm -rf mihai
> echo "Done"
> ---------------------------------------------------------------
> Does anybody know this virus?
Can't really help on the boot problems, but I would like to clarify one thing. This isn't a virus. You got cracked, and this 'mihai' is a rootkit. I'm willing to bet that the 'wrapper' program that got installed is a packet sniffer looking for passwords being passed over the network in plaintext (via telnet, ftp, or whatever).

It's definitely a good idea to re-install the system and be sure to install all security updates relevant to your setup before doing anything else. Also make sure that any remote admin work you do is over an encrypted connection (like ssh).

The one time I got cracked (on my old Slackware box in '96), it was because I was trying to do some admin (was actually getting a couple of security updates) from a client while telnetted in (hadn't heard of ssh yet). My password was picked up by a packet sniffer and a rootkit was installed on my system (although the one that was installed on mine was much more invasive). At first I thought I had found and deleted everything, but I started finding other things that weren't quite right, so I re-installed the whole thing and grabbed all the security updates before doing *anything else* over the network. I still try to do as much admin work as possible logged directly onto the machine, but use ssh whenever I have to do so remotely.

-- trey
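Trey's guess that 'wrapper' is a packet sniffer points to a check a defender can make: a sniffer has to switch the interface into promiscuous mode, which the Linux kernel logs as "device eth0 entered promiscuous mode" and exposes as the IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags. The Python below is an added example, not code from the thread or from any of the posters; the syslog lines and the flag values it checks are constructed.

```python
import os
import re

IFF_PROMISC = 0x100  # promiscuous-mode bit in the interface flags (<linux/if.h>)

# Matches the message the Linux kernel logs when an interface toggles the flag.
PROMISC_RE = re.compile(r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")

# Constructed syslog excerpt: eth0 goes promiscuous and stays that way;
# eth1 goes promiscuous briefly (e.g. a short tcpdump session) and leaves.
SAMPLE_LOG = [
    "Jun 13 02:04:11 server kernel: device eth0 entered promiscuous mode",
    "Jun 13 02:04:11 server kernel: eth0: Promiscuous mode enabled.",
    "Jun 13 02:10:01 server kernel: device eth1 entered promiscuous mode",
    "Jun 13 02:10:30 server kernel: device eth1 left promiscuous mode",
    "Jun 13 02:11:00 server sshd[812]: Accepted publickey for admin from 10.0.0.5",
]


def is_promiscuous(flags_hex):
    """Interpret the contents of /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promisc_events(log_lines):
    """Extract (interface, 'entered'|'left') events from log lines, in order."""
    events = []
    for line in log_lines:
        m = PROMISC_RE.search(line)
        if m:
            events.append((m.group("iface"), m.group("state")))
    return events


def currently_promiscuous(log_lines):
    """Replay the events and return the interfaces that entered and never left."""
    active = set()
    for iface, state in promisc_events(log_lines):
        if state == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return sorted(active)


def sysfs_promiscuous(base="/sys/class/net"):
    """Live check on a Linux host: read each interface's flags from sysfs and
    return those with IFF_PROMISC set. Returns an empty list where sysfs is
    not available (non-Linux) or unreadable."""
    found = []
    if not os.path.isdir(base):
        return found
    for iface in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, iface, "flags")) as fh:
                if is_promiscuous(fh.read().strip()):
                    found.append(iface)
        except (OSError, ValueError):
            continue
    return found


if __name__ == "__main__":
    print("promiscuous according to log:", currently_promiscuous(SAMPLE_LOG))
    print("promiscuous according to sysfs:", sysfs_promiscuous())
```

The caveat Trey's own story illustrates applies here: a rootkit that reaches the kernel can hide the flag and scrub the local log, so this check is worth most when the log lines come from a remote syslog host or the reading is taken before the box was handed back to production; a clean result from the compromised host itself proves little.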
Participants (6): Anders Johansson, Basil Fowler, Fergus Wilde, Nick LeRoy, Peter Gloor, Trey Gruel