On Friday 13 June 2003 9:18 am, Peter Gloor wrote:
Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper were overwritten with the code of /mihai.
I'm not sure, but it looks like other files have been affected as well (sendmail has got tonight's date and is much larger than the original sendmail).
Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
Now, the server will no longer boot. After mounting the file systems (reiserfs) the following message appears: mounting local filesystems proc on /proc type proc (rw)
Then the server hangs. How can I get the server up again?
It doesn't matter to me if I have to reinstall all software as long as I don't need to destroy my partitions and, more importantly, the file system on hda3, since I have a backup of all important config files and all data files on hda3.
I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
- New Install: will create new partitions and overwrite my HD!?!
No, it doesn't need to. You can specify on a fs-by-fs basis which filesystems to reformat. This is _certainly_ what you want. Tell it to reformat all other fs's, BTW, just to be sure.
What can I do? Any hints are welcome.
See above. Make _sure_ to
1. Unplug this box from the 'net until you're ready
2. Never run the box w/o the firewall (you probably already figured this out, though, didn't you?!!)
3. Make _sure_ that you install _all_ security related updates from SuSE
4. Consider updating to SuSE 8.2 -- because it's based on newer code, the list of updates that you'll need to install is smaller. Maybe this incident will give you a good excuse to do that.
Does anybody know this virus?
I don't think that it's a virus; you've been hacked by a script kiddie, probably. I really hope this helps.
-Nick
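As an added example (not part of the thread, and not a tool from SuSE or either poster), the following POSIX sh functions check a filesystem root for exactly the artefacts Peter described: the /mihai files, the two wrapper binaries, an rc.sysinit that references wrapper, and system binaries with a fresh modification time like the new sendmail. The function names (check_mihai_indicators, count_mihai_indicators, find_recent_binaries) are hypothetical. It is meant to be run from a rescue system against the compromised disk mounted read-only (e.g. at /mnt), never with the compromised box's own ls, find or grep, which may themselves have been replaced.

```shell
# check_mihai_indicators.sh - added example, not from the original thread.
# Scan a filesystem root (default /) for the indicators named in the post.
# Run it from a clean rescue system with the suspect disk mounted, e.g.:
#   . ./check_mihai_indicators.sh; check_mihai_indicators /mnt

# Paths named in the post, relative to the filesystem root.
MIHAI_PATHS="mihai .mihai mihai.tgz mihai/inst usr/bin/wrapper usr/sbin/wrapper"

# Print one line per indicator found under the given root.
check_mihai_indicators() {
    root="${1:-/}"
    for p in $MIHAI_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "INDICATOR: $root/$p exists"
        fi
    done
    # The post says rc.sysinit was replaced with a call to "wrapper".
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && grep -q 'wrapper' "$rc"; then
        echo "INDICATOR: $rc references wrapper"
    fi
}

# Number of indicators found, on stdout, so the result can be scripted.
count_mihai_indicators() {
    check_mihai_indicators "$1" | wc -l | tr -d ' '
}

# System binaries under the root modified in the last N days (default 1).
# This is the kind of check that flags a freshly replaced sendmail; a
# trojaned binary with a faked timestamp will not show up here, so compare
# against package metadata (rpm -Va on SuSE) as well.
find_recent_binaries() {
    root="${1:-/}"
    days="${2:-1}"
    for d in bin sbin usr/bin usr/sbin; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f -mtime -"$days"
        fi
    done
}
```

A hit on any of these only confirms the specific intrusion described in the post; a clean result does not prove the disk is trustworthy, which is why the reinstall-and-reformat advice above still stands for everything except the data partition.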