[Novalug] Warnings (was Re: php vulnerability ...) (LONG)

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Mon May 21 11:37:21 EDT 2012


Well then, sounds like you have an Adventure ahead of you!

In theory, you cannot heal an infected system...however, it is possible 
to try. Yum and/or rpm can reinstall packages, although I forget which 
option that is. Perhaps it's '--reinstall'? Starting with /sbin/init, 
you can find out which package it's in by 'rpm -qf /sbin/init'.

One of the things you really need to replace is md5sum, so that you get 
reliable checksums. Then you can do "rpm -Va".

One thing these rootkits do is set the immutable bit...you can turn it 
off with "chattr -i files..."

Fix all the clues that these tell you about. Reinstall if still broken.

Good Luck!

JIM

On 5/18/2012 11:04 AM, Beartooth wrote:
> On Thu, 17 May 2012, James Ewing Cottrell 3rd wrote:
>
>> Recently I googled an error message I was seeing. The article said
>> "You're infected...run 'chkrootkit' and 'rkhunter'".
>
> First off, "rpm -q php" got "not installed", both as userid and as root.
> So this may be a whole nother kettle of fish.

try "rpm -qa 'php*'"

>> Google both names, download, and run them. They will tell you if you
>> have one or more of many common infections.
>
> I did not get "you're infected." But after trying both commands ("not
> installed") I did "yum install chkrootkit" and "yum install rkhunter."

When *I* googled a specific error message, the google article told me I 
was infected...that wasn't something chkrootkit or rkhunter told me.

>
> chkrootkit gave me :
>
> Searching for Suckit rootkit...
>
> Warning: /sbin/init INFECTED
>
> rkhunter -c gave me :
>
> Performing file properties checks
> Checking for prerequisites [ Warning ]
>
> Performing trojan specific checks
> Checking for enabled xinetd services [ Warning ]
>
> Checking for passwd file changes [ Warning ]
> Checking for group file changes [ Warning ]
>
>
> System checks summary
> =====================
>
> File properties checks...
> Required commands check failed
> Files checked: 139
> Suspect files: 0
>
> Rootkit checks...
> Rootkits checked : 249
> Possible rootkits: 0
>
> Applications checks...
> All checks skipped
> Rootkit checks...
> Rootkits checked : 249
> Possible rootkits: 0
>
> Applications checks...
> All checks skipped
>
> The system checks took: 12 minutes and 23 seconds
>
> All results have been written to the log file
> (/var/log/rkhunter/rkhunter.log)
>
> One or more warnings have been found while checking the system.
> Please check the log file (/var/log/rkhunter/rkhunter.log)
>
> [root@Hbsk3 ~]#
>
> In the log I found :
>
> [10:03:33] Info: Starting test name 'shared_libs_path'
> [10:03:33] Checking LD_LIBRARY_PATH variable $
> [10:03:33]
> [10:03:33] Info: Starting test name 'properties'
> [10:03:33] Performing file properties checks
> [10:03:33] Warning: Checking for prerequisites $
> [10:03:33] The file of stored file properties$
> [10:03:33] Info: The file properties check will still $
> [10:03:33]
> [10:03:33]
> [10:03:33] Warning: WARNING! It is the users responsib$
> is used, all the files on their system are $
> reliable source. The rkhunter '--check' opt$
> against previously stored values, and repor$
> cannot determine what has caused the change$
>
> [10:03:33] Info: Found file '/sbin/ifdown': it is whit$
> [10:03:33] /sbin/ifup $
> [10:03:33] Info: Found file '/sbin/ifup': it is whitel$
>
> [10:03:36] Info: Found file '/usr/bin/GET': it is whit$
> [10:03:36] /usr/bin/groups $
> [10:03:36] Info: Found file '/usr/bin/groups': it is w$
>
> [10:03:36] Info: Found file '/usr/bin/ldd': it is whit$
>
> [10:03:37] Info: Found file '/usr/bin/whatis': it is w$
>
> [10:08:13] Performing Suckit Rookit additional checks
> [10:08:13] Checking hard link count on '/sbin/init$
> [10:08:13] Checking for hidden file extensions $
> [10:08:13] Running skdet command $
> [10:08:13] Info: Unable to find the 'skdet' command
> [10:08:13] Suckit Rookit additional checks $
>
> [10:08:19] Info: Starting test name 'malware'
> [10:08:19] Performing malware checks
> [10:08:19]
> [10:08:19] Info: Test 'deleted_files' disabled at user$
> [10:08:19]
> [10:08:20] Info: Test 'hidden_procs' disabled at users$
> [10:08:20]
> [10:08:20] Info: Test 'suspscan' disabled at users req$
> [10:08:20]
> [10:08:21] Checking for software intrusions $
> [10:08:21] Info: Check skipped - tripwire not installed
>
> [10:08:21] Checking for enabled xinetd services $
> [10:08:21] Warning: Found enabled xinetd service: /etc$
> [10:08:21] Info: Apache backdoor check skipped: Apache$
> [10:08:21]
> [10:15:05] Info: Starting test name 'hidden_ports'
> [10:15:05] Checking for hidden ports $
> [10:15:05] Info: Unable to find the 'unhide-tcp' comma$
> [10:15:05]
> [10:15:05] Info: Starting test name 'group_accounts'
> [10:15:05] Performing group and account checks
> [10:15:05] Checking for passwd file $
> [10:15:05] Info: Found password file: /etc/passwd
> [10:15:05] Checking for root equivalent (UID 0) acco$
> [10:15:05] Info: Found shadow file: /etc/shadow
> [10:15:05] Checking for passwordless accounts $
> [10:15:05]
> [10:15:05] Info: Starting test name 'group_changes'
> [10:15:05] Checking for group file changes $
> [10:15:05] Warning: Unable to check for group file dif$
> [10:15:05]
> [10:15:53] Info: Test 'apps' disabled at users request.
> [10:15:53] Possible rootkits: 0
> [10:15:53]
> [10:15:53] Applications checks...
> [10:15:53] All checks skipped
>
>
> all those lines about users request did not come from any user I know of.
>
> So is it to worry??
>
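A small triage helper for the "rpm -Va" step Jim describes, added here as an example and not something from the thread: it reads rpm's verify output and separates config-file edits (expected) from non-config files whose digest or mode changed or that are missing (the ones worth chasing). The sample lines are constructed, and the usual caveat from the thread applies: on a compromised box rpm and md5sum themselves must be trusted before their output is.

```shell
#!/bin/sh
# Triage "rpm -Va" output. Each line rpm prints is a 9-character test string
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities; '.' passed, '?' untestable), an optional attribute flag
# (c config, d doc, g ghost, l license, r readme), then the path.
# "missing" lines mean the packaged file is gone entirely.

# Constructed sample output, not real scan results.
SAMPLE_RPMV='S.5....T.    /sbin/init
.......T.    /usr/bin/md5sum
S.5....T.  c /etc/php.ini
missing     /usr/sbin/sshd
.M.......    /usr/bin/chattr'

# triage_rpmv: read rpm -V lines on stdin, print "REASON path" for suspects.
triage_rpmv() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            missing*)  printf 'MISSING %s\n' "${line##* }"; continue ;;
            Unsatisfied*) continue ;;   # dependency noise, not a file change
        esac
        set -- $line                    # rpm paths contain no spaces
        flags=$1
        attr=""
        path=$2
        if [ $# -eq 3 ]; then attr=$2; path=$3; fi
        # Config files are edited legitimately; skip them here.
        case "$attr" in c) continue ;; esac
        case "$flags" in
            *5*) printf 'DIGEST-CHANGED %s\n' "$path" ;;   # content replaced
            *M*) printf 'MODE-CHANGED %s\n' "$path" ;;     # e.g. new setuid bit
            *)   ;;   # size/mtime-only drift: lower priority, not printed
        esac
    done
}

printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv
```

Feed it real output with `rpm -Va | triage_rpmv` once rpm and md5sum have been reinstalled from trusted media; a modified /sbin/init will show up as DIGEST-CHANGED.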