This page (Version 1) was last changed on 28 March 2017 14:37 by Administrator.

[{ALLOW view All}]
[{ALLOW edit Authenticated}]
!!IptabLes / IptabLex trojan
! Solved
Update 03.06.2014: The root cause was security holes in the web framework Struts ([1|http://www.heise.de/security/meldung/Wichtiges-Sicherheitsupdate-fuer-Apache-Struts-1874093.html], [2|http://www.heise.de/security/meldung/Zero-Day-Luecke-in-Apache-Struts-2-2176605.html]). So generally I have to admit that even Ubuntu 10 seems to be safe, and also all Tomcat 7 versions. I have now updated Struts to version 2.3.14.3 and have no issues anymore.
! Preface
I have been fighting for days with this type of trojan on my virtual server hosted at server4you, which is an Ubuntu 10.04 release with kernel 2.6.18.\\
OK, I know it is quite old, but server4you does not offer newer images and a kernel rebuild is not possible with vServers.\\
I have already quit server4you, but I am bound to the contract until Oct 2014.\\
So the strange suggestions found [here|http://askubuntu.com/questions/407457/help-my-server-has-been-hacked-iptables-and-iptablex-in-boot] do not apply to me.
! Diagnosis
Here are the best commands to analyse it:
||Command||Purpose
|ls -la|List all files (including hidden ones) in a directory, with details
|ps -ef|List all running processes
|netstat -pan|List all network activity, with the owning process
|lsof|List all open files
|lsof -i tcp:<port>|List all open files for that TCP port
|ss -ap|List all open sockets, with the owning process
You are infected if you see ".IptabLes" or ".IptabLex" in your process list.\\
(And no, it is not the Linux firewall called "iptables", which is built into the kernel of Linux.)\\
You will also see open connections in your network activities like:
{{{
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 62.75.171.160:41792 59.63.167.168:1001 ESTABLISHED off (0.00/0/0)
tcp 0 0 62.75.171.160:48497 59.63.167.167:1001 ESTABLISHED off (0.00/0/0)
}}}
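The three indicators the Diagnosis section lists (the process names, the established connections to remote port 1001, and the files the clean-up script below removes) can be checked without deleting anything. The following read-only script is an added example and is not part of the original page; its function names are its own, the `ps -ef` and `netstat -pan` samples are constructed (the netstat lines are modelled on the excerpt above), and it assumes the standard column layout of those two commands (PID in column 2 of `ps -ef`; foreign address in column 5 and state in column 6 of `netstat -pan`).

```shell
#!/bin/sh
# Added example (not the page's own script): a read-only check for the three
# IptabLes/IptabLex indicators the page describes. It reports and never deletes.
# Assumptions: `ps -ef` output with the PID in column 2 and the command last,
# `netstat -pan` output with the foreign address in column 5 and the state in
# column 6, and the persistence paths taken from the page's clean-up script.

# Constructed sample `ps -ef` output (one trojan process among normal ones).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar28 ?        00:00:01 /sbin/init
root      1876     1  0 Mar28 ?        00:00:00 /usr/sbin/sshd
tomcat    2201     1  2 Mar28 ?        00:12:40 /usr/bin/java -jar tomee.jar
root      2950     1  0 Mar28 ?        00:00:03 /boot/.IptabLes'

# Constructed sample `netstat -pan` output, modelled on the page's excerpt.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2201/java
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED 2950/.IptabLes
tcp        0      0 62.75.171.160:22        203.0.113.5:51234       ESTABLISHED 1876/sshd'

# Print the PID of every process whose command line contains ".IptabLes" or
# ".IptabLex". The leading dot keeps the real "iptables" binary from matching.
suspicious_processes() {
    printf '%s\n' "$1" | awk '/\.IptabLe[sx]/ { print $2 }'
}

# Print "local foreign" for every ESTABLISHED TCP connection whose foreign
# port is 1001, the port seen in the page's netstat output.
cnc_connections() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:1001$/ { print $4, $5 }'
}

# Print every persistence artifact that exists below root $1 (empty = "/").
# The globs mirror the rm lines of the page's clean-up script.
persistence_artifacts() {
    root="${1:-}"
    for f in "$root"/boot/Ip* "$root"/boot/.Ip* "$root"/boot/..Ip* \
             "$root"/usr/.Ip* \
             "$root"/etc/rc2.d/S55Ip* "$root"/etc/rc3.d/S55Ip* \
             "$root"/etc/rc4.d/S55Ip* "$root"/etc/rc5.d/S55Ip* \
             "$root"/var/lib/update-rc.d/IptabLex; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Run all three checks. Exit status 0 means no indicator was found, 1 means
# at least one hit (so a cron job can alert on it). $1 ps output,
# $2 netstat output, $3 filesystem root to inspect.
iptablex_check() {
    hits=0
    procs=$(suspicious_processes "$1")
    [ -n "$procs" ] && { echo "trojan processes (PID): $procs"; hits=1; }
    conns=$(cnc_connections "$2")
    [ -n "$conns" ] && { echo "connections to remote port 1001: $conns"; hits=1; }
    files=$(persistence_artifacts "$3")
    [ -n "$files" ] && { echo "persistence artifacts: $files"; hits=1; }
    return $hits
}

# Stand-alone run on the constructed samples; on a live host replace them
# with "$(ps -ef)" and "$(netstat -pan)" and pass "" as the root.
if iptablex_check "$SAMPLE_PS" "$SAMPLE_NETSTAT" ""; then
    echo "no IptabLes/IptabLex indicators found"
else
    echo "indicators found, see above"
fi
```

Because the script only reads, it can run from cron every few minutes and mail its output; a non-zero exit after a clean reboot is the earliest sign of the re-infection described further down.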
! What I discovered and what I did
This infection started when I changed my web server from "JBoss 7.01" to "Tomee 1.6 Webprofile", which has a Tomcat 7 inside.
I once had the web server shut down for a day and had no more infections. So I suppose it is web server related (well, or web app related; I suspect Struts).
I will write more later, but the status now is that I am still infected, but I have blocked all traffic from that trojan, so it is OK for now.
This is my clean and block script:
{{{
#!/bin/sh
# remove malware (binaries, droppers and the rc*.d start links)
rm -f /boot/Ip*
rm -f /boot/.Ip*
rm -f /boot/..Ip*
rm -f /usr/.Ip*
rm -f /tmp/29*
rm -f /.my*
rm -f /etc/rc2.d/S55Ip*
rm -f /etc/rc3.d/S55Ip*
rm -f /etc/rc4.d/S55Ip*
rm -f /etc/rc5.d/S55Ip*
rm -f /var/lib/update-rc.d/IptabLex
rm -f /markus/tomee/bin/getsetup*
# block IPs in firewall
# accept everything while the rules are rebuilt, then flush the old ones
iptables -P INPUT ACCEPT
iptables -F
# allow loopback and replies to connections we opened ourselves
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop inbound traffic from the ranges the trojan talks to (-I puts them first)
iptables -I INPUT -s 222.184.0.0/16 -j DROP
iptables -I INPUT -s 222.185.0.0/16 -j DROP
iptables -I INPUT -s 222.186.0.0/16 -j DROP
iptables -I INPUT -s 222.187.0.0/16 -j DROP
iptables -I INPUT -s 222.188.0.0/16 -j DROP
iptables -I INPUT -s 222.189.0.0/16 -j DROP
iptables -I INPUT -s 222.190.0.0/16 -j DROP
iptables -I INPUT -s 222.191.0.0/16 -j DROP
iptables -I INPUT -s 59.0.0.0/8 -j DROP
iptables -I INPUT -s 119.0.0.0/8 -j DROP
iptables -I INPUT -s 162.221.12.0/22 -j DROP
iptables -I INPUT -s 218.0.0.0/8 -j DROP
iptables -I INPUT -s 23.239.192.0/19 -j DROP
# open the ports the server needs (21, the custom port 64344, 80 and 81)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 64344 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
# default: drop everything else inbound and all forwarding
iptables -P INPUT DROP
iptables -P FORWARD DROP
# drop outbound traffic to the same ranges (this cuts the trojan's connections)
iptables -I OUTPUT -d 222.184.0.0/16 -j DROP
iptables -I OUTPUT -d 222.185.0.0/16 -j DROP
iptables -I OUTPUT -d 222.186.0.0/16 -j DROP
iptables -I OUTPUT -d 222.187.0.0/16 -j DROP
iptables -I OUTPUT -d 222.188.0.0/16 -j DROP
iptables -I OUTPUT -d 222.189.0.0/16 -j DROP
iptables -I OUTPUT -d 222.190.0.0/16 -j DROP
iptables -I OUTPUT -d 222.191.0.0/16 -j DROP
iptables -I OUTPUT -d 59.0.0.0/8 -j DROP
iptables -I OUTPUT -d 119.0.0.0/8 -j DROP
iptables -I OUTPUT -d 162.221.12.0/22 -j DROP
iptables -I OUTPUT -d 218.0.0.0/8 -j DROP
iptables -I OUTPUT -d 23.239.192.0/19 -j DROP
iptables -P OUTPUT ACCEPT
# show the resulting rule set
iptables -L -v -n
}}}
After running this you need to reboot and are clean until.\\
(But I get infected again after a while, which I have not solved yet.)
! IPs under inspection
{{{
23.239.208.127
}}}
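The block script above repeats each range twice by hand, and the IP under inspection has to be compared against the existing ranges by eye. The following script is an added example, not the page's own code: it keeps the page's block list as data, validates every CIDR before it becomes a rule, prints the iptables commands as a dry run, and answers whether an address such as 23.239.208.127 is already covered by one of the ranges. Function names and the `BLOCKLIST` variable are the example's own; the ranges and addresses are the ones on this page.

```shell
#!/bin/sh
# Added example (not the page's own script): the page's block list as data,
# with a syntax check for each CIDR, a dry-run generator for the iptables
# lines, and a membership check that tells whether an address such as the
# one "under inspection" is already covered by a block. POSIX sh; the
# function names are the example's own, not anything from the page.

# The ranges the page's script blocks in both directions (one CIDR per line;
# blank lines and lines starting with "#" are ignored).
BLOCKLIST='# ranges from the clean-and-block script
222.184.0.0/16
222.185.0.0/16
222.186.0.0/16
222.187.0.0/16
222.188.0.0/16
222.189.0.0/16
222.190.0.0/16
222.191.0.0/16
59.0.0.0/8
119.0.0.0/8
162.221.12.0/22
218.0.0.0/8
23.239.192.0/19'

# Dotted quad -> unsigned 32-bit integer.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Succeed only for "a.b.c.d/n" with octets 0-255 and n 0-32; a malformed
# entry must not silently become an empty or over-broad rule.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    net="${1%/*}"; bits="${1#*/}"
    [ "$1" = "$net/$bits" ] || return 1
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Succeed when address $2 lies inside CIDR $1.
cidr_contains() {
    net="${1%/*}"; bits="${1#*/}"
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Read CIDRs from stdin and print the iptables commands (dry run). Invalid
# entries are reported on stderr and skipped. Pipe the output to `sh` as
# root to apply it.
block_rules() {
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        valid_cidr "$cidr" || { echo "skipping invalid entry: $cidr" >&2; continue; }
        printf 'iptables -I INPUT -s %s -j DROP\n' "$cidr"
        printf 'iptables -I OUTPUT -d %s -j DROP\n' "$cidr"
    done
}

# Read CIDRs from stdin and print each one that already covers address $1,
# so a new IP under inspection is only added when it is not yet blocked.
covered_by() {
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        valid_cidr "$cidr" || continue
        cidr_contains "$cidr" "$1" && printf '%s\n' "$cidr"
    done
    return 0
}

# Stand-alone run: show the generated rules, then check the page's IP under
# inspection against the list.
printf '%s\n' "$BLOCKLIST" | block_rules
printf '%s\n' "$BLOCKLIST" | covered_by 23.239.208.127
```

For 23.239.208.127 the last line prints `23.239.192.0/19`, so that address is already dropped by the existing rules and needs no extra entry; the 59.63.167.x hosts from the netstat excerpt are covered by 59.0.0.0/8 the same way.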