IptabLes / IptabLex trojan#
Solved#
Update 03.06.2014: The root cause was security holes in the web framework Struts (1, 2). So generally I have to admit that even Ubuntu 10 seems to be safe, and so do all Tomcat 7 versions. I have now updated Struts to version 2.3.14.3 and have had no issues since.
Preface#
I have been fighting for days with this type of trojan on my virtual server hosted at server4you, which is an Ubuntu 10.04 release with kernel 2.6.18. OK, I know it is quite old, but server4you does not offer newer images and a kernel rebuild is not possible with vServers.
I have already cancelled with server4you, but I am bound to the contract until Oct 2014.
So the strange suggestions found here do not apply to me.
Diagnosis#
Here are the most useful commands for analysing it:
| Command | Purpose |
| --- | --- |
| ls -la | List all files (also hidden ones) in a folder |
| ps -ef | List all running processes |
| netstat -pan | List all network connections and listening sockets, with the owning process |
| lsof | List all open files |
| lsof -i tcp:<port> | List all open files (sockets) for that TCP port |
| ss -ap | List all open sockets, with the owning process |
You are infected if you see ".IptabLes" or ".IptabLex" in your process list.
(And no, it is not the Linux firewall "iptables", whose packet filtering is built into the kernel: note the leading dot and the capital L in the malware's name.)
You will also see established connections in your network activity like these (remote port 1001 on the foreign side):
```
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED off (0.00/0/0)
tcp        0      0 62.75.171.160:48497     59.63.167.167:1001      ESTABLISHED off (0.00/0/0)
```
What I discovered and what I did#
This infection started when I changed my web server from "JBoss 7.01" to "TomEE 1.6 Web Profile", which has a Tomcat 7 inside. I once had the web server shut down for a day and had no more infections. So I suppose it is web server related (or rather web app related; I suspect Struts).
I will write more later, but the status now is that I am still infected; however, I have blocked all traffic from that trojan, so it is OK for now. This is my clean and block script:
```sh
#!/bin/sh
# remove malware
rm -f /boot/Ip*
rm -f /boot/.Ip*
rm -f /boot/..Ip*
rm -f /usr/.Ip*
rm -f /tmp/29*
rm -f /.my*
# start links that relaunch it on boot
rm -f /etc/rc2.d/S55Ip*
rm -f /etc/rc3.d/S55Ip*
rm -f /etc/rc4.d/S55Ip*
rm -f /etc/rc5.d/S55Ip*
rm -f /var/lib/update-rc.d/IptabLex
# dropper left in the TomEE bin directory
rm -f /markus/tomee/bin/getsetup*

# block IPs in firewall
# Note: these rules live only in the running kernel; after a reboot they are
# gone unless saved (iptables-save) and restored at boot.
iptables -P INPUT ACCEPT    # open policy first so the flush cannot lock us out
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -I inserts at the top of the chain, so these DROPs come before the ACCEPTs above;
# the /8 entries block whole address blocks, legitimate traffic included
iptables -I INPUT -s 222.184.0.0/16 -j DROP
iptables -I INPUT -s 222.185.0.0/16 -j DROP
iptables -I INPUT -s 222.186.0.0/16 -j DROP
iptables -I INPUT -s 222.187.0.0/16 -j DROP
iptables -I INPUT -s 222.188.0.0/16 -j DROP
iptables -I INPUT -s 222.189.0.0/16 -j DROP
iptables -I INPUT -s 222.190.0.0/16 -j DROP
iptables -I INPUT -s 222.191.0.0/16 -j DROP
iptables -I INPUT -s 59.0.0.0/8 -j DROP
iptables -I INPUT -s 119.0.0.0/8 -j DROP
iptables -I INPUT -s 162.221.12.0/22 -j DROP
iptables -I INPUT -s 218.0.0.0/8 -j DROP
iptables -I INPUT -s 23.239.192.0/19 -j DROP
# services that stay reachable from outside
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 64344 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# outbound: keep the bot from reaching its controllers
iptables -I OUTPUT -d 222.184.0.0/16 -j DROP
iptables -I OUTPUT -d 222.185.0.0/16 -j DROP
iptables -I OUTPUT -d 222.186.0.0/16 -j DROP
iptables -I OUTPUT -d 222.187.0.0/16 -j DROP
iptables -I OUTPUT -d 222.188.0.0/16 -j DROP
iptables -I OUTPUT -d 222.189.0.0/16 -j DROP
iptables -I OUTPUT -d 222.190.0.0/16 -j DROP
iptables -I OUTPUT -d 222.191.0.0/16 -j DROP
iptables -I OUTPUT -d 59.0.0.0/8 -j DROP
iptables -I OUTPUT -d 119.0.0.0/8 -j DROP
iptables -I OUTPUT -d 162.221.12.0/22 -j DROP
iptables -I OUTPUT -d 218.0.0.0/8 -j DROP
iptables -I OUTPUT -d 23.239.192.0/19 -j DROP
iptables -P OUTPUT ACCEPT
iptables -L -v -n
```
After running this you need to reboot and are clean until.
(But I get infected again after a while, which I have not solved yet.)
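As an added example that is not the page's own code, the following POSIX shell script turns the indicators listed under Diagnosis (the ".IptabLes" / ".IptabLex" process names and established connections to remote port 1001) and the persistence paths removed by the clean and block script above into repeatable checks, so the same script can confirm after the reboot that the clean-up actually took and can catch a re-infection early. The function names, the "--live" switch, the file name "ioc_check.sh" and the sample "ps -ef" / "netstat -pan" output embedded for a dry run are constructed for this example; the IP addresses, port and paths are the ones on this page.

```sh
#!/bin/sh
# Added example, not the original page's script: IOC checks for the
# .IptabLes / .IptabLex trojan built from the indicators on this page.
# Function names and the sample data are constructed for illustration.

# Process-name indicator. Note the leading dot and the capital L; the real
# firewall tool appears as plain "iptables" and never matches this.
PROC_PATTERN='(^|[ /])\.IptabLe[sx]([[:space:]]|$)'

# Remote port of the controllers in the netstat output shown on the page.
C2_PORT=1001

# check_processes: reads "ps -ef" output on stdin, prints the matching
# lines; exit status 0 if anything matched (grep semantics).
check_processes() {
    grep -E "$PROC_PATTERN"
}

# check_connections: reads "netstat -pan" output on stdin and prints the
# ESTABLISHED tcp/tcp6 connections whose foreign port is C2_PORT.
# Exit status 0 if at least one such connection was found.
check_connections() {
    awk -v port="$C2_PORT" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, f, ":")          # last field survives IPv6 colons
            if (f[n] == port) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# check_persistence: looks for the dropped binaries and the rc*.d start
# links that the clean-up script removes. Takes an optional root prefix so
# it can be pointed at a test tree; exit status 0 if anything is present.
check_persistence() {
    root="${1:-}"
    found=1
    while IFS= read -r pattern; do
        for path in "$root"$pattern; do
            [ -e "$path" ] && { echo "$path"; found=0; }
        done
    done <<'EOF'
/boot/Ip*
/boot/.Ip*
/boot/..Ip*
/usr/.Ip*
/etc/rc2.d/S55Ip*
/etc/rc3.d/S55Ip*
/etc/rc4.d/S55Ip*
/etc/rc5.d/S55Ip*
/var/lib/update-rc.d/IptabLex
EOF
    return $found
}

# assess_live: run all three checks on this host (root needed for full
# ps/netstat visibility); exit status 0 means at least one indicator fired.
assess_live() {
    hits=0
    ps -ef | check_processes && hits=$((hits + 1))
    netstat -pan 2>/dev/null | check_connections && hits=$((hits + 1))
    check_persistence && hits=$((hits + 1))
    [ "$hits" -gt 0 ]
}

# Constructed sample output (not a real capture) mirroring the shape of
# ps -ef and netstat -pan on an infected host; used for a dry run only.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May01 ?        00:00:01 /sbin/init
root      1843     1  0 May01 ?        00:00:00 /usr/sbin/sshd
root      2901     1  0 May02 ?        00:03:12 .IptabLes
root      2903     1  0 May02 ?        00:00:47 .IptabLex
root      3102  3001  0 May02 pts/0    00:00:00 /sbin/iptables -L -v -n'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3044/java
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED 2901/.IptabLes
tcp        0      0 62.75.171.160:48497     59.63.167.167:1001      ESTABLISHED 2903/.IptabLex
tcp        0      0 62.75.171.160:64344     203.0.113.5:52110       ESTABLISHED 1843/sshd'

# Usage: "sh ioc_check.sh --live" checks this host; without arguments the
# script only defines the functions and the samples for a dry run.
if [ "${1:-}" = "--live" ]; then
    assess_live && echo "INFECTED: indicators present" || echo "no indicators found"
fi
```

On the sample data the process check reports the two dotted processes and ignores the legitimate iptables invocation, the connection check reports exactly the two sessions to port 1001 and skips the sshd session, and the persistence check on a clean tree returns non-zero, which is the result you want to see after running the clean-up script and rebooting. Running it from cron with "--live" gives the early warning for the re-infection the text describes.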
IPs Under inspection#
23.239.208.127