Quoting Reynald I. Ngo ([EMAIL PROTECTED]):

> @%!@#$% my mail server got compromised with cinik slapper worm.
> I'm now currently doing forensics and clean-up... any tips?

Yes. Shut down and rebuild. There's unfortunately no alternative. Please see:

http://linuxmafia.com/~rick/linux-info/root-compromise
http://linuxmafia.com/~rick/linux-info/forensics

The Slapper "Cinik" variant is an automated buffer-overflow attack against an August 2002 bug in OpenSSL running under Apache. (Not intending to add to your woes, but systems that have kept current with security patches will be unaffected -- as will sites that don't use Apache for https, i.e., most sites.)

> Currently I noticed it changed my ps, top & netstat... having a time
> stamp of 1983.

This has nothing to do with the worm, as such. The work of the worm is done when it performs its automated entry via your unpatched, vulnerable https Apache/OpenSSL service, notifies (via e-mail) the person behind the attack that he has another "zombie" host at his disposal, and starts up a daemon that lets your host be instructed to participate in DDoS and other attacks on further victim hosts. More about the ps/top/netstat replacements, below.

> It's running its own httpd and it cleaned up my syslogs... F**k!

The "httpd" isn't really an httpd, but is the left-behind worm process that helps the (human) attacker send your host instructions. The evisceration of your system logs was intended to make it less likely you'd notice the compromise of your system. Congratulations on that not working, by the way. Most people don't notice for a very long time.

For the same reason, the human attacker, after receiving the worm's notification e-mail, used its backdoor to enter your system and used root access to replace key administrative binaries (ps, netstat, top, etc.) with "trojaned" versions that attempt to hide his system activity from the sysadmin's attention. Typically, these binaries come in a source archive called a "rootkit" (_not_ an attack tool; just a camouflage one) that the attacker manually compiles on your system and then installs, replacing your real admin utilities.
One long-term lesson is that any process that's addressable remotely from anywhere in the world (a network daemon) should be a special object of your attention -- _if_ you run that daemon. If you're not sure you need a daemon, switch it off. For those daemons that you _don't_ switch off, make very sure that you stay current on security advisories. If for some reason you can't apply a patch needed to close a remotely exploitable vulnerability, then shut off the vulnerable daemon until you can: Temporarily having a service unavailable may be inconvenient, but it's much less so than having to rebuild from scratch and not even be able to trust your /etc/* files or home-directory dotfiles -- which is what you're going to have to do, now.

-- 
Cheers,                        When encryption is outlawed,
Rick Moen                      only outlaws will xr2d3fsxd df#$%xx`
[EMAIL PROTECTED]

_______________________________________________
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
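An added example, written for this page and not taken from Rick Moen's reply or from anything posted in the thread, showing the defender's side of the ps/top/netstat replacement discussed above: a hash baseline taken on a trusted install, then a check for files whose hash no longer matches and a sweep for files whose modification time is absurdly old (the "1983" stamps Reynald saw). It assumes GNU coreutils (sha256sum, touch -t, mktemp); the ps, top and netstat files it creates are constructed stand-ins in a temporary directory, and the `demo` function is a hypothetical driver that simulates one replaced binary.

```shell
#!/bin/sh
# Added example, not part of the original message. Assumes GNU coreutils
# (sha256sum, touch -t, mktemp). All "binaries" below are constructed
# sample files, not real system tools.

# make_baseline DIR OUT: record the SHA-256 of every regular file under DIR.
# Take this on a freshly installed system and keep OUT somewhere off the host.
make_baseline() {
    ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# changed_files DIR BASELINE: print the names of files whose current hash
# differs from BASELINE. BASELINE must be an absolute path (we cd into DIR).
changed_files() {
    ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) \
        | sed -n 's/: FAILED.*$//p'
}

# stale_files DIR YYYYMMDDhhmm: print files whose mtime is NOT newer than the
# given stamp. Replaced admin binaries often carry nonsense dates, so anything
# older than the distribution's own release is worth a look.
stale_files() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    ( cd "$1" && find . -type f ! -newer "$ref" | sort )
    rm -f "$ref"
}

# demo (hypothetical driver): build a constructed bin/ directory, baseline it,
# simulate one replaced and back-dated binary, and report what each check flags.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    for b in ps top netstat; do
        printf 'original %s\n' "$b" > "$work/bin/$b"
    done
    make_baseline "$work/bin" "$work/baseline.sha256"

    # Simulated tampering (constructed): altered content and a 1983 timestamp.
    printf 'not the real ps\n' > "$work/bin/ps"
    touch -t 198301010000 "$work/bin/ps"

    echo "hash-mismatch: $(changed_files "$work/bin" "$work/baseline.sha256" | paste -sd' ' -)"
    echo "stale-mtime: $(stale_files "$work/bin" 199001010000 | paste -sd' ' -)"
    rm -rf "$work"
}

demo
```

Both checks flag only `./ps` in the demo. In practice the baseline must come from a clean install and live off the box, and a check run with the host's own, possibly replaced, tools is only a first indicator, which is why the reply above still says to rebuild rather than clean in place.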
