Hi there,

On Thu, 15 Jun 2017, Michael D. Setzer II wrote:
> ... seeing a message from systemctl --status=failed that DbSercuritySpt was failing. It is something in /etc/init.d, but it was just a shell script that ran /tmp/g251, which didn't exist. There was also a selinux and a weird named file in the same directory. A recent build system had none of these files. The weird named file was actually pointing to a /usr/bin/samewierdname file that would be 625900 bytes in size. The name of the file would change, and some systems had multiple copies of the files, and they would have the current date. Later I found the crontab had a line that would run a script gcc.sh from the /etc/cron.hourly folder.
It seems almost certain that you're a victim of malicious activity. Perhaps not too surprising in an educational establishment.
> ... using this process to try to clean the machines, but don't know if there is a better way, or even if this is really going to completely fix the issue.
Maybe you can get copies of the files and run them by something like Jotti's Malware Scan: https://virusscan.jotti.org/
> I also noticed that the lsof, ps and netstat programs seemed to have been modified. rkhunter probably saw that ...
It's just the sort of thing it's looking for. :)
> I did this on one system, and it seemed to get rid of the problem, but it has just been a short time. Was hoping this list would have the best answers for really fixing this, or at least pointing me to a resource that can.
Malicious authors will often use a variety of tricks to achieve what's called "persistence", in other words preventing the legitimate user's attempts to remove the malicious software from succeeding. Sometimes you'll find them all, sometimes not. If you don't then you will most likely have to start over. Maybe not a waste of time as you'll have learned something about the threat.

Deleting all the files which happen to be of a certain size seems slightly risky to me. My view is that the surest way to fix things is aggressive; wipe discs, complete re-install from known good original software.

I would want to find out more about the malicious software. You will probably be able to find a description of it and what it does from the scanners listed at jotti.org or similar, and that should lead to a satisfactory solution which can probably be somewhat automated for recovery of all your systems.

It should be possible to do something which will prevent a repeat of the incident. I would want to find how the malicious software managed to get in, perhaps there's some known vulnerability, and fix that so it can't happen again. Perhaps one of your students is guilty, you might be able to finger the culprit.

--
73, Ged.

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
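The indicators Michael lists (an init.d script that launches something from /tmp, a script dropped into /etc/cron.hourly, several same-size copies of a binary under /usr/bin, and replaced ps/lsof/netstat) can be checked for without deleting anything. The script below is an added example written for this thread, not code from rkhunter or from either poster. It assumes GNU grep, awk and sha256sum, a baseline hash list taken from a known-good build (as Michael had one), and directory paths passed as parameters so it can be run against a mounted image of a suspect disk rather than the live system.

```shell
#!/bin/sh
# Added example, not code from the rkhunter-users thread: a read-only triage helper
# for the persistence indicators described above. It prints findings only; nothing
# is removed. Paths are parameters so the checks can run against a mounted image.

# Print every file directly under directory $1 whose contents run something from
# /tmp, /var/tmp or /dev/shm. Init scripts and cron jobs rarely launch from there.
find_tmp_launchers() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -lE '(^|[^[:alnum:]_/])(/tmp|/var/tmp|/dev/shm)/' "$dir"/* 2>/dev/null || true
}

# List files directly under directory $1 that share an exact byte size with at
# least one other file there, sorted by size. Clusters of identical size are worth
# reviewing by hand; deleting by size alone would also hit legitimate files.
same_size_files() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f")" "$f"
    done | sort -n | awk '
        { size[NR] = $1; path[NR] = $2; count[$1]++ }
        END { for (i = 1; i <= NR; i++) if (count[size[i]] > 1) print size[i], path[i] }'
}

# Compare binaries against a sha256sum baseline captured on a known-good system
# (for example: sha256sum /bin/ps /usr/bin/lsof /bin/netstat > baseline).
# Only entries that differ or are missing are printed ("<path>: FAILED").
check_baseline() {
    baseline="$1"
    sha256sum -c "$baseline" 2>/dev/null | grep 'FAILED' || true
}

# Run all three checks for a suspect root ($1, "" for the live system) and a
# baseline file ($2). Paths inside the baseline are used as written, so generate
# it with the paths you intend to verify.
triage_report() {
    root="${1:-}"
    baseline="$2"
    echo "== init.d / cron entries launching from temp directories =="
    for d in "$root/etc/init.d" "$root/etc/cron.hourly" "$root/etc/cron.d"; do
        find_tmp_launchers "$d"
    done
    echo "== same-size files under $root/usr/bin =="
    same_size_files "$root/usr/bin"
    echo "== binaries differing from baseline =="
    check_baseline "$baseline"
}
```

Source the file and call `triage_report /mnt/suspect /root/baseline.sha256` (paths assumed) to get a report for one machine; the same three functions can be run on every lab system and the output diffed against a freshly built one. None of the checks replaces a wipe and reinstall; they only make the scope of the infection visible before deciding.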