Thanks for the reply. Will have to look at it in more detail. The files with that size all have strange names that appear to be a mix of random characters, and all have the current date and time. First had it list all the files, to make sure, and then had it delete. So far it doesn't seem to have come back, but will have to wait. I keep the machines fully updated, and run rkhunter, so not clear how it could have gotten in, but students do have access to the root account. Machines are behind a campus firewall, and my classroom firewall, and most ports are blocked by our MIS. Only the notice that it failed had me look at it. Have no issues with systems.
Was looking to see if there was already a program or script or process to find this particular setup. Stuff I found isn't complete, and it seems this DbSecuritySpt goes back to 2014?? Thanks again.

On 15 Jun 2017 at 7:21, G.W. Haywood wrote:

Date sent:      Thu, 15 Jun 2017 07:21:37 +0100 (BST)
From:           "G.W. Haywood" <rkhun...@jubileegroup.co.uk>
To:             "Michael D. Setzer II" <mi...@guam.net>
Copies to:      rkhunter-users@lists.sourceforge.net
Subject:        Re: [Rkhunter-users] Question about DbSecuritySpt (not sure if it is a rootkit or something else).

> Hi there,
>
> On Thu, 15 Jun 2017, Michael D. Setzer II wrote:
>
> > ... seeing a message from systemctl --status=failed that DbSecuritySpt
> > was failing. It is something in /etc/init.d but just was a shell script
> > that ran /tmp/g251 which didn't exist. There was also a selinux and a weird
> > named file in the same directory. A recent build system had none of these
> > files. The weird named file was actually pointing to a /usr/bin/sameweirdname
> > file that would be 625900 bytes in size. The name of the file would change,
> > and some systems had multiple copies of the files, and they would have the
> > current date.
> > Later I found the crontab had a line that would run a script gcc.sh from the
> > /etc/cron.hourly folder.
>
> It seems almost certain that you're a victim of malicious activity. Perhaps
> not too surprising in an educational establishment.
>
> > ... using this process to try to clean the machines, but don't know if there
> > is a better way, or even if this is really going to completely fix the issue.
>
> Maybe you can get copies of the files and run them by something like Jotti's
> Malware Scan:
>
> https://virusscan.jotti.org/
>
> > I also noticed that the lsof, ps and netstat programs seemed to have been
> > modified. rkhunter probably saw that ...
>
> It's just the sort of thing it's looking for. :)
>
> > I did this on one system, and it seemed to get rid of the problem, but it
> > has just been a short time.
> >
> > Was hoping this list would have the best answers for really fixing
> > this, or at least pointing me to a resource that can.
>
> Malicious authors will often use a variety of tricks to achieve what's
> called "persistence", in other words preventing the legitimate user's
> attempts to remove the malicious software from succeeding. Sometimes
> you'll find them all, sometimes not. If you don't then you will most
> likely have to start over. Maybe not a waste of time as you'll have
> learned something about the threat. Deleting all the files which
> happen to be of a certain size seems slightly risky to me. My view is
> that the surest way to fix things is aggressive; wipe discs, complete
> re-install from known good original software.
>
> I would want to find out more about the malicious software. You will
> probably be able to find a description of it and what it does from
> the scanners listed at jotti.org or similar, and that should lead to
> a satisfactory solution which can probably be somewhat automated for
> recovery of all your systems. It should be possible to do something
> which will prevent a repeat of the incident, I would want to find how
> the malicious software managed to get in, perhaps there's some known
> vulnerability, and fix that so it can't happen again. Perhaps one of
> your students is guilty, you might be able to finger the culprit.
>
> --
>
> 73,
> Ged.

+----------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mi...@guam.net
mailto:msetze...@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+
http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned: 19,471
Processing time: 32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)
BOINC@HOME CREDITS
ABC 16613838.513356 | EINSTEIN 133913302.288695
ROSETTA 60333252.687309 | SETI 104587492.242787

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
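The triage the thread describes (files of one size, the /etc/init.d stub that launches /tmp/g251, the hourly gcc.sh cron job, and the replaced ps, lsof and netstat), as an added example that is not part of this thread and is not rkhunter code: a read-only POSIX shell script that reports each indicator instead of deleting anything, which is the cautious route Ged recommends over deleting by size. Everything it inspects is a constructed tree it builds itself under a temporary directory; the file names and the 625900-byte size are taken from the thread, and the ROOT variable, the sample-building function and the tool list are assumptions of this example. To look at a real machine, point ROOT at / as root and drop the build_sample and rm -rf lines.

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: read-only triage
# checks for the indicators the thread describes. It builds a constructed,
# throw-away directory tree under mktemp so it runs offline; ROOT is an
# assumption of this example and can be set to "/" to inspect a real host.
# Nothing is ever deleted.

SUSPECT_SIZE=625900           # byte size reported in the thread for the dropped binaries

# Constructed sample tree: every file below is fabricated for the demo.
build_sample() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/cron.hourly" "$root/usr/bin" "$root/tmp"
    # init script whose only job is to launch a payload from /tmp (as in the thread)
    printf '#!/bin/sh\n/tmp/g251\n' > "$root/etc/init.d/DbSecuritySpt"
    # ordinary-looking init script for contrast
    printf '#!/bin/sh\n/usr/sbin/sshd\n' > "$root/etc/init.d/sshd"
    # hourly cron entry named after a compiler, as in the thread
    printf '#!/bin/sh\necho hourly\n' > "$root/etc/cron.hourly/gcc.sh"
    # randomly named binary of exactly the suspect size, plus a small control file
    dd if=/dev/zero of="$root/usr/bin/xkqzpwvbne" bs="$SUSPECT_SIZE" count=1 2>/dev/null
    dd if=/dev/zero of="$root/usr/bin/ls" bs=1024 count=1 2>/dev/null
}

# 1. Files of exactly the suspect size. Printed with owner, size and mtime so
#    a person reviews each hit; bulk deletion on size alone is risky.
list_by_size() {
    find "$1" -type f -size "${2}c" -exec ls -l {} \;
}

# 2. init.d scripts that execute something from /tmp (a persistence hook).
initd_tmp_refs() {
    grep -l '^[[:space:]]*/tmp/' "$1"/etc/init.d/* 2>/dev/null
    return 0    # no match is not an error
}

# 3. Everything in cron.hourly; a stranger like gcc.sh stands out next to the
#    distribution's own entries.
cron_hourly_entries() {
    ls "$1"/etc/cron.hourly 2>/dev/null
}

# 4. Fingerprint the tools the thread says were replaced, for comparison with
#    the same files on a freshly built machine or with the package manager.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1      # weaker fallback where sha256sum is absent
    fi
}
hash_tools() {
    for t in ps lsof netstat ls; do
        f="$1/usr/bin/$t"
        if [ -f "$f" ]; then
            printf '%s  %s\n' "$(hash_file "$f")" "$t"
        fi
    done
}

ROOT="$(mktemp -d)"
build_sample "$ROOT"
echo "== files of exactly $SUSPECT_SIZE bytes under $ROOT =="
list_by_size "$ROOT" "$SUSPECT_SIZE"
echo "== init.d scripts launching something from /tmp =="
initd_tmp_refs "$ROOT"
echo "== cron.hourly entries =="
cron_hourly_entries "$ROOT"
echo "== tool fingerprints (compare with a known-good build) =="
hash_tools "$ROOT"
rm -rf "$ROOT"
```

The size match is the weakest of the four signals, which is why the script prints metadata for each hit rather than acting on it. The hashes are only meaningful next to the same hashes taken from a clean install or verified through the package manager, and the persistence checks cover only the two locations named in the thread; as Ged says, a wipe and reinstall from known-good media is the sure fix once the entry point is understood.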