>> Kk, here is what I've got so far:
>>
>> My system seems to be infected by some kind of trojan/worm/virus called
>> Unix/Hacktop, which does (for what I'm seeing) some kind of scanport via
>> ssh (22).
>> I found some related info saying that the intruder could be using a
>> security flaw from AWSTATS + Apache to get a valid root bash session
>> over port 80.
>>
>> Now the intruder created a few files, infected some others and is using
>> this scanport. I stopped the scanport by blocking the output of ssh in
>> my iptables and was able to erase some virus-related files.
>>
>> Now I want to know just 2 things:
>>
>> First, how can I be sure that it all happened because of the awstats
>> security flaw?
>
> No way to be 100% certain, but examining your access log for funny calls
> to your awstats cgi would be a good way to start.

Awstats has some known security holes that permit uploading and executing binaries.

>> Second, how could I completely remove this Unix/Hacktop from my system
>> (Linux RedHat9 k2.4)?
>
> Technically, this is impossible without a clean reinstall. The
> hacker/cracker could have replaced anything and everything. He could
> have replaced the "rm" binary so that it never deletes files that he
> placed there. He could have replaced "ls" so it doesn't show those
> files. He could have replaced iptables so that it allows in his IP no
> matter what you configure.
>
> But since most hackers aren't that smart, you might have some luck if
> you can figure out what root kit was used and undo the damage. But as
> you mentioned, this isn't the best list to find help with that.

Not completely impossible, but it could get really hard. Anyway, as Joshua pointed out, most "hackers" (so called by themselves, when they are really more like "script kiddies") aren't that smart. So you could try to search for problems using the standard rpm utility (rpm -VVV procps fileutils rpm perl util-linux, etc.) and find replaced rpms. Do a port scan, etc.

If you are not that familiar with sanitizing a compromised machine, your best chance is reinstalling the system. Good luck ;)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
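The last reply suggests checking package integrity with rpm's verify mode to find replaced binaries. The script below is an added example, not part of the thread: it triages `rpm -V` output so that digest or size changes on non-config files, and files that have gone missing, stand out from the routine mtime noise. The sample output it runs on is constructed for illustration, not captured from a real host, and the package names and paths in it are hypothetical. Joshua's caveat still applies: on a rooted box `rpm` itself and its database may have been tampered with, so a clean result is not proof of a clean system.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output after a suspected compromise.
# Each line rpm -V prints describes one file that differs from the RPM database:
#   an 8-character attribute field (S size, M mode, 5 MD5 digest, D device,
#   L symlink, U user, G group, T mtime; '.' means unchanged),
#   an optional file-type marker (c = config file), then the path;
#   "missing" replaces the attribute field when the file is gone.
# rpm itself may be trojaned on a compromised host, so treat this as a hint only.

# Print only entries worth a close look: a changed digest (5) or size (S)
# on a non-config file, or a file that has disappeared entirely.
triage_rpm_verify() {
    awk '
        $1 == "missing"        { print "MISSING  " $NF; next }
        $2 == "c"              { next }   # config files change legitimately
        $1 ~ /5/ || $1 ~ /S/   { print "MODIFIED " $1 " " $NF }
    '
}

# Number of suspicious entries, for a quick pass/fail in a larger script.
suspicious_count() {
    triage_rpm_verify | wc -l | tr -d ' '
}

# Constructed sample in rpm -V format (hypothetical paths, not real findings).
SAMPLE_RPM_V='S.5....T    /bin/ls
.......T    /bin/ps
S.5....T  c /etc/sysconfig/iptables
missing     /usr/bin/top
..5....T    /sbin/ifconfig'

# On the host itself the pipeline would be:  rpm -Va 2>/dev/null | triage_rpm_verify
# (the thread uses rpm -VVV with explicit package names, which works the same way).
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

Only the digest and size columns are treated as alarming because a changed mtime alone (the `/bin/ps` line above) is common after package updates or `touch`, whereas a changed MD5 on `/bin/ls` or `/sbin/ifconfig` is exactly what a replaced binary looks like. Config files are skipped since their content is expected to drift from the packaged version.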