aerospacemango Posted August 31, 2010

So, for the second time in a matter of weeks, our whole network is brought to a halt by... KSWAP! Now, having spent a lot of time over this, here is the advice that was sent to me on how to deal with it:

> The exploit or compromise running on this system is likely to be an irc bot. Can you please alert the person who is responsible for its security to patch/upgrade, remove the irc process and secure their system. Usual point of entry with these machines are weak ssh passwords and web applications that have not been kept up to date with security fixes.
>
> = Unix System owners =
>
> A favourite place for hiding the bot(s) is in /tmp/ and in /var/tmp/ or /dev/shm/ or in a user's /home/ directory; sometimes it may be hidden like /tmp/". ."/ or similar.
>
> The bot files can usually be found by running these one-line commands as the root user.
>
> find / -exec grep -l "undernet" {} +
> find / -exec grep -l "sybnc" {} +
> find / -name "*.set" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
> find / -name "inst" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
>
> netstat -tanp
> lsof -i tcp:
>
> *netstat: look for connections to remote port 6667 or the range of ports between 6660-7000; once you find the port you can use the command lsof -i tcp:portnumber to determine which process/user it is running under, and terminate it.

I hope that if anyone else gets this, this info will help! Apparently, it gets into the system by VNC, so always make sure that you close your VNC tunnel!
kmount Posted August 31, 2010

Did the person who told you it was an exploit have more information than just "kswap"? It is likely to be something (anything) else that is using lots of resources and you're crunching up the swap space and possibly running out (which may or may not be an exploit, but I've yet to see an irc bouncer (psybnc) bring a whole system to its knees). It would be helpful to see what's in "top" and also what specification the system is and what it's doing.
powdarrmonkey Posted September 7, 2010

Prevention: don't use VNC tunnels in an insecure way...

Edit: that goes for SSH tunnels too. And anything else.
aerospacemango Posted September 7, 2010

> Prevention: don't use VNC tunnels in an insecure way...
>
> Edit: that goes for SSH tunnels too. And anything else.

Indeed! But the problem with VNC is that it only needs to be open for a second, and they can be in. For reference, it was on our Moodle server, which is running Linux. This means that the use of the folder name "." or ".." makes it very difficult to find/get rid of! Our systems developer went on and sorted it.
kmount Posted September 7, 2010

I hope he sorted it with a rebuild; once a box has been rooted I wouldn't trust it within an inch of its life, especially not if it's talking to your user directory.