Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
Thanks in advance, B.J.
CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04
On 30/11/2007, B.J. McClure keepertoad@verizon.net wrote:
Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
Is SE Linux enabled on your system? If this is an ext2/ext3 filesystem - look at "lsattr" and friends. fuser(1) on that file and/or monitoring it using something based on inotify(7) might reveal which process has it open or uses it.
Hope this gives you some useful direction.
--Amos
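A small triage script in the spirit of Amos's suggestions, added here as an example (it is not from the thread). It assumes Linux with /proc mounted and a `readlink -f`; the lsattr check is skipped for paths under /sys and /proc because those are virtual filesystems, not ext2/ext3, so chattr flags do not apply there.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suspicious file the way
# Amos suggests. Assumes Linux with /proc mounted and readlink -f available.

# Emulate fuser(1): print PIDs whose /proc/PID/fd entries resolve to $1.
who_has_open() {
    target=$(readlink -f "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "$target" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un
}

# Show ownership, SELinux state/label and (ext2/ext3 only) the chattr
# flags; 'i' (immutable) or 'a' (append-only) block even root from
# modifying the file until the flag is cleared with chattr.
show_attrs() {
    f=$1
    ls -l "$f"
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    ls -Z "$f" 2>/dev/null
    case "$f" in
        /sys/*|/proc/*) echo "virtual filesystem: lsattr does not apply" ;;
        *) command -v lsattr >/dev/null 2>&1 && lsattr "$f" 2>/dev/null ;;
    esac
}

triage() {
    show_attrs "$1"
    echo "processes holding it open:"
    who_has_open "$1"
}

# Usage: sh triage.sh /path/to/suspicious/file
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```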
On Thu, 29 Nov 2007 16:43:44 -0600 "B.J. McClure" keepertoad@verizon.net wrote:
Sad to say one of my file servers was exploited and used to run a Phishing scam.
One of the problems with being r00ted is that you can never be sure that you have found all of the stuff that the bad guy left behind. The only way to clean up a system like that is to reformat and set it up again from scratch.
Otherwise you're taking a chance that he'll be back again tomorrow doing the same thing, or worse.
On Thu, Nov 29, 2007 at 04:43:44PM -0600, B.J. McClure wrote:
Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
Thanks in advance, B.J.
CentOS 5.0, Linux 2.6.18-8.1.15.el5 x86_64 16:26:48 up 10:46, 1 user, load average: 0.07, 0.08, 0.04
Hi, can you tell me which virus scan you are using?
Thanks