Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

Post subject: Re: GootKit
Posted: Sat Mar 10, 2012 1:46 am
Forum User
Joined: Wed Mar 07, 2012 7:53 pm
Posts: 7
Location: Singapore
Here's my script:

/root/removepl.php
<?php
// Loop forever: once a second, sweep everything out of every vhost's cgi-bin
// into the quarantine folder (/root/compromisedfolder/ must already exist).
while (true) {
    sleep(1);
    system("/bin/mv /var/www/vhosts/*/cgi-bin/* /root/compromisedfolder/");
}

Call it:
php-cli /root/removepl.php &

It will keep running.

The tmp files created will only be there if the GootKit successfully runs; otherwise it will be clean.

Cheers.

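The script above moves every file out of every cgi-bin once a second, which is what raises the question of legitimate Perl CGIs later in the thread. As an added example (not from this thread and not part of ASL), the following bash script quarantines only files whose content matches an operator-supplied indicator, preserves each file's original relative path, records a sha256 and the source path in a manifest, and can put a false positive back. It assumes the Plesk-style layout ROOT/<site>/cgi-bin/ seen on the page, that sha256sum is available, and that the indicator is a placeholder grep -E expression (CONSTRUCTED_INDICATOR below is a constructed value, not a real GootKit signature).

```shell
#!/bin/bash
# Added example, not from the thread or from ASL: targeted quarantine for
# vhost cgi-bin directories instead of an unconditional "mv .../cgi-bin/*".
# Assumptions: layout ROOT/<site>/cgi-bin/, sha256sum present, and PATTERN
# supplied by the operator (the demo uses a constructed placeholder).

quarantine_cgi() {            # quarantine_cgi ROOT QDIR PATTERN -> prints count moved
    local root="$1" qdir="$2" pattern="$3"
    local count=0 f rel sum
    mkdir -p "$qdir"
    for f in "$root"/*/cgi-bin/*; do
        [ -f "$f" ] || continue                  # skip subdirectories and empty globs
        grep -qE -- "$pattern" "$f" || continue  # non-matching files stay in place
        rel="${f#"$root"/}"                      # e.g. site2/cgi-bin/x.pl
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mkdir -p "$qdir/$(dirname "$rel")"
        mv -- "$f" "$qdir/$rel"
        # manifest: timestamp, hash, root, relative path (tab-separated)
        printf '%s\t%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$sum" "$root" "$rel" \
            >> "$qdir/manifest.tsv"
        count=$((count + 1))
    done
    echo "$count"
}

restore_quarantined() {       # restore_quarantined QDIR ROOT REL: undo a false positive
    local qdir="$1" root="$2" rel="$3"
    [ -f "$qdir/$rel" ] || return 1
    mkdir -p "$root/$(dirname "$rel")"
    mv -- "$qdir/$rel" "$root/$rel"
}

demo_quarantine() {           # builds a constructed tree and reports what happened
    local d root qdir n
    d=$(mktemp -d) && root="$d/www" && qdir="$d/quarantine"
    mkdir -p "$root/site1/cgi-bin" "$root/site2/cgi-bin"
    # constructed sample files: a clean shop script, one matching the indicator,
    # and a legitimate script that also matches (a false positive)
    printf '#!/usr/bin/perl\nprint "cart ok\\n";\n' > "$root/site1/cgi-bin/shop.pl"
    printf 'CONSTRUCTED_INDICATOR\n' > "$root/site2/cgi-bin/x.pl"
    printf '# CONSTRUCTED_INDICATOR mentioned in a comment\n' > "$root/site1/cgi-bin/contact.pl"
    n=$(quarantine_cgi "$root" "$qdir" 'CONSTRUCTED_INDICATOR')
    restore_quarantined "$qdir" "$root" site1/cgi-bin/contact.pl
    printf 'quarantined=%s shop_intact=%s contact_restored=%s x_in_quarantine=%s\n' \
        "$n" \
        "$([ -f "$root/site1/cgi-bin/shop.pl" ] && echo yes || echo no)" \
        "$([ -f "$root/site1/cgi-bin/contact.pl" ] && echo yes || echo no)" \
        "$([ -f "$qdir/site2/cgi-bin/x.pl" ] && echo yes || echo no)"
    rm -rf "$d"
}

demo_quarantine
```

Running the script prints `quarantined=2 shop_intact=yes contact_restored=yes x_in_quarantine=yes`: the untouched shop script shows why matching on an indicator beats a blanket move, and the manifest plus restore path is what lets you hand a wrongly quarantined file back to a customer. The quarantine directory should live outside the web root so it is never served or re-scanned.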
Post subject: Re: GootKit
Posted: Sat Mar 10, 2012 2:27 am
Forum Regular
Joined: Mon Mar 19, 2007 3:47 pm
Posts: 280
What about legitimate files? We still have many customers with shopping carts that use perl.

Post subject: Re: GootKit
Posted: Sat Mar 10, 2012 10:16 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
If you're using the dazuko module in ASL, just set it up to monitor /var/www/vhosts. This would intercept the gootkit malware regardless of how it was added to the system and will block it and only it. So legitimate files will continue to work, but this kit won't even be able to run (or be saved to the file system if they try to reinstall it).

Post subject: Re: GootKit
Posted: Sat Mar 10, 2012 10:25 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Please see this url to turn on the dazuko module in ASL:

https://www.atomicorp.com/wiki/index.php/Anti_virus

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: GootKit
Posted: Sun Mar 11, 2012 7:58 pm
Forum Regular
Joined: Mon Mar 19, 2007 3:47 pm
Posts: 280
Now I am getting a service with apache that won't start. I have looked and nothing is bound to the port.

-bash-3.00# /usr/local/psa/admin/sbin/websrvmng -a -v
[Sun Mar 11 16:56:38 2012] [warn] module jk_module is already loaded, skipping
websrvmng: Service /etc/init.d/httpd failed to gracefully restart
websrvmng: Service /etc/init.d/httpd failed to gracefully restart

Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start

0: /usr/local/psa/admin/plib/common_func.php3:158
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28

Post subject: Re: GootKit
Posted: Sun Mar 11, 2012 8:40 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Any errors in your apache or server logs?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: GootKit
Posted: Sun Mar 11, 2012 9:13 pm
Forum Regular
Joined: Mon Mar 19, 2007 3:47 pm
Posts: 280
Code:
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs

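The log above shows the usual reason httpd refuses to start after a cleanup: a per-vhost log directory that the config still references no longer exists, so the open of error_log fails with ENOENT before Apache ever binds the port. As an added example (not from this thread and not an Atomicorp or Plesk tool), the bash script below walks one or more httpd config files, resolves every ErrorLog/CustomLog/TransferLog target (relative paths against a ServerRoot argument, piped and syslog targets skipped), and reports each one whose directory is missing. The config tree it checks is constructed in a temp directory; the vhost names and paths are placeholders modelled on the layout in the log, not the poster's real hosts.

```shell
#!/bin/bash
# Added example, not from the thread: find log targets in Apache config files
# whose directory does not exist, the condition behind
# "(2)No such file or directory: httpd: could not open error log file ...".
# Assumes standard Apache directive syntax; everything in the demo is constructed.

missing_log_dirs() {          # missing_log_dirs SERVER_ROOT CONF_FILE... -> one line per problem
    local root="$1" file directive path rest dir
    shift
    for file in "$@"; do
        # ErrorLog/TransferLog take a path; CustomLog takes a path then a format.
        grep -hE '^[[:space:]]*(ErrorLog|CustomLog|TransferLog)[[:space:]]' "$file" |
        while read -r directive path rest; do
            path=${path#\"}; path=${path%\"}            # tolerate "quoted" paths
            case "$path" in
                \|*|syslog*) continue ;;                # piped/syslog targets have no directory
                /*) ;;                                   # absolute path as given
                *)  path="$root/$path" ;;                # relative paths resolve against ServerRoot
            esac
            dir=$(dirname "$path")
            [ -d "$dir" ] || printf '%s: %s %s (directory %s does not exist)\n' \
                "$file" "$directive" "$path" "$dir"
        done
    done
}

count_missing_log_dirs() {    # same arguments; prints the number of problems found
    missing_log_dirs "$@" | wc -l | tr -d ' '
}

demo_log_check() {            # constructed config tree: prints the report, then a count line
    local d cfg
    d=$(mktemp -d)
    # ok.example's log directory exists; gone.example's was removed with the site
    mkdir -p "$d/logs" "$d/vhosts/ok.example/statistics/logs"
    cfg="$d/httpd.conf"
    cat > "$cfg" <<EOF
ErrorLog logs/error_log
CustomLog "|/usr/sbin/rotatelogs $d/logs/access_log 86400" combined
<VirtualHost *:80>
    ServerName ok.example
    ErrorLog $d/vhosts/ok.example/statistics/logs/error_log
    CustomLog $d/vhosts/ok.example/statistics/logs/access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName gone.example
    ErrorLog $d/vhosts/gone.example/statistics/logs/error_log
    CustomLog "$d/vhosts/gone.example/statistics/logs/access_log" combined
</VirtualHost>
EOF
    missing_log_dirs "$d" "$cfg"
    printf 'missing=%s\n' "$(count_missing_log_dirs "$d" "$cfg")"
    rm -rf "$d"
}

demo_log_check
```

Run against a real server as `missing_log_dirs /etc/httpd /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf` (paths are an assumption; Plesk keeps per-vhost includes elsewhere) before asking websrvmng to restart, and either recreate the reported directories or disable the vhost, which is what the poster did.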
Post subject: Re: GootKit
Posted: Sun Mar 11, 2012 9:23 pm
Forum Regular
Joined: Mon Mar 19, 2007 3:47 pm
Posts: 280
I resolved this by turning off the web site. I'll check further but it is one site that was compromised.
