what door or window did I leave open this time?
Jude DaShiell
jdashiel at shellworld.net
Thu May 10 00:45:39 EDT 2007
A Debian system I had running was very badly hacked. This was Debian with a
Speakup 2.6.18 kernel. I decided to write a cs script to run clamscan and
found a really easy way to write that script, and was planning on sharing
that technique until I had a listen to part of the log file I had the
script make for me. Then it was time to preserve what I could, erase the
partitions and install a new system. I'm most interested in what door or
window I had left open for this hack to have happened. Activity on the
system was downloading podcasts, which were preserved, and also doing some
ssh connections, but sshd_config and ssh_config had been modified to not
listen on any port; PermitRootLogin was disabled, and X11Forwarding was
also turned off.
What follows is the part of the log I preserved:
-------------------------------------------------------------------------------
Unpacker process 11675 stopped due to exceeded limits
//usr/share/doc/lg/108/misc/laundrette/laundrette-108.txt: HTML.Phishing.Bank-1 FOUND
//usr/share/doc/lg/112/lg_laundrette.html: HTML.Phishing.Bank-164 FOUND
//usr/share/doc/lg/issue85/misc/mahoney/c.img.gz: GZip.ExceededFileSize FOUND
//usr/share/doc/lg/issue86/TWDT.txt.gz: Exploit.IFrame.Gen FOUND
Beyond that, here's a copy of the cs script used with clamscan:
#!/bin/bash
# file: cs - clamscan script
# Scan the whole filesystem recursively, log to clamscanYYYY-MM-DD.log in
# the current directory, and print only infected files (-i).
clamscan \
    -l "clamscan$(date -I).log" \
    -r --bell -i \
    --exclude=/dev --exclude=/proc --exclude=/pts --exclude=/tmp \
    --detect-broken --block-encrypted --block-max \
    --max-files=500 --max-space=10M --max-recursion=8 --max-ratio=250 \
    --max-mail-recursion=8 --max-dir-recursion=15 \
    --deb=/usr/bin/dpkg-deb \
    /   # scan target: / is walked recursively, so no second target is needed
The way I found that script so easy to write was that I put each command-line
option on its own line after clamscan, and when those several lines held all
of the options, I used the join command in ex to join them into the
clamscan command you find in that script.
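The log fragment above is all the page gives, so it cannot settle whether the four hits under /usr/share/doc/lg are the intrusion or ClamAV signatures firing on what look like shipped Linux Gazette documentation files (an article about phishing, an HTML issue archive). The check a practitioner would run first, as an added example that is not part of the original post: find which Debian package owns each flagged file and compare its md5sum with the hash dpkg recorded at install time. A matching hash means the file is byte-for-byte what the package installed; a mismatch, or a file no package owns, means something wrote it after installation. The script, the placeholder package name "lg", the file contents and the fake dpkg database the demo builds are all constructed for this demonstration and are not real Debian package data.

```shell
#!/bin/bash
# triage-hits.sh (added example): for each "... FOUND" line in a clamscan
# log, say whether the flagged file belongs to an installed Debian package
# and whether its md5sum still matches the one dpkg recorded at install time.

# Turn clamscan's "path: SIGNATURE FOUND" lines (stdin) into "SIGNATURE path",
# collapsing the doubled leading slash seen in the post's log. The signature
# is printed first because it never contains spaces; the path may.
parse_found_lines() {
    awk '/ FOUND$/ {
        n = match($0, /: [^:]* FOUND$/); if (n == 0) next
        path = substr($0, 1, n - 1); sub(/^\/+/, "/", path)
        sig = substr($0, n + 2);     sub(/ FOUND$/, "", sig)
        print sig " " path
    }'
}

# Print the package whose dpkg .list file claims PATH (exact line match).
# INFODIR is the dpkg database directory, normally /var/lib/dpkg/info.
owner_of() {
    local infodir="$1" path="$2" f
    for f in "$infodir"/*.list; do
        [ -e "$f" ] || continue
        if grep -qxF -- "$path" "$f"; then basename "$f" .list; return 0; fi
    done
    return 1
}

# Compare the file's current md5 with the hash PKG's md5sums file recorded for
# it. ROOT is prefixed to PATH so a mounted image of the compromised disk can
# be checked instead of the live system. Prints one of:
# unchanged, MODIFIED, no-checksum (package ships no hash), missing.
verify_file() {
    local root="$1" infodir="$2" pkg="$3" path="$4" sums="$2/$3.md5sums" recorded actual
    [ -f "$root$path" ] || { echo missing; return; }
    [ -f "$sums" ] || { echo no-checksum; return; }
    # md5sums lines are "<32 hex chars>  <path without leading slash>"
    recorded=$(awk -v p="${path#/}" 'substr($0, 35) == p { print $1; exit }' "$sums")
    [ -n "$recorded" ] || { echo no-checksum; return; }
    actual=$(md5sum -- "$root$path" | awk '{ print $1 }')
    [ "$recorded" = "$actual" ] && echo unchanged || echo MODIFIED
}

# Read a clamscan log on stdin; print "STATUS SIGNATURE PATH [(package)]".
triage_log() {
    local root="$1" infodir="$2" sig path pkg
    parse_found_lines | while read -r sig path; do
        if pkg=$(owner_of "$infodir" "$path"); then
            echo "$(verify_file "$root" "$infodir" "$pkg" "$path") $sig $path ($pkg)"
        else
            echo "unowned $sig $path"
        fi
    done
}

# Constructed demonstration: a throwaway fake root and dpkg info directory
# (package name "lg" is a placeholder, not a real Debian package), run over
# the lines from the post's log. Returns the triage output.
demo() {
    local tmp root info docs
    tmp=$(mktemp -d) || return 1
    root="$tmp/root"; info="$tmp/info"; docs="$root/usr/share/doc/lg"
    mkdir -p "$info" "$docs/108/misc/laundrette" "$docs/112" \
             "$docs/issue85/misc/mahoney" "$docs/issue86"
    echo "constructed article about phishing" > "$docs/112/lg_laundrette.html"
    echo "constructed issue text" > "$docs/issue86/TWDT.txt.gz"
    echo "constructed disk image" > "$docs/issue85/misc/mahoney/c.img.gz"
    echo "constructed file no package owns" > "$docs/108/misc/laundrette/laundrette-108.txt"
    printf '%s\n' /usr/share/doc/lg/112/lg_laundrette.html \
        /usr/share/doc/lg/issue86/TWDT.txt.gz \
        /usr/share/doc/lg/issue85/misc/mahoney/c.img.gz > "$info/lg.list"
    # Hashes for two of the owned files; TWDT's is deliberately wrong to
    # stand in for a file rewritten after installation.
    {
        printf '%s  usr/share/doc/lg/112/lg_laundrette.html\n' \
            "$(md5sum "$docs/112/lg_laundrette.html" | awk '{ print $1 }')"
        printf '%s  usr/share/doc/lg/issue86/TWDT.txt.gz\n' \
            00000000000000000000000000000000
    } > "$info/lg.md5sums"
    triage_log "$root" "$info" <<'EOF'
Unpacker process 11675 stopped due to exceeded limits
//usr/share/doc/lg/108/misc/laundrette/laundrette-108.txt: HTML.Phishing.Bank-1 FOUND
//usr/share/doc/lg/112/lg_laundrette.html: HTML.Phishing.Bank-164 FOUND
//usr/share/doc/lg/issue85/misc/mahoney/c.img.gz: GZip.ExceededFileSize FOUND
//usr/share/doc/lg/issue86/TWDT.txt.gz: Exploit.IFrame.Gen FOUND
EOF
    rm -rf "$tmp"
}

# Usage: ./triage-hits.sh --demo
#        ./triage-hits.sh /mnt/disk /mnt/disk/var/lib/dpkg/info < clamscan2007-05-10.log
case "${1-}" in
    --demo) demo ;;
    "") ;;
    *) triage_log "$1" "${2:-$1/var/lib/dpkg/info}" ;;
esac
```

Two caveats. The dpkg database on a compromised disk is itself untrusted, so "unchanged" only means "consistent with the install record"; confirm against the .deb fetched from a clean mirror (dpkg-deb -x, or debsums with fresh package files) before trusting it. And the check only classifies the files clamscan flagged; it says nothing about how the intruder got in, which is the question the post actually asks.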