TCLUG Archive

Re: [TCLUG:683] ...And now for my next trick...



I agree - someone with root access did this.
Probably replaced a system binary. A quick check would be to
go into /bin, /sbin and the like and look at timestamps and see if
anything jumps out at you. If this doesn't work, try re-installing Linux 
using the "upgrade" mode of the install. Of course with a large machine 
and many users, this will have to be handled by your sysadmin during off 
hours, and if you have a special kernel, it will have to be rebuilt -- a 
pain to be sure.

You might log in as single user and take a very careful look at
the "ps" list and go look at the binaries. You can use "nm" or "strings" 
to search for the filename embedded in the binary. Something like:

find / -type f -print -exec strings {} \; > /tmp/out   # strings takes no pattern; grep /tmp/out for DLZDB afterwards

and look through the 'out' file. Make sure you have plenty of space in 
the directory that you pipe this out to - it will be large. You can then 
use "more" on 'out' and search for DLZDB -- you might get lucky.


A quick solution (just until you find the culprit) is to create a cron 
job like:

find / -name "DLZDB" -exec rm -f {} \;

and run it every 10-15 minutes, or so. This is, of course, a stupid 
solution and only temporary until you find the problem binary.


>From: Benjamin Kochie <ben@intexp.com>
>Date: Thu, 16 Jul 1998 16:28:17 -0500 (CDT)
>To: TCLUG <tclug-list@listserv.real-time.com>
>Subject: Re: [TCLUG:683] ...And now for my next trick...
>
>wow... virii for unix tend to be less common.. mostly because of the
>memory security model... sounds like a large system, from what i can
>tell.. it may have been a previous sysadmin's legacy.. unless someone root
>exploited the computer.. it's doubtful a user could insert something like
>that into the system.. it sounds more like a trojan than a real
>virus, processes started on boot up.. it'd be worth it to shut down into
>single user mode, and start checking all the system files for addons.. :)
>
>On Fri, 17 Jul 1998, Michael Hicks wrote:
>
>> Well, considering the fact that a Linux box I set up would have no one
>> to administrate it, I'll just let the company buy the MS Exchange
>> servers...  It's their money, not mine, and I don't have an alternative
>> that would be simple enough for them to try..
>> 
>> Now, for my next question--Does anyone know about viruses and Unix?
>> Apparently, there is a virus running rampant on an SGI DM Series box
>> running an ancient version of IRIX (4.x, I think..) where I work...
>> 
>> The person there who (sorta) admins that system has knowledge restricted
>> to basically running 'top,' 'osview,' and some other relatively simple
>> utilities..
>> 
>> Anyway, the system traditionally gets system loads of 11-14, with a load
>> of 23 this morning (type 'ls,' wait ten seconds, get the list) when the
>> admin was running about 10 'find' processes in a script that would
>> delete some of the files that this virus was laying all over the
>> place...
>> 
>> CPU power isn't a problem, as it has 4.  3 of them could be turned off,
>> and the 4th turned to half power, and the system would still run at the
>> same speed..  It is apparently maxing out the Ultra-SCSI controller that
>> is connected to a RAID bank.  (the DM has 3 or 4 fiber-optic FDDI
>> connections to the network, plus at least one Ethernet connection..)
>> 
>> Sorry I'm giving all the specs, but it's strangely hilarious, IMHO.. :)
>> 
>> Anyway, back to the virus--it leaves files named DZLDB or something like
>> that laying all over the place, plus it creates start-up scripts, so it
>> will get initiated when the system reboots (apparently..)
>> 
>> If you happen to know the correct way to fight this virus, I'd
>> appreciate it..  Also, if you have a good (hopefully inexpensive,
>> relatively speaking) way of getting this system to have better
>> performance, I'd like to hear about it..
>> 
>> Thanks,
>> 
>> Mike Hicks
>> -- 
>> Linux: Because a PC is a terrible thing to waste
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tclug-list-unsubscribe@listserv.real-time.com
>> For additional commands, e-mail: tclug-list-help@listserv.real-time.com
>> Try our website: http://tclug.real-time.com
>> 

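The three checks suggested at the top of this reply (timestamps on the system binaries, searching binaries for the embedded filename, and a periodic sweep of the dropped files) as one script. This is an added example written for this archive page, not code from the thread or from any of its posters. The marker string DLZDB is taken from the reply; the function names, the quarantine directory and the sample file tree it builds are this example's own constructions. It uses `grep -a` in place of `strings | grep`, and moves the dropped files into a quarantine directory instead of `rm -f` so that they remain available for analysis.

```shell
#!/bin/sh
# Added example, not from the original thread. Three defender-side checks:
# (1) find binaries that embed a marker string, (2) list recently modified
# files under system binary directories, (3) sweep dropped files by name
# into a quarantine directory instead of deleting them. The marker DLZDB
# comes from the reply; the sample tree, function names and quarantine
# path are constructed for this example.

# Print regular files under the given directories whose bytes contain
# PATTERN. grep -a scans binaries as text, so this stands in for
# "strings | grep" without needing binutils.
# Usage: find_embedded_string PATTERN DIR...
find_embedded_string() {
    pattern=$1
    shift
    find "$@" -type f -exec grep -la -- "$pattern" {} + 2>/dev/null | sort
}

# Print regular files under the given directories modified within DAYS
# days: the timestamp check the reply recommends for /bin and /sbin.
# Usage: recently_modified DAYS DIR...
recently_modified() {
    days=$1
    shift
    find "$@" -type f -mtime -"$days" 2>/dev/null | sort
}

# Move every regular file named NAME under the given directories into
# QUARANTINE. Each file is renamed with its full path (slashes become
# underscores) so nothing collides and the evidence survives.
# Usage: quarantine_by_name NAME QUARANTINE DIR...
quarantine_by_name() {
    name=$1
    quarantine=$2
    shift 2
    mkdir -p "$quarantine"
    find "$@" -type f -name "$name" -exec sh -c '
        q=$1; shift
        for f in "$@"; do
            mv -- "$f" "$q/$(printf "%s" "$f" | tr / _)"
        done' _ "$quarantine" {} +
}

# Constructed sample tree: a fake "ls" that embeds the marker, a clean
# "cat", and two dropped files named DLZDB in user-writable places.
make_sample_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/tmp" "$root/home/user"
    printf '\177ELF\002\001 harmless text' > "$root/bin/cat"
    printf '\177ELF\002\001 /tmp/DLZDB is written here' > "$root/bin/ls"
    printf 'dropped file' > "$root/tmp/DLZDB"
    printf 'dropped file' > "$root/home/user/DLZDB"
}

# Run all three checks against the sample tree, then clean up.
demo() {
    root=${TMPDIR:-/tmp}/tclug-demo.$$
    make_sample_tree "$root"
    echo "binaries embedding DLZDB:"
    find_embedded_string DLZDB "$root/bin"
    echo "files changed in the last 7 days under $root/bin:"
    recently_modified 7 "$root/bin"
    quarantine_by_name DLZDB "$root/quarantine" "$root/tmp" "$root/home"
    echo "quarantined:"
    ls "$root/quarantine"
    rm -rf "$root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check_tree.sh demo` to see the sample walk-through; on a real host you would point `find_embedded_string` and `recently_modified` at /bin and /sbin and `quarantine_by_name` at the directories where the dropped files appear, and then inspect the quarantine directory rather than reading through a multi-megabyte /tmp/out.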