Mission Net Status
Well, since I need a bit of a clearing house for problems, here goes.
Mission.net has been infected with what looks like what this guy is describing. I’ll post updates as I find out more. To see what happened previously, look here. This doesn’t make me happy as I’ve been battling a migraine all day.
ST Infection
– Moved binary
21:28
netstat -tap shows
e PID/Program name
tcp 0 0 —.mission.net:58873 ik59064.ikexpress.com:ssh ESTABLISHED 11884/perl
A perl process that is running from apache that has ssh running. I kill the process.
21:43
Dan’s scrubbing files again with
grep -lR kgeba * | xargs sed -e ‘s\/\\
\< \/html\>//g’
Removing awstats and orca since these are probable entry vectors.
21:51
– Cleaning out /tmp looking for anything more suspicious.
– Cleaning out all Orca related files
22:04
– Cleaning all SIB related /tmp files
22:24
– Orca cleared, confirming cleaning of html files
22:34
– Because I am ultra paranoid now, I am shutting down any third party application that I can’t get security info on in the Individual webmaster directories.
22:38
– Bringing up Apache again, please be vigilant when reviewing your sites.
– Watching for signs of infection again.
22:46
PURL (Permanent URL) is back up and running thanks to Dan.
– I know mysql is still borked. Please leave me comments so that I can track whatever else got borked through the Fedora Core 3 to Fedora Core ? upgrade.
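The 21:28 entry above describes a perl process, started from apache, holding an established outbound SSH connection in netstat -tap output. The following is an added example, not part of the original post: a Python check that flags that pattern in netstat text. The interpreter list, function names and sample hosts are assumptions constructed for illustration.

```python
# Added example: flag script interpreters holding an established TCP
# connection to a remote SSH port in `netstat -tap` output.

# Programs with no usual reason to open outbound SSH from a web server.
# This list is an assumption of the example; tune it per host.
INTERPRETERS = {"perl", "python", "python3", "php", "ruby", "sh", "bash"}
SSH_PORTS = {"ssh", "22"}  # netstat prints "ssh" unless run with -n

# Constructed sample (placeholder hosts), not output from the original post.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      2210/httpd
tcp        0      0 web.example.net:58873   remote.example.org:ssh  ESTABLISHED 11884/perl
tcp        0      0 web.example.net:ssh     admin.example.org:40112 ESTABLISHED 9001/sshd: admin
tcp        0      0 web.example.net:40990   backup.example.org:22   ESTABLISHED 9120/ssh
tcp        0      0 web.example.net:51000   db.example.org:mysql    ESTABLISHED -
"""


def parse_line(line):
    """Return (foreign, state, pid, program) for a tcp row, else None."""
    parts = line.split(None, 6)
    if len(parts) < 7 or not parts[0].startswith("tcp"):
        return None  # banner, column header, or non-TCP row
    foreign, state, owner = parts[4], parts[5], parts[6].strip()
    pid, _, prog = owner.partition("/")
    # "sshd: admin" -> "sshd"; "-" (owner hidden from non-root) -> ""
    prog = prog.split()[0].rstrip(":") if prog else ""
    return foreign, state, pid, prog


def suspicious_connections(netstat_text):
    """List (pid, program, foreign) for interpreters connected to remote SSH."""
    hits = []
    for line in netstat_text.splitlines():
        row = parse_line(line)
        if row is None:
            continue
        foreign, state, pid, prog = row
        port = foreign.rsplit(":", 1)[-1]
        if state == "ESTABLISHED" and port in SSH_PORTS and prog in INTERPRETERS:
            hits.append((int(pid), prog, foreign))
    return hits


if __name__ == "__main__":
    for pid, prog, foreign in suspicious_connections(SAMPLE):
        print(f"review pid {pid} ({prog}) -> {foreign}")
```

Run netstat as root so the PID/Program column is populated; rows owned by other users otherwise show "-" and cannot be matched.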
ehh??? so does that mean that it’s dead?
nope
I don’t know if it’ll help any, but if you need an on-line virus scanner to sweep it and make sure it’s clean I recommend housecall65.trendmicro.com. I’ve used it a few times on my database server at work. Also checks for security loopholes / vulnerabilities and what not. Or you can just ignore me 🙂 which is usually the wisest course of action.