It’s not a big secret that I help out other people when they have Linux issues – and so I did on this fellow’s network. In fact, we set up a Gentoo server together to give him a chance to learn more about Linux and how things work together. I double-checked everything except the passwords, which in the end left the server wide open.
Sure, an sshd config with root login disabled is nice, but that didn’t help with the user account that brought in the first batch of malware. We noticed it while we were in the middle of setting some things up: the server started to act weird, and I had a feeling that something had gone horribly wrong, so I checked ‘last’ for recent logins and saw some strange IPs in there. When I asked my mate whose IP this was, he shrugged, and I knew what was wrong.
Looking at the process list for some proof, I saw a few weird binaries running, like a gnome-terminal process. That wouldn’t be suspicious at all if the server were running a graphical desktop, which it isn’t. So, to show the problem, I started poking around and found some shell scripts planted in /etc/cron.hourly which start the malware, as a safety ‘backup’ for them.
The malware files themselves were scattered over the system, changing their names pretty randomly. So I rebooted the system with cron disabled, and in theory I was malware-free for a few seconds. For demonstration purposes I started up a malware scanner and ran it on the known malware. Without results.
Having proven my point, we’re starting the server from scratch again, as it’s impossible to locate every file that was messed with. This time starting with SSH keys first.