Postfix

Thx. How to get the executable file from the PID? With fstat(1) or lsof(8)?
EDIT: fstat -p <pid> and then there's a text item, I'd say it's the executable? Then from the inode number we can find the path of the executable. How?
 
I'd just look at tcpdump(1) traffic for anything besides the normal port 80/443 traffic. The IRC C&C connection is bound to show up (server and port is configurable, so no use looking for specific ports or servers). It's not a complex bot, it's fairly rudimentary. Still, it's able to scan for holes in other machines and inject itself there too. There's also a function to send traffic to a certain address, controlled from the IRC C&C, used for DDoS. It has a number of other features too, but as this is just perl code it's quite easy to extend and include more attacks. Because this is just plain-text code that's easily modified I'm highly doubtful any of the AV scanners will be able to pick it up.
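As an added example (not code from anyone in this thread), here is the check the post above describes, turned into something repeatable: feed it the output of tcpdump -n and it lists every outbound connection attempt from the server that is not going to port 80 or 443, grouped by destination. The capture lines, the server address 192.0.2.10 and the allowed-port list are constructed assumptions; adjust them to the host you are looking at.

```shell
#!/bin/sh
# Added example: flag outbound TCP connection attempts from a web server that
# go anywhere other than the ports it is expected to talk to. Input is the
# one-line-per-packet format of "tcpdump -n" (numeric addresses, no DNS).

SERVER_IP="192.0.2.10"     # assumed address of the possibly compromised host
ALLOWED_PORTS="80 443"     # what the thread treats as normal web traffic

# Read tcpdump -n lines on stdin; print "dst_ip dst_port count" for every
# outbound SYN whose destination port is not in ALLOWED_PORTS.
flag_unexpected_outbound() {
    awk -v me="$SERVER_IP" -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # one SYN per line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
    # "[S.]" is a SYN-ACK and is deliberately not matched.
    $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 ~ /^\[S\]/ {
        src = $3
        dst = $5; sub(/:$/, "", dst)
        # "a.b.c.d.port": split host and port at the last dot
        i = match(src, /\.[0-9]+$/); shost = substr(src, 1, i - 1)
        j = match(dst, /\.[0-9]+$/); dhost = substr(dst, 1, j - 1); dport = substr(dst, j + 1)
        if (shost == me && !(dport in ok)) seen[dhost " " dport]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample capture (not a real trace): normal web traffic, an inbound
# SSH attempt, and two outbound destinations a web server has no business with.
sample_capture() {
    cat <<'EOF'
14:02:11.000001 IP 192.0.2.10.51234 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
14:02:11.100002 IP 198.51.100.5.443 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
14:02:12.000003 IP 192.0.2.10.51240 > 203.0.113.7.6667: Flags [S], seq 3, win 64240, length 0
14:02:12.500004 IP 192.0.2.10.51241 > 203.0.113.7.6667: Flags [S], seq 4, win 64240, length 0
14:02:13.000005 IP 192.0.2.10.51250 > 198.51.100.9.80: Flags [S], seq 5, win 64240, length 0
14:02:14.000006 IP 203.0.113.50.40000 > 192.0.2.10.22: Flags [S], seq 6, win 64240, length 0
14:02:15.000007 IP 192.0.2.10.51260 > 203.0.113.20.8080: Flags [S], seq 7, win 64240, length 0
EOF
}

# Usage: tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0' > capture.txt; sh flag.sh capture.txt
#        sh flag.sh          (no argument: runs on the constructed sample above)
if [ "$#" -gt 0 ]; then
    flag_unexpected_outbound < "$1"
else
    sample_capture | flag_unexpected_outbound
fi
```

On the sample this prints 203.0.113.20 8080 1 and 203.0.113.7 6667 2. The point is not the port numbers: as the post says, the C&C server and port are configurable, so the script does not look for IRC specifically, it looks for anything the host initiates that is outside what it should be doing. Put whatever the host legitimately needs (DNS, NTP, SMTP on a mail server) into ALLOWED_PORTS first, otherwise you will be reading a lot of noise.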
 
procstat -b <pid>
EDIT: IRC is also International Rescue Committee (IRC). Would make sense here, too, if the OP has been hacked... No smiley, because then this is not funny.
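Added example (not from anyone in the thread) that wraps the procstat -b answer above into a check for the situation the thread describes: a process whose name in ps does not match the binary it is actually running, or whose binary does not exist on disk at all. On FreeBSD it uses procstat -b; on Linux it falls back to /proc/<pid>/exe so the script runs there as well. The assumption that procstat -b prints the path as the last field, and the title-versus-binary comparison, are mine, not anything from the thread.

```shell
#!/bin/sh
# Added example: given a PID, show what binary is really running and compare
# it with the name the process presents in ps. A process that shows itself as
# "postfix" but is really /usr/local/bin/perl, or whose binary has been
# deleted, is exactly what this thread is hunting for.

# Print the executable path of a PID. procstat -b on FreeBSD (the answer
# given in the thread); /proc on Linux so the script runs elsewhere too.
exe_of_pid() {
    pid="$1"
    if command -v procstat >/dev/null 2>&1; then
        # assumed layout of "procstat -b": header line, then PID COMM OSREL PATH
        procstat -b "$pid" 2>/dev/null | awk 'NR > 1 { print $NF }'
    elif [ -L "/proc/$pid/exe" ]; then
        # Linux prints "/path (deleted)" when the binary is gone from disk
        readlink "/proc/$pid/exe" 2>/dev/null || true
    fi
}

# Report the PID, the title ps shows, the resolved binary, and whether the
# two agree. Returns 1 when something does not add up.
check_pid() {
    pid="$1"
    # the title is whatever the process chose to show (a bot can set it)
    title=$(ps -o args= -p "$pid" 2>/dev/null | awk '{ print $1 }' || true)
    exe=$(exe_of_pid "$pid" || true)
    printf 'pid=%s title=%s exe=%s\n' "$pid" "${title:-?}" "${exe:-unknown}"
    case "$exe" in
        "")  echo "  ! cannot resolve executable (no such process, kernel thread, or no permission)"; return 1 ;;
        *" (deleted)") echo "  ! binary was removed from disk after the process started"; return 1 ;;
    esac
    [ -e "$exe" ] || { echo "  ! $exe does not exist on disk"; return 1; }
    # heuristic: the first word of the title should name the binary actually running
    shown=$(basename "${title:-$exe}")
    case "$(basename "$exe")" in
        "$shown"|"$shown"*) return 0 ;;
        *) echo "  ! title '$title' does not match binary '$exe'"; return 1 ;;
    esac
}

# Usage: sh check_pid.sh <pid>    (defaults to this shell's own PID)
check_pid "${1:-$$}" || echo "  => look at PID ${1:-$$} more closely (fstat -p, its cwd, its open sockets)"
```

Run it against each of the suspicious "postfix" PIDs from ps. A mismatch is a prompt to look, not proof on its own: a shell started as sh on a system where sh is a symlink to dash will trip the same heuristic, while a perl bot whose title is "postfix" will show exe=/usr/local/bin/perl and a title that does not match it.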
 
Call me paranoid but there are a couple of malware bots on the internet that appear to look like regular processes.

Would have been my first suggestion. A process running as www and appearing to be a postfix executable that doesn't even exist is incredibly suspicious (hell, even if postfix was installed these processes running as www would be suspicious). It smacks of a compromised server that is running something dodgy and the running scripts are trying to disguise themselves as a process that might be running anyway in the hope they will be ignored.
 
Maybe just rename the perl binary (mv /usr/local/bin/perl /usr/local/bin/perl.orig). If the malware is not sophisticated enough to check that, it's enough to stop it.
 
I have found viruses in the /tmp/scn folder.
(attached screenshot: Снимок4.PNG)

Clamscan found this:
/tmp/scn/brute: Unix.Malware.Agent-6628158-0 FOUND
/tmp/scn/masscan: Unix.Malware.Agent-6640864-0 FOUND
/tmp/scn/aha.tgz: Unix.Malware.Agent-6754186-0 FOUND
Do you know what these viruses are?
How to remove the effects of the work of this virus?
I moved these viruses from /tmp to another folder (my user folder).
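The post above moved the flagged files by hand. As an added example (not from anyone in the thread), this script does the same thing in the order an investigator would want it done: record each file's hash, size, owner and timestamps first, then rename it into a quarantine directory with all permissions removed, so the evidence survives the move and nothing can run from there. It parses clamscan's "<path>: <signature> FOUND" lines; the demo files and the clamscan lines it feeds itself are constructed, not the real contents of /tmp/scn.

```shell
#!/bin/sh
# Added example: preserve evidence for files clamscan flagged, then quarantine
# them. Contents are never rewritten (mv only), so hashes recorded here will
# still match later. Paths containing ": " are not handled.

# Portable sha256: sha256sum on Linux, sha256 -q on FreeBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Read clamscan output on stdin. For every FOUND line append one tab-separated
# record (path, signature, sha256, ls -ld line) to $1 and move the file into
# $2 with mode 000. Prints the number of files quarantined.
quarantine_found() {
    log="$1"; quarantine="$2"
    mkdir -p "$quarantine" && chmod 700 "$quarantine"
    n=0
    while IFS= read -r line; do
        case "$line" in *" FOUND") ;; *) continue ;; esac
        path=${line%%: *}                  # everything before the first ": "
        sig=${line#*: }; sig=${sig% FOUND}
        if [ ! -f "$path" ]; then
            # still worth a record: clamscan saw it, and now it is gone
            printf '%s\t%s\tMISSING\t-\n' "$path" "$sig" >> "$log"
            continue
        fi
        hash=$(sha256_of "$path")
        meta=$(ls -ld "$path")             # mode, owner, size, mtime as ls shows them
        printf '%s\t%s\t%s\t%s\n' "$path" "$sig" "$hash" "$meta" >> "$log"
        dest="$quarantine/$(basename "$path").$hash"
        if mv "$path" "$dest"; then
            chmod 0 "$dest"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo on constructed stand-in files (not the thread's real /tmp/scn contents):
# two files that exist, one that has already disappeared, one clean line.
demo() {
    work=$(mktemp -d)
    printf 'stand-in 1\n' > "$work/brute"
    printf 'stand-in 2\n' > "$work/masscan"
    quarantined=$(printf '%s\n' \
        "$work/brute: Unix.Malware.Agent-6628158-0 FOUND" \
        "$work/masscan: Unix.Malware.Agent-6640864-0 FOUND" \
        "$work/aha.tgz: Unix.Malware.Agent-6754186-0 FOUND" \
        "$work/notes.txt: OK" \
        | quarantine_found "$work/evidence.log" "$work/quarantine")
    echo "quarantined $quarantined file(s); evidence in $work/evidence.log" >&2
    echo "$quarantined"
}

# Usage: clamscan -r /tmp | sh quarantine.sh /var/evidence.log /var/quarantine
#        sh quarantine.sh            (no arguments: runs the constructed demo)
if [ "$#" -eq 2 ]; then
    quarantine_found "$1" "$2"
else
    demo
fi
```

The evidence log is what you will want later when you go back to the old disk read-only to work out how the files got there; the quarantine directory is only a holding area and does not change the advice in the rest of the thread about the system itself.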
 
Yeah, that doesn't surprise me. It was already clear you had malware, even without the scans. Back up your data, and only your data, and wipe the machine. Do a complete reinstall, that's the only way to be sure. And take a really close look at your web application, that's how they got in in the first place.
 
I cannot reinstall the web server. This is a working government web server. How can I clean the server from viruses?
 
Evaluate if you can switch the vulnerable software tool: PHP. E.g. the CMS Plone and its underlying framework (Zope) claim to have a good security record.
 
This is a working government web server.
Take it offline a.s.a.p.!

How can I clean the server from viruses?
By wiping the whole system. Seriously. There's no telling what they modified or changed. Even those rootkit scanners you used didn't find anything even though the machine is clearly infected. Take it offline. Wipe it. Start over. Plug the holes before putting it back online.
 
Install your system on a new harddrive. Back up your files.
Keep the old one to investigate how they got in, only mounted from a live media OS as read-only.
 
Thank you very much, but I cannot reinstall the system until I find the virus itself. FreeBSD and Linux do not have good antivirus software to find this virus. I'm desperate and don't know what to do, because I don't know where the virus is. In this respect, I am beginning to like Windows. Kaspersky and Bitdefender are very good antiviruses. How can I reinstall the system if I don't know where the virus is?
 
Thank you very much, but I cannot reinstall the system until I find the virus itself. FreeBSD and Linux do not have good antivirus software to find this virus. I'm desperate and don't know what to do, because I don't know where the virus is. In this respect, I am beginning to like Windows. Kaspersky and Bitdefender are very good antiviruses. How can I reinstall the system if I don't know where the virus is?
But you gave the list above: /tmp/scn/...? So there seems to be a leak in some software along the stack, which allowed the virus to be written into these files. You have to fix this hole. And seriously consider how to get rid of PHP... it's evil, just like Adobe Flash. My hair rolled backwards when I witnessed the spread of PHP, nowadays that's not possible anymore, but the facts about PHP remain true: it's just badly designed software, mixing application logic & UI appearance. Brrr.
 
The problem is that it is visually impossible to find the leak in some software along the stack, which allowed the virus to be written into these files. Antiviruses are needed here.
 
Get a new harddrive for the OS and important files. Perhaps another harddrive for important files. If data is on its own disk, you can switch between operating systems, while saving that data. Back data up on CD or DVD as well, but optical disks are easily damaged by heat. That's how you start new.

Save the infected harddrive, then you can investigate it offline mounted as read-only, from a disk/USB operating system. They're saying to format the infected harddisk, you can do that too, unless you want to investigate that harddisk.

It's too complex to find everything that virus did, but you can find a lot of what it did.
 
I am sorry.
I need to find the virus itself, rather than what it did or what files are deleted.
 
Not a problem if the virus is in the system files. But if the virus is in the files of the site itself, this is the problem. Inside the server there are about 30 sites, big and small.
 
I need to find the virus itself, rather than what it did or what files are deleted.

You can find the virus and the damage, while that infected harddisk is mounted as read-only, from something like System Rescue CD. Perhaps that OS isn't advanced enough, but you get the idea.

Or you can format that harddisk, and reinstall an operating system.

Either way, you have to install FreeBSD or another operating system from a formatted or new harddrive.

That virus is there to cause problems, and it has to be gotten rid of. Formatting the harddrive is the only way to get rid of it. If you want to investigate that harddrive, get a new harddrive, and save the old one to investigate it as read-only.
 