I have two rather new RH7.3 servers, which I installed without any patches (dumb - had never installed patches before).

A couple of weeks ago both got infected with [different] strains of the Cinik (mod_ssl) worm.

On machine "A" I shut down Apache for about a week, and left "B" running. On 10/5/02 I downloaded and installed RH patches for apache, bind, glibc, openssh, openssl, php and mod_ssl on both machines. I deleted the cinik stuff from /tmp.

Machine "B" has been worm-free since. Cinik reappeared on machine "A" overnight last night -- process running and the usual suspect files back in /tmp.

I happened to look in /var/log/cron (on the subject of cron I am rather clueless) and saw the following suspicious entries in the time frame when I believe the worm reappeared:

Oct 13 05:20:00 archive3 CROND[25572]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:20:00 archive3 CROND[25573]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:30:00 archive3 CROND[25666]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:35:00 archive3 CROND[25670]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)

Any suggestions as to what the log entries mean (i.e. who did what to Apache?), and why cinik has reappeared?

Also, can someone point me towards a resource about cron so that I may become less clueless?

Thanks, Dick
This may answer a few of your questions. It's a tree of the various Slapper worm variations and how each one works. http://isc.incidents.org/analysis.html?id=177 Phil On Sun, 13 Oct 2002, Richard Goodman wrote:
> I have two rather new RH7.3 servers, which I installed without any patches (dumb - had never installed patches before).
> A couple of weeks ago both got infected with [different] strains of the Cinik (mod_ssl) worm.
> On machine "A" I shut down Apache for about a week, and left "B" running. On 10/5/02 I downloaded and installed RH patches for apache, bind, glibc, openssh, openssl, php and mod_ssl on both machines. I deleted the cinik stuff from /tmp.
> Machine "B" has been worm-free since. Cinik reappeared on machine "A" overnight last night -- process running and the usual suspect files back in /tmp.
> I happened to look in /var/log/cron (on the subject of cron I am rather clueless) and saw the following suspicious entries in the time frame when I believe the worm reappeared:
> Oct 13 05:20:00 archive3 CROND[25572]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
> Oct 13 05:20:00 archive3 CROND[25573]: (root) CMD (/usr/lib/sa/sa1 1 1)
> Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
> Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
> Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
> Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
> Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
> Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
> Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
> Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
> Oct 13 05:30:00 archive3 CROND[25666]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
> Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
> Oct 13 05:35:00 archive3 CROND[25670]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
> Any suggestions as to what the log entries mean (i.e. who did what to Apache?), and why cinik has reappeared?
> Also, can someone point me towards a resource about cron so that I may become less clueless?
> Thanks, Dick
> _______________________________________________
> Wlug mailing list
> Wlug@mail.wlug.org
> http://mail.wlug.org/mailman/listinfo/wlug
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault
deneault@wpi.edu
WPI NetOps
InfoSec

"We work in the dark, We do what we can, We give what we have. Our doubt is our passion, and our passion is our task. The rest is the madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-