# A bit worried... (Virus - help!)

## mattjgalloway

Ok I was scanning my Linux box for viruses because my uni network admin said I had a virus (actually I was just port scanning ;) ). But I found Linux.RST.B there, which was a bit worrying...

In /var/tmp/.tmp I have this:

```
drwxr-xr-x     4 distcc  daemon   4096 Nov  1 16:54 .tmp
```

And in there I have:

```
-rw-r--r--  1 distcc daemon 3104716 Oct 16 22:45 ls-lR.gz
-rw-r--r--  1 distcc daemon 3104528 Oct 16 22:46 ls-lR.gz.1
-rwxr--r--  1 distcc daemon  477239 Sep 11 01:36 mremap_pte
-rw-r--r--  1 distcc daemon  901120 Sep  6 12:18 open.tar
-rwxr--r--  1 distcc daemon   15716 Sep 11 01:35 ptrace
drwx------  8 distcc daemon    4096 May 10  2001 standard
drwxr-xr-x  2 distcc daemon    4096 Oct 16 23:09 stuff
```

And one of the files (/var/tmp/.tmp/standard/log/directory.log) has this in it:

```
2004-10-16 22:49:15 root       unknown    default          /+_13_+_#+++++++++++++++++++++++++++++++++++++#
2004-10-16 22:49:15 root       unknown    default          /+_12_+_#++++++++++++++++++++++++++++#
2004-10-16 22:49:16 root       unknown    default          /+_11_+______RespecT_ThE_RuleZ
2004-10-16 22:49:17 root       unknown    default          /+_10_+_#++++++++++++++++++++++++++++#
2004-10-16 22:49:18 root       unknown    default          /+_09_+______MP3Z
2004-10-16 22:49:18 root       unknown    default          /+_08_+______MovieZ
2004-10-16 22:49:19 root       unknown    default          /+_07_+______AppZ
2004-10-16 22:49:20 root       unknown    default          /+_06_+______GameZ
2004-10-16 22:49:21 root       unknown    default          /+_05_+_#++++++++++++++++++++++++++++#
2004-10-16 22:49:21 root       unknown    default          /+_04_+______HaXx0red_by_cozinata_4_F4A
2004-10-16 22:49:22 root       unknown    default          /+_03_+_#++++++++++++++++++++++++++++#
2004-10-16 22:49:23 root       unknown    default          /+_02_+______Scanned_by_Ultra0815_4_F4A
2004-10-16 22:49:23 root       unknown    default          /+_01_+_#+++++++++++++++++++++++++++++++++++++#
```

Should I be worried?!?!!?

Looking through a few of those files I see it's something to do with OpenFTPD. I also noticed that the files are from distcc - is it to do with a vuln in that? I've turned off distcc now though, and I have deleted the file which ClamAV said was infected with Linux.RST.B.

Please respond someone!!!

----------

## Lajasha

Well, unless you are looking to reinstall the OS, I hope for your sake you KNOW you were not cracked. If you are, then the only 100% way to make sure you are not still is to reinstall.

----------

## mattjgalloway

Umm I really don't think I was cracked. It looks like something happened around October 16th, but I've had a firewall running and nothing odd has gone on or anything. I always run under a normal user and su for things like emerging packages, etc. I'm confused as to where this has come from.

Any advice anyone?

Edit: I have been looking on various anti-virus websites and the McAfee site says that as long as you delete the infected file it'll be ok. Also it says it infects all files in /bin and sets their last edited date to the date of infection, but most of the files in /bin say they were created in March, which is when I set Gentoo up. So I really don't think it's done much damage. But does anyone know anything about this virus?!?! Please help!
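The /bin "last edited date" check above can be done systematically with a small script. This is an added example, not code from anyone in the thread; it assumes GNU find and coreutils (`sha256sum`) and takes the cutoff as a `CCYYMMDDhhmm` timestamp:

```shell
#!/bin/sh
# Constructed example: list regular files under a directory whose mtime is
# later than a cutoff, with a SHA-256 of each so the list can be compared
# against a known-good copy of the same binaries.
# Usage: modified_since /bin 200410160000   (cutoff is CCYYMMDDhhmm)
modified_since() {
    dir=$1
    since=$2
    ref=$(mktemp) || return 1
    # POSIX 'touch -t' sets the reference file's mtime to the cutoff;
    # 'find -newer' then matches files with a strictly later mtime.
    touch -t "$since" "$ref"
    # Regular files only, so symlinks and directories are not hashed.
    find "$dir" -type f -newer "$ref" -exec sha256sum {} + 2>/dev/null
    rm -f "$ref"
}

# Count only, handy for a cron job that mails when the number is non-zero.
count_modified_since() {
    modified_since "$1" "$2" | wc -l | tr -d ' '
}
```

An mtime can be reset by whoever modified the file, so a clean result is only evidence, not proof; the hashes are what should be compared against a trusted source such as the package manager's own records (on Gentoo, `qcheck` from portage-utils does that comparison).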

----------

## pjp

Moved from Other Things Gentoo.

----------

## Lajasha

Just did a google on one of the files "mremap_pte" and came up with this: http://www.k-otik.com/exploits/03.01.mremap_pte.c.php

----------

## mattjgalloway

What do you think it means?

Personally I think it's something other than the virus - someone's got in somehow and tried to run those programs:

1. ptrace

2. mremap

3. Linux.RST.B virus

However they wouldn't have had much luck with distcc as the user - root would be needed to do any damage surely?

Looking at that page you sent me:

Vulnerable kernel versions are all <= 2.2.25, <= 2.4.24 and <= 2.6.2

I have used 2.4.25 and upwards, so should (:-S) be ok on that one?

----------

## Lajasha

Well, as far as that exploit, yes, you should be fine, but this would then bring up the question of how did they get there, and if that is there, who is to say that they were not able to load something else and have now hidden it in your system...?

----------

## mattjgalloway

Yeh I agree, although some of the files have been modified recently (16 October), it's only a few.

Mmmm, I might take this as an opportunity to reformat and start again when I get home from uni at Christmas.

Any tips for what I can do to scan my box further? Should I remove all those files in /var/tmp/.tmp? I have run chkrootkit and it displayed some "warnings" in that it found lots of ".keep" files, but it didn't flag up any issues.

I'll be on the lookout from now on and see if anything goes bad, and I'll backup my files!

----------

## yakapiece

I'm almost certain you need a fresh install. Had you just been made a pub it wouldn't be such a big deal, but it looks like a bit more from your folder/file lists.

----------

## mattjgalloway

What's wrong with the folder list? It looks like these files I have in /var/tmp/.tmp are to do with an installation of OpenFTP right?

I'll fresh install some time - I really can't at the moment - is there anything to make my PC safe for now? I have a firewall running... which only has a couple of ports open for me to use.

Edit: Also, what's a pub?

----------

## yakapiece

A pub is a term for a server that is being exploited for public use, as a fileserver (generally only Windows servers fall into this category).

Although, you might have just been used as a private server.

Just watching your firewall until you get a chance to reinstall should be fine.

----------

## mattjgalloway

Cool.

Good stuff.

I'll be on the lookout now - I reckon it happened ages ago when I was a Gentoo n00b. A reinstall should be fun! Slaving away for a good 36 hours will be a good laugh! (Yeh right!) Ah well, I've done it a fair few times on other PCs now.

I'm going to search for the ftpd daemon to see if that is on my PC somewhere.

Thanks for the help guys - if you have any more advice then please post!

----------

## mattjgalloway

How should I go about making sure I never get this again after I reformat?

I installed ClamAV before, but obviously if the virus gets in, then my system could be compromised right away anyway. I have had a firewall pretty much the whole time I've had my system on...

----------

## johnnymac

First... are you using IP tables as your firewall? This is unwise unless you're a firewall guru... you could just use a router and that fixes a lot of people poking at your system. In addition you can also install chkrootkit. This will let you run and check for rootkits which are used by hackers to punch holes into your security. Firewalls are only a deterrent so you may want to think about having a cron setup that keeps your Clam updated and have it run as a service.

```
rc-update add clamd default
```

Good Luck!!

----------

## Lajasha

*johnnymac wrote:*

> First... are you using IP tables as your firewall? This is unwise unless you're a firewall guru... you could just use a router and that fixes a lot of people poking at your system. In addition you can also install chkrootkit. This will let you run and check for rootkits which are used by hackers to punch holes into your security. Firewalls are only a deterrent so you may want to think about having a cron setup that keeps your Clam updated and have it run as a service.
> 
> rc-update add clamd default
> 
> Good Luck!!

Now why would you need to be a firewall guru? Iptables is a straightforward service... You want a port in, well, make a rule for it and drop all other incoming connections.

----------

## mattjgalloway

I use KMyFirewall which obviously uses IPTables - my system is secure as far as I can see - only ports open that I need.

As for clamav... yeh I have it running... but it only runs freshclam which is the updater thing. So what about clamav - all it does is scan, not clean. Any good docs on setting up a good clamav setup? It stays up to date fine, I'm just not sure what it's scanning!?!

----------