IptabLes / IptabLex trojan#

Solved#

Update 03.06.2014: The root cause were security holes in the web framework struts (1,2). So generally I have to admin that even Ubuntu 10 seems to be safe and also all Tomcat 7 versions. I now updated struts to version 2.3.14.3 and have no issues anymore.

Preface#

I am fighting for days with this type of trojan on my virtual server hosted at server4you, which is a Ubuntu 10.04 release with kernel 2.6.18.
Ok, I know it is quite old, but server4you does not offer newer images and a kernel rebuilt is not possible with vServers.
I quit at server4you already, but I am bound to the contract up to Oct 2014.
So the strange suggestions found here do not apply for me.

Diagnosis#

Here are the best commands to analyse it:

ls -laList all files (also hidden ones) properly in a folder
ps -efList all running processes
netstat -panList all network activities
lsofList all open files
lsof -i tcp:<port>List all open files for that port
ss -apList all open sockets

You are infected if you see ".IptabLes" or ".IptabLex" in your processes list.
(And no, it is not the Linux firewall called "iptables", which is built into the kernel of Linux.)
You will also see open connections in your network activities like:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED off (0.00/0/0)
tcp        0      0 62.75.171.160:48497     59.63.167.167:1001      ESTABLISHED off (0.00/0/0)

What I discovered and what I did#

This infection started when I changed my web server from "JBoss 7.01" to "Tomee 1.6 Webprofile", which is a Tomcat 7 inside. I once had the web server shut down for a day and had no more infections. So I suppose it is web server related (well, or web app related, I suspect Struts).

I write more later, but the status now is, that I am still infected, but I have blocked all traffic from that trojan, so that it is ok for now. This is my clean and block script:

#!/bin/sh

# remove malware
rm -f /boot/Ip*
rm -f /boot/.Ip*
rm -f /boot/..Ip*
rm -f /usr/.Ip*
rm -f /tmp/29*
rm -f /.my*
rm -f /etc/rc2.d/S55Ip*
rm -f /etc/rc3.d/S55Ip*
rm -f /etc/rc4.d/S55Ip*
rm -f /etc/rc5.d/S55Ip*
rm -f /var/lib/update-rc.d/IptabLex
rm -f /markus/tomee/bin/getsetup*

# block IPs in firewall
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -s 222.184.0.0/16 -j DROP
iptables -I INPUT -s 222.185.0.0/16 -j DROP
iptables -I INPUT -s 222.186.0.0/16 -j DROP
iptables -I INPUT -s 222.187.0.0/16 -j DROP
iptables -I INPUT -s 222.188.0.0/16 -j DROP
iptables -I INPUT -s 222.189.0.0/16 -j DROP
iptables -I INPUT -s 222.190.0.0/16 -j DROP
iptables -I INPUT -s 222.191.0.0/16 -j DROP
iptables -I INPUT -s 59.0.0.0/8 -j DROP
iptables -I INPUT -s 119.0.0.0/8 -j DROP
iptables -I INPUT -s 162.221.12.0/22 -j DROP
iptables -I INPUT -s 218.0.0.0/8 -j DROP
iptables -I INPUT -s 23.239.192.0/19 -j DROP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 64344 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I OUTPUT -d 222.184.0.0/16 -j DROP
iptables -I OUTPUT -d 222.185.0.0/16 -j DROP
iptables -I OUTPUT -d 222.186.0.0/16 -j DROP
iptables -I OUTPUT -d 222.187.0.0/16 -j DROP
iptables -I OUTPUT -d 222.188.0.0/16 -j DROP
iptables -I OUTPUT -d 222.189.0.0/16 -j DROP
iptables -I OUTPUT -d 222.190.0.0/16 -j DROP
iptables -I OUTPUT -d 222.191.0.0/16 -j DROP
iptables -I OUTPUT -d 59.0.0.0/8 -j DROP
iptables -I OUTPUT -d 119.0.0.0/8 -j DROP
iptables -I OUTPUT -d 162.221.12.0/22 -j DROP
iptables -I OUTPUT -d 218.0.0.0/8 -j DROP
iptables -I OUTPUT -d 23.239.192.0/19 -j DROP
iptables -P OUTPUT ACCEPT
iptables -L -v -n
After running this you need to reboot and are clean until.
(But I get infected after a while again, which I have not solved yet)

IPs Under inspection#

23.239.208.127

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-) was last changed on 03-Jun-2014 21:26 by Administrator