[{ALLOW view All}]
[{ALLOW edit Authenticated}]

!!IptabLes / IptabLex trojan

! Solved
Update 03.06.2014: The root cause was security holes in the web framework Struts ([1|http://www.heise.de/security/meldung/Wichtiges-Sicherheitsupdate-fuer-Apache-Struts-1874093.html],[2|http://www.heise.de/security/meldung/Zero-Day-Luecke-in-Apache-Struts-2-2176605.html]). So generally I have to admit that even Ubuntu 10 seems to be safe, and also all Tomcat 7 versions. I have now updated Struts to version 2.3.14.3 and have no issues anymore.

! Preface
I have been fighting for days with this type of trojan on my virtual server hosted at server4you, which is an Ubuntu 10.04 release with kernel 2.6.18.\\
Ok, I know it is quite old, but server4you does not offer newer images and a kernel rebuild is not possible with vServers.\\
I have already quit server4you, but I am bound to the contract up to Oct 2014.\\
So the strange suggestions found [here|http://askubuntu.com/questions/407457/help-my-server-has-been-hacked-iptables-and-iptablex-in-boot] do not apply to me.

! Diagnosis

Here are the best commands to analyse it:
||Command||What it shows
|ls -la|List all files (also hidden ones) properly in a folder
|ps -ef|List all running processes
|netstat -pan|List all network activities
|lsof|List all open files
|lsof -i tcp:<port>|List all open files for that port
|ss -ap|List all open sockets

You are infected if you see ".IptabLes" or ".IptabLex" in your process list.\\
(And no, it is not the Linux firewall called "iptables", which is built into the Linux kernel.)\\
You will also see open connections in your network activities like:
{{{
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED off (0.00/0/0)
tcp        0      0 62.75.171.160:48497     59.63.167.167:1001      ESTABLISHED off (0.00/0/0)
}}}
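The checks above can be scripted so they are repeatable. The following is an added example, not the wiki author's script: it reads "ps -ef" and "netstat -pan" output from stdin and reports the indicators named on this page (the ".IptabLes"/".IptabLex" process names, established connections to remote port 1001 as in the listing above, and the persistence files under /boot, /usr and /etc/rc?.d). The ps and netstat output embedded below is constructed sample data; on a live host you would feed it the real command output.

```shell
#!/bin/sh
# Added example: scan ps/netstat/filesystem for IptabLes/IptabLex indicators.
# All functions read from stdin or take arguments so they work on live output
# as well as on the constructed samples below.

# Constructed sample of "ps -ef" output: two trojan processes plus normal ones.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May20 ?        00:00:01 /sbin/init
root      1234     1  0 May20 ?        00:00:00 /boot/.IptabLes
root      1250     1  0 May20 ?        00:00:00 /boot/.IptabLex
tomcat    2001     1  0 May20 ?        00:05:12 /usr/bin/java -jar tomee.jar'

# Constructed sample of "netstat -pan" output, shaped like the listing on this page.
SAMPLE_NET='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2001/java
tcp        0      0 62.75.171.160:41792     59.63.167.168:1001      ESTABLISHED 1234/.IptabLes
tcp        0      0 62.75.171.160:48497     59.63.167.167:1001      ESTABLISHED 1250/.IptabLex'

# Print the PIDs of processes whose command (field 8 of "ps -ef") ends in
# .IptabLes or .IptabLex.  Reads "ps -ef" output from stdin.
trojan_pids() {
    awk '$8 ~ /\.IptabLe[sx]$/ { print $2 }'
}

# Print "local remote" for ESTABLISHED TCP connections whose remote port is
# 1001, the port seen in the netstat listing above.  Reads "netstat -pan"
# output from stdin.
c2_connections() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:1001$/ { print $4, $5 }'
}

# Print every existing file matching the given glob patterns, e.g.
# '/boot/.IptabLe*' '/usr/.IptabLe*' '/etc/rc?.d/S55IptabLe*'.
persistence_files() {
    for pattern in "$@"; do
        for f in $pattern; do        # unquoted on purpose: expand the glob
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Combine the process and network checks; prints "infected" or "clean".
# Arguments: the text of "ps -ef" and of "netstat -pan".
infection_status() {
    pids=$(printf '%s\n' "$1" | trojan_pids)
    conns=$(printf '%s\n' "$2" | c2_connections)
    if [ -n "$pids" ] || [ -n "$conns" ]; then
        echo infected
    else
        echo clean
    fi
}

# Demonstration on the constructed samples.  On a live host call
#   infection_status "$(ps -ef)" "$(netstat -pan)"
echo "status: $(infection_status "$SAMPLE_PS" "$SAMPLE_NET")"
printf '%s\n' "$SAMPLE_PS" | trojan_pids | sed 's/^/trojan pid: /'
printf '%s\n' "$SAMPLE_NET" | c2_connections | sed 's/^/c2 connection: /'
persistence_files '/boot/.IptabLe*' '/usr/.IptabLe*' '/etc/rc?.d/S55IptabLe*' | sed 's/^/persistence file: /'
```

The process-name and port checks are only as good as the indicators on this page; a sample that renames its binary or changes its controller port would need the patterns adjusted, which is why the patterns sit in one place at the top of each function.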

! What I discovered and what I did

This infection started when I changed my web server from "JBoss 7.01" to "Tomee 1.6 Webprofile", which has a Tomcat 7 inside.
I once had the web server shut down for a day and had no more infections. So I suppose it is web server related (well, or web app related; I suspect Struts).

I will write more later, but the status now is that I am still infected; I have blocked all traffic from that trojan, so it is OK for now.
This is my clean and block script:
{{{
#!/bin/sh

# remove malware binaries, their startup links (SysV rc?.d) and the dropper
# (the already running process only disappears with the reboot mentioned below)
rm -f /boot/Ip*
rm -f /boot/.Ip*
rm -f /boot/..Ip*
rm -f /usr/.Ip*
rm -f /tmp/29*
rm -f /.my*
rm -f /etc/rc2.d/S55Ip*
rm -f /etc/rc3.d/S55Ip*
rm -f /etc/rc4.d/S55Ip*
rm -f /etc/rc5.d/S55Ip*
rm -f /var/lib/update-rc.d/IptabLex
rm -f /markus/tomee/bin/getsetup*

# block IPs in firewall
# keep the INPUT policy at ACCEPT while flushing, so the admin session is not cut off
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -I inserts at the top of the chain, so these drops are checked before the two rules above
iptables -I INPUT -s 222.184.0.0/16 -j DROP
iptables -I INPUT -s 222.185.0.0/16 -j DROP
iptables -I INPUT -s 222.186.0.0/16 -j DROP
iptables -I INPUT -s 222.187.0.0/16 -j DROP
iptables -I INPUT -s 222.188.0.0/16 -j DROP
iptables -I INPUT -s 222.189.0.0/16 -j DROP
iptables -I INPUT -s 222.190.0.0/16 -j DROP
iptables -I INPUT -s 222.191.0.0/16 -j DROP
iptables -I INPUT -s 59.0.0.0/8 -j DROP
iptables -I INPUT -s 119.0.0.0/8 -j DROP
iptables -I INPUT -s 162.221.12.0/22 -j DROP
iptables -I INPUT -s 218.0.0.0/8 -j DROP
iptables -I INPUT -s 23.239.192.0/19 -j DROP
# service ports that must stay reachable; everything else is dropped by the policy set below
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 64344 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# outbound: only traffic to the listed ranges is dropped, the rest stays allowed
iptables -I OUTPUT -d 222.184.0.0/16 -j DROP
iptables -I OUTPUT -d 222.185.0.0/16 -j DROP
iptables -I OUTPUT -d 222.186.0.0/16 -j DROP
iptables -I OUTPUT -d 222.187.0.0/16 -j DROP
iptables -I OUTPUT -d 222.188.0.0/16 -j DROP
iptables -I OUTPUT -d 222.189.0.0/16 -j DROP
iptables -I OUTPUT -d 222.190.0.0/16 -j DROP
iptables -I OUTPUT -d 222.191.0.0/16 -j DROP
iptables -I OUTPUT -d 59.0.0.0/8 -j DROP
iptables -I OUTPUT -d 119.0.0.0/8 -j DROP
iptables -I OUTPUT -d 162.221.12.0/22 -j DROP
iptables -I OUTPUT -d 218.0.0.0/8 -j DROP
iptables -I OUTPUT -d 23.239.192.0/19 -j DROP
iptables -P OUTPUT ACCEPT
# show the resulting rule set
iptables -L -v -n
}}}
After running this you need to reboot and are clean until.\\
(But I get infected after a while again, which I have not solved yet)
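The firewall half of the script above is a long list of near-identical lines, and netfilter rules live only in kernel memory, so they are gone after the reboot the script requires unless the script is run again (or the rules are saved with iptables-save). The following is an added example, not the wiki author's script: it builds the same rule set from a list of ranges, keeps the effective order of the page's INPUT chain (drops first, then loopback and established traffic, then the service ports, then the DROP policy), and has a dry-run mode that prints the iptables commands so the rule set can be reviewed before it is applied or re-applied from an init script. The ranges and ports are the ones from the script on this page. As the update at the top of the page shows, blocking source ranges only contains the trojan; the actual fix was patching Struts.

```shell
#!/bin/sh
# Added example: the page's block-and-allow policy built from a list,
# with a dry-run mode.  Run with "apply" (as root) to execute; anything
# else only prints the commands.

# Ranges blocked by the script on this page, one per line.
BLOCKED_NETS='222.184.0.0/16
222.185.0.0/16
222.186.0.0/16
222.187.0.0/16
222.188.0.0/16
222.189.0.0/16
222.190.0.0/16
222.191.0.0/16
59.0.0.0/8
119.0.0.0/8
162.221.12.0/22
218.0.0.0/8
23.239.192.0/19'

# TCP service ports the page keeps reachable.
ALLOWED_TCP_PORTS='21 64344 80 81'

# Print the command when DRY_RUN=1, otherwise run it.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the whole rule set in an order that never locks the operator out:
# policy stays ACCEPT while flushing, drops go in first (matching the
# effect of the page's "-I" inserts), then loopback and established
# traffic, then the service ports, and only then the DROP policy.
apply_rules() {
    ipt -P INPUT ACCEPT
    ipt -F
    for net in $BLOCKED_NETS; do
        ipt -A INPUT -s "$net" -j DROP
        ipt -A OUTPUT -d "$net" -j DROP
    done
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOWED_TCP_PORTS; do
        ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -L -v -n
}

# Standalone use: "sh block.sh apply" executes, anything else is a dry run.
if [ "${1:-}" = apply ]; then DRY_RUN=0; else DRY_RUN=1; fi
apply_rules
```

To survive a reboot on the Ubuntu 10.04 host described here, the same file can be called from an rc script or, after a dry run has been checked, its result saved with iptables-save and restored at boot.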

! IPs under inspection

{{{
23.239.208.127
}}}