#83 Failed to detect 'Opyum Team' attack

Status: closed-fixed
Category: Detection
Priority: 5
Updated: 2011-11-10
Created: 2011-10-24
Creator: Anonymous
Private: No

I guess I didn't run rkhunter with the server running. I became aware of the attack because outbound ssh kept dying and chkrootkit warned me /bin/f had eth0 opened in promiscuous mode.

Running strings on /bin/f, I found out it also has /bin/i as part of its attack. It looks like neither binary has been stripped, so maybe gdb can be attached or the programs cleanly decompiled and the functionality figured out. I've left that partition untouched since I shut it down, but obviously I no longer boot to it. /bin/i appears to contain a dictionary file for attempting to attack other servers. /bin/f appears to create some text files full of data and perform some operation on them (upload them?):
/bin/cp /usr/sbin/t.txt unsort.txt && sort -u unsort.txt > /usr/sbin/t.txt && /bin/rm unsort.txt

The only referenced file on my system other than /bin/i I found was /usr/sbin/t.txt, and that was 0-bytes.

debsums -a showed my /etc/crontab had been modified, and I found where the script was executing from:
* * * * * root f Opyum Team

I have the two files, but they're too big to attach. I assume you would need copies to be able to detect them in the future, so let me know where to upload or send them. /bin/i is 865K, and /bin/f is 2.4M.

Discussion


    Anonymous - 2011-10-24

    Searching around, I found others suffering the same attack:
    https://www.linuxquestions.org/questions/linux-security-4/server-hacked-by-opyum-874288/#post4321449

    My sha1sums don't match that user, but that's not surprising. I also found:
    /usr/sbin/change.jpg, but strings offered nothing
    /usr/sbin/change.jpg.1 through /usr/sbin/change.3239 exist, some of which show "rm -rf /usr/sbin/chang*" in strings
    /usr/bin/chattr has been renamed to /usr/bin/ses

    I do not have any s or s.jpg binary.

    It seems support for this was added in version 1.396. I'm running 1.3.6-5 from Ubuntu 11.04. Running the latest code from CVS results in a "Possible rootkit" and detects "Opyum kit component", so I suppose my issue is invalid.
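The indicators described in the original report (eth0 in promiscuous mode, the modified /etc/crontab line, /bin/f, /bin/i, /usr/sbin/t.txt) and in the comment above (/usr/sbin/change.jpg*, chattr renamed to /usr/bin/ses) can be turned into a small triage script. This is an added example, not rkhunter's own checks and not code from the reporter: the crontab regex, the path list and the two sample inputs are assumptions drawn from this ticket, and the samples are constructed rather than captured from the affected host.

```shell
#!/bin/sh
# Triage checks for the indicators named in this ticket (added example, not rkhunter code).
# Each check reads its input from stdin or an argument so it can be run against a
# mounted offline image as well as a live host.

# Root crontab entries running a bare one-letter command (the ticket shows
# "* * * * * root f Opyum Team") or mentioning Opyum. Prints matching lines.
suspicious_cron() {
    grep -E '^[[:space:]]*([^[:space:]]+[[:space:]]+){5}root[[:space:]]+([a-z]([[:space:]]|$)|.*Opyum)'
}

# Interfaces flagged PROMISC in "ip -o link show" output (the chkrootkit eth0 warning).
promisc_ifaces() {
    awk -F': ' '$3 ~ /^<([^>]*,)?PROMISC[,>]/ { sub(/@.*/, "", $2); print $2 }'
}

# Paths reported in this ticket and its follow-up comment (assumed list); $1 is the
# filesystem root to inspect ("/" on a live host). Prints each path found; returns 0 if any.
opyum_paths_present() {
    root=${1%/}
    found=1
    for p in "$root/bin/f" "$root/bin/i" "$root/usr/sbin/t.txt" \
             "$root/usr/bin/ses" "$root"/usr/sbin/change*; do
        [ -e "$p" ] && { printf '%s\n' "$p"; found=0; }
    done
    return "$found"
}

# Constructed samples (not captured from the reporter's host) for an offline run.
SAMPLE_CRONTAB='SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root f Opyum Team'
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron   # prints the "Opyum Team" line
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces    # prints eth0
# On a live host: ip -o link show | promisc_ifaces; suspicious_cron < /etc/crontab;
# opyum_paths_present /
```

Run the path check against an offline mount of the affected partition rather than the booted system, as the reporter did, so the binaries cannot interfere with the inspection.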

  • John Horne - 2011-11-10
    • assigned_to: nobody --> jhorne
    • status: open --> closed-fixed

  • John Horne - 2011-11-10

    Yes, as you have found, components of this rootkit have already been added to the RKH CVS code.
