GootKit

hwijaya
Forum User
Posts: 7
Joined: Wed Mar 07, 2012 7:53 pm
Location: Singapore

Re: GootKit

Unread post by hwijaya »

Here's my script

/root/removepl.php
<?php
// Loop forever: once a second, move everything in every vhost's cgi-bin
// into the quarantine folder so a dropped GootKit script cannot keep running.
while (true)
{
    sleep(1);
    system("/bin/mv /var/www/vhosts/*/cgi-bin/* /root/compromisedfolder/");
}
?>

call it :
php-cli /root/removepl.php &

it will keep running

The tmp files created will only be there if the GootKit successfully runs; otherwise it will be clean.

Cheers.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: GootKit

Unread post by KrazyBob »

What about legitimate files? We still have many customers with shopping carts that use Perl.
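A quarantine loop in the spirit of hwijaya's script, written here as an added example rather than code from the thread: it keeps the vhost name instead of flattening everything into one folder, records each move in a manifest so a file can be audited or restored, and skips files whose SHA-256 is on an admin-maintained allowlist, which is one way to keep KrazyBob's legitimate Perl carts in place. It assumes the Plesk layout /var/www/vhosts/<vhost>/cgi-bin/ and a quarantine directory of your choosing; demo() builds a constructed sample tree in a temp directory.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def quarantine_cgi(vhosts_root, quarantine_dir, known_good):
    """Move regular files under <vhosts_root>/*/cgi-bin/ whose SHA-256 is not
    in known_good to <quarantine_dir>/<vhost>/ and log each move to a
    JSON-lines manifest. Returns the original paths that were moved."""
    vhosts_root, quarantine_dir = Path(vhosts_root), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    manifest = quarantine_dir / "manifest.jsonl"
    moved = []
    for cgi_file in sorted(vhosts_root.glob("*/cgi-bin/*")):
        # Symlinks are left for manual review (never hash or move the target).
        if cgi_file.is_symlink() or not cgi_file.is_file():
            continue
        digest = sha256_of(cgi_file)
        if digest in known_good:
            continue  # allowlisted, e.g. a customer's Perl shopping cart
        vhost = cgi_file.parent.parent.name
        dest_dir = quarantine_dir / vhost
        dest_dir.mkdir(exist_ok=True)
        dest = dest_dir / cgi_file.name
        if dest.exists():  # keep earlier quarantined copies with the same name
            dest = dest_dir / f"{cgi_file.name}.{digest[:12]}"
        shutil.move(str(cgi_file), str(dest))
        entry = {"time": time.time(), "vhost": vhost, "original": str(cgi_file),
                 "quarantined": str(dest), "sha256": digest}
        with manifest.open("a") as m:
            m.write(json.dumps(entry) + "\n")
        moved.append(str(cgi_file))
    return moved

def demo():
    """Constructed sample tree: one allowlisted cart.pl and two unknown x.pl."""
    base = Path(tempfile.mkdtemp())
    for vhost in ("shop.example", "other.example"):
        (base / "vhosts" / vhost / "cgi-bin").mkdir(parents=True)
        (base / "vhosts" / vhost / "cgi-bin" / "x.pl").write_text(f"# unknown {vhost}\n")
    cart = base / "vhosts" / "shop.example" / "cgi-bin" / "cart.pl"
    cart.write_text("#!/usr/bin/perl\nprint 'cart';\n")
    moved = quarantine_cgi(base / "vhosts", base / "quarantine", {sha256_of(cart)})
    entries = (base / "quarantine" / "manifest.jsonl").read_text().splitlines()
    return sorted(Path(p).parent.parent.name for p in moved), len(entries), cart.exists()

if __name__ == "__main__":
    print(demo())
```

To run it the way the original script is run, wrap quarantine_cgi() in a sleep loop and populate known_good from the hashes of the scripts you have verified.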
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: GootKit

Unread post by scott »

If you're using the dazuko module in ASL, just set it up to monitor /var/www/vhosts. This would intercept the gootkit malware regardless of how it was added to the system and will block it and only it. So legitimate files will continue to work, but this kit won't even be able to run (or be saved to the file system if they try to reinstall it).
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: GootKit

Unread post by mikeshinn »

Please see this url to turn on the dazuko module in ASL:

https://www.atomicorp.com/wiki/index.php/Anti_virus
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: GootKit

Unread post by KrazyBob »

Now I am getting a service with apache that won't start. I have looked and nothing is bound to the port.

-bash-3.00# /usr/local/psa/admin/sbin/websrvmng -a -v
[Sun Mar 11 16:56:38 2012] [warn] module jk_module is already loaded, skipping
websrvmng: Service /etc/init.d/httpd failed to gracefully restart
websrvmng: Service /etc/init.d/httpd failed to gracefully restart

Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start

0: /usr/local/psa/admin/plib/common_func.php3:158
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: GootKit

Unread post by mikeshinn »

Any errors in your apache or server logs?
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: GootKit

Unread post by KrazyBob »

Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: GootKit

Unread post by KrazyBob »

I resolved this by turning off the web site. I'll check further but it is one site that was compromised.