Re: GootKit

Posted: Sat Mar 10, 2012 1:46 am
by hwijaya
Here's my script

/root/removepl.php
<?php
// Loop forever: once a second, move everything found in any vhost's cgi-bin
// into the holding folder (the destination folder must already exist).
while (true)
{
    sleep(1);
    system("/bin/mv /var/www/vhosts/*/cgi-bin/* /root/compromisedfolder/");
}
?>

Call it:
php-cli /root/removepl.php &

It will keep running.

The tmp files created will only be there if the GootKit successfully runs; otherwise it will be clean.

Cheers.

Re: GootKit

Posted: Sat Mar 10, 2012 2:27 am
by KrazyBob
What about legitimate files? We still have many customers with shopping carts that use perl.
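The same sweep as hwijaya's script, but with the allowlist that KrazyBob's question calls for: only cgi-bin files that are not on a per-server list of known scripts get moved, so a customer's Perl shopping cart stays in place while anything unexpected is quarantined and logged. This is an added example, not code from the thread. The vhosts root, quarantine folder and allowlist path are placeholders passed as arguments, and the allowlist format (one permitted script basename per line) is an assumption of this example.

```shell
#!/bin/sh
# Allowlist-based quarantine sweep for per-vhost cgi-bin directories.
# Added example, not from the thread. Arguments are placeholders:
#   $1 vhosts root  - directory holding one subdirectory per virtual host
#   $2 quarantine   - where unexpected cgi-bin files are moved to
#   $3 allowlist    - file with one permitted script basename per line (assumed format)
# Prints the number of files moved; each move is appended to quarantine.log.

quarantine_cgi() {
    vhosts_root=$1
    quarantine=$2
    allowlist=$3
    moved=0
    for f in "$vhosts_root"/*/cgi-bin/*; do
        [ -f "$f" ] || continue              # skip directories and unmatched globs
        name=$(basename "$f")
        # exact, whole-line match against the allowlist keeps known scripts in place
        if grep -qxF "$name" "$allowlist" 2>/dev/null; then
            continue
        fi
        vhost=$(basename "$(dirname "$(dirname "$f")")")
        mkdir -p "$quarantine/$vhost"
        mv "$f" "$quarantine/$vhost/$name"
        printf '%s quarantined %s/cgi-bin/%s\n' "$(date +%FT%T)" "$vhost" "$name" \
            >> "$quarantine/quarantine.log"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# One pass per invocation; schedule it from cron or wrap it in a sleep loop.
# Usage with the thread's paths (commented out so sourcing the file is harmless):
# quarantine_cgi /var/www/vhosts /root/compromisedfolder /root/cgi-allowlist.txt
```

The quarantine keeps one subfolder per vhost so a file can be traced back to the site it came from, and the log line records what was moved and when. Filenames alone are a weak check (an attacker can reuse an allowed name), so treat the allowlist as a way to avoid breaking legitimate carts, not as proof a file is clean.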

Re: GootKit

Posted: Sat Mar 10, 2012 10:16 am
by scott
If you're using the dazuko module in ASL, just set it up to monitor /var/www/vhosts. This would intercept the gootkit malware regardless of how it was added to the system and will block it and only it. So legitimate files will continue to work, but this kit won't even be able to run (or be saved to the file system if they try to reinstall it).

Re: GootKit

Posted: Sat Mar 10, 2012 10:25 pm
by mikeshinn
Please see this url to turn on the dazuko module in ASL:

https://www.atomicorp.com/wiki/index.php/Anti_virus

Re: GootKit

Posted: Sun Mar 11, 2012 7:58 pm
by KrazyBob
Now I am getting a service with apache that won't start. I have looked and nothing is bound to the port.

-bash-3.00# /usr/local/psa/admin/sbin/websrvmng -a -v
[Sun Mar 11 16:56:38 2012] [warn] module jk_module is already loaded, skipping
websrvmng: Service /etc/init.d/httpd failed to gracefully restart
websrvmng: Service /etc/init.d/httpd failed to gracefully restart

Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start

0: /usr/local/psa/admin/plib/common_func.php3:158
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28

Re: GootKit

Posted: Sun Mar 11, 2012 8:40 pm
by mikeshinn
Any errors in your apache or server logs?

Re: GootKit

Posted: Sun Mar 11, 2012 9:13 pm
by KrazyBob

Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Unable to open logs

Re: GootKit

Posted: Sun Mar 11, 2012 9:23 pm
by KrazyBob
I resolved this by turning off the web site. I'll check further but it is one site that was compromised.
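A pre-restart check for the failure shown in the log above (httpd refusing to start because an error_log's directory no longer exists), as an added example that is not from the thread: it pulls the ErrorLog and CustomLog directives out of a config file and reports every target whose parent directory is missing, so a cleanup that removed a site's log folder is noticed before the restart fails rather than after. The config path is an argument; targets that are piped loggers or syslog are skipped because they have no directory to check. Quoted paths containing spaces are not handled.

```shell
#!/bin/sh
# Report ErrorLog/CustomLog targets whose directory does not exist.
# Added example, not from the thread. $1 is the path of an Apache config
# file (or an Include fragment) to scan; prints one line per missing
# directory, and prints nothing when every log directory is present.

check_log_dirs() {
    conf=$1
    # second field of every ErrorLog / CustomLog line is the log target
    grep -Ei '^[[:space:]]*(ErrorLog|CustomLog)[[:space:]]' "$conf" \
    | awk '{print $2}' | tr -d '"' \
    | while IFS= read -r target; do
        case "$target" in
            \|*|syslog*) continue ;;      # piped loggers and syslog: no directory
        esac
        dir=$(dirname "$target")
        [ -d "$dir" ] || printf 'missing log dir: %s (for %s)\n' "$dir" "$target"
    done
}

# Usage (commented out so sourcing the file is harmless):
# check_log_dirs /etc/httpd/conf/httpd.conf
```

Run it over the main httpd.conf and over each per-vhost include before calling the control panel's restart; an empty result means the "could not open error log file" failure above cannot come from a missing directory, and a non-empty one names the site to recreate the folder for (or disable, as was done here) before restarting.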