Here's my script, /root/removepl.php:
<?php
// Poll once a second and sweep whatever appears in any vhost's cgi-bin
// into the holding folder. The destination must exist, so create it first.
if (!is_dir('/root/compromisedfolder')) {
    mkdir('/root/compromisedfolder', 0700, true);
}
while (true) {
    sleep(1);
    // system() runs through /bin/sh, which is what expands the globs;
    // mv complains when a cgi-bin is empty, which is harmless here.
    system('/bin/mv /var/www/vhosts/*/cgi-bin/* /root/compromisedfolder/ 2>/dev/null');
}
Call it with:
php-cli /root/removepl.php &
It will keep running.
The tmp files created will only be there if GootKit successfully runs; otherwise it will be clean.
Cheers.
GootKit
Re: GootKit
What about legitimate files? We still have many customers with shopping carts that use perl.
- Atomicorp Staff - Site Admin
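The script above sweeps every file out of every cgi-bin, which is exactly the "legitimate files" problem raised in the reply. Here is an added example, not code from the thread or from Atomicorp, of the safer shape for the same idea: baseline the cgi-bin directories while they are known clean, then quarantine only files that are new or whose hash changed, keeping their original path so a customer's Perl cart can be restored. Paths and the sample tree are constructed for the demo.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def cgi_bin_files(vhosts_root: Path):
    # Same scope as the thread's glob: every file under <vhost>/cgi-bin/.
    for cgi_dir in sorted(vhosts_root.glob("*/cgi-bin")):
        yield from (p for p in sorted(cgi_dir.rglob("*")) if p.is_file())

def build_baseline(vhosts_root: Path) -> dict:
    # Taken while cgi-bin is known clean: relative path -> sha256.
    return {str(p.relative_to(vhosts_root)): sha256_of(p) for p in cgi_bin_files(vhosts_root)}

def quarantine_unknown(vhosts_root: Path, baseline: dict, quarantine_dir: Path) -> list:
    """Move files that are absent from, or differ from, the baseline; log each move."""
    moved = []
    for p in cgi_bin_files(vhosts_root):
        rel = str(p.relative_to(vhosts_root))
        if baseline.get(rel) == sha256_of(p):
            continue  # unchanged since baselining: leave the customer's CGI alone
        dest = quarantine_dir / rel  # keep the vhost/cgi-bin path for later restore
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(dest))
        moved.append({"original": str(p), "quarantined": str(dest), "time": time.time()})
    if moved:
        with (quarantine_dir / "manifest.jsonl").open("a") as f:
            f.writelines(json.dumps(m) + "\n" for m in moved)
    return moved

def demo() -> dict:
    # Constructed sample tree (not a real server): one vhost with a legitimate
    # cart.pl, then a file that shows up in cgi-bin after the baseline was taken.
    root = Path(tempfile.mkdtemp())
    vhosts, quarantine = root / "vhosts", root / "quarantine"
    cgi = vhosts / "example-shop.test" / "cgi-bin"
    cgi.mkdir(parents=True)
    (cgi / "cart.pl").write_text("#!/usr/bin/perl\nprint 'legit cart';\n")
    baseline = build_baseline(vhosts)
    (cgi / "dropped.pl").write_text("# constructed stand-in for a file added after baselining\n")
    moved = quarantine_unknown(vhosts, baseline, quarantine)
    return {"moved": [m["original"] for m in moved],
            "cart_still_present": (cgi / "cart.pl").exists(),
            "dropped_quarantined": (quarantine / "example-shop.test/cgi-bin/dropped.pl").exists()}
```

Run it from cron or a loop against the real vhosts root with a baseline stored outside the web tree; a changed hash on a file that was in the baseline is also quarantined, since a modified legitimate CGI is as suspect as a new one.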
Re: GootKit
If you're using the dazuko module in ASL, just set it up to monitor /var/www/vhosts. This would intercept the GootKit malware regardless of how it was added to the system and will block it and only it. So legitimate files will continue to work, but this kit won't even be able to run (or be saved to the file system if they try to reinstall it).
- mikeshinn
- Atomicorp Staff - Site Admin
Re: GootKit
Please see this URL to turn on the dazuko module in ASL:
https://www.atomicorp.com/wiki/index.php/Anti_virus
Michael Shinn
Atomicorp - Security For Everyone
Re: GootKit
Now I am getting a service with Apache that won't start. I have looked and nothing is bound to the port.
-bash-3.00# /usr/local/psa/admin/sbin/websrvmng -a -v
[Sun Mar 11 16:56:38 2012] [warn] module jk_module is already loaded, skipping
websrvmng: Service /etc/init.d/httpd failed to gracefully restart
websrvmng: Service /etc/init.d/httpd failed to gracefully restart
Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start
0: /usr/local/psa/admin/plib/common_func.php3:158
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to start')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28
- mikeshinn
- Atomicorp Staff - Site Admin
Re: GootKit
Any errors in your Apache or server logs?
Michael Shinn
Atomicorp - Security For Everyone
Re: GootKit
Unable to open logs
(2)No such file or directory: httpd: could not open error log file /var/www/vhosts/hyperactuel.org/statistics/logs/error_log.
Re: GootKit
I resolved this by turning off the web site. I'll check further, but it is one site that was compromised.