Security Basics mailing list archives

Trojan found on Linux server


From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Mon, 02 Jan 2006 16:31:12 -0500

After having a customer report that he had large amounts of outbound traffic from one of his Linux servers, I began to investigate and found a trojan.

The trojan had created a crontab for the "nobody" user (Apache was running as nobody and, while I did not take the time to verify, I believe that Apache was probably the way the intruder got in) which, at 24 minutes after the hour, would write itself out to /tmp/ummtodkhk and then execute itself.

The /tmp/ummtodkhk file was packed with UPX. It has been unpacked and made available at http://www.jeremygaddis.com/files/ummtodkhk. It was submitted to VirusTotal, but nothing identified it as anything known.

The results of `crontab -l -u nobody >> nobody.cron` are available at http://www.jeremygaddis.com/files/nobody.cron.

-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
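A defender-side triage script for the persistence pattern the post describes (a cron job under the web server's service account that stages a binary in /tmp at a fixed minute and runs it). This is an added example, not code from the post; the sample crontab is constructed, and the UPX marker check is only a heuristic.

```python
import re
import subprocess

# Constructed sample crontab modelled on the entry the post describes (a job at
# 24 minutes past each hour that drops a binary into /tmp and runs it). It is
# not the nobody.cron file the post links to.
SAMPLE_CRON = """\
# m h dom mon dow command
24 * * * * echo '<payload omitted>' > /tmp/ummtodkhk; chmod +x /tmp/ummtodkhk; /tmp/ummtodkhk
0 3 * * * /usr/bin/updatedb
"""

# Directories any local user can write to; a scheduled job that stages or runs
# a binary from one of them is worth a look, especially under a service account.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# schedule = either an @keyword or five whitespace-separated fields, then the command
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")


def suspicious_cron_entries(crontab_text):
    """Return (schedule, command, reasons) for each entry touching a world-writable dir."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        reasons = []
        for d in WORLD_WRITABLE:
            # a path in that dir at the start of the command or after ; & |
            if re.search(r"(?:^|[;&|])\s*" + re.escape(d) + r"\S+", command):
                reasons.append("executes from " + d)
            # shell redirection into that dir: the job writes out its own payload
            if re.search(r">\s*" + re.escape(d), command):
                reasons.append("writes to " + d)
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


def is_upx_packed(data):
    """Heuristic: UPX leaves a 'UPX!' marker near the start and end of a packed file."""
    return b"UPX!" in data[:4096] or b"UPX!" in data[-4096:]


def scan_user_crontab(user):
    """Run the same command the post used (needs root) and triage its output."""
    out = subprocess.run(["crontab", "-l", "-u", user], capture_output=True, text=True)
    return suspicious_cron_entries(out.stdout)
```

Running `scan_user_crontab("nobody")` on a box with the entry above returns the flagged line, and `is_upx_packed(open("/tmp/ummtodkhk", "rb").read())` tells you whether the dropped file still needs unpacking before analysis.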

