Security Incidents mailing list archives

Re: Ramen


From: Brian Taylor <drak3 () ATL MEDIAONE NET>
Date: Mon, 22 Jan 2001 13:11:17 -0800

Matt, generally (well, actually 99.999% of the time), the rule is to totally
reformat whenever there has been a root level compromise.  Go to your old
backups, restore from there.  Have a stiff drink, for that box is history.

But for future reference, check the file attributes.  No, I'm not referring
to the regular rwx using chmod.  I'm referring to the attributes you can set
using chattr.  More than likely the intruders have modified those files by
changing the security attributes using -a and/or -i flags (Append only and
Immutable).  Ext2 is really a great filesystem for allowing you to set those
types of attributes, unless, of course they're set against you!  :-)  These
can be used for some light file protection as well (as it seems to be used
against you currently).  An excellent paper on Ext2 attributes can be found
on securityfocus.com ( http://www.securityfocus.com/announcements/230 ) or
else just 'man chattr'. You can use 'lsattr' to list the file attributes.

But I wouldn't spend any more time on that box.  It's rooted.  Restore from
backups.  Take a look at Bastille and Tripwire for the future!

Good luck and best regards,

Brian Taylor
Level 2 Security Analyst
SecureWorks/IMSC
www.secureworks.net
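The check Brian describes, as an added example that is not part of the original thread: the script below reads lsattr output, picks out every file whose ext2 attribute field carries the immutable (i) or append-only (a) flag, and prints the chattr commands that would clear them. So that it runs offline on any filesystem, it works from a constructed lsattr listing standing in for Matt's box rather than calling lsattr itself; on a real host you would pipe in 'lsattr -d /etc/hosts.*' or 'lsattr -R /etc'. The path names and flag strings in the sample are invented for illustration. Clearing the flags needs root (CAP_LINUX_IMMUTABLE on Linux), and Brian's point stands: on a rooted box this tells you what was done to the files, it does not make the host trustworthy again.

```shell
#!/bin/sh
# Added example, not from the original thread: find files whose ext2
# attributes (not their rwx mode bits) are set to immutable (i) or
# append-only (a), and print the chattr commands that clear them.
# Input is lsattr output, one "flags path" pair per line; paths with
# spaces are not handled, which is fine for /etc.

# Print "path flags" for every line whose flag field contains i or a.
# awk regexes are case-sensitive, so 'A' (no atime) is not taken for 'a'.
find_locked() {
    awk '$1 ~ /[ia]/ { print $2, $1 }'
}

# Turn "path flags" lines into the chattr invocations that undo the lock.
# -i is emitted before -a: an immutable file rejects every other change,
# so the append-only flag cannot be cleared until immutable is gone.
unlock_cmds() {
    while read -r path flags; do
        case $flags in
            *i*) printf 'chattr -i %s\n' "$path" ;;
        esac
        case $flags in
            *a*) printf 'chattr -a %s\n' "$path" ;;
        esac
    done
}

# Constructed lsattr listing standing in for the poster's Red Hat 6.2 box
# (hosts.allow immutable, hosts.deny immutable and append-only, one file
# with only the unrelated A flag, one file with no attributes at all).
SAMPLE_LSATTR='----i-------- /etc/hosts.allow
----ia------- /etc/hosts.deny
-------A----- /etc/hosts
------------- /etc/inetd.conf'

# Named wrappers so the pipeline can be called (and checked) as a unit.
locked_in_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_locked
}

unlock_sample() {
    locked_in_sample | unlock_cmds
}

# Stand-alone run: show the commands rather than executing them, so the
# operator decides what to touch on a box that is being rebuilt anyway.
unlock_sample
```

Run as root on the suspect host, replacing the sample with 'lsattr -R /etc | find_locked' and piping the result through 'sh' only after reading it; the same flags are what you set deliberately on your own copies of hosts.allow and hosts.deny if you want the light protection Brian mentions.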




I was wondering if you can help me (...please :)).  One of our RedHat 6.2
servers was hit this morning with Ramen.  I've cleaned it out using the
documented procedure but there's still a lingering problem which seems
related.  The hosts.allow and hosts.deny files on the server have been
completely locked and cannot be changed, removed, chmoded even with
superuser access.  This doesn't seem documented anywhere but I can't think
of any other cause (this problem did not occur before the infection).

Any help or advice you can give would be (very) greatly appreciated.

Thanks.
Matt

