
How do I remove the malicious installation of the IRC chat relay software "psybnc" from my Linux server?
Requested and Answered by Gene Amtower [pcbgene] on 11-Aug-2010 15:15 (2962 reads)
We recently had to remove psybnc -- installed by a Frenchman operating in association with undernet.org and other questionable domains -- from a SUSE Linux server. We searched for information on the Internet about removing this software, but the information was either not current or the software had been modified in order to hide it from server administrators.

Here's how it was configured and how we removed it:

First, we found a hidden directory under /lib/security/.bash that contained what appeared to be the psybnc software files. This folder appeared to contain configuration information, the program executables, source code, libraries, and log information. According to the log file, it first configured a listener on port 3307 and added a new user named "iptables", with the initial connection made from the wanadoo.fr domain. (Who knows if this is a real address or not, but that's what the log contained!) It attempts to connect to other psybnc servers at port 6667.

We deleted this folder and restarted the server, and it was regenerated, suggesting that there was a source for the executable program somewhere else on the server. So, we went off in search of other information.

The online documentation on psybnc said it is launched through a "cron" job entry, which is probably what regenerated the program folder as well. However, the Internet instructions for removing the cron job did not work; apparently the author knew admins would look in the standard location for this entry. We eventually found the nefarious cron table file stashed under /var/spool/cron/tabs instead. So, this file and the program folder got deleted, followed by another reboot.

It appears that these efforts successfully removed the running process for psybnc, but close attention to log files and system activity will be needed to prove whether this is really the case.
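The follow-up monitoring described above can be scripted. The block below is an added example and is not part of the original FAQ entry or of psybnc's documentation: it turns the indicators the entry reports (a hidden program directory such as /lib/security/.bash, a crontab kept under /var/spool/cron/tabs, a listener on port 3307, outbound connections to IRC port 6667) into repeatable checks. The netstat and crontab text embedded in it is constructed sample data, and the file paths and the `--run` option are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example; not part of the original FAQ entry. Repeatable checks for
# the psybnc indicators described in the entry. Sample data below is
# constructed; paths are assumptions.

# List hidden directories (names beginning with '.') beneath a system
# path where none are expected, e.g. /lib/security.
find_hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 3 -type d -name '.*' 2>/dev/null | sort
}

# Print crontab lines (stdin) that execute something from a hidden
# directory; comment lines are skipped.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E '/\.[^/[:space:]]+'
}

# From `netstat -tanp` style output on stdin, print LISTEN sockets whose
# local port is $1 (field 4 is the local address, port after the last ':').
listeners_on_port() {
    grep 'LISTEN' | awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) print }'
}

# Same input; print ESTABLISHED connections whose remote port is $1.
connections_to_port() {
    grep 'ESTABLISHED' | awk -v p="$1" '{ n = split($5, a, ":"); if (a[n] == p) print }'
}

# Constructed sample of netstat -tanp output (documentation address ranges).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN      4120/psybnc
tcp        0      0 192.0.2.10:48210        198.51.100.7:6667       ESTABLISHED 4120/psybnc
tcp        0      0 192.0.2.10:22           203.0.113.5:51012       ESTABLISHED 812/sshd'

# Constructed sample crontab, of the kind found under /var/spool/cron/tabs.
SAMPLE_CRON='# regular housekeeping
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * /lib/security/.bash/psybnc >/dev/null 2>&1'

# Run every check against the live host (netstat -p needs root to show
# program names).
report() {
    base="${1:-/lib/security}"
    echo "== hidden directories under $base =="
    find_hidden_dirs "$base"
    echo "== crontab lines pointing at hidden paths =="
    # SUSE keeps per-user tables under /var/spool/cron/tabs, Debian under
    # /var/spool/cron/crontabs; /etc/crontab is the system table.
    for f in /var/spool/cron/tabs/* /var/spool/cron/crontabs/* /etc/crontab; do
        [ -r "$f" ] && suspicious_cron_lines < "$f" | sed "s|^|$f: |"
    done
    echo "== listeners on 3307 =="
    netstat -tanp 2>/dev/null | listeners_on_port 3307
    echo "== connections to 6667 =="
    netstat -tanp 2>/dev/null | connections_to_port 6667
}

# Usage: sh psybnc-check.sh --run [base-directory]
if [ "${1:-}" = "--run" ]; then
    report "$2"
fi
```

Empty output under every heading is the expected result on a clean host; anything listed under "listeners on 3307" or "crontab lines pointing at hidden paths" after the cleanup is a sign that a second copy of the launcher survived, which is exactly the regeneration behaviour the entry describes.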

In addition to the psybnc program itself, we found clues about how this program made its way onto the server. PHP apparently was not secure enough to prevent this access, and we found a log entry suggesting the source was downloaded to the server through a carefully crafted HTML request. The weakness might also involve configuration issues with Apache 2.0. We hardened PHP through a number of recommended settings, as well as new settings in Apache to prevent client access through any request method other than GET and POST actions.
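The entry names the two hardening areas without listing settings. The block below is an added example, not the author's configuration: it audits a php.ini for a common hardening baseline (directives that control remote file access and function exposure) and checks an Apache 2.0/2.2 configuration for a LimitExcept block that allows only GET and POST, printing the snippet to add when it is missing. The php.ini and httpd.conf text inside it is constructed sample data; the default file paths and the /srv/www/htdocs directory are assumptions.

```shell
#!/bin/sh
# Added example; not part of the original FAQ entry. Audits the two
# hardening points the entry mentions. Sample config text is constructed;
# file paths are assumptions.

# Print php.ini directives (stdin) whose value weakens the server. The
# directive list is a common hardening baseline, not taken from the FAQ.
php_weak_settings() {
    grep -v '^[[:space:]]*;' |
    awk -F'=' '
        { key = $1; val = $2
          gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
          val = tolower(val) }
        key == "allow_url_fopen"   && val == "on" { print "allow_url_fopen=On (PHP may open remote URLs)" }
        key == "allow_url_include" && val == "on" { print "allow_url_include=On (remote code can be included)" }
        key == "register_globals"  && val == "on" { print "register_globals=On (request data becomes variables)" }
        key == "expose_php"        && val == "on" { print "expose_php=On (version disclosed in headers)" }
        key == "disable_functions" && val == ""   { print "disable_functions empty (system/exec/shell_exec callable)" }
    '
}

# Succeed (exit 0) if the Apache config on stdin limits methods to GET and POST.
apache_limits_methods() {
    grep -Eiq '<LimitExcept[[:space:]]+GET[[:space:]]+POST[[:space:]]*>'
}

# Snippet in Apache 2.0/2.2 syntax to add when the check fails; the
# directory path is an assumption.
APACHE_LIMIT_SNIPPET='<Directory "/srv/www/htdocs">
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>'

# Constructed sample php.ini.
SAMPLE_PHP_INI='[PHP]
; constructed sample
allow_url_fopen = On
allow_url_include = Off
register_globals = On
expose_php = On
disable_functions =
display_errors = Off'

# Constructed sample httpd.conf with no method restriction.
SAMPLE_HTTPD_CONF='<Directory "/srv/www/htdocs">
    Options -Indexes
    AllowOverride None
</Directory>'

# Audit the live files (defaults are assumed SUSE locations).
audit() {
    php_ini="${1:-/etc/php5/apache2/php.ini}"
    httpd_conf="${2:-/etc/apache2/httpd.conf}"
    echo "== weak php.ini settings in $php_ini =="
    [ -r "$php_ini" ] && php_weak_settings < "$php_ini"
    echo "== request methods in $httpd_conf =="
    if [ -r "$httpd_conf" ] && apache_limits_methods < "$httpd_conf"; then
        echo "LimitExcept GET POST present"
    else
        echo "no LimitExcept GET POST block; add:"
        printf '%s\n' "$APACHE_LIMIT_SNIPPET"
    fi
}

# Usage: sh web-hardening-audit.sh --run [php.ini] [httpd.conf]
if [ "${1:-}" = "--run" ]; then
    audit "$2" "$3"
fi
```

Restricting methods with LimitExcept does not by itself close a PHP upload or include hole, since GET and POST are still allowed; it removes the less common methods that some web shells and upload tools rely on, and the php.ini checks address the download path the entry's log entry points to.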

If anyone has further suggestions on how to block and/or remove this particular piece of malware, please let us know by submitting your feedback through our "Contact Us" form on this site. We hope this information helps other server administrators with this problem.


Hosted by PC Backup © 2009 PC Backup Networks