06/10/2009
ossec to the rescue
That’s why I love ossec:
OSSEC HIDS Notification. 2009 Oct 06 17:45:17 Received From: XXXX->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/album_mod/.. /.../.log'. --END OF NOTIFICATION OSSEC HIDS Notification. 2009 Oct 06 17:45:17 Received From: XXXX->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/lang_english/ /... /.log'. --END OF NOTIFICATION OSSEC HIDS Notification. 2009 Oct 06 17:45:17 Received From: XXXX->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/ /... /.log'. --END OF NOTIFICATION
Just found this by copying some files for a client from his previous hosting company to one of the hosting servers of a company I work for.
There were actually 2 different sets of files.
The first one contained a tool that “hides” a process, called: “XH (XHide) process faker”, and the second one contained an iroffer executable.
Files:
i)xh-files.tar.gz
Listing:
.log/
.log/.crond/
.log/.crond/xh
.log/week~
.log/week
ii)iroffer-files.tar.gz
Listing:
.--/
.--/imd.pid
.--/imd.state.tmp
.--/imd.state
.--/linux
Mind the . (dot) of the directories containing the files.
Filed by kargig at 22:01 under Linux
Tags: iroffer, Linux, ossec, process hider, rootkit, security, vulnerability
2 Comments | 10,160 views