Sub7 Subseven on a Redhat Linux Server

Podolak

Member
May 23, 2002
160
0
0
Hey all,

I think my linux mail server is infected with Sub7. Any help determining if it is in fact infected and how to remove it would be great!

Thanks,

-Mike
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
I don't think that there is a subseven trojan for Linux. Now there are lots of trojans, to be sure, but I don't think that subseven is one of them, it's Windows-only....

However if your system is compromised it is a very serious matter. If you log into a compromised machine then it is safe to assume that they know all your passwords, and any other machine that you use the same passwords on has probably been hacked too.

The easiest way to clean them up is to take the machine down. Boot up with a live linux or rescue cdrom and backup your e-mail and any special configuration files that you put a lot of work into, and then format the operating system and restart from scratch. That's probably the safest and easiest thing to do.

However it would be really really helpful to determine exactly how they compromised your system. If you're running a vintage Redhat install and never bothered to upgrade or install system patches then it's a pretty easy thing to compromise your system. If you're using a simple password (dictionary word or phrase, fewer than 8 characters in your password) then there is a decent chance that the cracker can use a brute force login attack on your system and succeed.

But before we start freaking out, how did you figure out that your machine has been compromised? Did you run an nmap scan and it came up with port 27374 open?

If you use nmap and it finds an open port it will suggest common things that use that port. It does not mean that it knows what actually is running. Anything can be running on any port and even subseven can be made to listen on any port that you want it to.

What Redhat version are you running? If you're running anything earlier than Redhat 9 and it's unpatched then there's a good chance that you've been owned. It's very very important that you keep up to date.

Common trojans/worms that listen on port 27374: (from here)
Bad Blood, Fake SubSeven, li0n, Ramen, Seeker, SubSeven , SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8, SubSeven 2.2, SubSeven Muie, The Saint.

Out of those Li0n and Ramen are Linux worms that affect older unpatched Redhat (around 6.x, 7.x or so) systems.

In the future if you have a legacy Redhat system that you need to keep using for whatever reason check out the Fedora Legacy project. However with Linux it is very important to keep somewhat up to date. Newer Redhat ES and AS style server operating systems have a guaranteed life of either 3 or 5 years or so (I can't remember which) so that you can go up to a few years between upgrades. If you don't want to pay for Redhat's service scheme then you have Suse and especially Debian that you can expect to be kept up to date security-wise and allow a smooth upgrade path to newer versions. (something Debian does very well thru apt-get and online repositories)

For Li0n to infect your system you have to be running a BIND DNS server versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px.. If you have any of those versions running then it would be safe to assume that your system is toast. Ramen is pretty similar.
li0n
Ramen

I don't know exactly what to do, but if you give me more information I'll try to figure something else out. If you're running an ancient Linux version it's time to upgrade now anyways. An easy thing to do would be to simply buy another harddrive for your server if that is practical, they are fairly cheap... Pull out the old harddrive, pop the new one in, install your server on that. If you have a problem then you can simply move back to the old system...

Now you may not be infected with anything.. For instance if you have a lot of hits on your firewall on those ports, that's common and it doesn't mean anything.

determine running ports
again
how not to get hacked
linux security.com
linuxsecurity.com docs
reclaiming a compromised system, from linux security quickstart.

Stuff like that. Once you've been rooted (http://feenix.burgiss.net/ldp/...rusion.html#RECLAIM) it's about impossible to ever ensure that you can trust that system again. In Unix-land security violations have always been very nasty, you have things like LKM-based root kits that sit between the kernel and operating system and intercept system calls to keep their identity hidden, unless you boot up with a separate boot disk with security features it's about impossible to find these...
chkrootkit tries to find these things...

More information would be nice if you want something more accurate..
 

Podolak

Member
May 23, 2002
160
0
0
The information you've given me so far is great, but I'll be happy to answer a few of your questions so that I can get even better help.

Ok, firstly...
But before we start freaking out, how did you figure out that your machine has been compromised? Did you run an nmap scan and it came up with port 27374 open?

The answer to that is simple. We have a Sonic Wall Pro 3060 and in the logs it said the IP address of the Mail Server (Running Redhat 7.3) is attacking the ip address of our database server (A windows box) with subseven. Or something along those lines.

Our server is presently running on its last leg. We don't want to do too much to it or else we are afraid we won't be able to get it back up. It's the mail server for our entire company so it's rather important. I have some linux experience and always try and work with it more. Been using Clarkconnect for a while at home and have installed various distros on my laptop to play around with them. Anyhow, point being my linux knowledge is very limited.

We don't want to go through the process of re-setting up sendmail and the like of that because sometime very soon our new mail server will be coming in. We are going to Lotus Notes. So basically we don't want to do anything to finish off this mail server before the new one is implemented. Alright, I think that answers the questions you need, but by all means ask me more and I'll come up with what I can.

Thanks!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Podolak
The answer to that is simple. We have a Sonic Wall Pro 3060 and in the logs it said the IP address of the Mail Server (Running Redhat 7.3) is attacking the ip address of our database server (A windows box) with subseven. Or something along those lines.

Signatures for things like this are typically pretty bad. My guess is that it would be a false alarm, or something else.
 

Podolak

Member
May 23, 2002
160
0
0
Signatures for things like this are typically pretty bad. My guess is that it would be a false alarm, or something else.

Do you think that may hold true even if it comes up multiple times in the sonic wall logs? And is there any way to tell for sure that it is there?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Do you think that may hold true even if it comes up multiple times in the sonic wall logs? And is there any way to tell for sure that it is there?

If a signature matches once, it can match infinite times. I would bet money that the SonicWall is just using port numbers in that signature, which makes it 99% worthless.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Try running a port scan on the mail server using Nmap (they have both Windows and Linux/unix versions) (run it behind the firewall and see what ports are open).

Also run a packet sniffer like Ethereal and see if you can monitor network traffic coming in and out of your mail server. I don't know how often your SonicWall firewall is registering these attacks, but if it is fairly often it wouldn't be too hard to look up in the firewall logs what time the event happened and then you can go thru your packet log from ethereal and see if you can figure out what exactly is happening.

I think that Redhat 7.3 is new enough to be immune to the basic ramen/li0n-type worm attack, but it wouldn't withstand a human-based attack for more than a few seconds unless it's completely patched and up to date.

Also if you have a ssh server running on your mail server you can use putty.exe (or just ssh if you're using linux/os x/unix etc) to connect to a command line environment from your desktop to the server so it makes troubleshooting and looking up commands on the internet easier. Stuff like:
netstat -tuan
ps aux |less
chkrootkit
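As an added example (not part of the thread, and not anyone's posted code), here is a small Python script that reads the same socket table that netstat -tuan reports, but straight from /proc/net/tcp and /proc/net/tcp6, and compares the listening ports against a list of services the mail server is expected to run. The expected-port list and the sample table are assumptions constructed for the example; the state code 0A is the kernel's TCP LISTEN state. It reads /proc directly rather than trusting the netstat binary, but an LKM rootkit of the kind drag describes can hide sockets from /proc as well, which is why chkrootkit and an offline boot remain the stronger checks.

```python
"""List listening TCP ports from /proc/net/tcp and flag anything unexpected.

Added example; the expected-service list and the sample table below are
constructed for illustration, not taken from the thread.
"""

# In /proc/net/tcp, column "st" is the socket state; 0A is TCP_LISTEN.
LISTEN_STATE = "0A"

# Assumption: the services this mail server is expected to expose.
EXPECTED_PORTS = {22: "ssh", 25: "smtp", 110: "pop3", 143: "imap"}


def parse_proc_net_tcp(text):
    """Return a list of (local_port, state) for every socket in a /proc/net/tcp dump.

    Each data row looks like: "0: 00000000:0016 00000000:0000 0A ...", where
    local_address is HEXIP:HEXPORT and the fourth field is the state.
    """
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_address, state = fields[1], fields[3]
        port = int(local_address.rsplit(":", 1)[1], 16)
        sockets.append((port, state))
    return sockets


def listening_ports(text):
    """Sorted, de-duplicated list of ports in the LISTEN state."""
    return sorted({port for port, state in parse_proc_net_tcp(text) if state == LISTEN_STATE})


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Listening ports that are not in the expected-service list."""
    return [port for port in listening_ports(text) if port not in expected]


def read_live_listeners():
    """Read the real IPv4 and IPv6 tables on a Linux host (skipped if absent)."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                ports.update(listening_ports(fh.read()))
        except FileNotFoundError:
            pass
    return sorted(ports)


# Constructed sample: ssh (0x0016 = 22) and smtp (0x0019 = 25) listening,
# plus an unexplained listener on 0x6AEE = 27374 and one established smtp session.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 00000000:6AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 100 0 0 10 0
   3: 0100007F:0019 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    print("sample listeners:", listening_ports(SAMPLE_TABLE))
    print("sample unexpected:", unexpected_listeners(SAMPLE_TABLE))
    print("this host listeners:", read_live_listeners())
```

Any port that shows up in the unexpected list is the one to chase: find its process with ps aux and, as drag suggests, stop services one at a time until it disappears, rather than assuming from the port number alone what is behind it.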
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Try running a port scan on the mail server using Nmap (they have both Windows and Linux/unix versions) (run it behind the firewall and see what ports are open).
Why not just telnet to it on port 27374 to see if the port is open? Nmap might have quite a learning curve for you considering your other experiences.

from a command prompt on your windows desktop:
ftp servername 27374
and see what the response is; if it gives you a "Could not open connection to the host, on port 27374: Connect failed" then at least you know the port isn't open.

Of course, this is assuming the worm would open that port...
 

Aluf

Member
Nov 4, 2004
26
0
0
Sub7 on Linux?? No way. If it works on Linux it's definitely something else. Digging through a compromised system to get the picture of what happened can make for a hard time if you don't know the OS beforehand. At least try (I'm sure you installed all software through RPM) this command:
rpm -Va
that'll verify every installed package against the RPM database and will report any inconsistency.
To understand the report see here:
http://www.rpm.org/max-rpm/s1-rpm-verify-output.html
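As an added example (not from the thread or from RPM itself), here is a Python triage script for rpm -Va output in the format the linked page documents: an eight-character flag field (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime; newer rpm adds a ninth P for capabilities), an optional attribute marker (c config, d doc, g ghost, l license, r readme), then the path, with "missing" lines for deleted files. The severity rules and the sample output are assumptions for the example: a digest or size change on a non-config file under a system binary directory is ranked highest, since replaced system binaries are a classic rootkit sign, while edited config files are expected noise. The check is only a hint: an attacker with root can alter the RPM database or rpm itself, so run it from a rescue boot if the result matters.

```python
"""Rank rpm -Va output lines by how much they deserve a look.

Added example; the severity policy and SAMPLE_OUTPUT are constructed
for illustration and are not part of the thread or of rpm.
"""
import re

# "S.5....T c /etc/foo" : flags, optional attribute marker, path
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)
# "missing   c /etc/foo" : file recorded in the database but absent on disk
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

# Assumption: directories whose binaries a rootkit would most likely replace.
BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/usr/lib")


def parse_rpm_verify(text):
    """Turn rpm -V lines into dicts with path, attr and flags ('missing' for absent files)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append({"path": m["path"], "attr": m["attr"], "flags": "missing"})
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"path": m["path"], "attr": m["attr"], "flags": m["flags"]})
    return entries


def in_bin_dir(path):
    return any(path == d or path.startswith(d + "/") for d in BIN_DIRS)


def severity(entry):
    """Policy (an assumption): high for altered system binaries, low for config/doc changes."""
    flags, attr, path = entry["flags"], entry["attr"], entry["path"]
    if flags == "missing":
        return "low" if attr == "d" else "medium"
    if "?" in flags:
        return "unknown"          # rpm could not perform the test (e.g. unreadable file)
    if attr == "c":
        return "low"              # edited config files are expected on a working server
    if in_bin_dir(path) and ("5" in flags or "S" in flags):
        return "high"             # content of a system binary or library changed
    if any(ch in flags for ch in "MUG"):
        return "medium"           # permissions or ownership changed
    return "low"


def triage(text):
    """Group paths by severity, each group sorted, so the report can be read top-down."""
    groups = {"high": [], "medium": [], "low": [], "unknown": []}
    for entry in parse_rpm_verify(text):
        groups[severity(entry)].append(entry["path"])
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample of rpm -Va output (not real output from the poster's server).
SAMPLE_OUTPUT = """\
S.5....T   /bin/ls
S.5....T c /etc/sendmail.cf
.M......   /usr/bin/chage
missing   d /usr/share/doc/foo-1.0/README
..?.....   /usr/lib/libfoo.so
"""

if __name__ == "__main__":
    for level, paths in triage(SAMPLE_OUTPUT).items():
        print(f"{level:8s} {paths}")
```

On a live server pipe the real output in with something like `rpm -Va | python3 triage.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the "high" group is what to compare against a known-good copy of the package from the install media.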
 

Podolak

Member
May 23, 2002
160
0
0
Why not just telnet to it on port 27374 to see if the port is open? Nmap might have quite a learning curve for you considering your other experiences. from a command prompt on your windows desktop: ftp servername 27374 and see what the response is; if it gives you a "Could not open connection to the host, on port 27374: Connect failed" then at least you know the port isn't open. Of course, this is assuming the worm would open that port...

Ok, says connection failed.

Try running a port scan on the mail server using Nmap (they have both Windows and Linux/unix versions) (run it behind the firewall and see what ports are open). Also run a packet sniffer like Ethereal and see if you can monitor network traffic coming in and out of your mail server. I don't know how often your SonicWall firewall is registering these attacks, but if it is fairly often it wouldn't be too hard to look up in the firewall logs what time the event happened and then you can go thru your packet log from ethereal and see if you can figure out what exactly is happening.

Now I'd install and run that on the mail server? Or could I run it from my laptop?

Also if you have a ssh server running on your mail server you can use putty.exe (or just ssh if you're using linux/os x/unix etc) to connect to a command line environment from your desktop to the server so it makes troubleshooting and looking up commands on the internet easier. Stuff like: netstat -tuan ps aux |less chkrootkit

I've putty installed and am connected to the server now. What other commands might be helpful?
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: spyordie007
Try running a port scan on the mail server using Nmap (they have both Windows and Linux/unix versions) (run it behind the firewall and see what ports are open).
Why not just telnet to it on port 27374 to see if the port is open? Nmap might have quite a learning curve for you considering your other experiences.

from a command prompt on your windows desktop:
ftp servername 27374
and see what the response is; if it gives you a "Could not open connection to the host, on port 27374: Connect failed" then at least you know the port isn't open.

Of course, this is assuming the worm would open that port...

Ya. His firewall says that the mail server is attacking with "subseven" on his Windows machine. Which more than likely means that something is trying to access that 27374 and is saying that it has the ip address of the mail server.

It doesn't mean that he has subseven installed on the Linux machine, it means that the firewall is stopping what it thinks are attempts from the mail server to access a subseven server on the Windows machine.

It's a little mix up. The firewall doesn't say that he has subseven installed on the Linux machine, but that the linux machine is trying to access a subseven trojan on the Windows machine.

So there are several explanations why this could be happening. If it is indeed coming from the Linux machine then this would indicate generic script kiddy behavior. The person who would take over the Linux server would probably install his own trojan or rootkit to make it easy to control it undetected, then they would download bash and perl scripts from various places on the internet and then try them out on other machines in the local area network. So the cracker may have a script that goes and checks for common windows trojans and the firewall is picking up on it.

Or it could be something completely benign and the firewall is getting false positives.

An nmap scan would reveal what ports are open and then you can go and narrow it down to what service is using what port by shutting down service by service and making sure that you know everything that is going on. If you can't figure out what port goes to what service then it would help to narrow down what is going on.

Then once you get suspect ports, then you can telnet into that port and see what pops up. It's a pain in the butt sometimes.

Now I'd install and run that on the mail server? Or could I run it from my laptop?

Ya. You can install it on the Linux server and run it on itself, but the most honest answer would come from your laptop running it on the server. You can get nmap here, if you haven't already found it.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Oh, and if you don't like nmap, there are other port scanners out there. Nmap is just what I am familiar with personally.

tucows has some links for some port scanners, that LANguard looks promising and it's free.
 

Aluf

Member
Nov 4, 2004
26
0
0
If you have Windows XP or 2000 there's a nice port-scanner from Foundstone for free that gets the job done - SuperScan

Superior scanning speed
Support for unlimited IP ranges
Improved host detection using multiple ICMP methods
TCP SYN scanning
UDP scanning (two methods)
IP address import supporting ranges and CIDR formats
Simple HTML report generation
Source port scanning
Fast hostname resolving
Extensive banner grabbing
Massive built-in port list description database
IP and port scan order randomization
A selection of useful tools (ping, traceroute, Whois etc)
Extensive Windows host enumeration capability

http://www.foundstone.com/resources/freetools.htm

P.S. If telnet says it can't connect, it may mean there's no 24/7 server running on the Linux box and it's closed just now; moreover, to get "connected" something has to be listening for the connection, so "isn't open" proves not much here.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
and it's closed just now; moreover, to get "connected" something has to be listening for the connection, so "isn't open" proves not much here.

It proves there's no daemon running right now and for an effective back door there should be a daemon.

Frankly this has gone way out of control, Sub7 doesn't run on Linux. That with a look at the box in question to prove there's nothing listening on that port should have had the issue closed as a false positive in 10 minutes. If you really want to, you should call SonicWall support and ask how the fingerprint for the Sub7 detection works, chances are it's only a port number which makes it virtually useless.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
The answer to that is simple. We have a Sonic Wall Pro 3060 and in the logs it said the IP address of the Mail Server (Running Redhat 7.3) is attacking the ip address of our database server (A windows box) with subseven. Or something along those lines.

The issue currently is why the firewall is registering attacks coming from the Redhat server... Probably just something probing the port 27374, but why is it coming from the Redhat server directed at the Windows server?

So the easiest answer that I can think of is to check and make sure that only the ports that are supposed to be open are open on the redhat server, to check and make sure that somebody has rooted it and installed a backdoor (not sub7, obviously.). And then once that's done do a packet capture on the lan, if possible, (and calling the firewall company and asking them about the fingerprinting is a good idea) and figure out why the firewall is registering it the way it is.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The issue currently is why the firewall is registering attacks coming from the Redhat server... Probably just something probing the port 27374, but why is it coming from the Redhat server directed at the Windows server?

Or it could just be return traffic coming from a random (in this case 27374) high port.
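The ephemeral-port explanation above, and Nothinman's earlier point that a port-number-only signature fires on any packet touching 27374, can be checked against the firewall log itself. As an added example (not from the thread, and not SonicWall's log format, which the thread never shows), here is a Python triage script over a constructed, simplified log format. It sorts each alert by which end of the connection carried port 27374: if the other end is a well-known service port, the packet is consistent with a normal session in which 27374 happened to be chosen as the client's source port; only a packet aimed at port 27374 from another high port looks like a real connection attempt to a listener there. The service-port list is an assumption, and the final word is a packet capture showing which side sent the SYN, as drag suggested with Ethereal.

```python
"""Separate likely ephemeral-port false positives from real attempts to reach port 27374.

Added example: the log line format, the service-port list and SAMPLE_LOG are
constructed for illustration; the thread does not show the SonicWall format.
"""
import re
from collections import Counter

SUSPECT_PORT = 27374

# Assumption: ports the mail server serves or legitimately talks to.
SERVICE_PORTS = {22, 25, 53, 110, 143}

# Constructed format: "... src=IP:PORT dst=IP:PORT ..."
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(line):
    """Label one log line by where the suspect port sits in the src/dst pair."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == SUSPECT_PORT and sport in SERVICE_PORTS:
        # A server answering a client whose source port happened to be 27374.
        return "reply-to-ephemeral-port"
    if sport == SUSPECT_PORT and dport in SERVICE_PORTS:
        # The mail server acting as a client from source port 27374
        # (whether the kernel can pick it depends on ip_local_port_range).
        return "client-used-ephemeral-port"
    if dport == SUSPECT_PORT:
        # High port -> 27374: this is the shape of a real connection attempt.
        return "connection-to-suspect-port"
    return "unrelated"


def triage(lines):
    """Count lines per label so the proportions are visible at a glance."""
    return Counter(classify(line) for line in lines)


def needs_investigation(lines):
    """The lines that cannot be explained away as ephemeral-port traffic."""
    return [line for line in lines if classify(line) == "connection-to-suspect-port"]


# Constructed sample: 192.0.2.10 is the mail server, 192.0.2.20 the Windows box,
# 198.51.100.7 an outside mail relay (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2004-11-05 09:12:01 alert="SubSeven" src=192.0.2.10:25 dst=192.0.2.20:27374 proto=tcp
2004-11-05 09:12:05 alert="SubSeven" src=192.0.2.10:27374 dst=198.51.100.7:25 proto=tcp
2004-11-05 09:13:40 alert="SubSeven" src=192.0.2.10:33012 dst=192.0.2.20:27374 proto=tcp
2004-11-05 09:14:02 src=192.0.2.30:3345 dst=192.0.2.10:25 proto=tcp
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(triage(lines))
    for line in needs_investigation(lines):
        print("look at:", line)
```

In the sample the first alert is the mail server's SMTP reply to the Windows box, which would be logged as "mail server attacking DB server with SubSeven" by a port-only rule, and only the third line deserves a follow-up on the Linux side.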
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: Nothinman
The issue currently is why the firewall is registering attacks coming from the Redhat server... Probably just something probing the port 27374, but why is it coming from the Redhat server directed at the Windows server?

Or it could just be return traffic coming from a random (in this case 27374) high port.

I suppose so. It would suck to put a lot of work into it only to find out that it's a false alarm. But if it's something that didn't start happening until recently and it's happening repeatedly, assuming nothing else has changed, then it would make me very nervous.

But then again I am a fairly paranoid person. Once every month or two I get the "that's odd" type feeling when something I notice looks funny and I'll go around shutting down services and running chkrootkit, checking logs, checking outgoing and incoming connections and other stuff like that. Usually takes a few hours to convince myself that everything is ok.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I suppose so. It would suck to put a lot of work into it only to find out that it's a false alarm

True, but it happens. It happened to me at work, I can't remember the signature but it got triggered by a random high port when I ssh'd into a box. It was easy to track down since I still had the ssh connection open, but it sure made some people jump and run over to my cube.

But then again I am a fairly paranoid person. Once every month or two I get the "that's odd" type feeling when something I notice looks funny and I'll go around shutting down services and running chkrootkit, checking logs, checking outgoing and incoming connections and other stuff like that. Usually takes a few hours to convince myself that everything is ok.

I do that once in a while as well.