
Linux Exploit (Linux.RST.B) - My Server Was Just Hacked

April 20th, 2006
Written By: Adam Sussman


Some pissant found one of my dedicated colocated servers and hacked it to death. It took 48 hours for my network administrators to bring everything back online. This childish prank not only cost me 48 hours of lost revenue, it also required multiple people to spend hours of their valuable time diagnosing and rectifying the problem.

This is my understanding as to how it all went down.

A couple of days ago I started to receive strange emails from one of my applications informing me that someone was trying to gain access to the admin accounts. This caused me to waste most of the afternoon with my network administrators turning off services and changing all passwords.

Then, later that night while watching Prison Break with my wife, I got a call on my cell from one of my colocation facilities urgently informing me that they had just pulled one of my servers offline for a violation of their TOS.

“We have received notification that unauthorized access attempts are originating from your server. We ask that you cease this immediately or we will be forced to remove your server from our network.”

After spending a few hours talking to the network administrators, I came to the quick realization that this was going to end up sucking big-time for me.

Two days have now passed and we finally believe we have a handle on what went down.

“Your server was not booting because it had been infected with the RST.b virus. This infection was caused by a root compromise. It appears the hacker gained access to your server by using the “news” user, and then elevated his/her privileges to root using a brute force password hack, or via a local kernel exploit.”

I can’t tell you how pissed I am about this. Anyhow, here is some more info about the gift the hacker left me to deal with.

Linux.RST.B is a Linux-based virus that infects ELF files and has backdoor capabilities.

  1. Infects all executable files in the same folder as the virus and in the /bin folder.
  2. Attempts to access a Web page at http:/ /207.66.155.21.
  3. Creates a raw socket for the Exterior Gateway Protocol (EGP, IP protocol 8) for backdoor purposes.
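Two of the behaviours listed above are checkable from a shell on the box, and that is what the network administrators would have been looking for while diagnosing this. The script below is an added example, not the author's or the virus writeup's code: it parses /proc/net/raw to find any process holding a raw socket bound to IP protocol 8 (the kernel prints a raw socket's protocol number where the port would normally be in the local_address column), and it compares SHA-256 hashes of the ELF files in a directory against a trusted baseline, which is how an appending file infector in /bin shows up. The /proc/net/raw text and the throwaway "bin" directory built in demo() are constructed sample data.

```python
# Added example (not the author's code): post-compromise triage checks for the
# two behaviours attributed to Linux.RST.B above. SAMPLE_PROC_NET_RAW and the
# temporary directory built in demo() are constructed for illustration.
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

IPPROTO_EGP = 8  # IANA protocol number for the Exterior Gateway Protocol


def raw_socket_protocols(proc_net_raw: Iterable[str]) -> List[int]:
    """Return the IP protocol numbers of the raw sockets listed in /proc/net/raw.

    For a raw socket the kernel prints its protocol number in the "port"
    position of the local_address column, so '00000000:0008' is a raw socket
    bound to protocol 8 (EGP).
    """
    protocols = []
    for line in proc_net_raw:
        fields = line.split()
        if len(fields) < 2 or fields[0] == "sl":
            continue  # skip blank lines and the column header
        try:
            protocols.append(int(fields[1].split(":")[1], 16))
        except (IndexError, ValueError):
            continue  # malformed line: ignore rather than abort the triage
    return protocols


def has_egp_raw_socket(proc_net_raw: Iterable[str]) -> bool:
    """True if some process holds a raw socket for protocol 8, the channel the
    RST.B backdoor is described as using. Nothing legitimate on a hosting
    server speaks EGP, so a hit is worth chasing down with lsof/netstat -p."""
    return IPPROTO_EGP in raw_socket_protocols(proc_net_raw)


def is_elf(path: str) -> bool:
    """ELF files begin with the magic bytes 0x7f 'E' 'L' 'F'."""
    with open(path, "rb") as fh:
        return fh.read(4) == b"\x7fELF"


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_elf_files(directory: str) -> Dict[str, str]:
    """Map each regular, non-symlink ELF file directly under directory to its SHA-256."""
    hashes = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path) and is_elf(path):
            hashes[name] = sha256_of(path)
    return hashes


def changed_elf_files(directory: str, baseline: Dict[str, str]) -> List[str]:
    """ELF files whose hash differs from the baseline, or that are not in it.
    The baseline must come from before the compromise (package manager data
    or a known-good backup); hashes taken afterwards would bless the infection."""
    current = hash_elf_files(directory)
    return sorted(name for name, h in current.items() if baseline.get(name) != h)


# Constructed /proc/net/raw sample: an ICMP raw socket (protocol 1, e.g. ping)
# and a raw socket bound to protocol 8 (EGP). Column layout follows the kernel's.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201 2 0 0
   8: 00000000:0008 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1202 2 0 0
""".splitlines()


def demo() -> List[str]:
    """Build a throwaway 'bin' with two fake ELF files and one text file, take
    a baseline, append bytes to one binary the way a file infector would, and
    return the names whose hash changed."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"\x7fELF" + b"\x00" * 60 + name.encode())
        with open(os.path.join(bindir, "notes.txt"), "wb") as fh:
            fh.write(b"plain text, not an ELF file")
        baseline = hash_elf_files(bindir)
        with open(os.path.join(bindir, "ps"), "ab") as fh:
            fh.write(b"\x90" * 32)  # simulated appended infector body
        return changed_elf_files(bindir, baseline)


if __name__ == "__main__":
    print("EGP raw socket present:", has_egp_raw_socket(SAMPLE_PROC_NET_RAW))
    print("changed ELF files:", demo())
```

On a live box, pass `open("/proc/net/raw")` to `has_egp_raw_socket` (and check /proc/net/raw6 the same way), and build the baseline for /bin from the package manager (`rpm -Va` or `debsums`) rather than from the suspect files. Since the infector lives inside the system binaries themselves, run any of this from a clean boot medium or against the mounted disk; tools executed on the compromised install cannot be trusted to report honestly.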

One Response to “Linux Exploit (Linux.RST.B) - My Server Was Just Hacked”

  1. Jamari
    December 1st, 2006 10:22

    Linux vs. Windows web hosting???
    I wondered which should be used for dynamic sites using Flash, CSS, JavaScript, forms, etc.
    I was looking at this company's corporate plan and would like to have the option to set up several separate websites for different customers,
    assigning each an allotment of space with separate access by them and allowing me access. Is this site suitable for my needs, or is it, as it seems, just too good to be true???
