mtfriend
04-06-2002, 12:33 AM
My machine seems to have been infected with the Adore Worm. Here is the short story explaining what I have pieced together. Keep in mind I am very new to Linux and was naive to think that leaving your ftp port open with wu-ftpd running for only a few hours would not harm anything. I WAS WRONG!!!
Two mornings ago as I was reading my log files I noticed that a new user was created in the middle of the night on my machine and this was accessed by an unfamiliar IP. Further investigation revealed two emails sent to unfamiliar addresses (@k.ro & @emoka.ro). After checking every modified file on that date I came to realize that something called Adore was placed on my machine. I had no idea what this was at the time. I immediately changed all passwords on the machine, shut down wu-ftpd altogether, set the shell to false for the unidentified user that was created, replaced my ps with a clean one and began learning about this worm.
From what I can tell it takes advantage of a known vulnerability in wu-ftpd. This vulnerability was disclosed on Red Hat's web site and they claim to have a patch for this. The only problem with this story is that the problem was with Red Hat 7.0 and other versions prior to this. I am running Red Hat 7.2 and would assume that the update would have been included. The version of Adore that made its way to my machine is 0.34 (I got this by reading some of the source files) and it did some different things than I have read about. The emails that were sent out were sent to different addresses, it created a user by the name of xserver and it seems to have installed its own version of ssh (not totally positive about the last one). One of the symptoms that I have read about is that syslogd will restart every morning at 4:02. This happened on my machine the next morning. I have since found two Adorefind files to run, the newest version being 0.2.4, but when I have run these they find nothing. I can still see the directories and the removal files cannot find them. The next step I have taken is to remove all of the files I can find on my own. When I do an ls on the directory they were in I no longer see them, but when I run "locate adore", they still show up.
I am looking for some more suggestions, but I also wanted to post my story so that others could learn from my mistakes. Short of reloading (ugh!) I don't really know what else to do.
mtfriend
:mad:
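The checks mtfriend describes above (finding files changed on a given date, spotting an account that was not there before, tracking down a job that fires at 4:02 every morning, and understanding why "locate" still lists files after they were deleted) as a small triage script. This is an added example, not code from the original post or from any Adore removal tool; it assumes only POSIX sh, find, awk and touch, and every path, account name and crontab line in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from any Adore tool:
# a small triage helper for the checks mtfriend describes (files changed
# in a time window, accounts that appeared since a known-good baseline,
# a job scheduled at 04:02, and why "locate" still lists deleted files).
# Needs only POSIX sh, find, awk and touch. Every path, user name and
# crontab line below is constructed for the demo, not taken from the post.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"

# 1. Files modified inside a window. find(1) compares against reference
#    files with -newer, so no GNU-only -newermt is needed.
files_modified_between() {   # root  start(YYYYMMDDhhmm)  end(YYYYMMDDhhmm)
    touch -t "$2" "$WORK/.t_start"
    touch -t "$3" "$WORK/.t_end"
    find "$1" -type f -newer "$WORK/.t_start" ! -newer "$WORK/.t_end" | sort
}

# 2. locate(1) reads a database that updatedb rebuilds on a schedule, so it
#    keeps reporting paths deleted since the last rebuild. Split a
#    locate-style listing into entries that still exist and stale ones.
live_entries() {    # listfile
    while IFS= read -r p; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done < "$1"
}
stale_entries() {   # listfile
    while IFS= read -r p; do
        if [ ! -e "$p" ]; then printf '%s\n' "$p"; fi
    done < "$1"
}

# 3. Accounts present now but absent from a known-good copy of /etc/passwd
#    (keep that baseline off the box), and any extra UID 0 account.
new_accounts() {    # baseline_passwd  current_passwd
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}
uid0_accounts() {   # passwd
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 4. A job that fires at the same clock time every day (the 4:02 syslogd
#    restart) leaves a crontab line; list entries at a given minute/hour.
cron_entries_at() { # crontab_file  minute  hour
    awk -v m="$2" -v h="$3" '!/^#/ && $1 + 0 == m + 0 && $2 + 0 == h + 0' "$1"
}

# --- constructed sample data ----------------------------------------------
mkdir -p "$ROOT/etc" "$ROOT/usr/lib/.hidden"
printf 'clean\n'   > "$ROOT/etc/hosts";                touch -t 200203010900 "$ROOT/etc/hosts"
printf 'planted\n' > "$ROOT/usr/lib/.hidden/planted.o"; touch -t 200204040310 "$ROOT/usr/lib/.hidden/planted.o"
# locate-style listing with one entry that has since been deleted
printf '%s\n' "$ROOT/etc/hosts" "$ROOT/usr/lib/.hidden/planted.o" \
              "$ROOT/usr/lib/.hidden/removed.o" > "$WORK/locate.txt"
printf 'root:x:0:0::/root:/bin/sh\nalice:x:500:500::/home/alice:/bin/sh\n' > "$WORK/passwd.base"
{ cat "$WORK/passwd.base"
  printf 'xserver:x:501:501::/home/xserver:/bin/sh\ntoor:x:0:0::/:/bin/sh\n'; } > "$WORK/passwd.now"
printf '# constructed crontab\n2 4 * * * root /opt/placeholder/restart-syslogd\n0 1 * * * root /opt/placeholder/rotate-logs\n' > "$WORK/crontab"

# --- run the checks --------------------------------------------------------
echo "== files modified 2002-04-04 ==";   files_modified_between "$ROOT" 200204032359 200204042359
echo "== stale locate entries ==";        stale_entries "$WORK/locate.txt"
echo "== accounts not in baseline ==";    new_accounts "$WORK/passwd.base" "$WORK/passwd.now"
echo "== extra UID 0 accounts ==";        uid0_accounts "$WORK/passwd.now"
echo "== cron jobs at 04:02 ==";          cron_entries_at "$WORK/crontab" 2 4
```

On a real box the same checks would be pointed at `/`, the system's own `/etc/passwd`, and every crontab location (`/etc/crontab`, `/etc/cron.d`, and each user's crontab), and the baseline copy of `passwd` should come from backup media rather than from the compromised host. The stale "locate" hits in the post are exactly what `stale_entries` isolates: the database still names the paths until updatedb runs again, which says nothing about whether the files are really gone.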