[Dshield] Warning: Possible Scalper Worm installed

dxm5afod02@sneakemail.com dxm5afod02 at sneakemail.com
Thu Jan 2 22:13:12 GMT 2003


Hello all,

I got that warning while running chkrootkit-0.38.  I guess I didn't update Apache quickly enough :P

I did locate a few empty files named '.cinik' and deleted them:

/misc/backup/squirrelmail/prefs/.cinik
/var/cache/httpd/.cinik
/var/lib/squirrelmail/prefs/.cinik
/var/lib/dav/.cinik

The only other messages from chkrootkit were these "suspicious files and directories":

/usr/lib/perl5/5.6.1/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Crypt/SSLeay/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/SSLeay/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/XWhois/.packlist

I first got suspicious when I was digging through the mail spool directory and found a directory for user apache.  I found a bounced email from Yahoo because by the time I got infected they had already shut down the 'cinik at yahoo.com' account the worm used to call home.  The text of the email contained all sorts of useful info about my server/system.

I did some searching and did not find anything in /tmp that was suspicious, and there is no running process '.a'

Redhat 7.3, apache-1.3.27-2 (I did update, but apparently after the infection).

Any ideas on what I should do other than reformatting the drive?

Let me know if there is any info y'all might need that I didn't include. Any hints/help is appreciated!

Thanks so much!
Kara


--------------------------------------
Protect yourself from spam, 
use http://sneakemail.com
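The checks Kara describes (empty '.cinik' marker files under the web server's writable directories, a mail spool for the apache user, a process named '.a') can be scripted as a small triage helper. The block below is an added example written for this archive, not code from the original post or from chkrootkit; the directory list in DEFAULT_ROOTS, the build_sample_tree() layout and the use of /proc/<pid>/comm for process names are assumptions, and the sample tree it builds is constructed to mirror the findings in the post.

```python
"""Added triage example: look for the file-system indicators the post names."""
import os
import tempfile

# Marker file names named in the post (constructed list; extend as needed).
MARKER_NAMES = {".cinik"}
# Assumed places to look, chosen from where the post found markers plus /tmp and the spool.
DEFAULT_ROOTS = ["/var/cache/httpd", "/var/lib", "/tmp", "/var/spool/mail"]


def find_marker_files(roots, marker_names=MARKER_NAMES):
    """Walk each root and return sorted (path, size) pairs for files whose basename is a marker."""
    hits = []
    for root in roots:
        # Unreadable directories are skipped rather than aborting the scan.
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
            for name in filenames:
                if name in marker_names:
                    path = os.path.join(dirpath, name)
                    try:
                        size = os.lstat(path).st_size
                    except OSError:
                        size = -1
                    hits.append((path, size))
    return sorted(hits)


def web_user_has_mail_spool(spool_dir, user="apache"):
    """True if the web server account has a mail spool file; it normally has no reason to send mail."""
    return os.path.isfile(os.path.join(spool_dir, user))


def running_process_names():
    """Return the set of process names from /proc (Linux only); empty set elsewhere."""
    names = set()
    if not os.path.isdir("/proc"):
        return names
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    names.add(f.read().strip())
            except OSError:
                pass
    return names


def build_sample_tree():
    """Constructed sample layout mirroring the post: two empty .cinik markers and an apache spool file."""
    root = tempfile.mkdtemp(prefix="cinik-demo-")
    for rel in ("var/cache/httpd", "var/lib/dav", "var/spool/mail", "tmp"):
        os.makedirs(os.path.join(root, rel))
    open(os.path.join(root, "var/cache/httpd/.cinik"), "w").close()
    open(os.path.join(root, "var/lib/dav/.cinik"), "w").close()
    with open(os.path.join(root, "var/spool/mail/apache"), "w") as f:
        f.write("From MAILER-DAEMON  (constructed bounce)\n")
    return root


def triage(root="/"):
    """Run all checks beneath root and return a summary dict."""
    roots = [os.path.join(root, r.lstrip("/")) for r in DEFAULT_ROOTS]
    return {
        "markers": find_marker_files(roots),
        "apache_spool": web_user_has_mail_spool(os.path.join(root, "var/spool/mail")),
        "dot_a_running": ".a" in running_process_names(),
    }


if __name__ == "__main__":
    demo = build_sample_tree()
    for key, value in triage(demo).items():
        print(f"{key}: {value}")
```

Running triage() against the real root walks all of /var/lib, which is slow but deliberate: the markers in the post sat in several unrelated subdirectories, so a scan limited to the web root would miss some of them. A positive hit is a reason to treat the host as compromised and rebuild from known-good media, which is the answer to the question the post asks.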