Reply To: DoS on DNS Zeroshell: Malware!


#52999

jpJxPhOuhvqc
Participant

I’ve found one of my installations infected with this too.

Can we try to narrow down what we have in common to work out the infection method?

I am running Release 2.0.RC2, set up and running since circa 17/02/2013.

I have (open to the world):
- Port 80 (the web interface)
- Port 443 (the web interface)
- Some LAN-to-LAN (OpenVPN) connections.

-rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001

Yet other installations have not been infected.
OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked) running for about a year.

OK Installation 2 = Release 2.0.RC2 / No ports open to the world running for about 2 months

OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world running for about a year

Both the hosts referenced in the copy I have are the same as the OP.
zeroshell.will.mx
and
zeroshell.samhan.biz
Luckily both of these don’t resolve, and given the date on the infection I presume this must be a very, very old infection that we’ve only just discovered.

root@zeroshell DB> pstree -Gp
init(1)─┬─.DB.001(14049)
root@zeroshell DB> ps aux | grep 14049
root 7832 0.0 0.0 1944 244 pts/0 S 03:33 0:00 grep 14049
root 14049 0.0 0.2 2036 640 ? S 2013 64:09 sleep 1800

I slayed and reloaded the process; it spawned two of itself and instantly tried to resolve zeroshell.will.mx and zeroshell.samhan.biz.
I forced my network to respond with an IP, and the infection then tried to contact zeroshell.will.mx on port 53 over TCP, using the IRC protocol:

NICK WORO
USER DCRK localhost localhost :VQYJWO

Tom – http://www.mouselike.org
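A small detector for the two behaviours described in the post above (lookups of the two hostnames it names, and an IRC NICK/USER handshake sent to TCP port 53 instead of a DNS message), written as an added example for this thread; it is not code from ZeroShell or from the poster. The `build_query` helper and the flows in `SAMPLE_FLOWS` are constructed test input, not captured traffic.

```python
import re
import struct

# Hostnames the post reports the infection resolving (taken from the thread, not invented).
KNOWN_C2_HOSTS = {"zeroshell.will.mx", "zeroshell.samhan.biz"}
# IRC registration commands at the start of a line; a real DNS payload never looks like this.
IRC_HANDSHAKE = re.compile(rb"^(NICK|USER|PASS|JOIN) \S", re.MULTILINE)

def build_query(name, txid=0xABCD):  # minimal DNS A query: constructed test input, not captured traffic
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def dns_qname(msg):
    """Return the first question name of a raw DNS message, or None if it does not parse."""
    labels, pos = [], 12  # the question section starts right after the 12-byte header
    while len(msg) >= 12 and pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels) or None
        if n >= 0xC0 or pos + 1 + n > len(msg):  # no compression pointers or overruns in a question
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def scan_flows(flows):
    """flows: iterable of (proto, dst_port, payload). Returns a list of (reason, detail) alerts."""
    alerts = []
    for proto, port, payload in flows:
        if port != 53:
            continue
        # DNS over TCP carries a 2-byte big-endian length prefix equal to the message size.
        prefix = struct.unpack("!H", payload[:2])[0] if len(payload) > 2 else -1
        is_tcp_dns = proto == "tcp" and prefix == len(payload) - 2
        if proto == "tcp" and not is_tcp_dns and IRC_HANDSHAKE.search(payload):
            alerts.append(("irc-on-53", payload.split(b"\r\n")[0].decode("ascii", "replace")))
            continue
        name = dns_qname(payload[2:] if is_tcp_dns else payload)
        if name in KNOWN_C2_HOSTS:
            alerts.append(("known-c2-lookup", name))
    return alerts

# Constructed sample flows: a benign lookup, then the lookups and the handshake the post describes.
TCP_DNS = build_query("zeroshell.samhan.biz")
SAMPLE_FLOWS = [
    ("udp", 53, build_query("example.com")),
    ("udp", 53, build_query("zeroshell.will.mx")),
    ("tcp", 53, b"NICK WORO\r\nUSER DCRK localhost localhost :VQYJWO\r\n"),
    ("tcp", 53, struct.pack("!H", len(TCP_DNS)) + TCP_DNS),
]
```

Running `scan_flows(SAMPLE_FLOWS)` flags the two hostname lookups and the IRC handshake while leaving the benign lookup and the length-prefixed DNS-over-TCP frame alone.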