Thread: rkhunter scalper worm

  1. #1
    Join Date
    Mar 2012
    Beans
    4

    rkhunter scalper worm

    Just ran rkhunter and received the following error:

    Warning: Scalper Worm [ Warning ]
    File '/tmp/.a' found

    How do I remove this from Ubuntu Server 10.04? I tried to delete the file and kill the process, but neither works.

    Thanks,

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: rkhunter scalper worm

    Check to see what process is using those files:

    Code:
    sudo lsof /tmp/.a
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: rkhunter scalper worm

    Do you think it's possible that /tmp/.a is just a temporary file you or some non-malicious application created?

    That's a pretty broad flag to say that you have the scalper worm, especially considering scalper spread through vulnerable versions of Apache 1.3.x and 2.0.x. So unless you're running a VERY old webserver, it's highly unlikely you have the scalper worm.

    Code:
    rm -f /tmp/.a
    should get rid of the file, though you should do what Charles said and find out what's using it. Alternatively, I like fuser as well for that purpose.

    Code:
    fuser /tmp/.a
    Hope this helps.
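
The check suggested in the replies above (find out what holds /tmp/.a before deleting it), as an added example that is not part of the original posts: it walks /proc to list each process holding a flagged file open, with owner, executable and command line. The function names are made up for this example, and it assumes Linux with GNU coreutils.

```bash
#!/bin/sh
# Added triage example: list the processes that hold a flagged file open,
# with owner, executable and command line, before removing anything.
# Linux only (reads /proc); run as root to see other users' processes.
# Assumes GNU coreutils for "readlink -f" and "stat -c".

# holders_of PATH: print the PID of every process with PATH open, one per line.
holders_of() {
    h_target=$(readlink -f -- "$1") || return 1
    for h_fd in /proc/[0-9]*/fd/*; do
        # Each fd entry is a symlink to the open file. The kernel appends
        # " (deleted)" when the file was unlinked while still open, so a
        # removed file that a process still holds is reported too.
        case "$(readlink -- "$h_fd" 2>/dev/null)" in
            "$h_target" | "$h_target (deleted)")
                h_pid=${h_fd#/proc/}
                echo "${h_pid%%/*}" ;;
        esac
    done | sort -un
}

# describe_pid PID: one line of context for deciding what the process is.
describe_pid() {
    d_exe=$(readlink -- "/proc/$1/exe" 2>/dev/null) || d_exe='?'
    d_user=$(stat -c %U "/proc/$1" 2>/dev/null) || d_user='?'
    d_cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline") || d_cmd='?'
    printf 'pid=%s user=%s exe=%s cmd=%s\n' "$1" "$d_user" "$d_exe" "$d_cmd"
}

# triage PATH: describe every holder; returns 1 when nothing has PATH open.
triage() {
    t_rc=1
    for t_pid in $(holders_of "$1"); do
        describe_pid "$t_pid"
        t_rc=0
    done
    return "$t_rc"
}

# Usage: sh triage.sh /tmp/.a
if [ "$#" -gt 0 ]; then
    triage "$1" || echo "no visible process has $1 open"
fi
```

Record the output before killing the process or removing the file, since the executable path and owner are lost once the process exits.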

  4. #4
    Join Date
    Mar 2012
    Beans
    4

    Re: rkhunter scalper worm

    Thanks for the reply.

    Ran lsof and .jboss is using the file.

  5. #5
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: rkhunter scalper worm

    In that case you might consider this...

    Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.

    The worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products. An update to JBoss enterprise products was produced in April 2010 to correct the flaw, CVE-2010-0738.

    Instructions for securing the JMX console are available here: http://community.jboss.org/wiki/SecureTheJmxConsole.

  6. #6
    Join Date
    Mar 2012
    Beans
    4

    Re: rkhunter scalper worm

    Once I secure JBoss, how do you suggest removing the worm?

  7. #7
    Join Date
    Sep 2011
    Beans
    1,531

    Re: rkhunter scalper worm

    If it were me I would back up my data & reinstall everything. Then I would secure JBoss.

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: rkhunter scalper worm

    Quote (originally posted by Ms. Daisy):
    If it were me I would back up my data & reinstall everything. Then I would secure JBoss.
    That would be what I would do as well.

  9. #9
    Join Date
    Mar 2012
    Beans
    4

    Re: rkhunter scalper worm

    Ok, thanks
