I've found that file too on a client's server, and it's very, very suspicious.
I've found it because my ntpd binaries were disappearing every once in a while. I monitored them with auditctl and found this:
Code:
type=SYSCALL msg=audit(29/05/14 12:02:31.120:68) : arch=i386 syscall=unlink success=yes exit=0 a0=0xff3f7fc0 a1=0x9 a2=0x80be5e0 a3=0xff3ffbe0 items=2 ppid=7508 pid=7509 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=.flush exe=/tmp/.flush key=ntpd
WHAT! syscall=unlink by executable .flush? Who are you?
Let's check processes:
Code:
~$ ps aux|grep flush
root 198 0.0 0.0 0 0 ? S< 12:31 0:00 [kdmflush]
root 201 0.0 0.0 0 0 ? S< 12:31 0:00 [kdmflush]
root 1565 0.0 0.0 7168 136 ? Ss 12:32 0:00 [flush-242:0]
root 1566 0.0 0.0 7168 136 ? S 12:32 0:00 [flush-242:0]
root 1567 0.0 0.0 7168 136 ? S 12:32 0:00 [flush-242:0]
root 1568 0.0 0.0 7168 136 ? S 12:32 0:00 [flush-242:0]
root 1569 0.0 0.0 7168 136 ? S 12:32 0:00 [flush-242:0]
Code:
~$ ps -e -T|grep flush
198 198 ? 00:00:00 kdmflush
201 201 ? 00:00:00 kdmflush
1565 1565 ? 00:00:00 .flush
1566 1566 ? 00:00:00 .flush
1567 1567 ? 00:00:00 .flush
1568 1568 ? 00:00:00 .flush
1569 1569 ? 00:00:00 .flush
I uploaded it to VirusTotal and, right now, it shows nothing suspicious:
https://www.virustotal.com/en/file/1...is/1401379742/
File type is funny, because it's static, which might be usual on rootkits, to be able to run everywhere, and also, it's 32-bit (80386, not even Pentium optimized), while my client's machine is 64.
Code:
~$ file /tmp/.flush
/tmp/.flush: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
Let's compare it to one regular system binary:
Code:
~$ file /bin/ls
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped
I've deleted it and it appears again on reboot. Although I was auditing the file to find who created it, it appears that it's created before the auditctl process started, so it doesn't appear.
Code:
$ sudo stat -c%x /tmp/.flush
2014-05-29 13:53:47.723794621 -0400
$ sudo stat -c%y /tmp/.flush
2014-05-29 13:50:17.388910913 -0400
$ sudo stat -c%w /tmp/.flush
-
13:50 was, approx, my reboot time.
I'm asking the client for an immediate shutdown and deletion of the machine, as it was fairly clean and not in production, but I'm asking also for a virtual image I can analyze...
Do you have any other ideas to check this machine?
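Added example, not part of the post above: a Python script that turns the two checks done by hand in the post into code. It parses auditd SYSCALL records to flag file-removal syscalls issued by a binary in a scratch directory, and compares /proc/<pid>/cmdline, exe and comm to catch a user-space process that prints like a kernel thread in `ps aux` while `ps -e -T` shows its real comm (the `[flush-242:0]` vs `.flush` discrepancy). The audit field names are auditd's own; SUSPECT_DIRS, the syscall list and the reason strings are my choices.

```python
import os
import re

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # auditd key=value fields
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # my choice of scratch dirs

def parse_audit(line):
    """key=value fields of one auditd record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def suspicious_audit(line):
    """A file-removal syscall issued by a binary living in a scratch dir."""
    rec = parse_audit(line)
    return (rec.get("exe", "").startswith(SUSPECT_DIRS)
            and rec.get("syscall") in ("unlink", "unlinkat", "rename", "renameat"))

def classify_process(argv, exe, comm):
    """Reasons a process looks wrong; [] means clean. argv = NUL-split cmdline,
    exe = /proc/<pid>/exe target ('' if unresolvable), comm = /proc/<pid>/comm."""
    reasons, argv0 = [], (argv[0] if argv else "")
    # Kernel threads print bracketed in `ps aux` but never have an exe link.
    if (argv0 == "" or argv0.startswith("[")) and exe:
        reasons.append("user process disguised as kernel thread")
    if exe.startswith(SUSPECT_DIRS):
        reasons.append("executable runs from a scratch directory")
    # argv[0] is under the process's control, comm (what `ps -e -T` shows) is
    # not; interpreters differ too, so report only next to a stronger sign.
    if reasons and comm and os.path.basename(argv0.strip("[]")) != comm:
        reasons.append("argv[0] %r does not match comm %r" % (argv0, comm))
    return reasons

def scan_proc(root="/proc"):
    """Walk a live /proc (run as root) and return {pid: reasons}."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(root)):
        d = os.path.join(root, pid)
        try:
            with open(os.path.join(d, "cmdline"), "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
            with open(os.path.join(d, "comm")) as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(os.path.join(d, "exe"))
            except OSError:  # kernel thread, zombie, or not permitted
                exe = ""
        except OSError:  # process exited while we were reading it
            continue
        reasons = classify_process(argv, exe, comm)
        if reasons:
            found[int(pid)] = reasons
    return found
```

Run `scan_proc()` as root on the suspect box; a process that is clean in `ps aux` but flagged here is worth a look before the image is taken.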