Wednesday, February 10, 2016

Red Hat Enterprise Linux Server release 5.5 - Hacked and fixed

One of our public, rarely used sandbox servers was hacked last January. Even one of our Amazon Web Services instances got hit; it was one of the three we have since gotten rid of.

Several OS binaries (ps, netstat, lsof, ss and chattr on our box) had been overwritten by a 1135000-byte binary, so they have to be copied back from a clean server; the trojaned copies cannot be trusted to show the trojan's own processes, files or sockets. The dropped paths listed below match the indicators public analyses give for the Linux/BillGates (Elknot) DDoS bot family. We cleaned this sandbox in place as shown here, but for any host that matters, rebuild it from a trusted image and restore only data: a trojan that replaces ps and netstat may well have left more behind than the files we found.

Run these commands to get rid of the offending trojans/viruses. Stop the processes first, then clear the immutable bit the trojan sets on its files, then delete them, then put back the system tools it overwrote. chattr is itself one of the replaced binaries, so fetch a clean copy from another server (soadb below) before relying on it:
mkdir -p /root/clean
scp oracle@soadb:/usr/bin/chattr /root/clean/
# kill the running trojan processes (these are the names it used on our box;
# killing sleep and ps also hits legitimate ones, which is harmless on a sandbox)
killall -9 l26.tmp
killall -9 http.sh
killall -9 https.sh
killall -9 sleep
killall -9 ps
killall -9 .sshd
# clear the immutable attribute with the clean chattr, otherwise the rm below fails
/root/clean/chattr -i /usr/bin/.sshd
/root/clean/chattr -i /usr/bin/kernel
/root/clean/chattr -i /usr/bin/acpid
/root/clean/chattr -i /etc/bash
# remove the dropped files and directories
rm -rf /usr/bin/dpkgd
rm -rf /usr/bin/bsd-port
rm -f /l26.tmp
rm -f /usr/bin/.sshd
rm -f /usr/bin/kernel
rm -f /usr/bin/acpid
rm -f /etc/bash
rm -f /etc/Centos-ssh
rm -f /etc/Centos-sshd
rm -f /etc/fake.cfg
rm -f /etc/http.sh*
rm -f /etc/https.sh*
# put back clean copies of the system tools the trojan overwrote
scp oracle@soadb:/bin/ps /bin
scp oracle@soadb:/bin/netstat /bin
scp oracle@soadb:/usr/sbin/lsof /usr/sbin
scp oracle@soadb:/usr/sbin/ss /usr/sbin
scp oracle@soadb:/usr/bin/chattr /usr/bin
# /usr/bin/kernel and /usr/bin/acpid are not stock RHEL 5 files (the real acpid is
# /usr/sbin/acpid); only copy them back if a package on soadb owns them (check with
# rpm -qf there), otherwise leave them deleted
scp oracle@soadb:/usr/bin/kernel /usr/bin
scp oracle@soadb:/usr/bin/acpid /usr/bin
# confirm the restored tools now match the package database
rpm -V procps net-tools lsof iproute e2fsprogs
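As an added triage example (not part of the original post), here is a POSIX sh script that checks a filesystem root for the dropped paths listed above and for the replaced system tools, flagging any whose size matches the 1135000-byte binary mentioned in the post. The ROOT argument, the function names and the size-based check are my own construction for illustration; point it at a mount or copy of the affected disk rather than the live system, whose ps and netstat are exactly what got replaced.

```shell
#!/bin/sh
# Added triage script (not from the original post). Scans a filesystem root
# for the files the trojan dropped and for the system tools it overwrote,
# using the paths and the 1135000-byte size reported in the post.
# ROOT is a hypothetical parameter: point it at a mounted image or copy of the
# compromised disk, since the live system's ps/netstat are what got replaced.

IOC_PATHS="/l26.tmp /usr/bin/.sshd /usr/bin/kernel /usr/bin/acpid /etc/bash
/etc/Centos-ssh /etc/Centos-sshd /etc/fake.cfg /etc/http.sh /etc/https.sh
/usr/bin/dpkgd /usr/bin/bsd-port"

# System tools the post had to copy back from a clean server.
REPLACED_BINS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss /usr/bin/chattr"
DROPPER_SIZE=1135000

# Print each indicator path that exists under ROOT. Exit status 0 means none found.
scan_indicators() {
  root=${1:-/}
  hits=0
  for p in $IOC_PATHS; do
    if [ -e "$root$p" ]; then
      echo "dropped: $p"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Print each replaced binary whose size equals the dropper's. A stock RHEL 5
# ps or netstat is a small fraction of that size, so a 1135000-byte file at
# one of these paths is a strong sign it was overwritten. Exit status 0 means
# none matched.
find_trojaned_bins() {
  root=${1:-/}
  hits=0
  for b in $REPLACED_BINS; do
    f="$root$b"
    [ -f "$f" ] || continue
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -eq "$DROPPER_SIZE" ]; then
      echo "trojaned: $b ($size bytes)"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Run both checks; exit status 0 only when neither found anything.
triage() {
  root=${1:-/}
  status=0
  scan_indicators "$root" || status=1
  find_trojaned_bins "$root" || status=1
  return $status
}

# Command-line use: sh triage.sh /mnt/compromised   (exits 2 if anything was found)
case "${1:-}" in
  "") ;;
  *) triage "$1" || exit 2 ;;
esac
```

Run it against a mounted copy of the disk (for example `sh triage.sh /mnt/compromised`); a non-zero exit means something was found and the printed lines tell you which paths to deal with. Because only the file names and size are checked, a clean result from this script is not proof of a clean host; it is a quick way to see whether a box carries the same droppings as ours.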


Applicable Versions:
  • Red Hat Enterprise Linux Server release 5.5

