I am wondering if this is a new virus that I have found... I was watching tcpdump today over lunch and I saw about a thousand outgoing connections. I didn't know what was causing it, but it was pretty funny to see. So I watched about 20 minutes while I mawed on my sandwich and then I noticed that the target IPs were all sequential! A quick search on Googles told me something was certainly amiss.

So when lunch hour was up, I decided to get to the bottom of this before the higher-ups here at the bank noticed that outbound browsing was impossible due to the saturated OC12. Good thing I don't have to worry about HIPA requirements today, 'eh? Haha!

First, I decided I needed to get to the root of the problem, no pun intended:

# fstat / | tcpdump -i - | less

Well, that doesn't work. It seems some newb committer removed the switch to allow tcpdump to read from stdin. Thanks a lot, buster!

With tcpdump not being useful at all with tracking down this networking problem, I knew I had to do something fast! The natives were getting restless as I saw the suited buzzards churning outside the NOC! So I locked the door and decided to start by removing all unneeded device drivers from my kernel. For the archives, a simple way of doing this is as follows:

# dmesg > /tmp/mygoodstuff
# cat /usr/src/sys/`machine`/conf/GENERIC > /tmp/mybadstuff
# diff /tmp/mygoodstuff /tmp/mybadstuff | uniq -v > \
    /usr/src/sys/`machine`/NEWGENERIC

Then I compiled and installed the brand new kernel in an attempt to cure the problems of the day (or lunch hour lol).

After a quick smoke break, I rebooted the system with the new kernel. At this point, I decided to systrace the entire system. Again, for the archives, this is how one would do it (please add this to the FAQ, dudes, because I don't like having to repeat this every few days):

# echo "systrace /etc/rc" > /etc/rc

As time marched forward and after a quick reboot, I ran into a couple of snags in the armor! It seems that the virus may have taken its toll on the system, which is a Soekris attached to a Sun D1000 drive array with a 3.2V PCI card (sorry guys, I don't have the dmesg, but I can send one from Debian if that would help). Anyway, I tried to debug the system using the following command:

# systrace tcpdump -i /dev/systrace | cut -d' -f 3 | \
    sed '/12/' | for a in `cat /dev/systrace`; do echo "$a" > /dev/console

This didn't seem to produce the desired results, so now I am stuck in a poop boat without a paddle, so to speak. Can anybody help?

P.S. I already have sent the output of "cat /dev/wd0c > /tmp/obsdvirus" to Symantec for them to analyze. That's what we pay them for!

P.P.S. Check out my blog in my sig!

--------
Mr. Billy B. Bilano, MSCE, CCNA
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
http://monkey.org/openbsd/archive/misc/0406/msg00216.html
11/13/2010 1:22:05 PM
OpenBSD comes with an already integrated Standard Activation Wizard that does it all for you at the press of a button. Can it get easier? It's called "ReportMagic", or "rm" for short. There is an updated version of it supplied with the ports collection, BUT do NOT use it! The version in ports doesn't get the connection to the restartable system calls right and prints silly warnings. That's why it is not integrated in the high quality default distribution. So it is much better to use the default version integrated in OpenBSD.

As arguments you must supply which elements of a standard you want to break and the name of the standard. If you want to break all elements of a standard, give the wildcard character *; if you want only the top level elements of a standard, give the standard root character /; bottom elements */; elements between top and bottom /*/; and so on...

Examples:

rm -fr * POSIX1a
rm -fr / ASN.1

The -fr option gives you a nicely formatted _f_ull _r_eport. Unfortunately you must use this option, otherwise it will do nothing, because there is no sense in breaking a standard without reporting it, is there?
11/13/2010 11:04:10 PM
NOT FUNNY.
11/14/2010 12:14:04 AM