secure.tgz untars into the folder secure which contains the following
In the various RedHatx folders, where x is the RedHat versions, are scripts for downloading and installing of tools like wget, bind, nmap, libpcap, LPRng specific to the version of x. For example, folder RedHat7.2 contains the script rh7.2 that downloads and install rpms of libpcap, nmap, wget and LPRng from ftp.rpmfind.net.
CC is a script that greps Master and Visa accounts in the directory /home, /var, /root and /www. The results are piped into the file card.log
flq.sh is a script for clearing logs.
secure is a shell script that calls 2 other shell scripts, secure1 and secure2.
secure1 performs several task:
(a) It unsets a list of "bad" files, such as /bin/mount and /usr/bin/write, using chmod -s. This allows the attacker to run his processes as the process privilege, usually root.
(b) Next a set of "good" files, such as /etc/passwd, are immunized using "chattr +i", this prevents the files from being deleted without first doing a chattr -i. We suspect that the hacker attempts to prevent accidental deletion of his accounts in passwd and shadow.
(c) The script carry on to patch against possible DoS with the following actions:
echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.d/rc.local
echo "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" >> /etc/rc.d/rc.local
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
(d) The last step involved patching bind and tcl and removing rcp.statd.
secure2 secures the machine by killing portmap service and patching to a non-vulnerable wu-ftpd version.