Analysis of files in secure.tgz

secure.tgz untars into the folder secure, which contains the following:

  • CC
  • flq.sh
  • RedHat5.2
  • RedHat6.0
  • RedHat6.1
  • RedHat6.2
  • RedHat7.0
  • RedHat7.1
  • RedHat7.2
  • secure
  • secure1
  • secure2
  • wu-ftpd6x.rpm

    In the various RedHatx folders, where x is the RedHat version, are scripts for downloading and installing tools such as wget, bind, nmap, libpcap and LPRng specific to that version. For example, folder RedHat7.2 contains the script rh7.2, which downloads and installs rpms of libpcap, nmap, wget and LPRng from ftp.rpmfind.net.

    CC is a script that greps for Master and Visa accounts in the directories /home, /var, /root and /www. The results are piped into the file card.log.

    flq.sh is a script for clearing logs.

    secure is a shell script that calls two other shell scripts, secure1 and secure2.

    secure1 performs several tasks:
    (a) It strips the setuid bit from a list of "bad" files, such as /bin/mount and /usr/bin/write, using chmod -s. The setuid bit lets whoever runs such a program execute it with the privilege of the file's owner, usually root; removing it takes that away.

    (b) Next, a set of "good" files, such as /etc/passwd, are immunized using "chattr +i". This prevents the files from being deleted without first doing a chattr -i. We suspect that the hacker attempts to prevent accidental deletion of his accounts in passwd and shadow.

    (c) The script then patches against possible DoS with the following commands:
    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.d/rc.local
    echo "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" >> /etc/rc.d/rc.local
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    (d) The last step involves patching bind and tcl and removing rpc.statd.
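    As an added triage helper (not part of secure.tgz or of this analysis), the following shell functions look under a given root for the traces secure1 leaves behind: the two lines it appends to rc.local, the setuid bit stripped from /bin/mount and /usr/bin/write, and the immutable attribute on /etc/passwd. The root argument, the function names and the choice of lsattr for the attribute check are assumptions.

```sh
#!/bin/sh
# Added triage helper, not part of secure.tgz: look for the traces secure1
# leaves behind. ROOT is "/" on a live host or the mount point of an image.

# Lines secure1 appends verbatim to /etc/rc.d/rc.local.
RC_MARKERS='echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all'

# Setuid binaries secure1 strips with "chmod -s" (the two named in the analysis).
SUID_TARGETS='/bin/mount /usr/bin/write'

# Files secure1 marks immutable with "chattr +i" (the one named in the analysis).
IMMUTABLE_TARGETS='/etc/passwd'

# Print one line per indicator found under ROOT ($1).
secure1_triage() {
    root=${1%/}
    # 1. rc.local: exact whole-line match, so a hand-written sysctl.conf is not flagged.
    while IFS= read -r m; do
        if grep -qxF -- "$m" "$root/etc/rc.d/rc.local" 2>/dev/null; then
            printf 'rc.local appended: %s\n' "$m"
        fi
    done <<EOF
$RC_MARKERS
EOF
    # 2. setuid bit missing from binaries that normally carry it.
    for f in $SUID_TARGETS; do
        if [ -f "$root$f" ] && [ ! -u "$root$f" ]; then
            printf 'setuid stripped: %s\n' "$f"
        fi
    done
    # 3. immutable attribute; lsattr prints the flags ("----i---...") as the first field.
    for f in $IMMUTABLE_TARGETS; do
        if command -v lsattr >/dev/null 2>&1 && [ -f "$root$f" ]; then
            case $(lsattr -d -- "$root$f" 2>/dev/null | cut -d' ' -f1) in
                *i*) printf 'immutable: %s\n' "$f" ;;
            esac
        fi
    done
}

# Number of indicators found; 0 means none of secure1's traces were seen.
secure1_indicator_count() {
    secure1_triage "$1" | wc -l | tr -d ' '
}
```

    Each indicator is a reasonable administrator setting on its own; it is the combination on a host that nobody hardened deliberately that warrants a closer look.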

    secure2 secures the machine by killing the portmap service and patching wu-ftpd to a non-vulnerable version.