So one of my servers is totally compromised by a rootkit called Hacker Defender. I’ve spent the day trying to clean it off, and I think I just pronged it for good (cross my fingers). It’s funny how I discovered the problem (and by funny, I mean, there’s nothing funny about this): my Tomcat-based task manager (Jira) stopped working. It threw a ClassNotFoundException when loading. That’s odd, thinks I, and I switch to the relevant /classes directory and — sure enough — the /com folder leading to the classes is gone.
I sent out a message to users (“Who fracked with the server?”) and, after some stumbling around, explicitly unpacked the classes into that directory and … they disappear …
It turns out that the rootkit (or its payload) installs a significantly sized Java-based web service and then hides the .class files from Windows (I think the evil hidden process actively hooks kernel .dlls and hides .class files). Well, the same logic that hid the evil Java classes hid my good Java classes. And thus began my education.
So, long story short: I highly recommend Sophos Anti-Rootkit, which was able to diagnose the rootkit automatically and not-quite-automatically allowed me to locate and delete the critical initialization file that re-infects the system every time it is rebooted. (It is not enough to delete the driver!)
Now that the hidden files are visible, what does it turn out my system was doing? Trading movies. These guys f***ed with my system in order to swap a cam of Norbit in German. F***ers.
Okay, so now I have logs of a whole bunch of machines, all presumably in the botnet. Do I send these to someone?
Update: OMFG. Someone from a British Telecom range just logged on (anonymously — how the f*** is he doing that? The guest account was never enabled, I’ve changed the name of the admin account, I’ve changed every password on the f***ing system), booted me off, and now I can’t access it via Remote Desktop. Well, it was a nice server while it lasted…