.IptabLes/.IptabLex DDoS botnet is spreading via known code execution flaws in various Java components

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 5.x
  • Red Hat JBoss Fuse
    • 6.x
  • Fuse ESB Enterprise
    • 7.x
  • Red Hat JBoss A-MQ
    • 6.x
  • Fuse MQ Enterprise
    • 7.x
  • Red Hat Network Satellite Server
    • 5.x
  • JBoss Operations Network
    • 3.x
  • Red Hat Subscription Asset Manager
    • 1.x

Issue

A botnet used to perform distributed denial-of-service (DDoS) attacks has been detected. If a system is compromised and recruited into this botnet, you will notice very high outbound network traffic from it, as it is used to participate in DDoS attacks. The botnet has been reported to spread by exploiting known code execution flaws in various Java components.

Resolution

To protect your systems, ensure you have applied all patches for the flaws listed in the Root Cause section below.

If your systems are already compromised by the .IptabLes/.IptabLex DDoS botnet, you need to take immediate action. As the attacker gained root access, you cannot be certain exactly what was changed or installed on the system. You should back up your data, image the drive, and reinstall from scratch to ensure no trace of the attacker is left on the system. This guide from CERT gives more details about the process to follow when recovering from a compromise:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

In the interim, to attempt to clean an affected system:

  1. Check if IptabLex / IptabLes is running:

    # ps -ef | grep IptabL
    root      9000     1  0 Mar10 ?        12:00:00 /boot/.IptabLex


    You need to kill all the .IptabLex processes

    # ps -ef | grep IptabL | grep -v grep | awk '{print $2}' | xargs kill -9
    
  2. Look for the related files:

    # find / -name "*IptabL*" -print
    

    Ensure you are not including system files by mistake (the -name pattern is case-sensitive, so the lowercase iptables firewall files such as /sbin/iptables and /etc/sysconfig/iptables are not matched; do not change it to -iname) and then remove all of them:

    # find / -name "*IptabL*" -exec rm -f {} \;
    
  3. Look for further related files:

    # ls -al /.mylisthb*
    

    Remove them with the following command:

    # rm -f /.mylisthb*
    
  4. Check /etc/rc.local for any commands related to the malware (for example, a line that starts /boot/.IptabLex at boot) and remove them.

  5. Change your root password.

  6. If you are using ssh, remove the .ssh directory from root's home (/root/.ssh) so that any authorized_keys entry the attacker added no longer grants access, and filter connections to the machine so that only trusted hosts can reach it.

  7. Ensure your system is up to date with the latest security patches.
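The following script gathers the indicators from steps 1 to 6 into one read-only triage pass. It is an added example, not part of this article or any Red Hat tool; the function names, the fake root directory it builds with mktemp and the placeholder authorized_keys entry are all constructed for illustration. Run it before the kill and rm commands in the steps above, and keep its output together with the disk image, because those commands destroy the evidence.

```bash
#!/bin/bash
# Triage helper for the .IptabLes/.IptabLex indicators named in steps 1-6
# above. Added example, not Red Hat's own tooling. Each check takes the
# filesystem root to inspect (default "/"), so the same functions can be tried
# on a throwaway directory tree before being pointed at a live host. Nothing
# here deletes anything: it reports, so output can be kept as evidence before
# the host is reimaged.
set -u

# Step 1: processes whose command line contains .IptabL. The "[.]" in the
# pattern stops grep from matching its own command line, so no "grep -v grep".
iptabl_processes() {
    ps -eo pid=,user=,args= | grep '[.]IptabL' || true
}

# Step 2: files named *IptabL*. -name is case sensitive, so the legitimate
# lowercase iptables files (/sbin/iptables, /etc/sysconfig/iptables) are not
# reported; do not change this to -iname. -xdev keeps the walk off NFS/CIFS.
iptabl_files() {
    local root="${1:-/}"
    find "$root" -xdev -name '*IptabL*' 2>/dev/null | sort
}

# Step 3: the /.mylisthb* files in the top-level directory.
mylisthb_files() {
    local root="${1:-/}"
    find "$root" -maxdepth 1 -name '.mylisthb*' 2>/dev/null | sort
}

# Step 4: rc.local lines that re-launch the malware at boot.
rc_local_hits() {
    local root="${1:-/}"
    [ -f "$root/etc/rc.local" ] || return 0
    grep -n -E 'IptabL|mylisthb' "$root/etc/rc.local" || true
}

# Step 6: one line per key in root's authorized_keys (key type and comment),
# so an entry the attacker added stands out before the directory is removed.
root_authorized_keys() {
    local root="${1:-/}"
    local f="$root/root/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print NR ": " $1 " " $NF }' "$f"
}

# Run every check against one root and print a report.
triage() {
    local root="${1:-/}"
    echo "== processes";            iptabl_processes
    echo "== *IptabL* files";       iptabl_files "$root"
    echo "== /.mylisthb* files";    mylisthb_files "$root"
    echo "== rc.local";             rc_local_hits "$root"
    echo "== root authorized_keys"; root_authorized_keys "$root"
}

# Constructed fixture (not a real infection): a fake root holding the paths
# this article names plus a lowercase /sbin/iptables that must NOT be flagged.
make_fixture() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/boot" "$root/etc" "$root/sbin" "$root/root/.ssh"
    : > "$root/boot/.IptabLex"
    : > "$root/boot/.IptabLes"
    : > "$root/.mylisthb"
    : > "$root/sbin/iptables"
    printf '#!/bin/sh\n/boot/.IptabLex\nexit 0\n' > "$root/etc/rc.local"
    echo 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORTESTING admin@example' \
        > "$root/root/.ssh/authorized_keys"
    printf '%s\n' "$root"
}

# "bash triage.sh --demo" runs the checks on the fixture; "triage /" on a host.
if [ "${1:-}" = "--demo" ]; then
    demo_root="$(make_fixture)"
    triage "$demo_root"
    rm -rf "$demo_root"
fi
```

The process check uses the pattern `[.]IptabL` so that grep does not match its own command line, which has the same effect as the `grep -v grep` in step 1. Because `-name` is case-sensitive, the lowercase iptables firewall files are never listed; switching to `-iname` and then running the `rm` from step 2 would delete /sbin/iptables.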

Root Cause

It has been reported that the following code execution flaws in Java components have been exploited to spread this botnet. The following flaws do not affect any supported Red Hat Products:

CVE-2011-3923 Apache Struts 2: Remote code execution via OGNL injection in HTTP parameter values
CVE-2012-0394 Apache Struts 2: remote execution of arbitrary commands when developer mode is used
CVE-2013-1966/CVE-2013-2115 Apache Struts 2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
CVE-2013-2251 Apache Struts 2: arbitrary OGNL code execution via crafted parameters
CVE-2013-4212 Apache Roller: remote code execution via OGNL injection
CVE-2014-0094 Apache Struts 2: ClassLoader manipulation via request parameters
CVE-2014-0112 Apache Struts 2: ClassLoader manipulation via request parameters (incomplete fix for CVE-2014-0094)

The following flaws do affect supported Red Hat products, but updates are available:

CVE-2012-0874 JBoss invoker servlets do not require authentication
CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
CVE-2014-3120 Elasticsearch: remote code execution flaw via dynamic scripting
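One way to confirm that the fixes for these three CVEs are installed on an RPM-based host is to look for the CVE identifier in the package changelog, which Red Hat security errata normally record. This is an added example, not a Red Hat tool; the package name in the comment and the sample changelog excerpt are constructed for illustration.

```bash
#!/bin/bash
# Confirm that the Red Hat fixes for the CVEs above are actually installed.
# Added example, not a Red Hat tool. Red Hat security updates normally name
# the CVE in the package changelog, so "rpm -q --changelog PACKAGE" answers
# the question offline, including on RHEL 5 hosts without a yum security
# plugin.
set -u

# The CVEs from the Root Cause section for which Red Hat updates exist.
RH_FIXED_CVES="CVE-2012-0874 CVE-2014-0114 CVE-2014-3120"

# Read a changelog on stdin, print each CVE from $1 (space separated) that it
# does not mention, and return 1 if anything is missing.
cves_missing_from_changelog() {
    local cves="$1" log cve missing=0
    log="$(cat)"
    for cve in $cves; do
        if ! printf '%s\n' "$log" | grep -q -F -- "$cve"; then
            printf '%s\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# Apply the check to an installed package. The package name is whatever
# "rpm -qa | grep -i <component>" reports on your host; the name below is
# illustrative only:
#   check_package_cves struts "CVE-2014-0114"
check_package_cves() {
    local pkg="$1" cves="${2:-$RH_FIXED_CVES}"
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed, nothing to check" >&2
        return 2
    fi
    rpm -q --changelog "$pkg" | cves_missing_from_changelog "$cves"
}

# Constructed changelog excerpt (not from a real package) for offline use:
# it records the Struts 1 fix only.
SAMPLE_CHANGELOG='* Tue Apr 29 2014 Packager <packager@example.com> - 1.0-2
- Resolves: CVE-2014-0114 ClassLoader manipulation via request parameters
* Mon Jan 07 2013 Packager <packager@example.com> - 1.0-1
- initial build'

# "bash check_cves.sh --demo" runs the check against the sample changelog.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cves_missing_from_changelog "$RH_FIXED_CVES"; then
        echo "all fixes present"
    else
        echo "fixes missing for the CVEs listed above"
    fi
fi
```

A CVE that is absent from the changelog is a prompt to compare the installed version with the one named in the Red Hat advisory, not proof that the host is vulnerable. Products installed from a zip archive rather than from RPM are not visible to rpm at all; check their version against the advisory instead.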

Akamai has published an advisory with an overview of the botnet. More detailed technical analysis of the payload is available here.

Diagnostic Steps

  • If you notice unusual volumes of outbound network traffic from a system, follow the steps in the Resolution section above.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
