rc.local mystery executables

rc.local mystery executables

quisquous
I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
I was doing some maintenance and I found my way to /etc/rc.local. When I
opened it I saw this:

$ cat rc.local
#       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr

I don't remember adding those lines to my rc.local file.

$ cd /etc && ls -al ./sfewfesfs
-rwsrwsrwt  1 root  wheel  694680 Apr  4 07:47 /etc/sfewfesfs

$ file dsfrefr
dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

Seems odd to have a bunch of randomly named executables running at boot.
And that they are compiled for 386 (I'm running amd64), and that they have
suid set, and to root.

$ clamscan *
dsfrefr: OK
ferwfrre: OK
gfhddsfew: OK
gfhjrtfyhuf: OK
rc.local: OK
rewgtf3er4t: OK
sdmfdsfhjfe: OK
sfewfesfs: OK
Scanned directories: 0
Scanned files: 8
Infected files: 0
Data scanned: 3.21 MB
Data read: 3.20 MB (ratio 1.00:1)
Time: 10.842 sec (0 m 10 s)

Hmm, ok let's run one.

$ ./dsfrefr
./dsfrefr[1]: syntax error: `(' unexpected

That's all any of them say when run.

So...have I been p0wned or does anyone know what innocent thing might be
happening here? Please CC [hidden email] on any replies, as I'm not
subscribed to updates from the list.
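
An added triage script, not from Scott's post or from anyone else in this thread, that automates the three checks he did by hand: list the non-comment lines of rc.local, find setuid/setgid files under a directory (a stock OpenBSD /etc has none), and read the ELF header to see what architecture each startup binary was built for. It assumes POSIX sh with od, find, sed and grep; the files built in demo() are constructed stand-ins, not the real malware. On the "syntax error" he saw: an amd64 OpenBSD kernel will not exec an i386 ELF, execve fails with ENOEXEC, and ksh then falls back to reading the file as a shell script, so the first binary garbage it parses produces a syntax error instead of anything running.

```shell
#!/bin/sh
# Added triage script (example code, not from the thread). It reproduces
# the three things Scott noticed by hand: foreign startup actions in
# rc.local, setuid/setgid files where none belong, and ELF binaries built
# for the wrong architecture. Assumes POSIX sh, od, find, sed and grep.
# Paths and sample files below are illustrative.

# Non-comment, non-blank lines of an rc.local. A stock OpenBSD rc.local
# has none, so any output is something a person (or an intruder) added.
rc_local_actions() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Report setuid/setgid regular files under a directory. /etc should have
# none; the system's setuid binaries live in /bin, /sbin, /usr/bin, ...
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# Classify an ELF file by its header: byte 4 is EI_CLASS (01=32-bit,
# 02=64-bit), bytes 18-19 are e_machine little-endian (03=i386, 3e=x86-64).
elf_machine() {
    magic=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo not-elf
        return 1
    fi
    class=$(od -An -tx1 -j 4 -N 1 "$1" | tr -d ' \n')
    mach=$(od -An -tx1 -j 18 -N 2 "$1" | tr -d ' \n')
    case "$class$mach" in
        010300) echo i386 ;;
        023e00) echo x86-64 ;;
        *)      echo "other(class=$class,machine=$mach)" ;;
    esac
}

# Walk every "cd DIR;./NAME" line of an rc.local and flag binaries that
# cannot run on this host's kernel (here: i386 objects on an amd64 box).
audit_rc_local() {
    rc=$1; host_arch=${2:-x86-64}
    rc_local_actions "$rc" | while read -r line; do
        dir=$(printf '%s\n' "$line" | sed -n 's/^cd \([^;]*\);\.\/\(.*\)$/\1/p')
        bin=$(printf '%s\n' "$line" | sed -n 's/^cd \([^;]*\);\.\/\(.*\)$/\2/p')
        [ -n "$bin" ] || { printf 'UNPARSED: %s\n' "$line"; continue; }
        path=$dir/$bin
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(elf_machine "$path")" != "$host_arch" ]; then
            printf 'WRONG-ARCH %s (%s)\n' "$path" "$(elf_machine "$path")"
        else
            printf 'CHECK %s\n' "$path"
        fi
    done
}

# Stand-alone demo on constructed data (not the real /etc): two minimal
# 20-byte ELF headers, enough for the fields read above.
demo() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\003\000' > "$d/dsfrefr"
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$d/good64"
    chmod 4755 "$d/dsfrefr"
    printf '# comment\n\ncd %s;./dsfrefr\ncd %s;./good64\n' "$d" "$d" > "$d/rc.local"
    audit_rc_local "$d/rc.local" x86-64
    find_setid "$d"
    rm -rf "$d"
}
```

On a real box run `audit_rc_local /etc/rc.local` and `find_setid /etc` as root; anything printed as WRONG-ARCH or found by find_setid under /etc is, as the replies below say, not something to explain away.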

Re: rc.local mystery executables

Chris Cappuccio
Scott Bonds [[hidden email]] wrote:
> I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
...
> $ file dsfrefr dsfrefr: ELF 32-bit LSB executable, Intel 80386, version
...
> So...have I been p0wned or does anyone know what innocent thing might be
> happening here? Please CC [hidden email] on any replies, as I'm not
> subscribed to updates from the list.

Yeah, you are compromised.

Re: rc.local mystery executables

Adam Thompson
In reply to this post by quisquous
On 14-08-14 07:54 PM, Scott Bonds wrote:
> So...have I been p0wned or does anyone know what innocent thing might be
> happening here?

I think you already know the answer, unless you've done something very,
very strange back in April.
However, it could be said that the 3rd party here isn't terribly
competent, mixing arches and leaving traces behind.
The most innocent thing I can think of is that someone is playing a
prank on you...

--
-Adam Thompson
  [hidden email]

Re: rc.local mystery executables

Ted Unangst-6
In reply to this post by quisquous
On Thu, Aug 14, 2014 at 17:54, Scott Bonds wrote:

> So...have I been p0wned or does anyone know what innocent thing might be
> happening here? Please CC [hidden email] on any replies, as I'm not
> subscribed to updates from the list.

Bad news: yeah. They appear to have screwed up their rootkit by
installing the i386 edition, but those files should not be there. I'd
reinstall after giving some consideration to how this may have
happened (and changing all your passwords, rotating ssh keys, etc.).

Re: rc.local mystery executables

quisquous
Ok, thanks for confirming (and Chris and Adam). And while I have you
here, thank you for all of your contributions to OpenBSD, it's amazing to
me the scope and quality of what y'all have built.

I thought I was being reasonably careful: ssh disabled for root,
key-only login on my admin account, following stable, etc...then again,
I'm running owncloud and a bunch of other (no doubt less secure)
software. Perhaps I should separate the router and 'everything else'
roles, so that the router only has builtin OpenBSD software on it, no
packages. Then again, whatever the exploit, they could probably still
use it on the newly separated 'everything else' box. Anyway, I clearly
have a lot to learn about security.

On Thu, Aug 14, 2014 at 09:23:54PM -0400, Ted Unangst wrote:

> On Thu, Aug 14, 2014 at 17:54, Scott Bonds wrote:
>
> > So...have I been p0wned or does anyone know what innocent thing might be
> > happening here? Please CC [hidden email] on any replies, as I'm not
> > subscribed to updates from the list.
>
> Bad news: yeah. They appear to have screwed up their rootkit by
> installing the i386 edition, but those files should not be there. I'd
> reinstall after giving some consideration to how this may have
> happened (and changing all your passwords, rotating ssh keys, etc.).

Re: rc.local mystery executables

Giancarlo Razzolini-3
On 15-08-2014 11:39, Scott Bonds wrote:
> I thought I was being reasonably careful: ssh disabled for root,
> key-only login on my admin account, following stable, etc...then again,
> I'm running owncloud and a bunch of other (no doubt less secure)
> software. Perhaps I should separate the router and 'everything else'
> roles, so that the router only has builtin OpenBSD software on it, no
> packages. Then again, whatever the exploit, they could probably still
> use it on the newly separated 'everything else' box. Anyway, I clearly
> have a lot to learn about security.
Don't forget to check your own machine, not just your OpenBSD server.
It's more often than not the point of origin of the attack. If your
machine is compromised, reinstalling your server won't do anything,
since they'll reinfect it again.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

Re: rc.local mystery executables

quisquous
On Fri, Aug 15, 2014 at 11:42:32AM -0300, Giancarlo Razzolini wrote:
> Don't forget to check your own machine, not just your OpenBSD server.
> It's more often than not the point of origin of the attack. If your
> machine is compromised, reinstalling your server won't do anything,
> since they'll reinfect it again.

I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't
running any public services AFAIK...I've configured the ones I'm running
on it (like unbound) to only respond to local requests. Then again, I
haven't tested those ports from another machine to verify that I locked
them down the way I think I have, and now that I think about it, that
would be a good idea--I'll add that to my todo list.

If my laptop config IS properly locked down, it would need to be trojan
horse or some kind of Firefox or email based vector, I suppose. Let's
see... well, my laptop rc.local doesn't have any mystery files, at least.

Re: rc.local mystery executables

Adam Thompson
On 14-08-15 10:01 AM, Scott Bonds wrote:

> I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't
> running any public services AFAIK...I've configured the ones I'm running
> on it (like unbound) to only respond to local requests. Then again, I
> haven't tested those ports from another machine to verify that I locked
> them down the way I think I have, and now that I think about it, that
> would be a good idea--I'll add that to my todo list.
>
> If my laptop config IS properly locked down, it would need to be trojan
> horse or some kind of Firefox or email based vector, I suppose. Let's
> see... well, my laptop rc.local doesn't have any mystery files, at least.

While a long way from perfect, tools such as "chkrootkit" and "rkhunter"
might shed some light on your situation.
As Giancarlo said, check every machine that's closely interconnected,
not just the one compromised server you've noticed.
I haven't used them under OpenBSD, so not sure how effective they'll be
(both projects claim to support OpenBSD), but they're probably more
appropriate than clamscan(1) which looks for mostly MS Windows-based
viruses, not rootkits.

--
-Adam Thompson
  [hidden email]

Re: rc.local mystery executables

Josh Grosse
In reply to this post by quisquous
On 2014-08-15 10:39, Scott Bonds wrote:

> ...I'm running owncloud and a bunch of other (no doubt less secure)
> software....

On June 29, there was a 5.5-stable update to www/owncloud to release
6.0.4 to fix a security issue.

If you are looking for possible attack surfaces, this may have been one,
or may still be one.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/Makefile

Re: [Bulk] Re: rc.local mystery executables

Kevin Chadwick-2
In reply to this post by quisquous
previously on this list Scott Bonds contributed:

> I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't
> running any public services AFAIK...I've configured the ones I'm running
> on it (like unbound) to only respond to local requests. Then again, I
> haven't tested those ports from another machine to verify that I locked
> them down the way I think I have, and now that I think about it, that
> would be a good idea--I'll add that to my todo list.
>
> If my laptop config IS properly locked down, it would need to be trojan
> horse or some kind of Firefox

Is your firefox/email client 6 months old or are you using the updated
mtier packages?


--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________

Re: rc.local mystery executables

Mihai Popescu-3
In reply to this post by quisquous
> On June 29, there was a 5.5-stable update to www/owncloud to release
> 6.0.4 to fix a security issue.

The developers' announcement, from the webpage for this thingie (I
don't know what the hell this software is doing):
--------------

Yeah, you were screwed!

Re: rc.local mystery executables

quisquous
In reply to this post by Adam Thompson
On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
> While a long way from perfect, tools such as "chkrootkit" and "rkhunter"
> might shed some light on your situation.
> As Giancarlo said, check every machine that's closely interconnected, not
> just the one compromised server you've noticed.
> I haven't used them under OpenBSD, so not sure how effective they'll be
> (both projects claim to support OpenBSD), but they're probably more
> appropriate than clamscan(1) which looks for mostly MS Windows-based
> viruses, not rootkits.

Thank you for the suggestion. I just ran both chkrootkit and rkhunter.
chkrootkit didn't find any matches. rkhunter had a couple warnings but
to my eye they check out, i.e. warning that pkg_info is a perl
script.

That said, I'm going to make chkrootkit and rkhunter a regular part of
my maintenance regime, perhaps add them as daily cron jobs.

Re: rc.local mystery executables

Josh Grosse
In reply to this post by Mihai Popescu-3
On 2014-08-15 12:38, Mihai Popescu wrote:
>> On June 29, there was a 5.5-stable update to www/owncloud to release
>> 6.0.4 to fix a security issue.
>
> The developers' announcement, from the webpage for this thingie (I
> don't know what the hell this software is doing):
> --------------
>
> Yeah, you were screwed!

There are a number of security issues that have been fixed in that
release -- if I read their web page correctly -- including one which
that project perceives to be a high-risk issue:

https://owncloud.org/security/advisory/?id=oc-sa-2014-018

There's also a big one, that earlier this month that project decided
*not to fix*.  I don't know anything about OwnCloud either, but this
sort of issue is one that should probably be addressed.

https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php

"An attacker, who is able to read the PHP session files by exploiting
another web application that is running on the ownCloud server, will be
able to gather the unencrypted private key of every ownCloud user. All
encrypted files that are stored in a user's home directory can be
decrypted with this RSA private key, stored in the PHP session files in
plain text. If the user's encrypted files are synced to other devices or
shared with other servers - for hosting or backup - an attacker will be
able to decrypt all user data that is being intercepted, even if the
attacker has no longer access to the server's file system."

Re: rc.local mystery executables

Stuart McMurray
Before I blocked all of China, I saw something very similar on an ssh
honeypot I run.

Every few hours or so, I'd get the following:

http://sprunge.us/OGfE

Seemed totally automated.

J. Stuart McMurray


On Fri, Aug 15, 2014 at 1:51 PM, Josh Grosse <[hidden email]> wrote:

> On 2014-08-15 12:38, Mihai Popescu wrote:
>
>>> On June 29, there was a 5.5-stable update to www/owncloud to release
>>> 6.0.4 to fix a security issue.
>>
>> The developers' announcement, from the webpage for this thingie (I
>> don't know what the hell this software is doing):
>> --------------
>>
>> Yeah, you were screwed!
>
> There are a number of security issues that have been fixed in that
> release -- if I read their web page correctly -- including one which
> that project perceives to be a high-risk issue:
>
> https://owncloud.org/security/advisory/?id=oc-sa-2014-018
>
> There's also a big one, that earlier this month that project decided
> *not to fix*.  I don't know anything about OwnCloud either, but this
> sort of issue is one that should probably be addressed.
>
> https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
>
> "An attacker, who is able to read the PHP session files by exploiting
> another web application that is running on the ownCloud server, will be
> able to gather the unencrypted private key of every ownCloud user. All
> encrypted files that are stored in a user's home directory can be
> decrypted with this RSA private key, stored in the PHP session files in
> plain text. If the user's encrypted files are synced to other devices or
> shared with other servers - for hosting or backup - an attacker will be
> able to decrypt all user data that is being intercepted, even if the
> attacker has no longer access to the server's file system."

Re: rc.local mystery executables

Joel Rees-2
In reply to this post by quisquous
On Sat, Aug 16, 2014 at 1:52 AM, Scott Bonds <[hidden email]> wrote:

> On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
>> While a long way from perfect, tools such as "chkrootkit" and "rkhunter"
>> might shed some light on your situation.
>> As Giancarlo said, check every machine that's closely interconnected, not
>> just the one compromised server you've noticed.
>> I haven't used them under OpenBSD, so not sure how effective they'll be
>> (both projects claim to support OpenBSD), but they're probably more
>> appropriate than clamscan(1) which looks for mostly MS Windows-based
>> viruses, not rootkits.
>
> Thank you for the suggestion. I just ran both chkrootkit and rkhunter.
> chkrootkit didn't find any matches. rkhunter had a couple warnings but
> to my eye they check out, i.e. warning that pkg_info is a perl
> script.
>
> That said, I'm going to make chkrootkit and rkhunter a regular part of
> my maintenance regime, perhaps add them as daily cron jobs.

Both give warnings that look like false positives, but are really
asking you, "Is this something you intended, or would have intended
had you known the package did it this way?"

(The warning on pkg_info is one such.)

It takes a while to learn to weed through them. (I'm still not very used to it.)

Speaking of which, is tripwire still considered useful, if set up right?

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Re: rc.local mystery executables

Joel Rees-2
In reply to this post by quisquous
On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds <[hidden email]> wrote:
> [...]
> Perhaps I should separate the router and 'everything else'
> roles, so that the router only has builtin OpenBSD software on it, no
> packages.

Strongly encourage you to get a separate box to run the router and
firewall on. (Ted, if you read this, do you run firewall on Beagle
Boards?)

> Then again, whatever the exploit, they could probably still
> use it on the newly separated 'everything else' box. Anyway, I clearly
> have a lot to learn about security.

Actually, many of the exploits will hit high enough speed bumps
getting through the router/firewall, if you set it up right, that the
exploit would not succeed in dropping actual rootkit.

Not to say you don't need something to watch for rootkits, as well,
but combining functions makes for a weaker system.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Re: rc.local mystery executables

Todd Zimmermann
In reply to this post by quisquous
Yeah it sucks, the miscreants run 24/7 365. My guess is home systems
are targeted a lot because there's only an 'IT Dept' of one.

Lots of good stuff in base and the ports collection. mtree can be
extended to check file integrity for anything you've modified and
other local stuff (something I need to do).

OpenBSD has always rocked for providing very current versions of
snort. barnyard2 compiles cleanly on obsd.

IIRC swatch can email you on log events. i.e. I know I haven't logged
onto the server for 2 weeks, why was there an unsuccessful (or yikes
successful) su/sudo attempt at 0237 when I was sleeping.

Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:

[**] [1001:1]  sagan_blacklist: Address found in blacklist [**]
[Classification: Blacklist] [Priority: 1]
2014-08-15 22:58:01 61.174.51.214:1514 -> 127.0.0.1:1514 daemon warning
Message:  Aug 15 22:57:55.617311 rule 7/(match) block in on rl0:
61.174.51.214.6000 > xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0)
win 16384 [tos 0x20]

And snort (timestamps are messed up):
04/21-15:21:46.000067  [**] [1:2100528:6] <snort> GPL SCAN loopback
traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:31105
12/30-19:03:17.000065  [**] [1:2100528:6] <snort> GPL SCAN loopback
traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:3117

So you're not alone. Good Luck



On Thu, Aug 14, 2014 at 8:54 PM, Scott Bonds <[hidden email]> wrote:

> I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
> I was doing some maintenance and I found my way to /etc/rc.local. When I
> opened it I saw this:
>
> $ cat rc.local
> #       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
>
> # Site-specific startup actions, daemons, and other things which
> # can be done AFTER your system goes into securemode.  For actions
> # which should be done BEFORE your system has gone into securemode
> # please see /etc/rc.securelevel.
> cd /etc;./sfewfesfs
> cd /etc;./gfhjrtfyhuf
> cd /etc;./rewgtf3er4t
> cd /etc;./sdmfdsfhjfe
> cd /etc;./gfhddsfew
> cd /etc;./ferwfrre
> cd /etc;./dsfrefr
>
> I don't remember adding those lines to my rc.local file.
>
> $ cd /etc && ls -al ./sfewfesfs
> -rwsrwsrwt  1 root  wheel  694680 Apr  4 07:47 /etc/sfewfesfs
>
> $ file dsfrefr
> dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped
>
> Seems odd to have a bunch of randomly named executables running at boot.
> And that they are compiled for 386 (I'm running amd64), and that they have
> suid set, and to root.
>
> $ clamscan *
> dsfrefr: OK
> ferwfrre: OK
> gfhddsfew: OK
> gfhjrtfyhuf: OK
> rc.local: OK
> rewgtf3er4t: OK
> sdmfdsfhjfe: OK
> sfewfesfs: OK
> Scanned directories: 0
> Scanned files: 8
> Infected files: 0
> Data scanned: 3.21 MB
> Data read: 3.20 MB (ratio 1.00:1)
> Time: 10.842 sec (0 m 10 s)
>
> Hmm, ok let's run one.
>
> $ ./dsfrefr
> ./dsfrefr[1]: syntax error: `(' unexpected
>
> That's all any of them say when run.
>
> So...have I been p0wned or does anyone know what innocent thing might be
> happening here? Please CC [hidden email] on any replies, as I'm not
> subscribed to updates from the list.

Re: rc.local mystery executables

Ted Unangst-6
In reply to this post by Ted Unangst-6
On Sat, Aug 16, 2014 at 15:22, Joel Rees wrote:
> On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds <[hidden email]> wrote:
>> [...]
>> Perhaps I should separate the router and 'everything else'
>> roles, so that the router only has builtin OpenBSD software on it, no
>> packages.
>
> Strongly encourage you to get a separate box to run the router and
> firewall on. (Ted, if you read this, do you run firewall on Beagle
> Boards?)

No, I don't think they're useable for that purpose. Only one ethernet,
and not very reliable. At least for the Black boards, there's no USB
yet, and even on the others, I don't think I'd ever use USB ethernet
for something like a firewall that I expect to just work.

Re: rc.local mystery executables

Erik van Westen
In reply to this post by Joel Rees-2
On 16-08-14 08:22, Joel Rees wrote:

> On Fri, Aug 15, 2014 at 11:39 PM, Scott Bonds <[hidden email]> wrote:
>> [...]
>> Perhaps I should separate the router and 'everything else'
>> roles, so that the router only has builtin OpenBSD software on it, no
>> packages.
> Strongly encourage you to get a separate box to run the router and
> firewall on. (Ted, if you read this, do you run firewall on Beagle
> Boards?)
>
>> Then again, whatever the exploit, they could probably still
>> use it on the newly separated 'everything else' box. Anyway, I clearly
>> have a lot to learn about security.
> Actually, many of the exploits will hit high enough speed bumps
> getting through the router/firewall, if you set it up right, that the
> exploit would not succeed in dropping actual rootkit.
>
> Not to say you don't need something to watch for rootkits, as well,
> but combining functions makes for a weaker system.
>
You might want to run a SIEM solution such as ossim with local ossec
agents. Works fine.

Overkill? Might be, but it is nice to see what is happening, and you can
run automated vulnerability scans on your own network to see where leaks
or misconfigurations might be.

Erik Jan

Re: rc.local mystery executables

quisquous
In reply to this post by Todd Zimmermann
On Sat, Aug 16, 2014 at 02:34:21AM -0400, Todd Zimmermann wrote:

> Lots of good stuff in base and the ports collection. mtree can be
> extended to check file integrity for anything you've modified and
> other local stuff (something I need to do).

thanks, mtree is neat, glad to know about it
security(8) uses it too

and on that note, I realized I hadn't received my daily security(8)
email in a while, I broke my root=scott alias when fiddling with smtpd
configuration and forgot to fix it, otherwise I would have likely
noticed the breach sooner...live and learn

> OpenBSD has always rocked for providing very current versions of
> snort. barnyard2 compiles cleanly on obsd.

The funny thing is that I have a book on Snort on my reading list. Time
to read it. I'll check out barnyard2 as well.

> IIRC swatch can email you on log events. i.e. I know I haven't logged
> onto the server for 2 weeks, why was there an unsuccessful (or yikes
> successful) su/sudo attempt at 0237 when I was sleeping.
>
> Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:
>
> [**] [1001:1]  sagan_blacklist: Address found in blacklist [**]
> [Classification: Blacklist] [Priority: 1]
> 2014-08-15 22:58:01 61.174.51.214:1514 -> 127.0.0.1:1514 daemon warning
> Message:  Aug 15 22:57:55.617311 rule 7/(match) block in on rl0:
> 61.174.51.214.6000 > xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0)
> win 16384 [tos 0x20]
>
> And snort (timestamps are messed up):
> 04/21-15:21:46.000067  [**] [1:2100528:6] <snort> GPL SCAN loopback
> traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> {UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:31105
> 12/30-19:03:17.000065  [**] [1:2100528:6] <snort> GPL SCAN loopback
> traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> {UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:3117
>
> So you're not alone. Good Luck

Thank you. I'll check out swatch and sagan too.

Also, another emailer suggested I submit the files to virustotal.com. I
did and all of them were recognized as malware, all but one had been
uploaded to them before:

https://www.virustotal.com/en/file/f9ff2f398e479a3e4dbb36c8b1a61e737ed18d6249bf0c2dc9abf4f0fe9ca665/analysis/
https://www.virustotal.com/en/file/53f0ba09b70923874ff84fb0061087a880c8583f4f9b5cee2deaa0d55a9ffdc9/analysis/
https://www.virustotal.com/en/file/50e83cea2ebcb0a8fc806a1ad19db3b052438ca585c4da6ab50048d0f640c27c/analysis/
https://www.virustotal.com/en/file/4c703e03afbda5411dda6e653b8c9bca48fd5b9187a730656b3a9da4b2a593ee/analysis/
https://www.virustotal.com/en/file/29f89dc1da6da3fa2fa951c3453d63ff82eab3159020012a90763df279a75e25/analysis/
https://www.virustotal.com/en/file/ab8c46065f2ae116e09d168d6cca940e8f472c80bb4b354c8e594081525da31a/analysis/
https://www.virustotal.com/en/file/2c22dfc1ea336737349bb51c60be268c42a1e965aaab292cb6ba9a4a4fa31171/analysis/

If anyone reading this knows where I can read up on (those specific)
exploits, please let me know, perhaps I can figure out where my
vulnerability is/was if I know more about how they work.
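
A worked example of what Todd and Scott are pointing at with mtree and security(8), added here and not code from the thread or from OpenBSD itself. It assumes OpenBSD's mtree(8) options (-c, -k, -p, -f and the sha256digest keyword) and mail(1); the spec directory, the function names and the cron wiring are illustrative choices. The one thing a baseline cannot do is protect itself: a spec kept on the compromised host can be regenerated by the same intruder, so keep a copy somewhere the server cannot write to.

```shell
#!/bin/sh
# Added example (not from the thread): a file-integrity baseline for /etc
# built with mtree(8), the same tool OpenBSD's security(8) already uses
# with /etc/mtree/special. Assumes OpenBSD mtree flags (-c, -k, -p, -f);
# SPEC_DIR and the cron wrapper are illustrative.

SPEC_DIR=${SPEC_DIR:-/var/db/mtree-local}

# Record type, owner, mode, size and a SHA-256 digest of every file
# under $1 into spec file $2. Run this once on a known-good system
# (ideally right after install) and keep a copy off the box.
baseline_create() {
    dir=$1; spec=$2
    mkdir -p "$(dirname "$spec")"
    mtree -c -k sha256digest,uid,gid,mode,size -p "$dir" > "$spec"
}

# Compare $1 against spec $2. mtree prints one block per discrepancy
# ("name changed" with the expected/found values, "extra: name",
# "missing: name") and exits non-zero when anything differs; silence
# means the tree still matches the baseline.
baseline_check() {
    dir=$1; spec=$2
    mtree -p "$dir" -f "$spec"
}

# Wrapper for a root cron job: report only when something changed, so
# the mail is worth reading. (Scott's breach went unnoticed partly
# because the daily security(8) mail was not reaching him; the root
# alias that delivers this report needs to work too.)
baseline_cron() {
    dir=$1; spec=$2
    if out=$(baseline_check "$dir" "$spec" 2>&1); then
        return 0
    fi
    printf 'mtree baseline mismatch for %s:\n%s\n' "$dir" "$out" \
        | mail -s "integrity: $dir on $(hostname)" root
    return 1
}

# First run creates the baseline, later (cron) runs check it, e.g.
#   baseline_create /etc "$SPEC_DIR/etc.mtree"
#   baseline_cron   /etc "$SPEC_DIR/etc.mtree"
```

With this in place, the seven files in /etc plus the edited rc.local would have shown up as "extra:" entries and a changed digest the morning after April 4, rather than months later.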