virus/worm hacker attack

From: Thomas Reith (Thomas.Reith@rhoen.de)
Date: 09/12/02


From: Thomas.Reith@rhoen.de (Thomas Reith)
Date: 12 Sep 2002 00:23:37 -0700

Hi,

We run a server, formerly with kernel 2.2.18/glibc 2.2.2 and
now with kernel 2.4.19/glibc 2.2.5.

For about two weeks we were victims of a hacker attack
via apache/php. The security hole has been fixed, and
further attacks are not possible.

But now we have a much more serious problem: the
guy infected our Linux system with a strange virus.

The mechanism seems to be related to the one
used in "epcs2.c" (exploit for the execve/ptrace race condition),
see: http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/os/linux/misc/kernel/epcs2.c

Infected ELF binaries grow by nearly 7k. They can be detected with
"strings binary":

----
...
/tmp/extfsRNV23z
/dev
/proc
/bin
/proc/////////////////exe
SQRV
^ZY[
gfff
gfff
WVS1
-----

If there is something like the above at the end of the output, the binary is infected.

We tried to replace all infected binaries with clean ones, but after a while every binary was infected again. There seems to be no cron job or daemon which does this job; the shared libraries in /lib are clean, too.

Problems:
- Infected binaries have problems with pipes, which means that gcc/as/ld cannot be used anymore. strace doesn't help, because it hangs completely.

Questions:
- Does anyone know more about this virus/worm?
- Scanning could be done with "strings", but what about removing?

regards

Thomas Reith
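As an added defender-side example (not part of the original post), the following Python script automates the "strings" check described above: it extracts printable runs from the tail of each ELF file and flags those containing the indicator strings quoted in the post. The indicator values come from the quoted output; the 8 KiB tail size is an assumption based on the reported ~7k growth, and the sample images are constructed stubs, not real binaries.

```python
import os
import re

# Marker strings copied from the `strings` output quoted in the post.
# A clean binary has no reason to reference a random /tmp file or a path
# like /proc/////////////////exe, so their presence in the tail of an ELF
# image is a usable indicator for this particular infection.
INDICATORS = (
    b"/proc/////////////////exe",
    b"/tmp/extfsRNV",  # prefix only; the suffix is assumed to vary per host
)
ELF_MAGIC = b"\x7fELF"

def printable_strings(data: bytes, min_len: int = 4):
    """Roughly what `strings` does: runs of >= min_len printable ASCII bytes."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def looks_infected(data: bytes, tail: int = 8192) -> bool:
    """True if an ELF image carries the indicator strings in its last `tail` bytes.

    The post reports ~7k growth with the markers at the end of the output,
    so an 8 KiB tail (an assumption) is enough to cover the appended code.
    """
    if not data.startswith(ELF_MAGIC):
        return False
    found = printable_strings(data[-tail:])
    return any(s.startswith(ind) for s in found for ind in INDICATORS)

def scan_tree(root: str):
    """Yield paths of readable files under root that look infected."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if looks_infected(data):
                yield path

# Constructed sample images (not real binaries): an ELF magic stub, once
# clean and once with the markers from the post appended.
CLEAN_SAMPLE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"clean program text\x00"
INFECTED_SAMPLE = CLEAN_SAMPLE + b"\x00" * 64 + (
    b"/tmp/extfsRNV23z\x00/dev\x00/proc\x00/bin\x00/proc/////////////////exe\x00SQRV\x00"
)

if __name__ == "__main__":
    print("clean sample infected:", looks_infected(CLEAN_SAMPLE))        # False
    print("infected sample infected:", looks_infected(INFECTED_SAMPLE))  # True
```

To sweep a real system, call `scan_tree("/bin")` (and the other binary directories) from a known-clean environment, since a trojaned `python` or shared library on the infected host could hide the result.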