Glupteba botnet controller

bigmen58 · 12-31-2013, 07:03 AM

Hello,

My server IP adress is blocked by SpamHaus SBL list:

Quote:

Glupteba botnet controller @x.x.x.x

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Malware botnet controller located at x.x.x.x on port 8000 (using HTTP GET):
hXXp://x.x.x.x/stat?uptime=XXX

Referencing malware binaries (MD5 hash):
2c4c54d5e861ad0904dd55154a2f51bf - AV detection: 19/46 (41.30)

I cannot find the process which use irdmi 8000 port. Only "tcpdump tcp port 8000" show some information. It show packages like this:

Quote:

13:54:40.672444 IP static.17.75.46.78.clients.your-server.de.irdmi > myhostname.ptp: Flags [P.], seq 1:51, ack 182, win 123, length 50
13:54:40.672455 IP myhostname.irdmi > 92.46.67.188.ptp: Flags [P.], seq 1:51, ack 182, win 123, length 50

I tried use auditctl:

Enable:

Quote:

auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=1 -S socket -k SOCKET

Search results (1F40 is 8000 port number in HEX):

Quote:

tail -n 50000 audit.log | grep SOCKADDR | grep 1F40

But it's no result :/.

How find suspicious process or file?

business_kid · 12-31-2013, 08:48 AM

This might help, and there are others.

http://rkhunter.sourceforge.net/

bigmen58 · 12-31-2013, 09:17 AM

Quote:

Originally Posted by business_kid

This might help, and there are others.

http://rkhunter.sourceforge.net/

Rkhunter return some warnings, but i think all seems to be a false alarm:

Quote:

[12:42:46] /sbin/ifdown [ Warning ]
[12:42:46] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[12:42:46] /sbin/ifup [ Warning ]
[12:42:46] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[12:42:52] /usr/bin/GET [ Warning ]
[12:42:52] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable

[12:42:53] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[12:42:53] /usr/bin/perl [ Warning ]
[12:42:53] Warning: The file properties have changed:
[12:42:53] File: /usr/bin/perl
[12:42:53] Current hash: 0d9c3733255f61b43c0cae860023ae2245a44e2d
[12:42:53] Stored hash : 7bbfdc75e46168dc956c3fdcbcf5004db0ab7b96
[12:42:53] Current permissions: 0755 Stored permissions: 0705
[12:42:53] Current gid: 0 Stored gid: 501
[12:42:53] Current size: 13544 Stored size: 13200
[12:42:53] Current file modification time: 1385321543 (24-Nov-2013 20:32:23)

[12:45:07] Checking /dev for suspicious file types [ Warning ]
[12:45:07] Warning: Suspicious file types found in /dev:
[12:45:07] /dev/md/autorebuild.pid: ASCII text
[12:45:07] /dev/md/md-device-map: ASCII text
[12:45:07] /dev/.udev/queue.bin: data
[12:45:07] /dev/.udev/db/block:md0: ASCII text
[12:45:07] /dev/.udev/db/block:md2: ASCII text
[12:45:07] /dev/.udev/db/input:event0: ASCII text
[12:45:07] /dev/.udev/db/block:sda1: ASCII text
[12:45:07] /dev/.udev/db/block:sdb1: ASCII text
[12:45:07] /dev/.udev/db/block:sdd1: ASCII text
[12:45:07] /dev/.udev/db/input:event1: ASCII text
[12:45:07] /dev/.udev/db/input:event2: ASCII text
[12:45:07] /dev/.udev/db/input:mouse1: ASCII text
[12:45:07] /dev/.udev/db/input:event3: ASCII text
[12:45:07] /dev/.udev/db/input:event4: ASCII text
[12:45:07] /dev/.udev/db/block:sdb2: ASCII text
[12:45:07] /dev/.udev/db/block:sda2: ASCII text
[12:45:07] /dev/.udev/db/block:sdc1: ASCII text
[12:45:07] /dev/.udev/db/block:sda: ASCII text
[12:45:07] /dev/.udev/db/block:sdc: ASCII text
[12:45:08] /dev/.udev/db/block:sdd: ASCII text
[12:45:08] /dev/.udev/db/block:sdb: ASCII text
[12:45:08] /dev/.udev/db/net:eth0: ASCII text
[12:45:08] /dev/.udev/db/net:eth1: ASCII text
[12:45:08] /dev/.udev/db/block:md1: ASCII text
[12:45:08] /dev/.udev/db/block:dm-0: ASCII text
[12:45:08] /dev/.udev/db/block:dm-1: ASCII text
[12:45:08] /dev/.udev/db/block:ram10: ASCII text
[12:45:08] /dev/.udev/db/block:ram7: ASCII text
[12:45:08] /dev/.udev/db/block:ram5: ASCII text
[12:45:08] /dev/.udev/db/block:loop4: ASCII text
[12:45:08] /dev/.udev/db/block:ram1: ASCII text
[12:45:08] /dev/.udev/db/block:loop6: ASCII text
[12:45:08] /dev/.udev/db/block:ram9: ASCII text
[12:45:08] /dev/.udev/db/block:loop3: ASCII text
[12:45:08] /dev/.udev/db/block:ram11: ASCII text
[12:45:08] /dev/.udev/db/block:ram3: ASCII text
[12:45:08] /dev/.udev/db/block:ram6: ASCII text
[12:45:08] /dev/.udev/db/block:loop0: ASCII text
[12:45:08] /dev/.udev/db/block:loop5: ASCII text
[12:45:08] /dev/.udev/db/block:ram14: ASCII text
[12:45:08] /dev/.udev/db/block:ram0: ASCII text
[12:45:08] /dev/.udev/db/block:ram4: ASCII text
[12:45:08] /dev/.udev/db/block:ram15: ASCII text
[12:45:08] /dev/.udev/db/block:loop7: ASCII text
[12:45:08] /dev/.udev/db/block:ram12: ASCII text
[12:45:08] /dev/.udev/db/block:ram2: ASCII text
[12:45:08] /dev/.udev/db/block:ram13: ASCII text
[12:45:08] /dev/.udev/db/block:loop1: ASCII text
[12:45:08] /dev/.udev/db/block:loop2: ASCII text
[12:45:08] /dev/.udev/db/block:ram8: ASCII text
[12:45:08] /dev/.udev/db/usb:1-1.2: ASCII text
[12:45:08] /dev/.udev/db/usb:2-1: ASCII text
[12:45:08] /dev/.udev/db/usb:1-1: ASCII text
[12:45:08] /dev/.udev/db/usb:usb2: ASCII text
[12:45:08] /dev/.udev/db/usb:usb1: ASCII text
[12:45:08] /dev/.udev/rules.d/99-root.rules: ASCII text
[12:45:08] Checking for hidden files and directories [ Warning ]
[12:45:08] Warning: Hidden directory found: '/dev/.mdadm'
[12:45:08] Warning: Hidden directory found: '/dev/.udev'
[12:45:08] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[12:45:08] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[12:45:08] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text

[12:45:58] Checking version of OpenSSL [ Warning ]
[12:45:58] Warning: Application 'openssl', version '1.0.0', is out of date, and possibly a security risk.

Maybe /usr/bin/perl ?

unSpawn · 12-31-2013, 09:24 AM

- Check the integrity of all files if you use a Linux distribution with package management,
- inspect any file not under package management,
- find strings in any file. Might use ClamAV with that. Here's a signature for it:

Code:

RKH_Glupteba-v1;Target:0;(0&0&2&3&4&5&6&7);757074696d65;646f776e6c696e6b;75706c696e6b;7374617470617373;76657273696f6e;6665617475726573;67756964;636f6d6d656e74

Save as say "/var/tmp/clamtest/RKH_Glupteba.ldb", then run 'clamscan --database=/var/tmp/clamtest/ /path/to/files/'. (Run 'sigtool --datadir=/var/tmp/clamtest --find-sigs=Glupteba | sigtool --debug --decode-sig' to see what the sig contains.)
- instead of doing tcpdump that way capture all traffic to file ("-w /path/to/file"). Afterwards run Snort with a modified "Glupteba CnC Checkin" signature from the Snort "emerging-trojan.rules" rule set of Emerging Threats on the capture file:

Code:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"(modified) ET TROJAN Win32/Glupteba CnC Checkin"; flow:established,to_server; uricontent:"uptime="; uricontent:"&downlink="; uricontent:"&uplink="; uricontent:"&id="; uricontent:"&statpass="; uricontent:"&version="; uricontent:"&features="; uricontent:"&guid="; uricontent:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:trojan-activity; sid:9999999; rev:1;)

- check whatever ports are open with 'lsof -Pwlni',
- read the CERT Intruder Detection Checklist CERT Intruder Detection Checklist and perform the checks.

unSpawn · 12-31-2013, 09:27 AM

Quote:

Originally Posted by bigmen58

Code:

[12:42:53] /usr/bin/perl [ Warning ]
 [12:42:53] Warning: The file properties have changed:
 [12:42:53] File: /usr/bin/perl
 [12:42:53] Current hash: 0d9c3733255f61b43c0cae860023ae2245a44e2d
 [12:42:53] Stored hash : 7bbfdc75e46168dc956c3fdcbcf5004db0ab7b96
 [12:42:53] Current permissions: 0755 Stored permissions: 0705
 [12:42:53] Current gid: 0 Stored gid: 501
 [12:42:53] Current size: 13544 Stored size: 13200
 [12:42:53] Current file modification time: 1385321543 (24-Nov-2013 20:32:23)

If you didn't run any updates then that's interesting.
*BTW don't delete files but move them aside as I'd like a copy.

unSpawn · 12-31-2013, 09:28 AM

*BTW, is this the same server as in https://www.linuxquestions.org/quest...it-4175469319/ and https://www.linuxquestions.org/quest...em-4175484467/ ?

bigmen58 · 12-31-2013, 09:49 AM

Quote:

Originally Posted by unSpawn

*BTW, is this the same server as in https://www.linuxquestions.org/quest...it-4175469319/ and https://www.linuxquestions.org/quest...em-4175484467/ ?

No, unfortunately it's different server.

unSpawn · 12-31-2013, 09:56 AM

I made 3 posts, you replied only to the last one, so get on it! ;-p

bigmen58 · 12-31-2013, 10:41 AM

Quote:

Originally Posted by unSpawn

I made 3 posts, you replied only to the last one, so get on it! ;-p

Sorry, clamscan take a long time.

Quote:

Originally Posted by unSpawn

If you didn't run any updates then that's interesting.
*BTW don't delete files but move them aside as I'd like a copy.

I do not remember that - maybe i have to backup this file and reinstall perl?

Quote:

Originally Posted by unSpawn

- Check the integrity of all files if you use a Linux distribution with package management,

I have CloudLinux Server release 6.4 and Direct Admin. It's possible to check integrity of all files? :/

Quote:

Originally Posted by unSpawn

- inspect any file not under package management,

How to do it?

Code:

df -i

show 2951393 inodes - it's too much files.

Quote:

Originally Posted by unSpawn

Save as say "/var/tmp/clamtest/RKH_Glupteba.ldb", then run 'clamscan --database=/var/tmp/clamtest/ /path/to/files/'. (Run 'sigtool --datadir=/var/tmp/clamtest --find-sigs=Glupteba | sigtool --debug --decode-sig' to see what the sig contains.)

I did it. Result:

Code:

-------------------------------------------------------------------------------

/var/log/httpd/homedir.log.2: RKH_Glupteba-v1.UNOFFICIAL FOUND

This file contains one line match to pattern:

Code:

145 "HEAD /stat?uptime=100&downlink=1111&uplink=1111&id=0000B4D8&statpass=bpass&version=20131011&features=30&guid=3aaeb239-9acf-461a-8ed5-19e9acce8bc1&comment=20131011&p=0&s= HTTP/1.0"

Quote:

Originally Posted by unSpawn

- instead of doing tcpdump that way capture all traffic to file ("-w /path/to/file"). Afterwards run Snort with a modified "Glupteba CnC Checkin" signature from the Snort "emerging-trojan.rules" rule set of Emerging Threats on the capture file:

I don't know how install Snort on Centos. Is it required? When I add -X to tcpdump, i've seen in some packet content:

Code:

        0x0000:  4500 00dd eaa4 4000 6e06 4490 2e1d 158a  E.....@.n.D.....
        0x0010:  4e2e 4b11 2eea 1f40 aad7 4f0f c377 d72b  N.K....@..O..w.+
        0x0020:  5018 fdca ac74 0000 4745 5420 2f73 7461  P....t..GET./sta
        0x0030:  743f 7570 7469 6d65 3d31 3030 2664 6f77  t?uptime=100&dow
        0x0040:  6e6c 696e 6b3d 3131 3131 2675 706c 696e  nlink=1111&uplin
        0x0050:  6b3d 3131 3131 2669 643d 3030 3835 4637  k=1111&id=0085F7
        0x0060:  3042 2673 7461 7470 6173 733d 6270 6173  0B&statpass=bpas
        0x0070:  7326 7665 7273 696f 6e3d 3230 3133 3132  s&version=201312
        0x0080:  3331 2666 6561 7475 7265 733d 3330 2667  31&features=30&g
        0x0090:  7569 643d 3263 3334 6238 6638 2d62 6133  uid=2c34b8f8-ba3
        0x00a0:  612d 3463 3036 2d61 6433 652d 6537 3434  a-4c06-ad3e-e744
        0x00b0:  3038 3339 3238 3166 2663 6f6d 6d65 6e74  0839281f&comment
        0x00c0:  3d32 3031 3331 3230 3226 703d 3026 733d  =20131202&p=0&s=
        0x00d0:  2048 5454 502f 312e 300d 0a0d 0a         .HTTP/1.0....

Quote:

Originally Posted by unSpawn

- check whatever ports are open with 'lsof -Pwlni'

"lsof -Pwlni | grep 8000" is empty return. I don't see there any suspicious process, all of them looks OK (all of them: named, directadm, pop3-logi, imap-logi, mysqld, proftpd, httpd, imap, dovecot, spamd, exim, clamd)

Quote:

Originally Posted by unSpawn

- read the CERT Intruder Detection Checklist CERT Intruder Detection Checklist and perform the checks

Code:

[root@server ~]# find / -user root -perm -4000 -print
/bin/mount
/bin/su
/bin/fusermount
/bin/umount
/bin/ping6
/bin/ping
/usr/local/directadmin/plugins/csf/exec/csf
/usr/local/suphp/sbin/suphp
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/chage
/usr/bin/at
/usr/bin/chfn
/usr/bin/passwd
/usr/libexec/openssh/ssh-keysign
/usr/libexec/polkit-1/polkit-agent-helper-1
/usr/libexec/pt_chown
/usr/sbin/exim
/usr/sbin/userhelper
/usr/sbin/suexec
/usr/sbin/usernetctl
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/etc/virtual/majordomo/wrapper
/lib64/dbus-1/dbus-daemon-launch-helper

[root@server ~]# find / -group kmem -perm -2000 -print
(empty)

unSpawn · 12-31-2013, 01:38 PM

Quote:

Originally Posted by bigmen58

maybe i have to backup this file and reinstall perl?

Please don't install anything anymore on this machine. Send me an email and we'll talk dropping off files.

Quote:

Originally Posted by bigmen58

I have CloudLinux Server release 6.4 and Direct Admin. It's possible to check integrity of all files?

If it's based on RHEL then you run 'rpm -vV'. See commands below.

Quote:

Originally Posted by bigmen58

How to do it?

Code:

df -i

show 2951393 inodes - it's too much files.

At least run Linux Malware Detect on them. You don't have to install it: just download it, extract the two ClamAV signature databases, move them into your /var/lib/clamav signature database directory and scan. Do keep a log file because files that are clean should be inspected later on anyway.

Quote:

Originally Posted by bigmen58

Code:

/var/log/httpd/homedir.log.2: RKH_Glupteba-v1.UNOFFICIAL FOUND

This file contains one line match to pattern:

Code:

145 "HEAD /stat?uptime=100&downlink=1111&uplink=1111&id=0000B4D8&statpass=bpass&version=20131011&features=30&guid=3aaeb239-9acf-461a-8ed5-19e9acce8bc1&comment=20131011&p=0&s= HTTP/1.0"

I shouldn't speculate but if "20131011" is an installation date it seems your machine has been at it since at least October. The fact it's in "/var/log/httpd/homedir.log.2" means the process producing that log file is suspect. In what way I can't tell w/o details. Run a lsof on the process and verify all the files it uses:

Code:

( pgrep httpd|while read ITEM; do lsof -Pwlnp ${ITEM}; done )|awk '/\// {print "readlink -f "$NF}'|sort -u|/bin/sh|xargs rpm -qf --qf="%{name}\n"|sort -u

*plus check all the files the process has access to.

Quote:

Originally Posted by bigmen58

I don't know how install Snort on Centos. Is it required?

No. Please don't install anything on this machine. Snort should be run from another machine, be it your private workstation or a VM.

Quote:

Originally Posted by bigmen58

"lsof -Pwlni | grep 8000" is empty return. I don't see there any suspicious process, all of them looks OK (all of them: named, directadm, pop3-logi, imap-logi, mysqld, proftpd, httpd, imap, dovecot, spamd, exim, clamd)

Please, I don't want your assessment: I need to verify things myself. So please post proper output:

Code:

( /bin/ps axfwwwe -opid,ppid,gid,uid,cmd 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/ls -al /var/spool/cron 2>&1; /bin/netstat -anTpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last -wai 2>&1; /usr/bin/who -a 2>&1 ) > /path/to/data.txt'

Code:

/bin/rpm  --nodeps --noscripts --notriggers -Vva 2>&1|/bin/grep -v "\.\{8\}" 2>&1> /path/to/rpmvfy.log

Run all system and daemon logs through Logwatch (on your workstation or VM) with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" args. (With perl-Date-Manip installed a range can also be expressed like "--range 'between 2012/11/26 and 2012/12/01'": see --range Help). MAC times: 'find / -type f -printf "%T@ %A@ %C@ \"%p\"\n" 2>&1;'.(or find /tmp /var /tmp /usr/tmp -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1).

The above as a one-liner:

Code:

( /bin/ps axfwwwe -opid,ppid,gid,uid,cmd 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/ls -al /var/spool/cron 2>&1; /bin/netstat -anTpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last -wai 2>&1; /usr/bin/who -a 2>&1; /bin/rpm -Vva 2>&1|/bin/grep -v "\.\{8\}" 2>&1; /usr/share/logwatch/scripts/logwatch.pl --numeric --detail 5 --service all --range All --archives --print 2>&1; ) > /path/to/log.txt;

*Piping output through SSH or saving it in /dev/shm may be a substitute for "/path/to/".

Please compress and attach (rename to .txt extension) or pastebin, docs.google or email all output. If file size prohibits attaching it please do not use a public file sharing service but contact me to discuss dropping off output.

Quote:

Originally Posted by bigmen58

Code:

[root@server ~]# find / -user root -perm -4000 -print
(..)

[root@server ~]# find / -group kmem -perm -2000 -print
(empty)

Odd. I thought the document contained more checks...

*Should the above show no clues then I'm asking you to first shut down the web service (not server) or at least block external access to the ports using the firewall.

bigmen58 · 01-02-2014, 02:58 PM

Quote:

Originally Posted by unSpawn

Send me an email and we'll talk dropping off files.

Could you please send me your email address? I can't find private messages on this forum

.

Habitual · 01-02-2014, 03:25 PM

Quote:

Originally Posted by bigmen58

Could you please send me your email address? I can't find private messages on this forum

.

I think you'll need > 50 posts to send PMs.

unSpawn · 01-02-2014, 08:04 PM

Email sent.

bigmen58 · 01-03-2014, 10:48 AM

Quote:

Originally Posted by unSpawn

Email sent.

Sorry, i can't also receive PM (< 50 posts like Habitual said).

Please email me: [REMOVED]

unSpawn · 01-03-2014, 12:11 PM

I said Email sent. Shame if you used a throwaway email account to register here.