Analysis: event records of one intrusion into Linux servers

Analysis: event records of one intrusion into Linux servers

This vulnerability is common in ColdFusion and content management systems. In some cases, a specific attack may succeed, and a high-value server may cause significant data leakage. In other cases, attackers can operate infected hosts on a large scale.

Recently, I noticed that multiple IP addresses were attempting to exploit a PHP vulnerability, So I recorded the results using a honeypot. This activity reminds me of the days when the botnet was crazy and controlled by the IRC command, and use the compromised host as a scanning tool.

This is interesting because it indicates that it is a successful PHP vulnerability targeting Linux servers. What can it do? I will demonstrate how to do some basic memory forensics, you can summarize events of the Volatilit type.

The following are attacks attempted by attackers:

This is targeted at an old Vulnerability (CVE-2012-1823) that allows remote attackers to inject arbitrary code into the string through the command line option HTTP query.

The attack code is decoded as follows:

If the exploitation is successful, the remaining part of the http post is displayed.

The following operations are performed on the compromised server:

· Change the working directory to/var/tmp.

· Delete a file named a.pdf from the directory.

· Download the.pdf file from the attacker and save it to the/var/tmp directory. The PDF file is actually a per script.

· Execute perscripts, and upload a.pdf files.

· Delete the.pdf file at the bottom.

To ensure successful downloading of remote scripts, the attacker repeatedly uses the "curl", "fetch", and "lwp-get" commands.

The captured data packet shows the overall activity of the injection script. After the script is executed, it sleep for a period of time. The guess may be to avoid the Administrator's ears. Connect to IRC C2 of vafel. pexit. cu, and port 45129.

After a period of time, the attacker instructed to obtain another script "ins_h.sh" from m1.pexit. cu. cc ".

In the content of the "ins_h.sh" script, the attacker creates a hidden directory on the Linux server, obtains the source code of another tool (HC), and compiles it, save the changes to the scheduled task.

Soon afterwards, a large number of files will be downloaded to infected hosts, including mining software, development libraries, and compilation tools, A large number of local linux privilege escalation exploitation programs have also been downloaded. Later, the attacker will start Bitcoin and prime coin Mining in the way he wants. It is worth noting that it uses the Stratum Mining protocol to connect to the server 37.251.139.161:

Most servers are injected with these different scripts and then used for various tasks, including DDoS, vulnerability scanning and utilization. Internet Storm Center recently published a piece of news, "the situation of Mayard", discussing the use of damaged servers for virtual currency exploitation.

Now, let's do some memory forensics for the memory image of the compromised host. We will use version 2.3.1 to analyze the Linux image. To do this, you must provide an appropriate Linux configuration file, which is very easy to create, but it requires proper distribution and kernel. I recommend Ken Pryor's Github website, where Ken Pryor creates a Linux Configuration File Repository.

According to the analysis, the system is a Ubuntu 10.04 server with kernel version 2.6.32-33. Let's take a look at the active processes on the system and use the linux_pslist plug-in.

Note that the timestamp of PID1517 (httpps) and PID27157 (rsyslogd) is much later than the processes listed above. Since earlier processes and their relative timestamps are similar to Linux boot programs, note that these processes display a user ID and group ID1002, in which Ubuntu is assigned to a user account.

The "linux_psaux" of the volatility plug-in is similar to the Linux Command ps, so it can display the command line parameters used in the process call:

Therefore, the process name is named "httpps", PID is 1517, directory/usr/bin/httpd, another process "rsyslogd", PID is 27157, and call the command line parameter "-B-c ". If we get a disk image that destroys the server, we will check the "httpd" of/usr/bin ". By studying "rsyslogd", we know that "-B" is not a valid option, so this process is still suspicious. When you use the pslist command to list the running processes, "linux_pidhashtable" can help us find hidden processes.

In this case, it is a good practice to check the server's network information and some network plug-ins, which will help determine remote connection and start these processes. For example, the _netstat plug-in acts like the Linux "netstat" command, and lists active network connections and listening sockets. In this case, we can see suspicious processes, PID1517 and PID27157, which are associated with the remote IP address of the established network connection.

Run the linux_route_cache plug-in to display the cache of the route table. This may indicate that you can see any old connection without using the linux_netstat plug-in.

Now we have established PID1517 and 27157 suspicious processes, allowing us to list all the relevant open files and paths. Similar to using "lsof" in linux, we will use the plug-in "linux_lsof" here ".

Note that the two processes, PID1517 and 27157, have two files opened together. One is [7916], and the other is the httpd. pid file in the hidden directory "/tmp/. ICE-unix/-log.

Another plug-in is linux_proc_maps, which displays the details of the process memory, including the shared library. Details include the start and end locations, nodes and tags of each part. This is valuable information from memory surveys. For example, in PID1517, we get the following content:

We can see the same hidden directory as mentioned above, but now it refers to the file name "httpps ". This file is considered as 405961. There is an output switch on the linux_proc_maps plug-in that can be listed in segments. However, in order to restore a complete and intact file, we need to cache it from the page and save it to all pages related to the file in the memory. We can do this through the linux_find_file plug-in. This plug-in will find the address and then let you dump the cached file content from the memory. Therefore, the "httpps" file is in node 405961:

Python vol. py-f/home/abc/pexit. vmem -- profile = LinuxUbuntu1004_pae32-33x86 linux_find_file-F "/tmp/. ICE-unix/-log/httpps"

Then, we use the "linux_find_file" plug-in to use the "-o" option to Extract files through the address of the index node. After extraction, we can run "strings" to view the content:

These examples only help you analyze the damaged host. I hope this article will successfully reveal some situations of PHP vulnerabilities and the resulting Script Injection examples, in addition to ensuring correct patching and Hardening for Internet-facing servers, we also need to know how to quickly track such attacks. In my honeypot, I see dozens of attacks every day, including linux ELF, perlbots, and old-fashioned shells. These injection of perl and shell scripts are very annoying and will cause the most serious damage to us.

Address: http://sempersecurus.blogspot.jp/2013/12/a-forensic-overview-of-linux-perlbot.html