
I have discovered 'accidentally', while searching in my command history, that someone has issued these:

passwd
w
cat /proc/cpuinfo
free -m
uptime
w
perl v.py
python v.py
chmod +x *
./a 94.10

and these:

./a 52.30
rm -rf scan.log sparte.txt
./a 208.43 22
./a 208.43
rm -rf md
chmod +x *
rm -rf scan.log sparte.txt
./a 31.79 22
rm -rf scan.log
./a 163.172 22
rm -rf scan.log
./a 212.1
./a 212.1 22
rm -rf scan.log
rm -rf scan.log sparte.txt
./a 212.219 22
w
chmod +x *
rm -rf scan.log sparte.txt
./a 185.61 22
w
chmod +x *
cat sparte.txt
rm -rf scan.log sparte.txt
./a 81.102 22
./a 212.1 22
cat /proc/cpuinfo
free -m
rm -rf scan.log sparte.txt
chmod +x *
./a 31.220 22
rm -rf scan.log sparte.txt
./a 78.47 22
rm -rf scan.log sparte.txt

The apparently noob intruder (hacker), who didn't clear the logs, has taken advantage of a weak password to ssh into my server. He tried with root:

Apr  1 06:35:39 ns346721 sshd[6641]: Failed password for root from 42.7.26.49 port 19029 ssh2

But succeeded here:

Apr 3 21:36:54 ns346721 sshd[26814]: Accepted password for [USERNAME] from 176.223.29.2 port 52054 ssh2

In the targeted user's home folder, the intruder has uploaded/generated some files:

/home/[USERNAME]/f
├── /home/[USERNAME]/f/a
├── /home/[USERNAME]/f/brute
├── /home/[USERNAME]/f/hu
├── /home/[USERNAME]/f/mass
├── /home/[USERNAME]/f/passfile
├── /home/[USERNAME]/f/scan.log
└── /home/[USERNAME]/f/vuln

I guess some of them were the output of a Python file, /home/[USERNAME]/v.py, which after my search turned out to have the content of this: https://github.com/funtimes-ninja/malware/blob/master/1a5c4fdec1e867bb27c633751e6f1184a6597bef82dc94512fbb3dbe398ed177

and the 'a' file:

#!/bin/bash
./brute 800 -b $1 passfile $2 "uname -a"

Unfortunately nothing readable can be displayed from the file 'brute', as it has binary content.

When I discovered the issue, one process under [USERNAME] was still running, so I just terminated it.

What I have done:

  • Changed the password for the targeted user [USERNAME]
  • Disabled ssh for all users except root (I know that shouldn't be enabled either).
  • Killed all processes under the user [USERNAME]

Now my main concern is to know what this intruder has made so far on the server.

Is there a well-established procedure to check for and clean malicious files and processes?

elsadek
  • Possible duplicate of [How do organizations check *what* has been hacked?](https://security.stackexchange.com/questions/103805/how-do-organizations-check-what-has-been-hacked) – John Deters Apr 07 '18 at 12:03
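An added example (not part of the question or the answer): a small Python triage script for sshd auth lines in the format quoted above. It reports sources with many failed logins and flags accepted logins that used password authentication or that were preceded by failures from the same source, which is the pattern visible in the two quoted lines. The sample lines are constructed for the example; only the hostname and the two quoted IPs come from the question, while "user1", "alice", 10.0.0.5 and the timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd/syslog format quoted in the question: the hostname and the
# two quoted IPs come from the question; the other lines, "user1" and timestamps are made up.
SAMPLE_LOG = """\
Apr  1 06:35:39 ns346721 sshd[6641]: Failed password for root from 42.7.26.49 port 19029 ssh2
Apr  1 06:35:41 ns346721 sshd[6641]: Failed password for root from 42.7.26.49 port 19030 ssh2
Apr  1 06:35:44 ns346721 sshd[6643]: Failed password for invalid user admin from 42.7.26.49 port 19031 ssh2
Apr  3 21:36:40 ns346721 sshd[26810]: Failed password for user1 from 176.223.29.2 port 52050 ssh2
Apr  3 21:36:54 ns346721 sshd[26814]: Accepted password for user1 from 176.223.29.2 port 52054 ssh2
Apr  3 22:01:10 ns346721 sshd[27001]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
"""

# One regex for both outcomes; sshd adds "invalid user" when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(log_text):
    """Return the matching auth events, in log order, as dicts of the named groups."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def brute_sources(events, threshold=3):
    """IPs with at least `threshold` failed logins: likely password-guessing sources."""
    failed = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
    return {ip: n for ip, n in failed.items() if n >= threshold}

def suspicious_logins(events):
    """Accepted logins worth a second look: password-based, or preceded by failures from the same IP."""
    failed_so_far = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failed_so_far[e["ip"]] += 1
            continue
        reasons = []
        if e["method"] == "password":
            reasons.append("password auth")
        if failed_so_far[e["ip"]]:
            reasons.append(f"{failed_so_far[e['ip']]} prior failure(s) from this IP")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return findings
```

Feed the functions the text of the real auth log (for example /var/log/auth.log or the output of journalctl -u ssh) instead of SAMPLE_LOG; the accepted logins it flags are the sessions whose command history and home directory need to be reviewed first.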


At a high level, what you are looking for is called an Incident Response Plan. Ideally, your organization will have created an Information Security Policy, and this would be one of the recommended items in the policy.

NIST has a good plan you can look at and follow: the Incident Handling and Response Guide.

At the lower level, you are still in the midst of an attack. You can't be sure the attacker didn't create a back door for himself somewhere in your network. Consider engaging a professional security firm to help ensure your response is adequate for your organization.

John Deters