China.Z / XorDDOS
Analysis of a hack
(updated)
hendrik.vanbelleghem@gmail.com – V1.2 – 13 May 2015
Disclaimer
• Initial evidence pointed to abuse of ShellShock –
China.Z
• More detailed investigation pointed to a brute-force
attack on the SSH root password
• ClamAV confirmed this by finding XorDDOS
The host
• Debian Wheezy 64-bit
– With all updates
– Bash 4.2.37(1) – should be OK
• LAMP
• Firewall configured
– Incoming allowed: HTTP, SSH, phpMyAdmin
– Any outgoing
• Public IP (Monitored by hosting company)
• No FQDN (yet)
• No activity (yet)
• Console (VNC) access
The Symptoms
• 100% CPU usage
• Network access disabled due to DDoS Activity
• 1 Process taking all resources
– Executable with randomized filename
• Startup script for file
• Nothing in command history
• No apparent leftover files
• No apparent hosting of malware / other
• Root password still works
• Client connection on random port
• Server connection listening on random port
Initial Troubleshooting
• Kill process
– New process recreated automatically with randomized
filename. Startup script recreated.
– New randomized port server & client started
• Delete executable
– New process recreated automatically with randomized
filename. Startup script recreated. Executable recreated.
– New randomized port server & client started
• Block server & client ports (iptables)
– New randomized port server & client started
• Backup executable & startup script
• Backup command history
• Backup Logfiles (HTTP as first guess)
– /var/log/apache
Troubleshooting – Step 2
• Review logs
– HTTP log shows port scan
– HTTP log shows attack
• Dump last changed files
– find / -mtime -10 | grep -v dev | grep -v proc > recent_files.txt
• Review recently modified files
– /etc/cron.hourly/*loader*.sh
– /etc/crontab (running *loader*)
– /bin/*loader* (disguised as library)
– /bin/*process* (randomized name)
– /etc/init.d/*process* (randomized name)
– /etc/rc?.d/S02*process* (randomized name)
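The file sweep on this slide, written out as an added shell example (this is not code from the original deck). It lists files modified in the last N days and then flags those sitting in the persistence locations the slide names. Two things differ from the one-liner above: the pseudo-filesystems are skipped with -prune instead of grep -v (grep -v dev also drops every path that merely contains "dev", such as /usr/lib/devtools), and only regular files are reported. The demo tree, the loader name xxloader and the process name qwertyuiop are constructed placeholders standing in for the randomised names on the real host.

```shell
#!/bin/sh
# Added example, not part of the original slides: sweep a filesystem for
# recently modified files and flag those in known persistence locations.
# Paths, file names and the demo tree below are constructed for the demo.

# Regular files under $1 (default /) modified within the last $2 (default 10)
# days. /dev, /proc and /sys are pruned as directories, so a path that
# merely contains "dev" (e.g. /usr/lib/devtools) is still reported.
recent_files() {
    root=${1:-/}
    days=${2:-10}
    base=${root%/}                      # "" for "/", so "$base/dev" is "/dev"
    find "${base:-/}" \( -path "$base/dev" -o -path "$base/proc" -o -path "$base/sys" \) -prune \
        -o -type f -mtime "-$days" -print 2>/dev/null | LC_ALL=C sort
}

# Of those recent files, print (relative to the root) the ones living where
# the deck found the malware's persistence: cron.hourly, crontab, /bin,
# init.d and the rc?.d start links.
persistence_hits() {
    root=${1:-/}
    base=${root%/}
    recent_files "$root" "${2:-10}" | while IFS= read -r f; do
        rel=${f#"$base"}
        case "$rel" in
            /etc/cron.hourly/*|/etc/cron.d/*|/etc/crontab|/bin/*|/etc/init.d/*|/etc/rc[0-9S].d/S*)
                printf '%s\n' "$rel" ;;
        esac
    done
}

# Constructed demo tree standing in for a compromised host's filesystem:
# the persistence files the slide lists, plus noise that a naive
# "grep -v dev" sweep would get wrong (a harmless file under devtools,
# entries under /dev and /proc, and an old file that must not show up).
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.hourly" "$d/etc/init.d" "$d/etc/rc2.d" "$d/bin" \
             "$d/dev" "$d/proc/1" "$d/usr/lib/devtools" "$d/home/user"
    echo '*/3 * * * * root /etc/cron.hourly/xxloader.sh' > "$d/etc/crontab"
    echo '# placeholder for the cron loader script' > "$d/etc/cron.hourly/xxloader.sh"
    : > "$d/bin/xxloader"               # "library"-looking loader (placeholder name)
    : > "$d/bin/qwertyuiop"             # randomised process name (placeholder)
    : > "$d/etc/init.d/qwertyuiop"
    : > "$d/etc/rc2.d/S02qwertyuiop"
    : > "$d/dev/sda"
    : > "$d/proc/1/status"
    : > "$d/usr/lib/devtools/README"    # recent, harmless, path contains "dev"
    : > "$d/home/user/notes.txt"        # recent, harmless
    : > "$d/etc/hostname"
    touch -t 201501010000 "$d/etc/hostname"   # old: outside the window
    echo "$d"
}

# Real use: persistence_hits / 10 as root, then compare each hit against the
# package manifest and backups before removing anything.
demo=$(make_demo_root)
persistence_hits "$demo" 10
rm -rf "$demo"
```

The -mtime window is a coarse filter: a loader that resets timestamps, or one dropped more than N days ago, will not appear, so the hit list complements rather than replaces a package-manifest check and the ClamAV scan the deck ends with.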
Troubleshooting – Juicy Bits
• Portscan before and after attack
• Attack was not targeting CGI scripts
– Initial approach with ShellShock
• Attack shows signature
– “China.Z”
Troubleshooting – Step 3
• Attacker used wget
– Removed wget
• Backup of cron scripts & executable
– Removed files
• Hard shutdown
• Startup in single mode *fingers crossed*
– No trojan
• Disable network
Troubleshooting – Step 4
• Double-check bootscripts
• Double-check netstat
• Double-check logs
• Disable Apache
• Disable SSH
• Installed & ran ClamAV
– Cleaned up everything
• Apply modsecurity
• Enable all & reboot
• *Fingers crossed*
Recommendations
• Apply latest updates
• Patch bash
• Run bash in privileged mode
• Limit incoming traffic (iptables) – DUH!
• Limit outgoing traffic (iptables)
• Block 121.12.168.0/21 & others (check logs)
• Apply mod_security rules
– OWASP
• Get rid of wget if you don’t need it
• Scan your system - ClamAV
• Run Vulnerability tests!
Scan Results
• ClamAV Detects trojan as Linux.Trojan.Xorddos
• Brute force SSH password approach
UPDATE!
Recommendations
• Check /var/log/auth
• Restrict root login on SSH
• Restrict SSH access to limited IPs
• Set up reverse SSH tunnels
• Use shared keys
• Update passwords
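The first three recommendations on this slide, as an added shell example (not code from the original deck). One function counts "Failed password" lines in an auth.log per source address and a second lists successful logins that came from a source which had already been failing, which is the pattern behind a guessed root password on a host where "root password still works". A third audits sshd_config for the settings recommended here: PermitRootLogin no, PasswordAuthentication no (key-based login only) and an AllowUsers line limiting who may log in and from where. The log lines, addresses (documentation ranges only) and both config files are constructed samples, not data from the compromised host; sshd takes the first occurrence of a keyword, and the audit stops at the first Match block, which it does not evaluate.

```shell
#!/bin/sh
# Added example, not part of the original slides. Log lines, addresses and
# config files below are constructed samples.

# Sources with more than $2 (default 5) "Failed password" lines in the
# auth.log $1, printed as "count ip", most active first.
ssh_bruteforce_sources() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] > t) print fails[ip], ip }
    ' "$1" | sort -rn
}

# "ip user" for every accepted login whose source exceeded the failure
# threshold: a password guessed right after many wrong ones.
ssh_suspicious_logins() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            k++; auser[k] = user; aip[k] = ip
        }
        END { for (i = 1; i <= k; i++) if (fails[aip[i]] > t) print aip[i], auser[i] }
    ' "$1"
}

# First effective value of keyword $2 in sshd_config $1 (sshd uses the
# first occurrence). Match blocks are not evaluated: check those by hand.
sshd_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# One line per recommended setting: "OK key=value" or "WEAK key=value".
# Only "no" passes for PermitRootLogin; prohibit-password/without-password
# still admit root with a key, and an absent keyword means the default.
audit_sshd_config() {
    cfg=$1
    for key in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_setting "$cfg" "$key")
        if [ "$v" = "no" ]; then echo "OK $key=no"; else echo "WEAK $key=${v:-unset}"; fi
    done
    # AllowUsers limits who (and, as user@host, from where) may log in at all.
    if [ -n "$(sshd_setting "$cfg" AllowUsers)" ]; then echo "OK AllowUsers=set"; else echo "WEAK AllowUsers=unset"; fi
}

# Constructed auth.log: 8 wrong root passwords then a correct one from
# 203.0.113.5, 6 guesses for a nonexistent user from 198.51.100.7, and one
# normal key-based login from 192.0.2.9.
make_sample_auth_log() {
    f=$(mktemp)
    {
        n=0; while [ $n -lt 8 ]; do
            echo "May 13 03:12:0$n host sshd[2231]: Failed password for root from 203.0.113.5 port 4021$n ssh2"
            n=$((n + 1)); done
        echo "May 13 03:12:09 host sshd[2231]: Accepted password for root from 203.0.113.5 port 40219 ssh2"
        n=0; while [ $n -lt 6 ]; do
            echo "May 13 03:15:1$n host sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 5130$n ssh2"
            n=$((n + 1)); done
        echo "May 13 03:20:00 host sshd[2305]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2"
    } > "$f"
    echo "$f"
}

make_weak_sshd_config() {        # constructed: what a fresh install often ships with
    f=$(mktemp)
    printf 'Port 22\nPermitRootLogin yes\n# UsePAM yes\nPasswordAuthentication yes\n' > "$f"
    echo "$f"
}
make_hardened_sshd_config() {    # constructed: the slide's recommendations applied
    f=$(mktemp)
    printf 'Port 22\nPermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\nAllowUsers admin@192.0.2.0/24\n' > "$f"
    echo "$f"
}

# Demo run; on a real host point the functions at /var/log/auth.log and
# /etc/ssh/sshd_config.
log=$(make_sample_auth_log)
echo "== sources over threshold =="; ssh_bruteforce_sources "$log" 5
echo "== accepted logins from those sources =="; ssh_suspicious_logins "$log" 5
echo "== sshd_config audit (weak) =="; audit_sshd_config "$(make_weak_sshd_config)"
echo "== sshd_config audit (hardened) =="; audit_sshd_config "$(make_hardened_sshd_config)"
```

The threshold is deliberately low because the pattern that matters is the accepted login from a failing source, not the raw count; a distributed guess across many addresses will stay under any per-source threshold, which is why the slide also asks for keys instead of passwords and for an address restriction on SSH.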
UPDATE!
More reading – XorDDOS
• Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
– http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
• Linux DDoS Trojan hiding itself with an embedded rootkit
– https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
• DDoS Malware for Linux Distributed via SSH Brute Force Attacks
– http://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks
• Symantec: Linux.Xorddos
– http://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99
More reading – China.Z
• New ELF Malware on ShellShock
– http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-
• ShellShock Deception with Echo
– http://neonprimetime.blogspot.be/2015/03/shellshock-deception-wi
• Analysis of China.Z
– http://users.jyu.fi/~sapekiis/china-z/index.html
More reading – ShellShock
• Debian Announcement on ShellShock
– https://lists.debian.org/debian-security-announce/2014/msg00220.html
• Using ModSecurity to prevent ShellShock
– https://access.redhat.com/articles/1212303
• How ShellShock can be exploited
– http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited
• Inside ShellShock
– https://blog.cloudflare.com/inside-shellshock/
• Mitigating the ShellShock Vulnerability
– https://access.redhat.com/articles/1212303
My Hashitalk Indonesia April 2024 Presentation
 

China.z / Trojan.XorDDOS - Analysis of a hack

  • 1. China.Z / XorDDOS – Analysis of a hack (updated)
    hendrik.vanbelleghem@gmail.com – V1.2 – 13 May 2015
  • 2. Disclaimer
    • Initial evidence pointed to abuse of ShellShock – China.Z
    • More detailed investigation pointed to a brute-force attack on SSH root passwords
    • ClamAV confirmed this by finding XorDDOS
  • 3. The host
    • Debian Wheezy 64-bit
      – With all updates
      – Bash 4.2.37(1) – should be OK
    • LAMP
    • Firewall configured
      – Incoming allowed: HTTP, SSH, phpMyAdmin
      – Any outgoing
    • Public IP (monitored by hosting company)
    • No FQDN (yet)
    • No activity (yet)
    • Console (VNC) access
  • 4. The Symptoms
    • 100% CPU usage
    • Network access disabled due to DDoS activity
  • 5. The Symptoms
    • 1 process taking all resources
      – Executable with randomized filename
    • Startup script for file
    • Nothing in command history
    • No apparent leftover files
    • No apparent hosting of malware / other
    • Root password still works
    • Client connection on random port
    • Server connection listening on random port
  • 6. Initial Troubleshooting
    • Kill process
      – New process recreated automatically with randomized filename. Startup script recreated.
      – New randomized-port server & client started
    • Delete executable
      – New process recreated automatically with randomized filename. Startup script recreated. Executable recreated.
      – New randomized-port server & client started
    • Block server & client ports (iptables)
      – New randomized-port server & client started
    • Backup executable & startup script
    • Backup command history
    • Backup logfiles (HTTP as first guess)
      – /var/log/apache
  • 7. Troubleshooting – Step 2
    • Review logs
      – HTTP log shows port scan
      – HTTP log shows attack
    • Dump last changed files
      – find / -mtime -10 | grep -v dev | grep -v proc > recent_files.txt
    • Review recently modified files
      – /etc/cron.hourly/*loader*.sh
      – /etc/crontab (running *loader*)
      – /bin/*loader* (disguised as library)
      – /bin/*process* (randomized name)
      – /etc/init.d/*process* (randomized name)
      – /etc/rc?.d/S02*process* (randomized name)
  • 8. Troubleshooting – Juicy Bits
    • Portscan before and after attack
  • 9. Troubleshooting – Juicy Bits
    • Attack was not targeting CGI scripts
      – Initial approach with ShellShock
    • Attack shows signature – “China.Z”
  • 10. Troubleshooting – Step 3
    • Attacker used wget
      – Removed wget
    • Backup of cron scripts & executable
      – Removed files
    • Hard shutdown
    • Startup in single mode *fingers crossed*
      – No trojan
    • Disable network
  • 11. Troubleshooting – Step 4
    • Double-check bootscripts
    • Double-check netstat
    • Double-check logs
    • Disable Apache
    • Disable SSH
    • Installed & ran ClamAV
      – Cleaned up everything
    • Apply modsecurity
    • Enable all & reboot
    • *Fingers crossed*
  • 12. Recommendations
    • Apply latest updates
    • Patch bash
    • Run bash in privileged mode
    • Limit incoming traffic (iptables) – DUH!
    • Limit outgoing traffic (iptables)
    • Block 121.12.168.0/21 & others (check logs)
    • Apply mod_security rules – OWASP
    • Get rid of wget if you don’t need it
    • Scan your system – ClamAV
    • Run vulnerability tests!
  • 13. Scan Results
    • ClamAV detects trojan as Linux.Trojan.Xorddos
    • Brute-force SSH password approach – UPDATE!
  • 14. UPDATE! Recommendations
    • Check /var/log/auth
    • Restrict root login on SSH
    • Restrict SSH access to limited IPs
    • Set up reverse SSH tunnels
    • Use shared keys
    • Update passwords
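The auth-log check in slide 14 is the one that would have exposed the real entry vector (SSH root brute force) early. The following added example (not from the slides) summarises failed root password attempts per source IP from Debian-style sshd log lines and flags sources that also obtained an accepted root password login; the log lines are constructed and the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original slides.
# Assumed input format: Debian sshd syslog lines, e.g.
#   "May 12 03:14:01 host sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2"
# In a real investigation point the functions at /var/log/auth.log (or a rotated copy).

# Constructed sample log so the script runs offline.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
May 12 03:14:01 host sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
May 12 03:14:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
May 12 03:14:03 host sshd[1235]: Failed password for root from 203.0.113.45 port 51240 ssh2
May 12 03:14:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 12 03:15:00 host sshd[1240]: Accepted password for root from 203.0.113.45 port 51300 ssh2
May 12 09:00:00 host sshd[2000]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
EOF

# failed_root_by_ip FILE
# Prints "COUNT IP" for every source that failed a root password login, busiest first.
# Only "Failed password for root" lines count; "invalid user" guesses are a separate signal.
failed_root_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for root from ' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# accepted_root_with_failures FILE THRESHOLD
# Prints each IP with at least THRESHOLD failed root logins that also has an
# "Accepted password for root" line: the brute-force-then-success pattern behind this incident.
accepted_root_with_failures() {
    file=$1
    threshold=$2
    failed_root_by_ip "$file" | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        if grep -qF "Accepted password for root from $ip " "$file"; then
            echo "$ip"
        fi
    done
}

# Usage: failed_root_by_ip /var/log/auth.log ; accepted_root_with_failures /var/log/auth.log 10
```

On a host that has been brute-forced, the same listing also gives the source ranges to block, which is how a rule such as the one in slide 12 should be derived rather than guessed.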
  • 15. UPDATE! More reading – XorDDOS
    • Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
      – http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
    • Linux DDoS Trojan hiding itself with an embedded rootkit
      – https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
    • DDoS Malware for Linux Distributed via SSH Brute Force Attacks
      – http://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks
    • Symantec: Linux.Xorddos
      – http://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99
  • 16. More reading – China.Z
    • New ELF Malware on ShellShock
      – http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-
    • ShellShock Deception with Echo
      – http://neonprimetime.blogspot.be/2015/03/shellshock-deception-wi
    • Analysis of China.Z
      – http://users.jyu.fi/~sapekiis/china-z/index.html
  • 17. More reading – ShellShock
    • Debian Announcement on ShellShock
      – https://lists.debian.org/debian-security-announce/2014/msg00220.html
    • Using ModSecurity to prevent ShellShock
      – https://access.redhat.com/articles/1212303
    • How ShellShock can be exploited
      – http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited
    • Inside ShellShock
      – https://blog.cloudflare.com/inside-shellshock/
    • Mitigating the ShellShock Vulnerability
      – https://access.redhat.com/articles/1212303