2. Disclaimer
• Initial evidence pointed to abuse of ShellShock – China.Z
• More detailed investigation pointed to a brute-force attack on SSH root passwords
• ClamAV confirmed this by detecting XorDDOS (Linux/XOR.DDoS)
3. The host
• Debian Wheezy 64-bit
– With all updates
– Bash 4.2.37(1) – patched package installed, so ShellShock should not apply
• LAMP
• Firewall configured
– Incoming allowed: HTTP, SSH, phpMyAdmin
– Any outgoing (no egress filtering)
• Public IP (Monitored by hosting company)
• No FQDN (yet)
• No activity (yet)
• Console (VNC) access
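An added check, not part of the original slides: the version string is weak evidence, because a distribution that backports the fix usually leaves it unchanged, so the only reliable test is to exercise the bug. The script below is my own example; it assumes a POSIX shell with `bash` and `mktemp` on the path, and runs the canonical probes for CVE-2014-6271 and for CVE-2014-7169 (the parser bug left open by the first fix). A "patched" result covers both.

```shell
#!/bin/sh
# Added example (not from the original deck): decide whether the installed
# bash is actually vulnerable to ShellShock by behaviour, not by version.

# shellshock_check -> prints "patched", "no-bash", or "vulnerable:<CVE list>"
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    found=""

    # CVE-2014-6271: an exported variable whose value starts with "() {" is
    # imported as a function; an unpatched bash also executes whatever
    # follows the closing brace while importing it.
    out=$(env x='() { :;}; echo VULN' bash -c ':' 2>/dev/null) || true
    case "$out" in
        *VULN*) found="$found CVE-2014-6271" ;;
    esac

    # CVE-2014-7169: the incomplete first fix left a parser bug through which
    # a crafted definition turns the next command into a redirection, creating
    # a file named "echo" in the current directory. Run it in a scratch dir.
    tmp=$(mktemp -d)
    if (cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1; [ -e echo ]); then
        found="$found CVE-2014-7169"
    fi
    rm -rf "$tmp"

    if [ -n "$found" ]; then
        echo "vulnerable:$found"
    else
        echo "patched"
    fi
}

# Usage: shellshock_check
```

Run it as the user the web server runs as; what matters is the bash binary that a CGI or `system()` call would actually invoke, not whichever one is first on root's PATH.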
5. The Symptoms
• One process consuming all resources
– Executable with a randomized filename
• Startup script for that file
• Nothing in the command history
• No apparent leftover files
• No apparent hosting of malware / other content
• Root password still works
• Outbound client connection on a random port
• Server listening on a random port
6. Initial Troubleshooting
• Kill process
– New process recreated automatically with a randomized filename. Startup script recreated.
– New server & client started on new random ports
• Delete executable
– New process recreated automatically with a randomized filename. Startup script and executable recreated.
– New server & client started on new random ports
• Block server & client ports (iptables)
– New server & client started on new random ports
• Backup executable & startup script
• Backup command history
• Backup log files (web server first, since ShellShock was the first guess)
– /var/log/apache
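An added example, not from the original deck: when every kill produces a fresh process under a new random name, evidence has to be captured before anything is killed or deleted. The script below is mine and assumes Linux with /proc mounted and a writable directory named by EVIDENCE_ROOT (a name I chose; in practice point it at removable or network storage). It copies the running binary through /proc/PID/exe, which still works after the on-disk file has been unlinked, records the parent PID as the first candidate for whatever respawns the process, snapshots open descriptors and the kernel TCP table (where the random-port listener and client show up), and greps /etc/init.d for the randomized name.

```shell
#!/bin/sh
# Added example (not from the original deck): preserve evidence about a
# suspicious process BEFORE killing it. Everything is read via /proc.
# EVIDENCE_ROOT and the PID you pass are assumptions of this example.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-/tmp/evidence}"   # assumed; use offline media in real cases

# preserve_evidence PID -> prints the directory it wrote; returns 1 if PID is gone
preserve_evidence() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    dir="$EVIDENCE_ROOT/pid-$pid-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dir"

    # 1. The binary itself, through the exe symlink (survives deletion of the file).
    readlink "/proc/$pid/exe" > "$dir/exe.path"
    cp "/proc/$pid/exe" "$dir/exe.bin" 2>/dev/null || true

    # 2. How it was started, and who started it (PPid = respawner candidate).
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$dir/cmdline"; echo >> "$dir/cmdline"
    awk '/^PPid:/ {print $2}' "/proc/$pid/status" > "$dir/ppid"
    readlink "/proc/$(cat "$dir/ppid")/exe" > "$dir/parent.exe.path" 2>/dev/null || true

    # 3. Open descriptors and the TCP table (random-port listener and client).
    ls -l "/proc/$pid/fd" > "$dir/fd.txt" 2>/dev/null || true
    cat /proc/net/tcp /proc/net/tcp6 > "$dir/net-tcp.txt" 2>/dev/null || true

    # 4. Init scripts that mention the (randomized) executable name.
    name=$(basename "$(sed 's/ (deleted)$//' "$dir/exe.path")")
    if [ -d /etc/init.d ]; then
        grep -l -- "$name" /etc/init.d/* > "$dir/init-scripts.txt" 2>/dev/null || true
    fi

    # 5. Hash the copy so it can be matched against AV / threat-intel later.
    if command -v sha256sum >/dev/null 2>&1 && [ -f "$dir/exe.bin" ]; then
        (cd "$dir" && sha256sum exe.bin > sha256.txt)
    fi
    echo "$dir"
}

# Usage against a benign stand-in (this shell's own PID):
# preserve_evidence "$$"
```

Only after this runs does it make sense to kill: with the parent PID and init-script list in hand, the next kill can target the respawner instead of the child, and the preserved binary can be handed to ClamAV or a sandbox without racing the malware's own clean-up.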
15. UPDATE!
More reading – XorDDOS
• Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
– http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
• Linux DDoS Trojan hiding itself with an embedded rootkit
– https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
• DDoS Malware for Linux Distributed via SSH Brute Force Attacks
– http://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks
• Symantec: Linux.Xorddos
– http://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99
16. More reading – China.Z
• New ELF Malware on ShellShock
– http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-
• ShellShock Deception with Echo
– http://neonprimetime.blogspot.be/2015/03/shellshock-deception-wi
• Analysis of China.Z
– http://users.jyu.fi/~sapekiis/china-z/index.html
17. More reading - ShellShock
• Debian Announcement on ShellShock
– https://lists.debian.org/debian-security-announce/2014/msg00220.html
• Using ModSecurity to prevent ShellShock
– https://access.redhat.com/articles/1212303
• How ShellShock can be exploited
– http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited
• Inside ShellShock
– https://blog.cloudflare.com/inside-shellshock/
• Mitigating the ShellShock Vulnerability
– https://access.redhat.com/articles/1212303