
I would like to ask for some directions to trace back to the original (malicious) script on my system (Ubuntu Server). I will try to be more specific if needed. If the question does not fit this stackexchange, then I will modify it.

In netstat's output, the PID/Program name only showed "-" and the one next to it 1441/-bash. While I can locate the PID of the latter, I have no idea how to do that with the first one. These two processes would respawn after reboot.

To give more context, the two suspicious connections are from 198.251.80.207 and 157.230.4.227. It seems like they are trying to mine XMR. I have got rid of their keys in authorized_keys but could not find a way to stop the established connection to port 50866 from foreign port 443 (UFW already blocked that IP in and out, but somehow it can still establish a connection). I was able to block connections from my server to 157.230.4.227, hence it only shows SYN_SENT.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 my_server_ip:50866       198.251.80.207:443      ESTABLISHED -               
tcp        0      1 my_server_ip:36730       157.230.4.227:8443      SYN_SENT    1441/-bash      

UFW info

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     159.75.245.82             
[ 2] Anywhere                   DENY IN     45.137.21.134             
[ 3] 194.163.163.20             DENY IN     Anywhere                  
[ 4] Anywhere                   DENY IN     194.163.163.20            
[ 5] 155.94.171.66              DENY IN     Anywhere                  
[ 6] Anywhere                   DENY IN     155.94.171.66             
[ 7] 198.251.89.111             DENY IN     Anywhere                  
[ 8] Anywhere                   DENY IN     198.251.89.111            
[ 9] Anywhere                   DENY IN     88.99.242.92              
[10] Anywhere                   DENY IN     198.251.80.207            
[11] Anywhere                   DENY IN     157.230.4.227             
[12] 157.230.4.227              DENY IN     Anywhere                  
[13] 198.251.80.207             DENY IN     Anywhere                  
[14] 88.99.242.92               DENY IN     Anywhere 

In the output of ls -l /proc/1441, the -bash script got deleted right after reboot.

<snipped>
-r--r--r--   1 root root 0  1월 28 16:17 cpuset
lrwxrwxrwx   1 root root 0  1월 28 16:06 cwd -> //
-r--------   1 root root 0  1월 28 16:17 environ
lrwxrwxrwx   1 root root 0  1월 28 16:06 exe -> /bin/-bash (deleted)
dr-x------   2 root root 0  1월 28 16:05 fd/
dr-x------   2 root root 0  1월 28 16:17 fdinfo/
<snipped>

How do I find what script/process triggered the exe binary file above?

Long
    Even if you locate your malware, the original entry-point of the attack remains. Please remove your server from production, taking it offline if possible. Then you could do a forensic analysis of its content. When you have found the probable source of entry, you should [nuke your server from orbit](https://security.stackexchange.com/q/138606/127837). – A. Hersean Jan 28 '22 at 09:55
  • I really appreciate this and this is what I would definitely do in production. This is my local server and I take this chance to learn more about malware traces. – Long Jan 30 '22 at 08:11

1 Answer


For those who are struggling after removing the crontab created by the malware: there is one more place you should look, the system services and startup services located in /etc. For example, in Ubuntu it should be something like the /etc/rc.local file and the /etc/systemd/system dir. Try to check for suspicious scripts and remove them. It took me half a day to find out all these things. Hope it helps.

Long
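As an added example (my own POSIX shell helpers, not code from the question or the answer), this covers the three tasks the thread raises: walking a PID's ancestry through /proc to see what started it, mapping a socket inode to its owning PID when netstat prints "-", and grepping the persistence locations the answer names plus cron. The function names are mine, and the helpers assume a Linux /proc.

```shell
#!/bin/sh
# Run as root: netstat/ss print "-" for sockets whose owner's fd table they
# cannot read, and /proc/<pid>/exe, environ and fd are readable only by the
# process owner or root.

# Print pid, ppid, comm, exe target and cmdline of one process, tab separated.
# A binary unlinked after start shows as "/path (deleted)" in the exe column.
proc_info() {
    p=$1
    [ -r "/proc/$p/status" ] || return 1
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$p/status")
    comm=$(cat "/proc/$p/comm" 2>/dev/null)
    exe=$(readlink "/proc/$p/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$p/cmdline")
    printf '%s\t%s\t%s\t%s\t%s\n' "$p" "$ppid" "$comm" "$exe" "$cmd"
}

# Follow PPid links from a PID up to PID 1. The first ancestor that is cron,
# a systemd unit or a login shell tells you how the process was started.
proc_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        proc_info "$pid" || break
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
    return 0
}

# Map a socket inode (the inode column of `ss -e`, or /proc/net/tcp) to the
# PIDs holding it: the same /proc/*/fd scan netstat -p performs. Prints
# nothing when no process owns the socket or its fd directory is unreadable.
pids_for_socket_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] &&
            echo "$fd" | cut -d/ -f3
    done | sort -un
    return 0
}

# Print the startup files (rc.local, cron, systemd units in /etc) that mention
# a token such as the foreign IP or the deleted exe name.
persistence_grep() {
    for f in /etc/rc.local /etc/crontab /etc/cron.*/* \
             /etc/systemd/system/*.service /etc/systemd/system/*.timer \
             /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && grep -q -- "$1" "$f" 2>/dev/null && echo "$f"
    done
    return 0
}
# Usage: proc_chain 1441 ; pids_for_socket_inode <inode> ; persistence_grep 198.251.80.207
```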