[BlueOnyx:17488] Hard to Find Infection

Rodrigo Ordoñez rodrigo at xnet.mx
Thu Apr 30 15:40:26 -05 2015


Hi All,

 

We would like to share a hard-to-find infection on a virtual BlueOnyx 5106.

A user got his password compromised, which allowed the upload of a few PHP files that downloaded an httpd.pl file.

The Perl program was in fact some sort of SMTP engine that injected a cronjob, which ran every 15 minutes from the /tmp directory.

 

Hundreds of thousands of emails were spewed from the IP address without being logged in maillog.

After successful infection all files were deleted, but the process kept running in memory, so the service was ready whenever the hacker wanted to use it, even though the files were no longer on disk.

To detect it:

1. We searched /var/log/cron for unusual entries and found the cronjob running from there.

2. We located the file in /tmp that was run and searched the httpd logs at /var/log/httpd/access_log for accesses at the time the file in /tmp was created (with a random name, apparently).

3. Once we had found the access_log entry we tried to find the file, but it wasn't there. So we ran the top command and then pressed the letter C, and saw the Perl script trying to disguise itself as httpd (Apache).

4. Killed the processes using the PIDs provided by the top command (a reboot might do as well).

5. Erased the traces of the uploaded PHP files and cleared the /tmp directory.

 

Hope it helps someone.

 

Regards


Rodrigo O
Xnet
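As an added example (not code from the original post or from BlueOnyx), the following Python sweep of /proc automates step 3 of the account above: it flags processes that call themselves httpd while the kernel says the executable is an interpreter such as perl, processes whose executable has been deleted from disk, and scripts launched from /tmp. The process names and the /tmp path used in testing are constructed.

```python
"""Sweep /proc for perl processes masquerading as httpd, or running after
their files were deleted. Added example, not code from the original post."""
import os
import re

DELETED = " (deleted)"   # suffix the kernel appends to /proc/PID/exe
# Interpreters that a fake "httpd" usually turns out to be.
INTERPRETERS = re.compile(r"(^|/)(perl|python[0-9.]*|php|ruby|bash|sh)$")

def classify(comm, argv, exe_target):
    """Findings for one process. comm is /proc/PID/comm (top's default
    column), argv is /proc/PID/cmdline split on NUL (what top shows after
    pressing 'c'), exe_target is readlink(/proc/PID/exe) or None."""
    findings = []
    argv0 = os.path.basename(argv[0]) if argv else ""
    exe_path = exe_target or ""
    if exe_path.endswith(DELETED):
        findings.append("running-from-deleted-binary: " + exe_path)
        exe_path = exe_path[:-len(DELETED)]
    # Calls itself httpd, but the kernel says the executable is an interpreter.
    if "httpd" in (comm, argv0) and INTERPRETERS.search(exe_path):
        findings.append("name-masquerade: httpd is really " + exe_path)
    # The post's cronjob ran its script from /tmp under a random name.
    findings += ["script-in-tmp: " + a for a in argv[1:] if a.startswith("/tmp/")]
    return findings

def sweep_proc(proc="/proc"):
    """Walk /proc and return {pid: findings} for every suspicious process."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(base + "/comm") as f:
                comm = f.read().strip()
            with open(base + "/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited mid-scan, or not readable by this user
        try:
            exe = os.readlink(base + "/exe")
        except OSError:
            exe = None  # kernel thread, or insufficient privilege
        findings = classify(comm, argv, exe)
        if findings:
            hits[int(pid)] = findings
    return hits

if __name__ == "__main__":
    for pid, findings in sorted(sweep_proc().items()):
        print(pid, "; ".join(findings))
```

Run it as root so /proc/PID/exe is readable for every process; an unprivileged run only classifies your own processes.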

 

From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Richard Barker
Sent: Thursday, April 30, 2015 11:26 AM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:17487] Re: Smart Relay Server

 

I have an issue where I have to remove the hostname for the Smart Relay Server,
click save, re-enter it and save, about every three days.
RC

-- 

Richard C. Barker Sr. 
CEO & President 
1-800-510-3139 
ProBass Networks Inc. 
www.probassnetworks.net 
www.probass.net 
