Discussion about XOR.DDoS on OpenVZ - Linux Trojan that exploits servers with weak pass, sends DoS

linuxthefish Member
edited April 2016 in General

EDIT: it's https://www.stateoftheinternet.com/downloads/pdfs/2015-threat-advisory-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.pdf

Which, when pressing C in top, turns into:

ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=62047 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=62047 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=59153 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=59153 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=63043 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=63043 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=47464 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=47464 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=2328 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=2328 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=183.61.146.227 sport=19118 dport=6093 [UNREPLIED] src=183.61.146.227 dst=x.x.x.x sport=6093 dport=19118 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=58707 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=58707 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=46642 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=46642 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=4663 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=4663 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=49457 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=49457 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=56291 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=56291 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=31689 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=31689 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=183.61.146.227 sport=34688 dport=6093 [UNREPLIED] src=183.61.146.227 dst=x.x.x.x sport=6093 dport=34688 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=24187 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=24187 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=2422 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=2422 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=29972 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=29972 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=47670 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=47670 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=55278 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=55278 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=39918 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=39918 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=7000 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=7000 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=9739 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=9739 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=16352 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=16352 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=53334 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=53334 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=48457 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=48457 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=10883 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=10883 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=62510 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=62510 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=59082 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=59082 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=36826 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=36826 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=39147 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=39147 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=20701 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=20701 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=39278 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=39278 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=15953 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=15953 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=37946 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=37946 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=41133 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=41133 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=53798 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=53798 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=35531 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=35531 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=11420 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=11420 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=25779 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=25779 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=58039 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=58039 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=19830 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=19830 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=49782 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=49782 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=46480 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=46480 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=42456 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=42456 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=21792 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=21792 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=39404 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=39404 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=23101 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=23101 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=15779 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=15779 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=183.61.146.227 sport=65020 dport=6093 [UNREPLIED] src=183.61.146.227 dst=x.x.x.x sport=6093 dport=65020 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=139.196.74.233 sport=49362 dport=8000 [UNREPLIED] src=139.196.74.233 dst=x.x.x.x sport=8000 dport=49362 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=x.x.x.x dst=36.42.34.12 sport=9357 dport=8546 [UNREPLIED] src=36.42.34.12 dst=x.x.x.x sport=8546 dport=9357 mark=0 secmark=0 use=2

And hides in /bin or /boot - Even Cloudflare won't let me post this code snippet!
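The conntrack dump above is the clearest host-side symptom: many half-open outbound connections (SYN_SENT, [UNREPLIED]) from one container toward a handful of destinations. The following script is an added example, not code from the thread; it reads lines in the /proc/net/nf_conntrack layout shown above and reports the destinations with the most unreplied SYNs. The sample lines are constructed with TEST-NET addresses and the threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find the destinations a host is
# half-open-flooding, from conntrack lines like the ones posted above.
# The sample is constructed with TEST-NET addresses; its field layout
# mirrors /proc/net/nf_conntrack. The threshold value is an assumption.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=8000 [UNREPLIED] src=198.51.100.7 dst=10.0.0.5 sport=8000 dport=40001 mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.5 dst=198.51.100.7 sport=40002 dport=8000 [UNREPLIED] src=198.51.100.7 dst=10.0.0.5 sport=8000 dport=40002 mark=0 secmark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=10.0.0.5 dst=198.51.100.7 sport=40003 dport=8000 [UNREPLIED] src=198.51.100.7 dst=10.0.0.5 sport=8000 dport=40003 mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.9 sport=22 dport=51000 src=203.0.113.9 dst=10.0.0.5 sport=51000 dport=22 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.5 dst=192.0.2.33 sport=40004 dport=6093 [UNREPLIED] src=192.0.2.33 dst=10.0.0.5 sport=6093 dport=40004 mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=10.0.0.5 sport=53 dport=5353 mark=0 secmark=0 use=2'

# half_open_targets [threshold]
# Reads conntrack lines on stdin and prints "<count> <dst>:<dport>" for
# each destination with at least <threshold> unreplied SYN_SENT entries
# in the original direction, most frequent first.
half_open_targets() {
    awk -v thr="${1:-20}" '
        $6 == "SYN_SENT" && /\[UNREPLIED\]/ {
            dst = ""; dport = ""
            # the first dst=/dport= pair on the line is the original direction
            for (i = 7; i <= NF; i++) {
                if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            n[dst ":" dport]++
        }
        END { for (k in n) if (n[k] >= thr) print n[k], k }
    ' | sort -rn
}

# Stand-alone use: "sh script.sh --live [threshold]" reads the host's own
# conntrack table (needs root and the nf_conntrack module loaded); any
# other invocation reports on the constructed sample with threshold 3.
if [ "${1:-}" = "--live" ]; then
    half_open_targets "${2:-20}" < /proc/net/nf_conntrack
else
    printf '%s\n' "$SAMPLE_CONNTRACK" | half_open_targets 3
fi
```

On the sample this prints only `3 198.51.100.7:8000`; the established SSH session, the UDP entry and the single SYN toward 192.0.2.33 fall under the threshold. Counting on the original-direction tuple (the first dst=/dport= pair) matters because conntrack prints the reply tuple on the same line with the addresses swapped.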

Comments

• Mun Member

    You got hacked bitch.... LOL.

    Take your server, and create a backup of all important files. Check to make sure no files are tampered with, and scan with a good antivirus on a separate machine. I generally suggest you do this on a dummy machine in case it decides to take over that machine as well.

    Confirm you have backups of the machine, and begin going through them to determine if you have an unaffected copy. Make note of this and how long ago it was.

    Look through the affected server and try and determine the point of entry so that you can patch down the line. (( are you running wordpress that hasn't been updated ))

    Finally delete the VM, or make a backup copy for further testing down the line.

    Rebuild VM, update VM, secure VM. Notify anyone affected that the server was hacked and make sure to request users change their passwords.

    Pat yourself on the back.

    Thanked by 1 yomero
  • @Mun said:
    You got hacked bitch.... LOL.

    Yeah, I know it's caused by weak passwords and I know it's some malware - I'm more interested in the name, as it's escaped me. If I remember, you could get rid of it by changing passwords and removing some /etc/init.d files.

    I'm more interested in this from a provider point of view as it's so common.

  • Generate md5 checksums of the binaries and look them up.

    Thanked by 1 yomero
• SolusVM Member, Host Rep

    What's in /etc/rc.local and /etc/ld.so.preload?

  • @SolusVM said:
    What's in /etc/rc.local and /etc/ld.so.preload?

    The former is as default ("touch /var/lock/subsys/local"), and the latter does not exist.

    @MarkTurner said:
    Generate md5 checksums of the binaries and look them up.

    ccbfb02390d9cf504630c1805d387689 bin/ozbmigmy

    The md5 changes each time the program is killed or deleted.

• linuxthefish Member
    edited April 2016

    OK I've found the name - it's https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

    On OpenVZ containers I've found the following:

    /etc/crontab runs /etc/cron.hourly/gcc.sh every min, which contains:

    #!/bin/sh
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
    for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
    cp /lib/libudev.so /lib/libudev.so.6
    /lib/libudev.so.6

    To remove it so the customer can log in and back up (I'm unsure if there is some kind of rootkit left behind - will investigate further with a honeypot):

    1. Remove entry from /etc/crontab
    2. Remove /etc/cron.hourly/gcc.sh (md5 3bab747cedc5f0ebe86aaa7f982470cd)
    3. Remove stuff with random filenames normally starting with K90 like "K90cuvmqalwrr" in /etc/rc.d/* directories (find etc/ -name "K90*")
    4. Remove stuff with random filenames in /etc/init.d, /bin, /boot - normally will be modified same day if the server has been rebooted.

    You need to do this while the container is stopped and not running, mounting the ploop image, etc.

    Thanked by 1 ehab
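The four removal steps above, as a host-side script. This is an added example, not linuxthefish's own tooling: it assumes the stopped container's root is mounted on the host (the /vz/root/<CTID> path and the quarantine directory are placeholders), moves the artifacts of steps 1 to 3 into a quarantine directory instead of deleting them so their checksums can still be looked up later, and for step 4 only reports candidates for manual review. The "random name" heuristic (8 to 12 lowercase letters; 10 to 12 after the K90 prefix, so that entries like K90network are left alone) is an assumption based on the names quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: apply the removal steps 1-3 to a
# container root mounted on the host (e.g. a ploop image mounted under
# /vz/root/<CTID> while the container is stopped; path is a placeholder).
# Suspect files are moved to a quarantine directory, which must live
# outside the container root, instead of being deleted, so they can still
# be hashed and looked up. Step 4 only reports candidates: a filename
# heuristic alone is not a safe basis for deleting from /bin or /boot.
# The name-length heuristics below are assumptions.

# quarantine <root> <qdir> <path>: move <path> out of the mounted root,
# keeping its relative location under <qdir>.
quarantine() {
    root="$1"; qdir="$2"; path="$3"
    rel="${path#"$root"/}"
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$path" "$qdir/$rel"
    echo "quarantined $rel"
}

# clean_xor_container <root> <qdir>
clean_xor_container() {
    root="$1"; qdir="$2"
    crontab="$root/etc/crontab"

    # Step 1: drop the crontab entry that runs /etc/cron.hourly/gcc.sh.
    if [ -f "$crontab" ] && grep -q 'cron\.hourly/gcc\.sh' "$crontab"; then
        { grep -v 'cron\.hourly/gcc\.sh' "$crontab" || :; } > "$crontab.tmp"
        mv "$crontab.tmp" "$crontab"
        echo "removed gcc.sh entry from etc/crontab"
    fi

    # Step 2: quarantine the dropper script itself.
    if [ -f "$root/etc/cron.hourly/gcc.sh" ]; then
        quarantine "$root" "$qdir" "$root/etc/cron.hourly/gcc.sh"
    fi

    # Step 3: K90 entries with a random-looking suffix anywhere under etc/.
    # K90 entries with readable names (e.g. K90network) are only reported.
    find "$root/etc" -name 'K90*' | while read -r f; do
        if basename "$f" | grep -Eq '^K90[a-z]{10,12}$'; then
            quarantine "$root" "$qdir" "$f"
        else
            echo "REVIEW ${f#"$root"/} (K90 entry, name looks legitimate)"
        fi
    done

    # Step 4: report random-named files modified in the last day in the
    # directories named in the thread. Review by hand; do not auto-delete.
    for d in etc/init.d bin boot; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -maxdepth 1 -type f -mtime -1 | while read -r f; do
            if basename "$f" | grep -Eq '^[a-z]{8,12}$'; then
                echo "REVIEW ${f#"$root"/} (random-looking name, modified <1 day)"
            fi
        done
    done
    return 0
}

# Stand-alone use on the host: sh script.sh /vz/root/101 /root/quarantine-101
if [ "$#" -eq 2 ]; then
    clean_xor_container "$1" "$2"
fi
```

The crontab is rewritten through a temporary file rather than `sed -i` so the script behaves the same on GNU and BSD userlands. Everything that is moved keeps its original relative path under the quarantine directory, which makes a later `md5sum` pass or a second look at the files straightforward.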
• SolusVM Member, Host Rep

    @linuxthefish said:

    @SolusVM said:
    What's in /etc/rc.local and /etc/ld.so.preload?

    The former is as default ("touch /var/lock/subsys/local"), and the latter does not exist.

    @MarkTurner said:
    Generate md5 checksums of the binaries and look them up.

    ccbfb02390d9cf504630c1805d387689 bin/ozbmigmy

    The md5 changes each time the program is killed or deleted.

    Ahh ok. Thought it may have been the minerd issue that was flying around after the IPMI issues.

    Thanked by 1 linuxthefish
• MikeA Member, Patron Provider

    Had a client have this problem a few weeks ago, seems like the culprit(s) decided to start back recently.

• Francisco Top Host, Host Rep, Veteran

    The rootkit is normally a kernel module, and since it's OpenVZ you just have to clean the install and it should be OK.

    I ended up adding iptables entries to block the outbound packets since it can get pretty stupid at times.

    Francisco

  • @Francisco said:
    The rootkit is normally a kernel module, and since it's OpenVZ you just have to clean the install and it should be OK.

    I ended up adding iptables entries to block the outbound packets since it can get pretty stupid at times.

    Francisco

    Thanks!

    Do you know what outbound port it uses to talk to its control servers? Since blocking that will mean it's just a useless process that won't do anything too destructive on the host side of things.

    Still waiting for my test VPS with a weak root password to get brute forced, got tcpdump and nodewatch running...

• Francisco Top Host, Host Rep, Veteran

    Far as I recall it was 80 or 443.

    The MD5s won't matter, since what it does is actually talk to a C&C server that builds a custom binary specifically for that service, and that service alone. If you have a kernel it doesn't have headers for, it actually uploads the headers from /usr/src or wherever right to the build server for future usage.

    Anyway, do you have a tcpdump of the attack going on? If so I can write a rule for you so it at least won't beat up your network as well as your wallet with overages.

    Francisco

    Thanked by 1 GCat
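Francisco's host-side mitigation (iptables entries that stop the outbound flood so it does not hit the network or the bandwidth bill) in concrete form. This is an added example, not the rules he wrote: it prints, rather than applies, one rule per flooded destination plus a per-container cap on new outbound TCP connections. It assumes OpenVZ venet (routed) networking, so container traffic crosses the host's FORWARD chain, and takes a target list in the "<count> <dst>:<dport>" shape; the sample list, the hashlimit name and the rates are constructed.

```shell
#!/bin/sh
# Added example (not Francisco's actual rules): generate host-side iptables
# rules that (a) drop outbound TCP SYNs from one container toward the
# destinations it is already flooding and (b) cap the rate of new outbound
# TCP connections per container address. Assumes venet (routed) networking,
# so container traffic traverses the host's FORWARD chain. Input is lines
# of "<count> <dst>:<dport>"; the sample below is constructed, and the
# hashlimit name and rates are assumptions.

TARGETS_SAMPLE='57 198.51.100.7:8000
12 192.0.2.33:6093'

# outbound_block_rules <container_ip> [new-connections-per-second] < targets
# Prints one iptables command per line; review, then pipe into sh on the host.
outbound_block_rules() {
    ct_ip="$1"; cap="${2:-50}"
    # (b) rate cap, counted per source address so one noisy container cannot
    # exhaust the host's conntrack table or uplink for its neighbours.
    echo "iptables -I FORWARD -s $ct_ip -p tcp --syn -m hashlimit" \
         "--hashlimit-mode srcip --hashlimit-name ctr_syn" \
         "--hashlimit-above ${cap}/sec --hashlimit-burst $((cap * 2)) -j DROP"
    # (a) explicit drops for each flooded destination; these are inserted
    # after the cap, so they end up above it in the chain.
    while read -r count target; do
        [ -n "$target" ] || continue
        dst="${target%:*}"; dport="${target##*:}"
        echo "iptables -I FORWARD -s $ct_ip -d $dst -p tcp --dport $dport --syn -j DROP" \
             "# $count half-open attempts seen"
    done
}

# Stand-alone use: sh script.sh <container_ip> [cap] < targets.txt
# Without arguments, prints rules for the constructed sample.
if [ "$#" -ge 1 ]; then
    outbound_block_rules "$1" "${2:-50}"
else
    printf '%s\n' "$TARGETS_SAMPLE" | outbound_block_rules 10.0.0.5 50
fi
```

The per-destination drops stop the packets already identified in conntrack; the hashlimit rule is the part that keeps working when the bot switches targets, because it limits how fast any one container can open new outbound connections at all. The host needs the xt_hashlimit module for the second rule, and the counts are only annotations so the applied rules stay readable in `iptables -S`.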
  • Can you remove this from my server please

  • @deepreflect said:
    Can you remove this from my server please

    $100 if you have IPMI access, send me a PM!
