{"id":5674,"date":"2013-03-19T08:10:17","date_gmt":"2013-03-19T08:10:17","guid":{"rendered":"http:\/\/www.hbyconsultancy.com\/?p=4990"},"modified":"2013-03-19T08:10:17","modified_gmt":"2013-03-19T08:10:17","slug":"fakeproc-your-account-has-been-hacked","status":"publish","type":"post","link":"https:\/\/hbyconsultancy.com\/2013\/03\/fakeproc-your-account-has-been-hacked.html","title":{"rendered":"Fakeproc, Your account has been Hacked !"},"content":{"rendered":"
\n
\n

In less than a month after migrating to a new server, one of my accounts has been compromised ! The problem is that the server went online with a default configuration, which I wasn\u2019t expecting to be that dangerous ! And configuring it correctly took so long that it was under attack from day zero !! Amazing !!<\/p>\n

The problems began with high CPU usage from a strange perl script<\/strong> :<\/p>\n

top - 11:52:49 up 7 days, 7:44, 1 user, load average: 24.32, 32.21, 43.65
\nTasks: 191 total, 33 running, 158 sleeping, 0 stopped, 0 zombie
\nCpu(s): 67.2%us, 30.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 2.5%si, 0.0%st
\nMem: 2957096k total, 1704808k used, 1252288k free, 51492k buffers
\nSwap: 2064376k total, 33484k used, 2030892k free, 560352k cached
\nPID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
\n12145 username 20 0 30144 2404 1184 R 3.4 0.1 55:36.48 perl
\n12152 username 20 0 30144 2400 1184 R 3.4 0.1 55:38.94 perl
\n12161 username 20 0 30144 2416 1184 R 3.4 0.1 55:38.34 perl
\n15413 username 20 0 42864 6688 1040 R 3.4 0.2 101:02.36 perl
\n15414 username 20 0 40772 6540 900 R 3.4 0.2 101:02.72 perl
\n15416 username 20 0 42864 6708 1052 R 3.4 0.2 101:02.74 perl
\n1777 username 20 0 31660 3244 524 R 3.1 0.1 0:25.63 perl<\/code><\/p>\n

The server started swapping and CPU usage was very high. I noticed the fakeproc<\/strong> process name but couldn\u2019t find anything about it; some online links<\/a> talk about a malicious perl IRC bot. The command below gave me more details about what\u2019s going on :<\/p>\n

root@new [~]# ps -ef | grep username
\nusername 323 1 0 Mar18 ? 00:00:01 fakeproc
\nusername 1777 1 3 11:40 ? 00:00:25 fakeproc
\nusername 3787 1 0 04:33 ? 00:00:02 fakeproc
\nusername 5916 1 0 05:06 ? 00:00:09 fakeproc
\nusername 10625 1 0 Mar18 ? 00:00:01 fakeproc
\nusername 12127 1 0 Mar18 ? 00:00:00 fakeproc
\nusername 12128 12127 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 53 0 2>&1 3>&1
\nusername 12129 12128 4 Mar18 ? 00:55:38 perl h.txt kill-9.us 53 0
\nusername 12134 1 0 Mar18 ? 00:00:00 fakeproc
\nusername 12135 12134 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 0 0 2>&1 3>&1
\nusername 12138 12135 4 Mar18 ? 00:55:39 perl u.txt kill-9.us 0 0
\nusername 12143 1 0 Mar18 ? 00:00:00 fakeproc
\nusername 12144 12143 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 80 0 2>&1 3>&1
\nusername 12145 12144 4 Mar18 ? 00:55:36 perl u.txt kill-9.us 80 0
\nusername 12150 1 0 Mar18 ? 00:00:00 fakeproc
\nusername 12151 12150 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 6667 0 2>&1 3>&1
\nusername 12152 12151 4 Mar18 ? 00:55:39 perl h.txt kill-9.us 6667 0
\nusername 12159 1 0 Mar18 ? 00:00:00 fakeproc
\nusername 12160 12159 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 7000 0 2>&1 3>&1
\nusername 12161 12160 4 Mar18 ? 00:55:38 perl u.txt kill-9.us 7000 0<\/code><\/p>\n

There is even a shell script running (sh), but I\u2019ll come back to it shortly. Note the process tree : each fakeproc parent spawns, through sh -c, a perl script that takes a hostname and what looks like a port number (0, 53, 80, 6667, 7000) as arguments. Now what is this fakeproc doing ? I have removed the known connections from the result, but it seems there are a lot of connections made by this fakeproc ! Several of them go to ircu-3 (TCP 6667, the usual IRC port), which fits an IRC bot waiting for commands; the rest are mostly outbound http connections made by the same processes.<\/p>\n

root@new [~]# netstat -p
\nActive Internet connections (w\/o servers)
\nProto Recv-Q Send-Q Local Address Foreign Address State PID\/Program name
\ntcp 0 0 myserver:33619 host.server*id3098.com:http ESTABLISHED 323\/fakeproc
\ntcp 0 0 myserver:41844 baribal.dima.hu:ircu-3 ESTABLISHED 15413\/fakeproc
\ntcp 0 283 myserver:58660 r*nger-f*rums.com:http ESTABLISHED 5916\/fakeproc
\ntcp 0 0 myserver:41720 bariba*.di*a.hu:ircu-3 ESTABLISHED 12127\/fakeproc
\ntcp 0 0 myserver:33543 119.235.255.174:http ESTABLISHED 30138\/fakeproc
\ntcp 0 0 myserver:41776 bariba*.di*a.hu:ircu-3 ESTABLISHED 10625\/fakeproc
\ntcp 0 0 myserver:55179 205.234.134:afs3-fileserver ESTABLISHED 323\/fakeproc
\ntcp 0 0 myserver:42577 205.234.134.222:ircu-3 ESTABLISHED 15273\/fakeproc
\ntcp 0 0 myserver:39287 gvo239240.gvodatacente:http ESTABLISHED 10625\/fakeproc
\ntcp 0 0 myserver:35723 www.fcc.gov:http ESTABLISHED 3787\/fakeproc <\/code><\/p>\n
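The check a practitioner would want at this point, as an added example that is not part of the original post : compare what each process claims to be with the binary the kernel actually mapped for it. The script below reads \/proc directly; the pids, titles and paths in its built-in sample are constructed to mirror the ps output above, and against the real \/proc it needs to run as root.<\/p>\n

```python
import os
import tempfile

# Added example, not code from the post: find processes whose displayed
# name (the argv area, which ps and top print and which a bot can overwrite,
# as 'fakeproc' and the xh-wrapped fake httpd do) disagrees with the binary
# the kernel actually mapped, exposed through the /proc/PID/exe link.

def visible_name(cmdline):
    # Basename of the first argv word, minus decorations that honest
    # daemons use: login shells show as '-bash', sshd retitles itself
    # to 'sshd: user [priv]'.
    first = cmdline.split(chr(0))[0].split(' ')[0]
    return os.path.basename(first.lstrip('-').rstrip(':'))

def find_masquerading(proc_root='/proc'):
    # Returns sorted (pid, name shown, name of the real binary) triples.
    # Run as root: readlink on another user's /proc/PID/exe is refused.
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, 'cmdline'), 'rb') as f:
                cmdline = f.read().decode('utf-8', 'replace')
            exe = os.readlink(os.path.join(base, 'exe'))
        except OSError:
            continue  # kernel thread, process already gone, or not readable
        if not cmdline:
            continue  # kernel threads and zombies have an empty cmdline
        real = os.path.basename(exe.replace(' (deleted)', ''))
        shown = visible_name(cmdline)
        if shown != real:
            hits.append((int(pid), shown, real))
    return sorted(hits)

def build_sample_proc():
    # Constructed stand-in for /proc so the check runs offline. The pids,
    # titles and paths are invented to mirror the ps output in the post.
    nul = chr(0)
    sample = [
        (1777, 'fakeproc', '/usr/bin/perl'),
        (2200, '/usr/local/apache/bin/httpd -DSSL', '/usr/bin/perl'),
        (12145, nul.join(['perl', 'u.txt', 'kill-9.us', '80', '0']), '/usr/bin/perl'),
        (3001, nul.join(['/usr/local/apache/bin/httpd', '-DSSL']), '/usr/local/apache/bin/httpd'),
        (3002, '-bash', '/bin/bash'),
        (3003, 'sshd: username [priv]', '/usr/sbin/sshd'),
    ]
    root = tempfile.mkdtemp()
    for pid, cmdline, exe in sample:
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        with open(os.path.join(d, 'cmdline'), 'wb') as f:
            f.write(cmdline.encode('utf-8') + nul.encode('utf-8'))
        os.symlink(exe, os.path.join(d, 'exe'))  # dangling link is fine for readlink
    return root

if __name__ == '__main__':
    for pid, shown, real in find_masquerading(build_sample_proc()):
        print('%6d shows as %-10s but runs %s' % (pid, shown, real))
```

Treat a hit as a lead, not a verdict : interpreters running scripts are fine (argv0 and exe both say perl, as for the u.txt children), but a process titled httpd -DSSL whose exe is perl is the xh trick described further down, and once you have the pid, \/proc\/PID\/cwd points at the directory the bot was started from.<\/p>\n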

And no comment on the last line ! A quick look at the log files<\/strong> reveals how the bot is kept alive : the compromised user\u2019s crontab runs a script from a hidden directory every minute :<\/p>\n

root@new [~]# tail -f \/var\/log\/cron
\nMar 19 12:11:01 new CROND[3385]: (username) CMD (\/home\/username\/.mails\/.httpd\/use.upd >\/dev\/null 2>&1)
\nMar 19 12:12:01 new CROND[3414]: (username) CMD (\/home\/username\/.mails\/.httpd\/use.upd >\/dev\/null 2>&1)
\nMar 19 12:13:01 new CROND[3421]: (username) CMD (\/home\/username\/.mails\/.httpd\/use.upd >\/dev\/null 2>&1)<\/code><\/p>\n
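As an added example that is not part of the original post, here is the same check done over \/var\/log\/cron lines in the format above : flag any job that executes a program from a hidden dot-directory under a home and discards its output, and count how often it fires. The log lines embedded in it are constructed; only the use.upd entry is modelled on the post.<\/p>\n

```python
# Added example, not code from the post: triage /var/log/cron records of the
# shape shown in the post. A job that runs something out of a dot-directory
# under a home and throws its own output away, once a minute, is the
# persistence pattern of this bot. The log lines are constructed.

SAMPLE_CRON_LOG = '''
Mar 19 12:11:01 new CROND[3385]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)
Mar 19 12:11:01 new CROND[3386]: (root) CMD (run-parts /etc/cron.hourly)
Mar 19 12:12:01 new CROND[3414]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)
Mar 19 12:12:01 new CROND[3415]: (username) CMD (/home/username/bin/backup.sh > /dev/null)
Mar 19 12:13:01 new CROND[3421]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)
'''

def parse_cron_line(line):
    # (user, command) for a CROND execution record, None for anything else.
    if 'CROND[' not in line or ' CMD (' not in line:
        return None
    head, _, rest = line.partition(' CMD (')
    user = head.rsplit('(', 1)[1].rstrip(')')
    return user, rest.rstrip().rstrip(')')

def is_hidden_home_path(path):
    # True for /home/USER/.../.something/... : a dot component below the home.
    parts = path.split('/')
    return len(parts) > 3 and parts[1] == 'home' and any(p.startswith('.') for p in parts[3:])

def suspicious_cron_jobs(log_text):
    # Returns sorted (user, program, run count, output discarded?) tuples for
    # jobs whose program lives in a hidden directory under a home.
    counts = {}
    for line in log_text.splitlines():
        rec = parse_cron_line(line)
        if rec is None:
            continue
        user, cmd = rec
        program = cmd.split()[0]
        if not is_hidden_home_path(program):
            continue
        quiet = '>/dev/null' in cmd.replace(' ', '')
        key = (user, program, quiet)
        counts[key] = counts.get(key, 0) + 1
    return sorted((u, p, n, q) for (u, p, q), n in counts.items())

if __name__ == '__main__':
    for user, program, runs, quiet in suspicious_cron_jobs(SAMPLE_CRON_LOG):
        print('%s runs %s %d times, output discarded: %s' % (user, program, runs, quiet))
```

The per-user crontab that produces these lines normally sits in \/var\/spool\/cron\/username; remove the entry (crontab -r -u username, or edit the file) before deleting the bot directory, or the watchdog will be back within a minute. The log only shows the persistence mechanism, not how the account was entered, so that account\u2019s password should be changed as well.<\/p>\n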

Cool ! If you are curious to see what\u2019s inside this malicious file<\/strong>, here is a glimpse, first the cron target and then the launcher :<\/p>\n

root@new [~]# cat \/home\/username\/.mails\/.httpd\/use.upd
\nif test -r \/home\/username\/.mails\/.httpd\/pid.use; then
\npid=$(cat \/home\/username\/.mails\/.httpd\/pid.use)
\nif $(kill -CHLD $pid >\/dev\/null 2>&1)
\nthen
\nexit 0
\nfi
\nfi
\ncd \/home\/username\/.mails\/.httpd
\n.\/hat.run &>\/dev\/null
\nroot@new [~]# cat \/home\/username\/.mails\/.httpd\/use.run
\n.\/xh -s \"\/usr\/local\/apache\/bin\/httpd -DSSL\" .\/httpd -m use<\/code><\/p>\n

So the first script is a watchdog : if pid.use holds the pid of a live process (SIGCHLD is ignored by default, so kill -CHLD only tests whether the pid exists), it exits; otherwise it restarts the bot from the hidden directory. The launcher runs the bot through xh, whose -s argument is the fake process title : the bot is made to look like the real Apache binary (\/usr\/local\/apache\/bin\/httpd -DSSL) so it blends in with the web server in ps output. Now all is clear, and I\u2019m able to locate the whole bunch of malicious files<\/strong> :<\/p>\n

root@new [\/home\/username\/.mails]# ls .httpd\/
\n.\/ crot* doc\/ filesys\/ use use.dir use.upd* httpd* logs\/ README start* tcl* text\/ xh*
\n..\/ dalnet.conf efnet.conf fuck* use.d use.run* help\/ language\/ quakenet.conf scripts\/ t3394* terobot.conf tmp\/<\/code><\/p>\n

That\u2019s exactly the malicious perl IRC bot that I was reading about ! Anyway, of all the accounts on the server only one account has been compromised, which means that the infection is very limited. I used my favourite antivirus (rm -Rf) and then rebooted back to normal ! I don\u2019t have any default config anymore, and passwords shouldn\u2019t be easy to guess, so don\u2019t lose your time \ud83d\ude09 Best of all, I have nothing really important on my server, especially as I\u2019m keeping backups of all the data under my pillow, so I can sleep very well !<\/p>\n

Now if you see a fakeproc on your server, that means your server is hacked ! Nothing really dangerous, but keep hunting !<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

In less than a month, after migrating to a new server, one of my accounts have been compromised ! The problem that the server goes online with a default configuration, that I wasn\u2019t expecting that dangerous ! And the time to configure it correctly was so long, as it was under attack from day Zero […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[96,147,193,221],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/posts\/5674"}],"collection":[{"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/comments?post=5674"}],"version-history":[{"count":0,"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/posts\/5674\/revisions"}],"wp:attachment":[{"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/media?parent=5674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/categories?post=5674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hbyconsultancy.com\/wp-json\/wp\/v2\/tags?post=5674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}