Alternative for chattr

Hello
I'm working on a "remover script" which tries to remove the "kthrotlds MINER VIRUS".
In the next part of my remover script I have to work on the files that it destroyed;
the virus uses chattr to open and lock files and replace them with malicious content.

I'm looking for a solution to remove chattr and disable this command, and to use another alternative to lock files, with or without a password.
The virus has removed the files' content and replaced it with its code; the overshadowed files are cron files.

Pure opinion on my part:
The hackers who wrote the exploit have more than probably put it in all kinds of places. You miss one hiding place and your machine is still subject to disruption. You have a VERY small chance of purging everything.
Do this instead:

  1. Restore the system to a known good backup
  2. Implement security personnel practices to prevent future infections
  3. Implement malware prevention code - there are freebies like ClamAV. See ClamavNet
  4. Maintain a good periodic backup routine with mass storage devices kept securely out of harm's way.

mm have you read this article?
kthrotlds CVE-2019-10149 Exim/cPanel | Server 24/7
It's a new Bitcoin mining virus and I'm working hard to remove it, and yes, I succeeded, and I'm trying to write a shell script as a cleaner script, but my problem is the "chattr" command which is used by the virus.
I need a higher lock command or script to lock files, to prevent the virus from opening and locking files with the chattr command.

Did you update/fix the exim?
Did you check/clean all the root crontab files? /etc/crontab, files in /var/spool/cron/ and /etc/cron.d/ and /etc/cron.{hourly,daily,weekly}/

chattr IS a higher command.
Once a file is made immutable by chattr it cannot be modified by the usual chmod/chown and setfacl commands.
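As an added example (my code, not from either poster), here is a small shell audit of the cron locations named in the reply above. It runs lsattr from e2fsprogs over those files and reports which ones carry the immutable (i) attribute, since those are exactly the files a cleaner script cannot overwrite until chattr -i has been run on them. The cron paths are the ones listed in the thread; the lsattr output format is assumed to be the standard `<flags> <path>` line, and the script name used in the self-run guard is an assumption.

```shell
#!/bin/sh
# Added example: inventory cron files and flag the ones chattr made immutable.
# Assumes lsattr from e2fsprogs; the cron paths are the ones named in the thread.

CRON_PATHS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /var/spool/cron"

# immutable_paths: read lsattr-style lines ("----i---------e----- /path") on
# stdin and print only the paths whose attribute field contains "i".
# Only the first field is inspected, so an "i" inside a path cannot match.
immutable_paths() {
    awk 'NF >= 2 && index($1, "i") > 0 { print $2 }'
}

# list_cron_files: every regular file under the cron locations that exist
# on this host (/etc/crontab is a single file, the rest are directories).
list_cron_files() {
    for p in $CRON_PATHS; do
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null
    done
}

# audit_cron_attrs: run lsattr on each cron file and report the immutable ones.
# Returns 1 when at least one immutable file was found and 0 otherwise, so a
# cleaner script can decide whether "chattr -i" is needed before editing.
audit_cron_attrs() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 2; }
    found=$(list_cron_files | while IFS= read -r f; do lsattr "$f" 2>/dev/null; done | immutable_paths)
    if [ -n "$found" ]; then
        printf 'immutable cron files:\n%s\n' "$found"
        return 1
    fi
    echo "no immutable cron files"
    return 0
}

# Run the audit only when executed under this (assumed) script name, so the
# file can also be sourced to reuse immutable_paths elsewhere.
case "$0" in
    *cron_attr_audit.sh) audit_cron_attrs ;;
esac
```

Run it as root, since /var/spool/cron is not readable otherwise. The same filter works on any lsattr output, so piping `lsattr -R /etc` through immutable_paths gives you every immutable file the miner may have planted outside the cron directories as well.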

The version of the virus that our server and several servers around the world were hacked by is more complicated than what they describe at that link,
so you mean there is no way to have a lock function instead of chattr?
It's stupid because the virus runs chattr -i itself to unlock files and import dirty code;
it unlocks the cron files and then locks them.

If you are being attacked or infected by malware which uses chattr, I suggest you create a wrapper around (or replace) chattr and log the events.

For example, I once was tracking malware which used curl, so I replaced curl with this:

cat /usr/bin/curl
#!/bin/sh
# Shell script installed in place of the real curl binary: every call is
# handed to the PHP logger below. "$@" keeps each argument intact, even
# when it contains spaces.
/usr/bin/php /usr/bin/mystuff.php "$@"

cat /usr/bin/mystuff.php
<?php
// Logs every invocation of the wrapper (its arguments) and exits.
// The real curl is deliberately NOT executed here; see the explanation below.
error_reporting(0);
//$ip = $_SERVER['REMOTE_ADDR'];
$ip = '';
$script = '';
$url = '';
// Disabled block: when called from a web request, $_SERVER carries the
// calling script and URI. Remove "AND FALSE" to record them as well.
if(isset($_SERVER) AND FALSE)
{
    $script = $_SERVER['SCRIPT_FILENAME'];
    $url  = $_SERVER['REQUEST_URI'];
}
// $argv[0] is this script; the rest are the arguments the caller gave curl.
$arg = json_encode($argv);
//error_log(date(DATE_RFC822)." ARGV ".$arg.' SCRIPT '.$script.' URI '.$url. "\n", 3, '/var/log/debug/my_hack_tripper_upper2.log');
error_log(date(DATE_RFC822)." ARGV ".$arg."\n", 3, '/var/log/debugger/my_hack_tripper_upper.log');

?>

The reason for this is I want to know more deeply what is going on when someone has managed to inject some malware onto a server. So, normally, if I find out the malware uses curl or chattr, for example, I will write a wrapper and log processes like in the example above.

If you follow the "anti malware instructions" they want you to kill everything and start deleting files.

I find it better to "trap and trace" before deleting and killing; especially if you are not running a process which is so critical that the malware is really doing major harm (at the time of discovery).

We used to call this strategy, which I developed in cyber defense two decades ago, "the blackhole strategy", which means to use information to your advantage and not let any hackers know you are on to them.

In your case, I do not know the criticality of your server, but if it was me; I would write a wrapper which logs as much information as I could and track down the processes which might be calling your process, etc.

In the case of my example code above, I do not exec curl because I had already tracked down the malware and finished my analysis, and so I did not need the binary wrapper, but only logging.

And so, since I do not require curl every day (and a lot of malware uses curl to download other malware), I simply log every time curl is called; and if I need curl in the shell I call it by some obscure name like "neos_curl", which is just curl copied to neo_curl.

You can consider the same or similar strategy for chattr.

In my long-in-the-tooth view of cyber defense, it is best to log, trap and trace hacker and malware versus just deleting and cleaning up quickly. You can gain a lot of knowledge about the malware if you trap and trace the processes, log the traps and traces, all without disrupting the malware process (or you can disrupt if it your risk mitigation policy dictates you must).

You can wrap and log or just log (as in the example above).

Cyber defense is a lot like kung fu: do not let your emotions or fear or anger control the situation. Use logic and the actions of the malware against the malware, keeping your cool and calm, to understand and defeat the malware, on your terms. As for me, I find anger, fear and emotional outbursts a sign of weakness (not strength). In cyber defense, you are in control. Trap and trace the malware and you can know how and when (and from where and perhaps who) it affects your system.

Hope that bit of knowledge was useful.

Cheers.


Awesome method, I hadn't heard about it.
And a question regarding your method:
most binaries are not writable for adding this header:

cat /usr/bin/curl
#!/bin/sh
/usr/bin/php /usr/bin/mystuff.php "$@"

Like, check this:

[root@server bin]# vi /usr/bin/curl
^?ELF^B^A^A^@^@^@^@^@^@^@^@^@^B^@>^@^A^@^@^@é#@^@^@^@^@^@@^@^@^@^@^@^@^@°\^B^@^@^@^@^@^@^@^@^@@^@8^@ ... /lib64/ld-linux-x86-64.so.2^@ ... (binary content, truncated)

You do not edit the binary.

Nowhere in my post did I mention editing a binary file :) That "wrong thinking" is your (wrong) idea ;)

Read my post carefully again and think about the concept of what I am suggesting.

You do not need to edit any binary file to do as I have suggested.

But, at least you are trying. That's good. Try more!

Oh, OK, I will check your post again.

--- Post updated at 09:37 AM ---

OK, I get what you mean.
The question is: is it possible to log a binary?
Your solution is awesome when we don't require curl; however, what if I need curl and want to log?

Of course it is possible.

You just call (exec) curl as normal in the script (wrapped around the binary, not inside the binary).

You should know that any unix or linux command can be executed in a script.

This is really very basic stuff you are asking about!
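Putting the two replies above together (the curl wrapper that only logs, and the note that the real command can simply be exec'd from the wrapper), here is an added example, my code and not code from either poster, of a logging wrapper for chattr that still runs the real binary. chattr keeps working for legitimate use while every call, whether from the miner's cron job or from anything else, is recorded together with the process that made it. It assumes the genuine binary was first moved aside to /usr/bin/.chattr.real (an assumed location) and that the wrapper is then installed as /usr/bin/chattr; the log path is also an assumption.

```shell
#!/bin/sh
# Added example: logging wrapper installed as /usr/bin/chattr.
# Assumptions (not from the thread): the genuine binary was moved to
# /usr/bin/.chattr.real, and the log lives under /var/log/debugger/.
# Override either with the CHATTR_REAL / CHATTR_LOG environment variables.
CHATTR_REAL="${CHATTR_REAL:-/usr/bin/.chattr.real}"
CHATTR_LOG="${CHATTR_LOG:-/var/log/debugger/chattr_wrapper.log}"

# caller_info: one record of who called us: our pid, the parent's pid and
# command line (from /proc, when readable), the uid and the working directory.
# This is what lets you walk back from the chattr call to the process that
# made it, e.g. a cron job or a dropped binary.
caller_info() {
    pcmd=""
    if [ -r "/proc/$PPID/cmdline" ]; then
        pcmd=$(tr '\0' ' ' < "/proc/$PPID/cmdline")
    fi
    printf '%s pid=%s ppid=%s uid=%s cwd=%s parent=[%s]' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$$" "$PPID" "$(id -u)" "$PWD" "$pcmd"
}

# log_call LOGFILE ARGS...: append one line with the caller record followed
# by every argument individually quoted, so "-i /etc/cron.d/root" is
# recorded exactly as given and nothing can hide in whitespace.
log_call() {
    logfile="$1"; shift
    line=$(caller_info)
    for a in "$@"; do
        line="$line '$a'"
    done
    printf '%s\n' "$line" >> "$logfile"
}

# run_wrapper ARGS...: log, then hand over to the real chattr with exec so the
# exit status and output are exactly what the caller would have seen.
# Logging failures are ignored on purpose: a missing log directory must not
# make chattr fail, which would tip off whatever is calling it.
run_wrapper() {
    log_call "$CHATTR_LOG" "$@" 2>/dev/null || true
    exec "$CHATTR_REAL" "$@"
}

# Behave as the wrapper only when invoked under the name "chattr"; sourcing
# the file (for example, to reuse log_call in a curl wrapper) does nothing.
case "${0##*/}" in
    chattr) run_wrapper "$@" ;;
esac
```

Install with `mv /usr/bin/chattr /usr/bin/.chattr.real` followed by `install -m 755 wrapper.sh /usr/bin/chattr` (assumed names), then watch the log for `'-i'` calls against the cron paths. A wrapper observes; it does not prevent. The immutable flag is set through an ioctl on the file, so malware that brings its own binary or calls the real one by its new name bypasses the wrapper, and a process running as root can always set or clear the flag. That is why the reply about restoring from a known good backup and fixing the entry point still stands.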