Server Compromised
Hello :)
One of my servers was hacked recently. The hacker has encrypted all files under the directories '/home' and '/var/lib/mysql'.
The hacker has put a banner with the following content:
#cat /root/cryptoshell.message
---------------------------------------------------------------------------
>>>>> WARNING <<<<<<
1 - DON"T DELETE CRYPTOSHELL FILES THAT ARE LOCATED IN "/ETC" FOLDER. THEY WILL BE REQUIRED TO RECOVER YOUR FILES.
2 - ANY ATTEMPT TO TRACK THIS SOFTWARE WILL LEAD TO THE IMMEDIATE DESTRUCTION OF THE PRIVATE KEY. WE USE COUNTLESS SERVERS AND DOMAINS, SO DON"T WASTE YOUR TIME"
---------------------------------------------------------------------------
The important files of this server has been encrypted using a unique public key RSA-2048.
Encrypted files include databases and users file (in home directory).
Here is a complete list of encrypted files: /etc/cryptoshell.encrypted.list
The single copy of the private key, which will allow you to decrypt the files, are located on a secret server on the Internet, and it will be destroyed in the specified time.
To obtain the private key to decrypt files on this server, you need to pay 2 BTC.
After payment, follow the steps below to decrypt all files.
===========================================================================
BE FAST!! YOUR PRIVATE KEY WILL BE DESTROYED IN: 2014-04-03 - 04:57:48 UTC+4
===========================================================================
---------------------------------------------------------------------------
>>>>> PAYMENT <<<<<<
Amount: 2 BTC
Bitcoin address: xxxxxxxxxxxxxxxxx
---------------------------------------------------------------------------
---------------------------------------------------------------------------
>>>>> DECRYPTION <<<<<<
1 - Confirm the payment. Run this command with BitCoin transaction ID: /root/cryptoshell_decrypt TRANSACTION_ID
2 - The software will confirm that the transaction ID has been sent. After this process, you will need to wait for 40 minutes to try run the same command again.
3 - When the transaction ID is approved, the software will start to decrypt all encrypted files.
----------------------------------------------------------------------------
=================================================================================
MySQL server fails with following error:
========
/etc/init.d/mysql restart
rm: cannot remove `/var/lib/mysql/server.hostname.pid': Operation not permitted
ERROR! MySQL server process #?
????5^H?;??x?N?[ap??b???bQ???E???:?****1U??6??
V"?K????z!c??????????GDkU??^??????=@W??
,?"?Z?!??6??qf[
0?v?q?$?H?z?????
???R??&\??u+Q???X?V6???5y>?????8`gv?$?p.=???w??a:?K???rS??3\p4?n??5??qzQ?,??????%z^??q?;S?G? is not running!
rm: cannot remove `/var/lib/mysql/server.hostname.com.pid': Operation not permitted
Starting MySQL SUCCESS!
========
He had deleted all log files including lastlog, wtmp, utmp, secure, etc. Has anyone come across this type of hack before? Is there any resolution for this? Is a server reload the only option to recover from this situation? Does cPanel have any other log files to track this activity? Please help. Thank you.
Re: Server Compromised
What is the content of this file? /root/cryptoshell_decrypt
Did you check for another root account? Or for a rootkit? What is the result of executing this command?
lsattr /var/lib/mysql/server.hostname.pid # Replace server.hostname.pid with the right file name
Hello, Thank you for your reply. I think it is a CryptoLocker infection. This is the most dangerous malware I have ever seen. It has removed the backup files too, so there is no chance of a recovery. The cryptoshell_decrypt is a binary file. The contents of this file are posted below.
================
# file cryptoshell_decrypt
cryptoshell_decrypt: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
# strings cryptoshell_decrypt
/lib64/ld-linux-x86-64.so.2 CxIk libcurl.so.4 __gmon_start__ _Jv_RegisterClasses curl_easy_setopt curl_easy_cleanup curl_easy_init _fini curl_easy_perform libstdc++.so.6 pthread_cancel _ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_RS3_ _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEED1Ev _ZNSs5eraseEN9__gnu_cxx17__normal_iteratorIPcSsEES2_ _ZNKSs4findERKSsm _ZNSaIcED1Ev _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strERKSs _ZNSt8ios_base4InitD1Ev _ZNSolsEPFRSoS_E _ZNKSt9basic_iosIcSt11char_traitsIcEE4failEv _ZNSt14basic_ifstreamIcSt11char_traitsIcEEC1EPKcSt13_Ios_Openmode __gxx_personality_v0 _ZNKSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strEv _ZNKSs5c_strEv _ZNSspLEc _Znwm _ZNSsaSERKSs _ZSt3cin __cxa_rethrow _ZNKSs4sizeEv _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEEC1ESt13_Ios_Openmode _ZdlPv _ZNSolsEPFRSt8ios_baseS0_E __cxa_begin_catch _ZSt20__throw_length_errorPKc _ZNSs6resizeEm _ZNSsC1Ev _ZNKSt9basic_iosIcSt11char_traitsIcEEcvPvEv _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_ __cxa_end_catch _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E _ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E _ZNSsaSEPKc _ZNKSs6substrEmm _ZNKSsixEm _ZNSsD1Ev _ZNSsC1EPKcRKSaIcE _ZNSsixEm _ZSt4cout _ZNKSs6lengthEv _ZNSs6appendERKSs _ZNSaIcEC1Ev _ZNSsC1ERKSs _ZNSs5beginEv _ZSt17__throw_bad_allocv _ZNSt8ios_base4InitC1Ev _ZNKSs4findEcm _ZNSt14basic_ifstreamIcSt11char_traitsIcEED1Ev _ZNSolsEd _ZNSolsEi _ZNSolsEl _ZNSs6appendEPKcm libm.so.6 libgcc_s.so.1 _Unwind_Resume libc.so.6 srand fopen ftell time rewind __cxa_atexit isalnum fseek fputs fclose remove system fwrite fread atoi sleep strcmp __libc_start_main __xstat libpthread.so.0 _edata __bss_start _end GCC_3.0 GLIBC_2.2.5 CXXABI_1.3 GLIBCXX_3.4
fff. AUATSH 8[A\A] AUATSH <=t- X[A\A] AUATSH 8[A\A] AUATSH 8[A\A] AUATSH H[A\A] ATSH 0[A\ ATSH 0[A\ ATSH 0[A\ ATSH 0[A\ AWAVAUATSH [A\A]A^A_ AUATSH [A\A] ATSH AVAUATSH [A\A]A^ ATSH ATSH ATSH ATSH ATSH ATSH ATSH ATSH @[A\ ATSH AVAUATSH [A\A]A^ AVAUATSH [A\A]A^ AVAUATSH [A\A]A^ AVAUATSH [A\A]A^ ATSH ATSH 0[A\ AUATSH
gpg --no-tty --batch --yes --quiet --passphrase --output .dec --decrypt " 2>&1 > /dev/null
chattr -ia " " && echo " " >> /etc/cryptoshell.decrypted.list && cat .dec" > rm -rf " .dec"
&hash= &transaction_id= &passphrase=true
for i in `gpg --list-secret-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-secret-keys "$i" ; done
for i in `gpg --list-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-keys "$i" ; done
&key=true /etc/cryptoshell.key
gpg --quiet --import /etc/cryptoshell.key 2>&1 > /dev/null
&decrypted=true&files=
/etc/bash_profile_backup
cat /etc/bash_profile_backup > /root/.bash_profile
/etc/cryptoshell.id /etc/cryptoshell.transaction
[31m Okay...all files have been decrypted. Goodbye!
" 2>&1 > /dev/null & mysql mysqld postgresql chkconfig off cpanel service stop start
File list not found! - /etc/cryptoshell.encrypted.list
An error has occurred on decrypt files.
WARNING: Of the encrypted files, files have been decrypted.
Do you want to run decryption process again? [y/n]
- Error to get passphrase.
- Error on download private key.
-----------------------
added Transaction ID has been sent! Wait for 40 minutes and try run the same command again.
If your transaction has been approved, the software will decrypt all files.
waiting Your transaction ID is awaiting approval to continue. Try again in 40 minutes. Don't run this program more than once in less than 40 minutes or our servers will reject your connection forever.
[32m Your transaction ID has been approved! Do you want to start the file decryption right now?
WARNING: The file decryption may take several minutes to complete. Make sure that all affected applications is stopped (MYSQL, PostgreSQL, cPanel, etc), or the process may fail.
Error to get transaction result. Try again later or contact us.
Error to get transaction result. Try again later.
Error! CryptoShell files not found on system.
WARNING: Any attempt to track this software will lead to the immediate destruction of the private key by the server. We used countless servers and domains, so don't waste your time ...
----------
To decrypt all files, you'll need to execute this software with the Bitcoin transaction ID. Read more about payment information on file: /root/cryptoshell.message
Do you have sure that the transaction ID is
Couldn't find server.
vector::_M_insert_aux
/cgi-bin/api?t=cts
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
zPLR
==============
Attributes of /var/lib/mysql/server.hostname.com.pid (# original hostname replaced)
-bash-4.1# lsattr /var/lib/mysql/server.hostname.com.pid
----ia-A-----e- /var/lib/mysql/server.hostname.com.pid
==================
No rootkits found
Chkrootkit scan details:
Searching for suspect PHP files...
EACCELER .@????"P-S$P-Sg ?X?)J? "P-S$P-S?****?)J?/home/demo/public_html/wp-content/plugins/si-captcha-for-wordpress/captcha/temp/6SuahXHh1DpcRRvE.php??)J???)J???????)J?????7} ??)J?&???@??>YF5T??)J? ??+?0?captcha_wordEACCELER .@?????sR??sR?9,?"!{ ??sR??sR??1"p#!/home/demo/public_html/wp-admin/includes/bookmark.ph%!?#! add_link0(!?#!
=======================
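The three artifacts in this post (the `lsattr` flags on the pid file, the question about a second root account, and the `strings` dump of /root/cryptoshell_decrypt) can be checked offline rather than by eye. The following is an added example for that triage; it is not code from this thread or from the malware. It assumes the same kinds of output the post shows. The sample inputs at the bottom are constructed: the lsattr line and the strings fragments are the ones posted above, while the `sysadm` UID-0 account in the passwd sample is invented so that the check has something to find. The `i` (immutable) and `a` (append-only) flags it looks for are what make `rm` fail with "Operation not permitted" even as root, which is the error MySQL hit on its pid file above.

```python
"""Offline triage of the artifacts posted above (lsattr flags, /etc/passwd,
`strings` output of the decrypt binary).

Added example; not code from this thread or from the malware. The sample
inputs at the bottom are constructed: the lsattr line and the strings
fragments are the ones shown in the post, the 'sysadm' UID-0 account is
invented so that the passwd check has something to find.
"""
import re

# Indicator patterns derived from the strings output above; the category
# names are this example's own labelling.
INDICATOR_PATTERNS = {
    "attr_tamper":    re.compile(r"\bchattr\s+-ia\b"),
    "gpg_key_purge":  re.compile(r"gpg\s+--batch\s+--delete-(secret-)?keys"),
    "gpg_key_import": re.compile(r"gpg\s+--quiet\s+--import\s+\S+"),
    "service_tamper": re.compile(r"\bchkconfig\b.*\boff\b"),
    "c2_endpoint":    re.compile(r"/cgi-bin/api\?t=\w+"),
    "artifact_path":  re.compile(r"/etc/cryptoshell\.\S+"),
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> str:
    """Minimal `strings -n 4` so scan_strings() can run on the binary itself."""
    return "\n".join(m.group().decode("ascii") for m in PRINTABLE.finditer(blob))


def scan_strings(strings_output: str) -> dict:
    """Group lines of strings output by the indicator they match;
    categories with no hits are omitted from the result."""
    hits = {name: [] for name in INDICATOR_PATTERNS}
    for line in strings_output.splitlines():
        for name, pat in INDICATOR_PATTERNS.items():
            if pat.search(line):
                hits[name].append(line.strip())
    return {k: v for k, v in hits.items() if v}


def locked_paths(lsattr_output: str) -> list:
    """(path, flags) for every lsattr entry carrying 'i' (immutable) or
    'a' (append-only). Both make unlink/truncate fail with EPERM even for
    root, which is the 'Operation not permitted' mysql hit when it tried
    to rm its pid file. Directory header lines from `lsattr -R` are skipped."""
    locked = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and ("i" in parts[0] or "a" in parts[0]):
            locked.append((parts[1], parts[0]))
    return locked


def uid0_accounts(passwd_text: str) -> list:
    """Every UID-0 account in /etc/passwd other than root."""
    extra = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit() and int(f[2]) == 0 and f[0] != "root":
            extra.append(f[0])
    return extra


# --- constructed samples ---------------------------------------------------
SAMPLE_STRINGS = """\
gpg --no-tty --batch --yes --quiet --passphrase --output .dec --decrypt
chattr -ia " " && echo " " >> /etc/cryptoshell.decrypted.list && cat .dec
for i in `gpg --list-secret-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-secret-keys "$i" ; done
gpg --quiet --import /etc/cryptoshell.key 2>&1 > /dev/null
mysql mysqld postgresql chkconfig off cpanel service stop start
/cgi-bin/api?t=cts
"""
SAMPLE_LSATTR = (
    "----ia-A-----e- /var/lib/mysql/server.hostname.com.pid\n"
    "-------------e- /var/lib/mysql/ibdata1\n"
)
# 'sysadm' is a hypothetical second UID-0 account, invented for the sample.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\n"
    "sysadm:x:0:0::/tmp:/bin/bash\n"
)

if __name__ == "__main__":
    for name, lines in scan_strings(SAMPLE_STRINGS).items():
        print(f"{name}: {lines}")
    print("locked:", locked_paths(SAMPLE_LSATTR))
    print("extra uid 0:", uid0_accounts(SAMPLE_PASSWD))
```

On the live box the same two filesystem checks are `lsattr -R /etc /home /var/lib/mysql 2>/dev/null | grep -E '^[^ ]*[ia]'` and `awk -F: '$3 == 0' /etc/passwd`; feed `open('/root/cryptoshell_decrypt','rb').read()` through `extract_strings()` and `scan_strings()` to get the indicator list for the real binary. Note what the `gpg_key_purge` hit means: the binary deletes every key in root's GnuPG keyring after it runs, so a keyring snapshot taken before anyone runs it is worth preserving as evidence.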
Hello, CryptoLocker / ransomware malware is one of the most destructive malware I have ever seen. This malware will encrypt all your data under "/home" and "/var/lib/mysql" with a strong asymmetric encryption technique. CryptoLocker appears to only affect Windows computers. But nowadays it is targeted at Linux machines also. I have seen two or three servers within this week affected by this malware. This malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. So your backup will also be affected by this malware, which means total destruction of your data. It is even worse than symlink attacks. Please beware!
Please read this article
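The reply above talks about asymmetric encryption, and the `strings` dump earlier shows the decrypt binary hands each file to `gpg --decrypt` after importing /etc/cryptoshell.key. The first packet of an OpenPGP message says how the session key was wrapped: a Public-Key Encrypted Session Key packet (tag 1) carries the recipient key ID and algorithm, a Symmetric-Key Encrypted Session Key packet (tag 3) means a passphrase. The following added example (not from the thread, not the malware's code) parses that first packet so the files named in /etc/cryptoshell.encrypted.list can be checked in bulk: are they really OpenPGP output, and do they all name one key? It assumes gpg wrote binary (unarmored) output, which is its default. The two sample packets are constructed by hand per RFC 4880 with an invented key ID, 0A1B2C3D4E5F6071.

```python
"""Classify a file by the first OpenPGP packet it starts with.

Added example, not from the thread. Packet layout follows RFC 4880 section
4.2 (headers), 5.1 (PKESK) and 5.3 (SKESK). The sample packets at the bottom
are constructed; the key ID in them is invented.
"""
import struct

PK_ALGO = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}
SYM_ALGO = {3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}


def parse_first_packet(data: bytes):
    """Return (tag, body) of the first packet, old or new header format."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP binary packet")
    ctb = data[0]
    if ctb & 0x40:                          # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                   # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not handled")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def classify(data: bytes) -> dict:
    """Describe what the file starts with; needs no key material."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return {"kind": "armored"}
    try:
        tag, body = parse_first_packet(data)
    except ValueError as exc:
        return {"kind": "not_openpgp", "reason": str(exc)}
    if tag == 1 and len(body) >= 12:        # Public-Key Encrypted Session Key
        algo = body[9]
        return {"kind": "pkesk", "version": body[0],
                "key_id": body[1:9].hex().upper(),   # all zeros => --throw-keyids
                "algo": PK_ALGO.get(algo, f"unknown({algo})"),
                "mpi_bits": struct.unpack(">H", body[10:12])[0]}
    if tag == 3 and len(body) >= 3:         # Symmetric-Key Encrypted Session Key
        return {"kind": "skesk", "version": body[0],
                "cipher": SYM_ALGO.get(body[1], f"unknown({body[1]})")}
    return {"kind": "other", "tag": tag}


def group_by_key(samples: dict) -> dict:
    """Map each PKESK recipient key ID to the paths encrypted to it."""
    groups = {}
    for path, data in samples.items():
        info = classify(data)
        if info["kind"] == "pkesk":
            groups.setdefault(info["key_id"], []).append(path)
    return groups


# --- constructed samples ---------------------------------------------------
FAKE_KEY_ID = bytes.fromhex("0A1B2C3D4E5F6071")        # invented key ID
# RSA-2048 wrapped session key: 16-bit bit count (2048) then 256 bytes, top bit set
_mpi = struct.pack(">H", 2048) + b"\x80" + bytes(255)
_pkesk_body = b"\x03" + FAKE_KEY_ID + b"\x01" + _mpi   # version 3, key ID, RSA
PKESK_SAMPLE = b"\x85" + struct.pack(">H", len(_pkesk_body)) + _pkesk_body
# SKESK v4: AES-256, iterated+salted S2K with SHA-256, 8-byte salt, count octet
_skesk_body = b"\x04\x09\x03\x08" + b"saltsalt" + b"\x60"
SKESK_SAMPLE = b"\xC3" + bytes([len(_skesk_body)]) + _skesk_body
PLAIN_SAMPLE = b"mysql pid file contents 12345\n"

if __name__ == "__main__":
    for name, blob in [("PKESK", PKESK_SAMPLE), ("SKESK", SKESK_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(name, classify(blob))
    print(group_by_key({"a.sql": PKESK_SAMPLE, "b.txt": PLAIN_SAMPLE}))
```

For a single file `gpg --list-packets FILE` prints the same header fields; the parser is for walking the whole list at once, for example `group_by_key({p: open(p,'rb').read(32) for p in open('/etc/cryptoshell.encrypted.list').read().split()})`. Finding one recipient key ID across all files is consistent with the ransom note's claim and is the detail worth recording in the incident report; it does not help recovery, because the strings show the private key is only downloaded (`&key=true`, "Error on download private key") after a transaction ID is accepted, so it never existed on this server.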
Hello :) Generally speaking, if your server was hacked from the root level, or root access was obtained, the best practice is to reinstall the OS/cPanel. You may want to consult with a qualified security specialist if you need help determining the point of attack. Thank you.
Just out of curiosity, which OS was in use, RedHat? CloudLinux?
Okay, does anyone have any other information about this, specifically regarding the statement above, "But nowadays it is targeted at Linux machines also." I have just finished searching every security bulletin/alert system I can find, and nowhere else have I found any agreement with the above statement. The only remote possibility I can find regarding this involves an infected Windows machine that is directly networked (drive mapped?) to a Linux machine; then the files on the Linux drives can become encrypted as well. So if anyone has any URLs/pages that contain more info, particularly about Linux servers compromised by CryptoLocker, I'd certainly like to see it. Thanks.
jols wrote: "If anyone has any URLs/pages that contain more info, particularly about Linux servers compromised by CryptoLocker, I'd certainly like to see it. Thanks."
Same here. Thankfully I have not seen this on any Linux systems yet, nor have I heard about it from any other hosting companies that I communicate with.