Linux backdoor : systemd-daemon & gvfsd-helper

119 x served & 57 x viewed

Je viens de lire l’article : https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/

Command-and-control servers historically used by the malware have domains registered six years ago, in December 2015,  all of them

FileName MD5 Detection First Seen in VT
systemd-daemon 1d45cd2c1283f927940c099b8fab593b 0/61 2018-05-16 04:22:59
systemd-daemon 11ad1e9b74b144d564825d65d7fb37d6 0/58 2018-12-25 08:02:05
systemd-daemon 5c0f375e92f551e8f2321b141c15c48f 0/56 2020-05-08 05:50:06
gvfsd-helper 64f6cfe44ba08b0babdd3904233c4857 0/61 2021-01-18 13:13:19

J’ai donc rapidement fait :

# sudo find / -name 'systemd-daemon'
# sudo find / -name 'gvfsd-helper'

Aucun n’est présent …

Nouveau scan sur Ngnix : wp-login.php (wordpress)

110 x served & 11 x viewed

Je viens de voir que certaines IP faisaient du scan sur le login de wordpress :

#egrep "wp-login.php" error.*.log* | awk '{print $10}' | sed 's/:/ /g' | awk '{print $1}' | sort -n | uniq
54.39.22.135 -> Canada. 
62.171.179.56 -> Germany
93.113.111.100 -> England
103.241.205.1 -> Indonesia
128.199.122.54 -> Singapore
139.162.7.223 -> Singapore
139.59.58.116 -> India
159.89.109.162 -> Germany
201.143.63.92 -> Mexico
202.169.26.237 -> Malaysia
206.189.93.93 -> Singapore
211.43.12.188 -> Korea

Donc je vais filtrer ses IP …. pour rappel voici mon filtre complet.

# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Sun Mar 28 18:20:28 2021
*filter
:INPUT ACCEPT [48747901:83300813551]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9152769:771480779]
-A INPUT -s 112.126.90.41/32 -j DROP
-A INPUT -s 116.147.2.110/32 -j DROP
-A INPUT -s 122.14.209.13/32 -j DROP
-A INPUT -s 158.69.13.199/32 -j DROP
-A INPUT -s 193.112.88.67/32 -j DROP
-A INPUT -s 210.21.218.26/32 -j DROP
-A INPUT -s 223.75.249.2/32 -j DROP
-A INPUT -s 27.50.160.35/32 -j DROP
-A INPUT -s 49.233.63.234/32 -j DROP
-A INPUT -s 91.242.37.16/32 -j DROP
-A INPUT -s 103.87.167.253/32 -j DROP
-A INPUT -s 113.160.229.252/32 -j DROP
-A INPUT -s 123.201.235.83/32 -j DROP
-A INPUT -s 156.221.147.68/32 -j DROP
-A INPUT -s 171.236.213.49/32 -j DROP
-A INPUT -s 176.240.226.165/32 -j DROP
-A INPUT -s 202.90.133.210/32 -j DROP
-A INPUT -s 216.104.201.88/32 -j DROP
-A INPUT -s 175.172.174.191/32 -j DROP
-A INPUT -s 123.132.65.176/32 -j DROP
-A INPUT -s 103.145.13.43/32 -j DROP
-A INPUT -s 175.21.153.128/32 -j DROP
-A INPUT -s 178.63.34.189/32 -j DROP
-A INPUT -s 74.120.14.36/32 -j DROP
-A INPUT -s 34.240.212.8/32 -j DROP
-A INPUT -s 167.248.133.52/32 -j DROP
-A INPUT -s 162.142.125.52/32 -j DROP
-A INPUT -s 197.53.220.102/32 -j DROP
-A INPUT -s 134.209.87.169/32 -j DROP
-A INPUT -s 66.151.211.226/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 66.210.251.136/32 -j DROP
-A INPUT -s 202.215.160.75/32 -j DROP
-A INPUT -s 81.68.159.121/32 -j DROP
-A INPUT -s 178.129.246.3/32 -j DROP
-A INPUT -s 46.209.56.107/32 -j DROP
-A INPUT -s 156.197.215.223/32 -j DROP
-A INPUT -s 156.216.50.199/32 -j DROP
-A INPUT -s 192.241.224.104/32 -j DROP
-A INPUT -s 192.241.206.242/32 -j DROP
-A INPUT -s 216.245.193.22/32 -j DROP
-A INPUT -s 36.27.208.157/32 -j DROP
-A INPUT -s 81.68.106.157/32 -j DROP
-A INPUT -s 143.110.212.186/32 -j DROP
-A INPUT -s 54.39.22.135/32 -j DROP
-A INPUT -s 62.171.179.56/32 -j DROP
-A INPUT -s 93.113.111.100/32 -j DROP
-A INPUT -s 103.241.205.1/32 -j DROP
-A INPUT -s 128.199.122.54/32 -j DROP
-A INPUT -s 139.162.7.223/32 -j DROP
-A INPUT -s 139.59.58.116/32 -j DROP
-A INPUT -s 159.89.109.162/32 -j DROP
-A INPUT -s 201.143.63.92/32 -j DROP
-A INPUT -s 202.169.26.237/32 -j DROP
-A INPUT -s 206.189.93.93/32 -j DROP
-A INPUT -s 211.43.12.188/32 -j DROP
COMMIT
# Completed on Sun Mar 28 18:20:28 2021

Virus via Skype : Lien Google -> Lien vers xn--p1ai -> Virus

172 x served & 16 x viewed

Via Skype je recois une url ver google, cette url renvoi vers un site xn--2–9lcqk.xn--p1ai (185.212.128.141 : Pays-Bas)  et de ce site vers http://income-method.net/ (Russie) et pour finir un virus remonte ….

Misère, merci la Russie pour cette merde ….

Propriété de income-method.net

Disponibilité Attribué
Date d’enregistrement 04/01/2021
Date d’expiration 04/01/2022
Adresse IP 5.8.47.2
Source VeriSign

Propriété de l’adresse IP 185.212.128.141

Localisation Pays-Bas
Réputation 71 %
Anonymat Aucun détection
Usage Attribué
Source RIPE NCC
Nom d’hote sk.cc

Nouveau scan sur Ngnix : system_api.php ( Drupal )

192 x served & 22 x viewed

Dans les logs :

143.110.212.186 - - [20/Jan/2021:20:33:15 +0100] "GET /system_api.php HTTP/1.1" 404 490 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
143.110.212.186 - - [20/Jan/2021:20:33:15 +0100] "GET /system_api.php HTTP/1.1" 404 4079 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
143.110.212.186 - - [20/Jan/2021:20:33:16 +0100] "GET /system_api.php HTTP/1.1" 404 4078 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Je filtre donc l’IP :

# iptables -A INPUT -s 143.110.212.186 -j DROP 
# iptables-save > /etc/iptables/rules.v4

Propriété de l’adresse IP 143.110.212.186

Localisation États-Unis
Réputation 86 %
Anonymat Aucun détection
Usage Attribué
Source ARIN
Nom d’hote 143.110.212.186