Server Compromisd

[vipin]

Hello


One of my servers were hacked recently.The hacker has encrypted all files under directories '/home' and '/var/lib/mysql'.

Hacker has put a banner with the following content:

#cat /root/cryptoshell.message
---------------------------------------------------------------------------
>>>>> WARNING <<<<<< 
1 - DON’T DELETE CRYPTOSHELL FILES THAT ARE LOCATED IN “/ETC” FOLDER. THEY WILL BE REQUIRED TO RECOVER YOUR FILES.
2 - ANY ATTEMPT TO TRACK THIS SOFTWARE WILL LEAD TO THE IMMEDIATE DESTRUCTION OF THE PRIVATE KEY. WE USE COUNTLESS SERVERS AND DOMAINS, SO DON’T WASTE YOUR TIME…
---------------------------------------------------------------------------

The important files of this server has been encrypted using a unique public key RSA-2048. 
Encrypted files include databases and users file (in home directory).

Here is a complete list of encrypted files: /etc/cryptoshell.encrypted.list

The single copy of the private key, which will allow you to decrypt the files, are located on a secret server on the Internet, and it will be destroyed in the specified time.

To obtain the private key to decrypt files on this server, you need to pay 2 BTC. 
After payment, follow the steps below to decrypt all files.

===========================================================================
BE FAST!! YOUR PRIVATE KEY WILL BE DESTROYED IN: 2014-04-03 - 04:57:48 UTC+4
===========================================================================

---------------------------------------------------------------------------
>>>>> PAYMENT <<<<<< 
Amount: 2 BTC
Bitcoin address: xxxxxxxxxxxxxxxxx
---------------------------------------------------------------------------

---------------------------------------------------------------------------
>>>>> DECRYPTION <<<<<< 
1 - Confirm the payment. Run this command with BitCoin transaction ID: /root/cryptoshell_decrypt TRANSACTION_ID
2 - The software will confirm that the transaction ID has been sent. After this process, you will need to wait for 40 minutes to try run the same command again.  
3 - When the transaction ID is approved, the software will start to decrypt all encrypted files.
----------------------------------------------------------------------------


=================================================================================

MySQL server fails with following error:

========

/etc/init.d/mysql restart
rm: cannot remove `/var/lib/mysql/server.hostname.pid': Operation not permitted
 ERROR! MySQL server process #�
                                ����5^H�;��x�N�[ap��b���bQ���Eӕ��:�****1U��6��
                                                                                   V"�K����z!cϲ��Ҟ�Н����GDkU��^����?�[email protected]��
,�"ͰZ�!��6��qf[
                0�v�q�$�H�z�攢���
                                 ���R��&\��u+<�D-zI����������kh��ن?�o+���(�y��u�k�1?�
�~��!��D�q��R;�V�{�x�C+룘z�P��_���yi��w�j���#>Q���X�V6���5y>�����8`gv�$�p.=…��wυ�a:�K���rS��3\p4�n��5��qzQ�,������%z^��q�;S�G� is not running!
rm: cannot remove `/var/lib/mysql/server.hostname.com.pid': Operation not permitted
Starting MySQL SUCCESS! 


========

He had deleted all log files including lastlog,wtmp,utmp,secure ....etc.

Had any one came accross these type of hacks earlier ? Is there any resolution for this ? Is Server reload the only option to recover from this situation ? Does cPanel has any other log files to track this activity ?

Please help .

Thank You.

 

[es2alna]

Re: Server Compromised

What is the content of this file?

/root/cryptoshell_decrypt

Did you check for another root account? or for rootkit?

What is the result of executing this command?

lsattr /var/lib/mysql/server.hostname.pid #Replace server.hostname.pid with the right file name

 

[vipin]

Hello,

Thank you for your reply.

I think it is CryptoLocker infection.This is the most dangerous malware i ever seeen.It has removed the backup files too.So there is no chance of a recovery.

The cryptoshell_decrypt is a binary file.The contents of this file are posted below.


================

# file cryptoshell_decrypt
cryptoshell_decrypt: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped


# strings cryptoshell_decrypt
/lib64/ld-linux-x86-64.so.2
CxIk
libcurl.so.4
__gmon_start__
_Jv_RegisterClasses
curl_easy_setopt
curl_easy_cleanup
curl_easy_init
_fini
curl_easy_perform
libstdc++.so.6
pthread_cancel
_ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_RS3_
_ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEED1Ev
_ZNSs5eraseEN9__gnu_cxx17__normal_iteratorIPcSsEES2_
_ZNKSs4findERKSsm
_ZNSaIcED1Ev
_ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strERKSs
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
_ZNKSt9basic_iosIcSt11char_traitsIcEE4failEv
_ZNSt14basic_ifstreamIcSt11char_traitsIcEEC1EPKcSt13_Ios_Openmode
__gxx_personality_v0
_ZNKSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strEv
_ZNKSs5c_strEv
_ZNSspLEc
_Znwm
_ZNSsaSERKSs
_ZSt3cin
__cxa_rethrow
_ZNKSs4sizeEv
_ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEEC1ESt13_Ios_Openmode
_ZdlPv
_ZNSolsEPFRSt8ios_baseS0_E
__cxa_begin_catch
_ZSt20__throw_length_errorPKc
_ZNSs6resizeEm
_ZNSsC1Ev
_ZNKSt9basic_iosIcSt11char_traitsIcEEcvPvEv
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
__cxa_end_catch
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E
_ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E
_ZNSsaSEPKc
_ZNKSs6substrEmm
_ZNKSsixEm
_ZNSsD1Ev
_ZNSsC1EPKcRKSaIcE
_ZNSsixEm
_ZSt4cout
_ZNKSs6lengthEv
_ZNSs6appendERKSs
_ZNSaIcEC1Ev
_ZNSsC1ERKSs
_ZNSs5beginEv
_ZSt17__throw_bad_allocv
_ZNSt8ios_base4InitC1Ev
_ZNKSs4findEcm
_ZNSt14basic_ifstreamIcSt11char_traitsIcEED1Ev
_ZNSolsEd
_ZNSolsEi
_ZNSolsEl
_ZNSs6appendEPKcm
libm.so.6
libgcc_s.so.1
_Unwind_Resume
libc.so.6
srand
fopen
ftell
time
rewind
__cxa_atexit
isalnum
fseek
fputs
fclose
remove
system
fwrite
fread
atoi
sleep
strcmp
__libc_start_main
__xstat
libpthread.so.0
_edata
__bss_start
_end
GCC_3.0
GLIBC_2.2.5
CXXABI_1.3
GLIBCXX_3.4
fff.
AUATSH
8[A\A]
AUATSH
<=t-
X[A\A]
AUATSH
8[A\A]
AUATSH
8[A\A]
AUATSH
H[A\A]
ATSH
0[A\
ATSH
0[A\
ATSH
0[A\
ATSH
0[A\
AWAVAUATSH
[A\A]A^A_
AUATSH
[A\A]
ATSH
AVAUATSH
[A\A]A^
ATSH
ATSH
ATSH
ATSH
ATSH
ATSH
ATSH
ATSH
@[A\
ATSH
AVAUATSH
[A\A]A^
AVAUATSH
[A\A]A^
AVAUATSH
[A\A]A^
AVAUATSH
[A\A]A^
ATSH
ATSH
0[A\
AUATSH
<yt(
[A\A]
ATSH
[A\
ATSH
ATSH
AVAUATSH
[A\A]A^
ATSH
`[A\
ATSH
[A\
AVAUATSH
[A\A]A^
ATSH
0[A\
fffff.
l$ L
t$(L
|$0H
http://www.timeapi.org/utc/now?%5Cm__%5Cy__%5CY
&iscts=true
iscts
info
http://
/etc/system.vladimir.cts.conf
/etc/cryptoshell.decrypted.list
/etc/cryptoshell.encrypted.list
[32m
DECRYPTING
[37m
- (
) ->
gpg --no-tty --batch --yes --quiet --passphrase
--output
.dec
--decrypt
" 2>&1 > /dev/null
chattr -ia "
" &&
echo "
" >> /etc/cryptoshell.decrypted.list
&&
cat
.dec" >
rm -rf "
.dec"
&hash=
&transaction_id=
&passphrase=true
for i in `gpg --list-secret-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-secret-keys "$i" ; done
for i in `gpg --list-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-keys "$i" ; done
&key=true
/etc/cryptoshell.key
gpg --quiet --import /etc/cryptoshell.key 2>&1 > /dev/null
&decrypted=true&files=
/etc/bash_profile_backup
cat /etc/bash_profile_backup > /root/.bash_profile
/etc/cryptoshell.id
/etc/cryptoshell.transaction
[31m
Okay...all files have been decrypted. Goodbye!
" 2>&1 > /dev/null &
mysql
mysqld
postgresql
chkconfig
off
cpanel
service
stop
start
File list not found! - /etc/cryptoshell.encrypted.list
An error has occurred on decrypt files.
WARNING: Of the
encrypted files,
files have been decrypted.
Do you want to run decryption process again?
[y/n]
- Error to get passphrase.
- Error on download private key.
-----------------------
added
Transaction ID has been sent! Wait for 40 minutes and try run the same command again. If your transaction has been approved, the software will decrypt all files.
waiting
Your transaction ID is awaiting approval to continue. Try again in 40 minutes.
Don't run this program more than once in less than 40 minutes or our servers will reject your connection forever.
[32m
Your transaction ID has been approved!
Do you want to start the file decryption right now?
WARNING: The file decryption may take several minutes to complete. Make sure that all affected applications is stopped (MYSQL, PostgreSQL, cPanel, etc), or the process may fail.
Error to get transaction result. Try again later or contact us.
Error to get transaction result. Try again later.
Error! CryptoShell files not found on system.
WARNING: Any attempt to track this software will lead to the immediate destruction of the private key by the server.
We used countless servers and domains, so don't waste your time ...
----------
To decrypt all files, you'll need to execute this software with the Bitcoin transaction ID.
Read more about payment information on file: /root/cryptoshell.message
Do you have sure that the transaction ID is
Couldn't find server.
vector::_M_insert_aux
/cgi-bin/api?t=cts
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
zPLR

==============



Attributes of /var/lib/mysql/server.hostname.com.pid (# orginal hostname replace)

-bash-4.1# lsattr /var/lib/mysql/server.hostname.com.pid
----ia-A-----e- /var/lib/mysql/server.hostname.com.pid


==================


No rootkits found

Chkrootkit scan details :


Searching for suspect PHP files...

EACCELER	[email protected]����"P-S$P-Sg	�<�X�)J� "P-S$P-S�****�)J�/home/demo/public_html/wp-content/plugins/si-captcha-for-wordpress/captcha/temp/6SuahXHh1DpcRRvE.php��)J���)J�������)J�����7}
                                  ��)J�&���@��>YF5T��)J�
                                                                        ��<�+�0�captcha_wordEACCELER	[email protected]�����sR��sR�9,�"!{ ��sR��sR��1"p#!/home/demo/public_html/wp-admin/includes/bookmark.ph%!�#!	add_link0(!�#!
EACCELER	[email protected]����"P-S$P-Sg	�<�X�)J� "P-S$P-S�****�)J�/home/demo/public_html/wp-content/plugins/si-captcha-for-wordpress/captcha/temp/6SuahXHh1DpcRRvE.php��)J���)J�������)J�����7}
                                  ��)J�&���@��>YF5T��)J�
                                                                        ��<�+�0�captcha_wordEACCELER	[email protected]�����sR��sR�9,�"!{ ��sR��sR��1"p#!/home/demo/public_html/wp-admin/includes/bookmark.ph%!�#!	add_link0(!�#!

=======================

 

[vipin]

Hello,

CryptoLocker / Ransomware malwares are one of the most destructive malware i ever seen. This malware will encrypt all your datas under "/home" and "/var/lib/mysql" with strong asymmetric encryption technique. CryptoLocker appears to only affect Windows computers.But now a days it is targeted to linux machines also.I had seen two or three servers with in this week effected by this malware.This malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.So your backup will also be effected by this malware , Which means total destruction for your data's.

It is even worst than symlink attacks.Please beware !

Please read this article https://www.us-cert.gov/ncas/alerts/TA13-309A and take appropriate security measures.


Thank You.

 

[cPanelMichael]

Hello

Generally speaking, if your server was hacked from the root level, or root access was obtained, the best practice is to reinstall the OS/cPanel. You may want to consult with a qualified security specialist if you need help determining the point of attack.

Thank you.

 

[jols]

Just out of curiosity, which OS was in use, RedHat? CloudLinux?

 

[jols]

Okay, does anyone have any other information about this, specifically regarding the statement above, "But now a days it is targeted to linux machines also."

I have just finished searching every security bulletin/alert system I can find, and no where else have I found any agreement with the above statement. The only remote possibility I can find regarding this involves an infected Windows machine that is directly networked (drive mapped?) to a Linux machine, then the files on the Linux drives can become encrypted as well.

So if anyone has any URLs/pages that contain more info, particularly about Linux servers compromised by CryptoLocker, I'd certainly like to see it. Thanks.

 

[quizknows]

If anyone has any URLs/pages that contain more info, particularly about Linux servers compromised by CryptoLocker, I'd certainly like to see it. Thanks.

Same here. Thankfully I have not seen this on any linux systems yet, nor have I heard about it from any other hosting companies that I communicate with.