The Community Forums


Server Compromised

Discussion in 'Security' started by vipin, Mar 31, 2014.

  1. vipin (Active Member; cPanel Access Level: Root Administrator)
    Hello :)


    One of my servers was hacked recently. The hacker has encrypted all files under the directories '/home' and '/var/lib/mysql'.

    The hacker has put a banner with the following content:


    Code:
    #cat /root/cryptoshell.message
    ---------------------------------------------------------------------------
    >>>>> WARNING <<<<<< 
    1 - DON’T DELETE CRYPTOSHELL FILES THAT ARE LOCATED IN “/ETC” FOLDER. THEY WILL BE REQUIRED TO RECOVER YOUR FILES.
    2 - ANY ATTEMPT TO TRACK THIS SOFTWARE WILL LEAD TO THE IMMEDIATE DESTRUCTION OF THE PRIVATE KEY. WE USE COUNTLESS SERVERS AND DOMAINS, SO DON’T WASTE YOUR TIME…
    ---------------------------------------------------------------------------
    
    The important files of this server has been encrypted using a unique public key RSA-2048. 
    Encrypted files include databases and users file (in home directory).
    
    Here is a complete list of encrypted files: /etc/cryptoshell.encrypted.list
    
    The single copy of the private key, which will allow you to decrypt the files, are located on a secret server on the Internet, and it will be destroyed in the specified time.
    
    To obtain the private key to decrypt files on this server, you need to pay 2 BTC. 
    After payment, follow the steps below to decrypt all files.
    
    ===========================================================================
    BE FAST!! YOUR PRIVATE KEY WILL BE DESTROYED IN: 2014-04-03 - 04:57:48 UTC+4
    ===========================================================================
    
    ---------------------------------------------------------------------------
    >>>>> PAYMENT <<<<<< 
    Amount: 2 BTC
    Bitcoin address: xxxxxxxxxxxxxxxxx
    ---------------------------------------------------------------------------
    
    ---------------------------------------------------------------------------
    >>>>> DECRYPTION <<<<<< 
    1 - Confirm the payment. Run this command with BitCoin transaction ID: /root/cryptoshell_decrypt TRANSACTION_ID
    2 - The software will confirm that the transaction ID has been sent. After this process, you will need to wait for 40 minutes to try run the same command again.  
    3 - When the transaction ID is approved, the software will start to decrypt all encrypted files.
    ----------------------------------------------------------------------------
    
    
    =================================================================================
    
    MySQL server fails with the following error:

    Code:
    ========
    
    /etc/init.d/mysql restart
    rm: cannot remove `/var/lib/mysql/server.hostname.pid': Operation not permitted
     ERROR! MySQL server process #[binary contents of the encrypted .pid file, printed by the init script] is not running!
    rm: cannot remove `/var/lib/mysql/server.hostname.com.pid': Operation not permitted
    Starting MySQL SUCCESS! 
    
    
    ========
    
    He has deleted all log files, including lastlog, wtmp, utmp, secure, etc.

    Has anyone come across this type of hack before? Is there any resolution for this? Is a server reload the only option to recover from this situation? Does cPanel have any other log files to track this activity?

    Please help .

    Thank You.
     
  2. es2alna (Well-Known Member, Egypt; cPanel Access Level: Root Administrator)
    Re: Server Compromised

    What is the content of this file?
    Code:
    /root/cryptoshell_decrypt
    Did you check for another root account, or for a rootkit?

    What is the result of executing this command?
    Code:
    lsattr /var/lib/mysql/server.hostname.pid #Replace server.hostname.pid with the right file name
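The two checks suggested in the reply above (a second uid-0 account, and immutable or append-only attributes such as the ones that stop the MySQL init script from removing its .pid file), as an added example that is not part of the original post. It assumes only POSIX sh, awk and the plain `lsattr` output format; the function names are mine, and the passwd entries and lsattr lines it feeds itself are constructed samples, not data from the affected server.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the two checks
# suggested above, a second uid-0 account and immutable/append-only files.
# Each helper reads a file you pass in, so it can be exercised on the
# constructed samples below before being pointed at the real /etc/passwd and
# at real `lsattr -R` output.

# Accounts with uid 0 other than root. A second uid-0 login is a common way
# to keep root after the original hole is closed.
extra_uid0_accounts() {
    # $1: passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Paths in saved `lsattr` output that carry the immutable (i) or append-only
# (a) flag. Even root cannot unlink or rewrite such a file until
# `chattr -ia` is run on it, which is why the mysql init script's rm failed
# on the .pid file above. lsattr prints "<flags> <path>"; directory headers
# from `lsattr -R` ("/etc:") and blank lines are skipped by requiring the first
# field to look like a flags field, and the path is everything after the
# first space so names containing spaces survive.
locked_paths() {
    # $1: file holding lsattr output
    awk '$1 ~ /^[-A-Za-z]+$/ && (index($1, "i") || index($1, "a")) {
             sub(/^[^ ]+ /, ""); print }' "$1"
}

# Constructed sample inputs standing in for the compromised host's files.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}
write_sample_lsattr() {
    cat > "$1" <<'EOF'
----ia-A-----e- /var/lib/mysql/server.hostname.com.pid
-------------e- /var/lib/mysql/ibdata1
----i--------e- /etc/cryptoshell.key
-------------e- /home/demo/public_html/index.php
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_passwd "$tmp/passwd"
    write_sample_lsattr "$tmp/lsattr.out"
    echo "== uid-0 accounts besides root =="; extra_uid0_accounts "$tmp/passwd"
    echo "== immutable/append-only paths =="; locked_paths "$tmp/lsattr.out"
    rm -rf "$tmp"
}
demo

# On the live host the same helpers run as:
#   extra_uid0_accounts /etc/passwd
#   lsattr -R /etc /var/lib/mysql /home 2>/dev/null > /tmp/lsattr.out
#   locked_paths /tmp/lsattr.out
# and only after reviewing each listed path:  chattr -ia "/that/path"
```

Clearing the attributes makes the files deletable again, but it does not recover them; on the box in this thread the .pid file is both locked and overwritten with ciphertext, so the useful output of `locked_paths` is the list of what the intruder wanted to protect, not a repair step.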
     
  3. vipin (Active Member; cPanel Access Level: Root Administrator)
    Hello,

    Thank you for your reply.

    I think it is a CryptoLocker infection. This is the most dangerous malware I have ever seen. It has removed the backup files too, so there is no chance of a recovery.

    cryptoshell_decrypt is a binary file. The contents of this file are posted below.


    ================

    Code:
    # file cryptoshell_decrypt
    cryptoshell_decrypt: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
    
    
    # strings cryptoshell_decrypt
    /lib64/ld-linux-x86-64.so.2
    CxIk
    libcurl.so.4
    __gmon_start__
    _Jv_RegisterClasses
    curl_easy_setopt
    curl_easy_cleanup
    curl_easy_init
    _fini
    curl_easy_perform
    libstdc++.so.6
    pthread_cancel
    _ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_RS3_
    _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEED1Ev
    _ZNSs5eraseEN9__gnu_cxx17__normal_iteratorIPcSsEES2_
    _ZNKSs4findERKSsm
    _ZNSaIcED1Ev
    _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strERKSs
    _ZNSt8ios_base4InitD1Ev
    _ZNSolsEPFRSoS_E
    _ZNKSt9basic_iosIcSt11char_traitsIcEE4failEv
    _ZNSt14basic_ifstreamIcSt11char_traitsIcEEC1EPKcSt13_Ios_Openmode
    __gxx_personality_v0
    _ZNKSt18basic_stringstreamIcSt11char_traitsIcESaIcEE3strEv
    _ZNKSs5c_strEv
    _ZNSspLEc
    _Znwm
    _ZNSsaSERKSs
    _ZSt3cin
    __cxa_rethrow
    _ZNKSs4sizeEv
    _ZNSt18basic_stringstreamIcSt11char_traitsIcESaIcEEC1ESt13_Ios_Openmode
    _ZdlPv
    _ZNSolsEPFRSt8ios_baseS0_E
    __cxa_begin_catch
    _ZSt20__throw_length_errorPKc
    _ZNSs6resizeEm
    _ZNSsC1Ev
    _ZNKSt9basic_iosIcSt11char_traitsIcEEcvPvEv
    _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
    __cxa_end_catch
    _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
    _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E
    _ZSt7getlineIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E
    _ZNSsaSEPKc
    _ZNKSs6substrEmm
    _ZNKSsixEm
    _ZNSsD1Ev
    _ZNSsC1EPKcRKSaIcE
    _ZNSsixEm
    _ZSt4cout
    _ZNKSs6lengthEv
    _ZNSs6appendERKSs
    _ZNSaIcEC1Ev
    _ZNSsC1ERKSs
    _ZNSs5beginEv
    _ZSt17__throw_bad_allocv
    _ZNSt8ios_base4InitC1Ev
    _ZNKSs4findEcm
    _ZNSt14basic_ifstreamIcSt11char_traitsIcEED1Ev
    _ZNSolsEd
    _ZNSolsEi
    _ZNSolsEl
    _ZNSs6appendEPKcm
    libm.so.6
    libgcc_s.so.1
    _Unwind_Resume
    libc.so.6
    srand
    fopen
    ftell
    time
    rewind
    __cxa_atexit
    isalnum
    fseek
    fputs
    fclose
    remove
    system
    fwrite
    fread
    atoi
    sleep
    strcmp
    __libc_start_main
    __xstat
    libpthread.so.0
    _edata
    __bss_start
    _end
    GCC_3.0
    GLIBC_2.2.5
    CXXABI_1.3
    GLIBCXX_3.4
    fff.
    AUATSH
    8[A\A]
    AUATSH
    <=t-
    X[A\A]
    AUATSH
    8[A\A]
    AUATSH
    8[A\A]
    AUATSH
    H[A\A]
    ATSH
    0[A\
    ATSH
    0[A\
    ATSH
    0[A\
    ATSH
    0[A\
    AWAVAUATSH
    [A\A]A^A_
    AUATSH
    [A\A]
    ATSH
    AVAUATSH
    [A\A]A^
    ATSH
    ATSH
    ATSH
    ATSH
    ATSH
    ATSH
    ATSH
    ATSH
    @[A\
    ATSH
    AVAUATSH
    [A\A]A^
    AVAUATSH
    [A\A]A^
    AVAUATSH
    [A\A]A^
    AVAUATSH
    [A\A]A^
    ATSH
    ATSH
    0[A\
    AUATSH
    <yt(
    [A\A]
    ATSH
    [A\
    ATSH
    ATSH
    AVAUATSH
    [A\A]A^
    ATSH
    `[A\
    ATSH
    [A\
    AVAUATSH
    [A\A]A^
    ATSH
    0[A\
    fffff.
    l$ L
    t$(L
    |$0H
    http://www.timeapi.org/utc/now?%5Cm__%5Cy__%5CY
    &iscts=true
    iscts
    info
    http://
    /etc/system.vladimir.cts.conf
    /etc/cryptoshell.decrypted.list
    /etc/cryptoshell.encrypted.list
    [32m
    DECRYPTING
    [37m
    - (
    ) ->
    gpg --no-tty --batch --yes --quiet --passphrase
    --output
    .dec
    --decrypt
    " 2>&1 > /dev/null
    chattr -ia "
    " &&
    echo "
    " >> /etc/cryptoshell.decrypted.list
    &&
    cat
    .dec" >
    rm -rf "
    .dec"
    &hash=
    &transaction_id=
    &passphrase=true
    for i in `gpg --list-secret-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-secret-keys "$i" ; done
    for i in `gpg --list-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-keys "$i" ; done
    &key=true
    /etc/cryptoshell.key
    gpg --quiet --import /etc/cryptoshell.key 2>&1 > /dev/null
    &decrypted=true&files=
    /etc/bash_profile_backup
    cat /etc/bash_profile_backup > /root/.bash_profile
    /etc/cryptoshell.id
    /etc/cryptoshell.transaction
    [31m
    Okay...all files have been decrypted. Goodbye!
    " 2>&1 > /dev/null &
    mysql
    mysqld
    postgresql
    chkconfig
    off
    cpanel
    service
    stop
    start
    File list not found! - /etc/cryptoshell.encrypted.list
    An error has occurred on decrypt files.
    WARNING: Of the
    encrypted files,
    files have been decrypted.
    Do you want to run decryption process again?
    [y/n]
    - Error to get passphrase.
    - Error on download private key.
    -----------------------
    added
    Transaction ID has been sent! Wait for 40 minutes and try run the same command again. If your transaction has been approved, the software will decrypt all files.
    waiting
    Your transaction ID is awaiting approval to continue. Try again in 40 minutes.
    Don't run this program more than once in less than 40 minutes or our servers will reject your connection forever.
    [32m
    Your transaction ID has been approved!
    Do you want to start the file decryption right now?
    WARNING: The file decryption may take several minutes to complete. Make sure that all affected applications is stopped (MYSQL, PostgreSQL, cPanel, etc), or the process may fail.
    Error to get transaction result. Try again later or contact us.
    Error to get transaction result. Try again later.
    Error! CryptoShell files not found on system.
    WARNING: Any attempt to track this software will lead to the immediate destruction of the private key by the server.
    We used countless servers and domains, so don't waste your time ...
    ----------
    To decrypt all files, you'll need to execute this software with the Bitcoin transaction ID.
    Read more about payment information on file: /root/cryptoshell.message
    Do you have sure that the transaction ID is
    Couldn't find server.
    vector::_M_insert_aux
    /cgi-bin/api?t=cts
    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
    zPLR
    ==============



    Attributes of /var/lib/mysql/server.hostname.com.pid (original hostname replaced):

    Code:
    -bash-4.1# lsattr /var/lib/mysql/server.hostname.com.pid
    ----ia-A-----e- /var/lib/mysql/server.hostname.com.pid


    ==================


    No rootkits found.

    Chkrootkit scan details:


    Searching for suspect PHP files...


    Code:
    [binary eAccelerator cache data matched by the scan; the readable parts are the paths /home/demo/public_html/wp-content/plugins/si-captcha-for-wordpress/captcha/temp/6SuahXHh1DpcRRvE.php (next to the string captcha_word) and /home/demo/public_html/wp-admin/includes/bookmark.ph (cut off in the output, next to the string add_link). The same block was printed twice.]
    =======================
     
    #3 vipin, Apr 1, 2014
    Last edited: Apr 2, 2014
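Turning the `strings` listing above into host indicators, as an added example that is not from the thread and not the malware's own code. The sample input is a constructed excerpt of the posted listing (the timeapi.org URL, the /etc/cryptoshell.* and /etc/system.vladimir.cts.conf paths and the gpg/chattr/rm fragments are exactly the strings shown above); the function names and the fake filesystem root, in which two of the referenced files are made to exist, are mine.

```shell
#!/bin/sh
# Added example, not from the thread and not the malware's own code: turn a
# `strings` listing like the one above into host indicators, then check a
# filesystem for them. The sample input is a constructed excerpt of that
# listing; the domain, paths and commands are the ones the binary itself names.

# Absolute paths under /etc, /root, /var or /home named in the strings output.
# The prefix filter skips loader and library paths such as
# /lib64/ld-linux-x86-64.so.2 and the "/dev/null" redirect target.
strings_paths() {
    # $1: file holding `strings` output
    grep -oE '/(etc|root|var|home)/[A-Za-z0-9._/-]+' "$1" | sort -u
}

# URLs with a real host part. A bare "http://" (present in the listing as a
# prefix the code glues onto a server name it fetches elsewhere) is skipped
# because at least one host character is required after the scheme.
strings_urls() {
    grep -oE 'https?://[A-Za-z0-9._-]+[^ "]*' "$1" | sort -u
}

# Shell fragments the binary hands to system(): gpg key import and deletion,
# chattr -ia to unlock files, rm -rf, restoring .bash_profile. These are what
# to look for in shell history and audit logs of an affected host.
strings_commands() {
    grep -E '^(gpg |chattr |rm -rf|cat /|for i in )' "$1" | sort -u
}

# Paths from strings_paths that exist under a filesystem root. Pass / on the
# suspect host, or the mount point of an image taken from it.
present_iocs() {
    # $1: filesystem root; $2: file holding `strings` output
    root=${1%/}
    strings_paths "$2" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Constructed excerpt of the `strings cryptoshell_decrypt` listing above.
write_sample_strings() {
    cat > "$1" <<'EOF'
http://www.timeapi.org/utc/now?%5Cm__%5Cy__%5CY
http://
/etc/system.vladimir.cts.conf
/etc/cryptoshell.decrypted.list
/etc/cryptoshell.encrypted.list
gpg --no-tty --batch --yes --quiet --passphrase
chattr -ia "
rm -rf "
for i in `gpg --list-secret-keys --with-colons --fingerprint | grep "^fpr" | cut -d: -f10`; do gpg --batch --delete-secret-keys "$i" ; done
/etc/cryptoshell.key
gpg --quiet --import /etc/cryptoshell.key 2>&1 > /dev/null
cat /etc/bash_profile_backup > /root/.bash_profile
/etc/cryptoshell.id
/cgi-bin/api?t=cts
EOF
}

# Constructed fake root standing in for the compromised host: two of the
# referenced files exist, the rest do not.
write_sample_fs() {
    mkdir -p "$1/etc" "$1/root"
    : > "$1/etc/cryptoshell.key"
    : > "$1/etc/cryptoshell.encrypted.list"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_strings "$tmp/strings.txt"
    write_sample_fs "$tmp/root"
    echo "== URLs =="; strings_urls "$tmp/strings.txt"
    echo "== referenced paths =="; strings_paths "$tmp/strings.txt"
    echo "== commands handed to system() =="; strings_commands "$tmp/strings.txt"
    echo "== referenced paths present under $tmp/root =="; present_iocs "$tmp/root" "$tmp/strings.txt"
    rm -rf "$tmp"
}
demo
```

The listing also shows why the "decryptor" is not safe to run out of curiosity: before importing a key it deletes every public and secret key in root's GPG keyring, and it reports to a remote server on each invocation, so a disk image should be taken before the binary is touched. Against a live host, run `present_iocs / strings.txt` with the real `strings` output saved to `strings.txt`; the path filter is deliberately loose (any `/etc/...` substring matches), so review the list rather than acting on it blindly.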
  4. vipin (Active Member; cPanel Access Level: Root Administrator)
    Hello,

    CryptoLocker / ransomware malware is one of the most destructive malware I have ever seen. This malware will encrypt all your data under "/home" and "/var/lib/mysql" with a strong asymmetric encryption technique. CryptoLocker appears to only affect Windows computers, but nowadays it is targeted at Linux machines also. I have seen two or three servers within this week affected by this malware. This malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives, so your backup will also be affected by this malware, which means total destruction for your data.

    Please read this article https://www.us-cert.gov/ncas/alerts/TA13-309A and take appropriate security measures.


    Thank You.
     
  5. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Hello :)

    Generally speaking, if your server was hacked from the root level, or root access was obtained, the best practice is to reinstall the OS/cPanel. You may want to consult with a qualified security specialist if you need help determining the point of attack.

    Thank you.
     
  6. jols (Well-Known Member)
    Just out of curiosity, which OS was in use, RedHat? CloudLinux?
     
  7. jols (Well-Known Member)
    Okay, does anyone have any other information about this, specifically regarding the statement above, "But now a days it is targeted to linux machines also."

    I have just finished searching every security bulletin/alert system I can find, and nowhere else have I found any agreement with the above statement. The only remote possibility I can find regarding this involves an infected Windows machine that is directly networked (drive mapped?) to a Linux machine; then the files on the Linux drives can become encrypted as well.

    So if anyone has any URLs/pages that contain more info, particularly about Linux servers compromised by CryptoLocker, I'd certainly like to see it. Thanks.
     
  8. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)
    Same here. Thankfully I have not seen this on any Linux systems yet, nor have I heard about it from any other hosting companies that I communicate with.
     