jeffv via plug on 4 Sep 2023 10:48:35 -0700



Re: [PLUG] Malware Webshell Infection. - Advice Needed


Dunno if you have, but research may turn up the vector.

Perhaps this would be a start.
https://github.com/MegaBedder/wsoshell


Just for fun
11 search engines for cybersecurity research you can use right now
https://www.helpnetsecurity.com/2023/08/29/search-engines-cybersecurity-research/



On 9/4/23 11:34, Casey Bralla via plug wrote:
Thank you all for the excellent advice.  I've shut down the server and will rebuild it from scratch (after checking the web logs as suggested here).  But I'm confused by the attack vector.

As some have mentioned, I have had a passwordless rsync daemon running on the compromised server.  (I have my public key stored in the .ssh/authorized_keys file.)  I also had a very long and (presumably) secure root password.  But I had assumed that the key exchange on the rsync login would be even harder to crack than the password.  I really like the idea of automatically backing up via rsync (I've got a script that does that to several systems) and would like to continue.

How is this insecure?  I thought it was basically ssh with a local key and essentially uncrackable unless you're the NSA.

Maybe I could restrict rsync to only allow passwordless login from my IP?

I would appreciate any advice on how to do automated remote backups without requiring a login.  I'm backing up to an rsync server on my home network, on a Verizon home internet connection, so my rsync server has to initiate the connection to the web server.

TIA!

On 2023-09-03 05:16 PM, Isaac Bennetch via plug wrote:
See below…

On Sun, Sep 3, 2023 at 4:59 AM Casey Bralla via plug <plug@lists.phillylinux.org> wrote:

    This morning, I received this eMail.  Originally I thought it was
    a scam, but looks like it might be true. Here is the eMail (with
    redacted specifics)


        Hello Casey,
        Your cloud server that is hosting: [URL] and [URL] has been
        compromised on 2022-05-28 at 21:58, server time. I am not the
        threat actor, I stumbled across your server in a Shodan search.
        Your server with IP [IP Address] and [URL] has directory
        listing enabled and you can see a webshell present there,
        wso.php. This probably happened because your server shares the
        webroot with rsync without authentication; someone used this
        to upload the webshell.


You’ve gotten good advice from the others but I will just chime in that this part is worth checking out. Do you have rsyncd running or some way an unauthenticated user could rsync files? I would investigate that first before rebuilding the system. It seems to me that given how helpful the email has tried to be, it could be true that rsync is a way to get in. On the other hand, that could be false information, so you’d have to investigate it and make your own decisions.

Isaac


        The webshell has a default password of ghost287, is run with
        the permissions of the www-data user so it's not possible to
        do heavy damage without escalating privileges but I highly
        encourage you to remove it to prevent further problems for
        your server.
        Please answer if you need help to remove the webshell.
        Kind regards

    The file wso.php was present in /var/www along with another text
    file that looked like it had a password in it.  I've deleted those
    files.  But I'm wondering what my next course of action should be?

    Should I completely shutdown and rebuild the servers (not too
    hard, I've got copies of the important files)?

    Should I ask the author of this eMail for help as he offered?

    Should I delete the 2 files and forget about it?

    Obviously, I will be changing passwords, but could a bad person
    already have penetrated enough to see me change them and get the
    new passwords also?

    Any advice would be appreciated.


-- LEGAL NOTICE: This eMail contains private, personal, and/or privileged
    information and is only for the intended recipient(s).  In fact, you
    really should consider yourself honored to even be cc'd on this
    tremendously important communication.  The author spent literally
    seconds composing this magnificent opus of rational thought and
    deductive logic.  Unfortunately, it has probably been based on
    inaccurate data, which really stinks because this eMail would have been
    truly awesome!  If you have received this eMail in error, we
    respectfully DEMAND that you immediately delete it and inform the sender
    that you have received it in error.  Then, just to be safe, you should
    reformat your hard drive, shave your head, renounce all material
    possessions (which are really controlling your life anyway), and join an
    end-of-times cult somewhere.  Once there, you must reconsider all the
    terrible choices you've made in your life, and promise never to confuse
    "sex" with "gender" again.  Of course, this assumes you have already
    come to terms with your inherent whiteness, AND that you have learned
    the lyrics to The Internationale. "Arise, wretched of the earth!  Arise,
    convicts of hunger..."
    (https://en.wikipedia.org/wiki/The_Internationale)
    We sincerely hope you are able to get your medication stabilized and no
    longer have that recurring dream where you're alone in a large crowd,
    standing naked in a vat of chocolate Yoo-hoo.  BTW, Yoo-hoo really is an
    underrated beverage.  It’s chocolatey, yet surprisingly refreshing. Pick
    up a 6-pack today, and tell your friends!

    ___________________________________________________________________________
    Philadelphia Linux Users Group         -- http://www.phillylinux.org
    Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
    General Discussion  -- http://lists.phillylinux.org/mailman/listinfo/plug


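The email Casey quotes blames a webroot "shared with rsync without authentication", and Casey asks how a pull backup can stay automated while being restricted to his own IP. The script below is an added example written for this thread, not code from any list member: it parses an rsyncd.conf and flags every module that is writable ("read only = no") without "auth users" or "hosts allow". Both configs are constructed; the module name, the secrets file path and the backup host address 203.0.113.10 are assumptions.

```python
"""Audit rsyncd.conf modules for a writable path reachable by unauthenticated clients."""

TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text: str) -> dict:
    """Return {module: params}; parameters before the first [module] are defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = dict(defaults)    # module inherits global defaults
            continue
        key, _, value = line.partition("=")
        target = modules[current] if current else defaults
        target[key.strip().lower()] = value.strip()
    return modules

def audit(text: str) -> list:
    """One finding per module that is writable and not locked down."""
    findings = []
    for name, p in parse_rsyncd_conf(text).items():
        if p.get("read only", "yes").lower() in TRUE:   # rsyncd default is read-only
            continue
        gaps = [k for k in ("auth users", "hosts allow") if not p.get(k)]
        if gaps:
            findings.append(f"[{name}] path={p.get('path')} writable, missing: {', '.join(gaps)}")
    return findings

WEAK_CONF = """\
# constructed: webroot exported writable to any client, as the email describes
[www]
    path = /var/www
    read only = no
"""

HARDENED_CONF = """\
# constructed: read-only export for a pull backup, authenticated and host-limited
[www]
    path = /var/www
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 203.0.113.10
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))  # one finding, then []
```

The check covers only the rsync daemon; the rsync-over-ssh setup with authorized_keys that Casey also describes is a separate path into the same directory and is not inspected here.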