Total Pageviews

Sunday, 30 July 2017

Check Your Server for Malware from SSH Attacks

Defending against SSH brute force attacks is an important task for any dedicated server or virtual private server (VPS) owner. We all know that cleaning a compromised server can be extremely difficult, requiring a full wipe and reinstall, or restore from a clean backup。
What do the attackers do after breaking into a server? Well, most of them would try to download malicious programs and use the server to do bad things. But what programs do they download?
To help answer this question, I have compiled a list that summarizes malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded those malware after "breaking in", and tried to run them (usually with nohup). Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious stuff.
Hosted on GitHub, the list includes malwares' MD5 checksums, first/last seen dates, occurrences and possible filenames. You may use it to check for infected files on servers. However, please note that this list is by no means complete or accurate, and may contain false positives. Use at your own risk!
Example steps to check files in a directory:
1 - Browse to my list above, copy all lines and save to a file, e.g. mwlist.txt. Alternatively, you can download it.
2 - Cut out and sort the MD5 checksums of the list and save to a new file:
grep ^[^#] mwlist.txt | cut -f1 -d ' ' | sort > mwlist-md5.txt  
3 - Generate MD5 checksums of all files in a directory (e.g. /etc, or change to any directory you want to check):
find /etc -type f -print0 | xargs -0 md5sum > hash-etc.txt  
4 - Cut out and sort the MD5 checksums:
cut -f1 -d ' ' hash-etc.txt | sort > hash-etc-md5.txt  
5 - Use comm to find common lines between the two files:
comm -12 mwlist-md5.txt hash-etc-md5.txt  
6 - Output from Step 5 shows any matching checksums between my list and files in the chosen directory. If not empty, identify individual file names with the following. Replace EACH_LINE_IN_OUTPUT with those from Step 5's output:
grep "EACH_LINE_IN_OUTPUT" hash-etc.txt  
7 - Proceed to terminate the infected files' processes and remove them from your system, at your discretion。

No comments:

Post a Comment

Note: only a member of this blog may post a comment.