
Author Topic: Mayhem Infection & steps for troubleshooting  (Read 1329 times)


aneeshs

Mayhem Infection & steps for troubleshooting
« on: December 16, 2017, 03:43:43 pm »

Mayhem is a malicious bot affecting web servers. It infects a server deeply by compiling a shared object and running it as a service, which lets the infection operate under limited privileges and makes it difficult to mitigate, even after the files are restored from a backup.

This malware normally targets vulnerable CMS installations such as WordPress, Joomla, etc., and conducts abusive network activity using a compromised web user account. It uploads malicious files to the server, launches further processes and attempts brute-force attacks against other websites.

Identify the Infection:

1. The malicious processes created by the infection use the HTTP port (usually 80) to establish sessions to various websites. The active sessions may be listed with:
Code:
# lsof -Pni | grep ":80 " | grep -v "LISTEN"

host      21895    abuser   30u  IPv4 327155191      0t0  TCP serverip:59927->victimip:80 (ESTABLISHED)
host      21895    abuser   54u  IPv4 327155485      0t0  TCP serverip:39584->victimip:80 (ESTABLISHED)
host      21895    abuser   57u  IPv4 327156257      0t0  TCP serverip:53746->victimip:80 (ESTABLISHED)
host      21895    abuser   70u  IPv4 327156393      0t0  TCP serverip:40465->victimip:80 (ESTABLISHED)
host      21895    abuser   80u  IPv4 327156062      0t0  TCP serverip:37758->victimip:80 (ESTABLISHED)

2. To find the path of the infected website, use the command below:
Code:
# lsof -p 21895 | egrep "cwd|DEL"

host    21895 abuser  cwd    DIR  9,2   95945663 /home/abuser/public_html/wp-content/uploads/dir (deleted)
host    21895 abuser  DEL    REG  9,2   95946182 /home/abuser/public_html/wp-content/uploads/dir/rss-aggr.so
host    21895 abuser  DEL    REG  9,2   95946184 /home/abuser/public_html/wp-content/uploads/dir/.sd0
host    21895 abuser  DEL    REG  9,2   95946183 /home/abuser/public_html/wp-content/uploads/dir/bruteforce.so

So it can be verified that the malicious PID is 21895 and the compromised user is "abuser". The usual files or extensions in the infected account's directory may look like:

.sd0
bruteforceng.so
rss-aggr.so
bruteforce.so
1.sh
a PHP script for the malware installer
a PHP WSO Webshell (php backdoor)

File names may change from one infection to another, and the best way to find them is to search for the most recently created or modified files on the server.

Stop the Infection:

The infection can be stopped in several steps:
1. Kill the malicious process
2. Delete the malicious files
3. Run a Maldet scan after deleting the infected files
4. Inspect and clean the compromised user's crontab, as it may contain an auto-restart cron job
5. Secure the website by updating CMS installations, fixing permissions and correcting misconfigurations.
6. Monitor system processes and suspend the infected user account to stop outgoing attacks until a full investigation has been performed.
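The identification steps above (outbound :80 sessions, deleted-but-mapped files under the web root, and the crontab check from step 4) can be scripted. The helper below is an added example, not code from the original post; it runs over constructed `lsof` and `crontab` output shaped like the lines quoted above, so it works offline, and on a live host the real command output is piped into the same functions.

```bash
#!/bin/bash
# Added triage helper for the Mayhem symptoms described in the post (not the
# post's own code). It parses constructed `lsof -Pni`, `lsof -p PID` and
# `crontab -l` output so it runs offline; pipe live output in on a real host.

# Count established connections to remote port 80 per "PID user" pair and
# print "count pid user" for pairs at or above the threshold (default 3).
# A legitimate web user's process rarely holds several outbound :80 sessions.
flag_outbound_http() {
  local min=${1:-3}
  grep -E -- '->[^ ]+:80 \(ESTABLISHED\)' | awk -v min="$min" '
    { key = $2 " " $3; n[key]++ }
    END { for (k in n) if (n[k] >= min) print n[k], k }' | sort -rn
}

# From `lsof -p PID` output, list the cwd plus every DEL / "(deleted)" entry.
# Mayhem unlinks its shared objects after loading them, so they survive only
# as deleted-but-mapped files, and the cwd exposes the compromised account.
deleted_artifacts() {
  awk '$4 == "cwd" || $4 == "DEL" || /\(deleted\)$/ {
         path = ($NF == "(deleted)") ? $(NF-1) : $NF
         print $4, path }'
}

# From `crontab -l -u USER` output, flag non-comment entries that execute
# anything under a web document root: the usual shape of an auto-restart job.
suspicious_cron_lines() {
  grep -E -v '^[[:space:]]*(#|$)' | grep -E 'public_html|wp-content/uploads'
}

# Constructed sample data (column layout from the post, values fictitious).
SAMPLE_LSOF_NI='httpd     1234     nobody   4u   IPv4 1001           0t0  TCP *:80 (LISTEN)
sshd      999      root     3u   IPv4 1002           0t0  TCP serverip:22->adminip:51000 (ESTABLISHED)
host      21895    abuser   30u  IPv4 327155191      0t0  TCP serverip:59927->victimip:80 (ESTABLISHED)
host      21895    abuser   54u  IPv4 327155485      0t0  TCP serverip:39584->victimip:80 (ESTABLISHED)
host      21895    abuser   57u  IPv4 327156257      0t0  TCP serverip:53746->victimip:80 (ESTABLISHED)
curl      4321     dev      5u   IPv4 1003           0t0  TCP serverip:40001->mirror:80 (ESTABLISHED)'
SAMPLE_LSOF_P='host    21895 abuser  cwd    DIR  9,2   95945663 /home/abuser/public_html/wp-content/uploads/dir (deleted)
host    21895 abuser  txt    REG  9,2   12345678 /usr/bin/host
host    21895 abuser  DEL    REG  9,2   95946182 /home/abuser/public_html/wp-content/uploads/dir/rss-aggr.so
host    21895 abuser  DEL    REG  9,2   95946184 /home/abuser/public_html/wp-content/uploads/dir/.sd0'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/sh /home/abuser/public_html/wp-content/uploads/dir/1.sh >/dev/null 2>&1'

# Run the triage over the samples; swap in live output on a real host.
printf '%s\n' "$SAMPLE_LSOF_NI" | flag_outbound_http 3
printf '%s\n' "$SAMPLE_LSOF_P"  | deleted_artifacts
printf '%s\n' "$SAMPLE_CRON"    | suspicious_cron_lines
```

On a live host the equivalents are `lsof -Pni | flag_outbound_http`, `lsof -p 21895 | deleted_artifacts` and `crontab -l -u abuser | suspicious_cron_lines`; the `txt` line in the sample shows that an ordinary mapped binary is ignored.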

Thanks for reading :)