Mayhem is a malicious bot affecting web servers. It infects a server deeply by compiling a shared object and running it as a service, which lets the infection operate under limited privileges and makes it difficult to remove, even after the files are restored from a backup.
This malware normally targets vulnerable CMS installations such as WordPress and Joomla, and conducts abusive network activity through the compromised web user account. It uploads malicious files to the server, launches further processes and attempts brute-force attacks against other websites.
Identify the Infection:
1. The malicious processes created by the infection use the HTTP port (usually 80) to establish sessions to various websites. The active sessions can be listed with:
# lsof -Pni | grep ":80 " | grep -v "LISTEN"
host 21895 abuser 30u IPv4 327155191 0t0 TCP serverip:59927->victimip:80 (ESTABLISHED)
host 21895 abuser 54u IPv4 327155485 0t0 TCP serverip:39584->victimip:80 (ESTABLISHED)
host 21895 abuser 57u IPv4 327156257 0t0 TCP serverip:53746->victimip:80 (ESTABLISHED)
host 21895 abuser 70u IPv4 327156393 0t0 TCP serverip:40465->victimip:80 (ESTABLISHED)
host 21895 abuser 80u IPv4 327156062 0t0 TCP serverip:37758->victimip:80 (ESTABLISHED)
2. To find the path of the infected website, use the command below:
# lsof -p 21895 | egrep "cwd|DEL"
host 21895 abuser cwd DIR 9,2 95945663 /home/abuser/public_html/wp-content/uploads/dir (deleted)
host 21895 abuser DEL REG 9,2 95946182 /home/abuser/public_html/wp-content/uploads/dir/rss-aggr.so
host 21895 abuser DEL REG 9,2 95946184 /home/abuser/public_html/wp-content/uploads/dir/.sd0
host 21895 abuser DEL REG 9,2 95946183 /home/abuser/public_html/wp-content/uploads/dir/bruteforce.so
This confirms that the malicious PID is 21895 and the compromised user is "abuser". The files commonly found in the infected account's directory include:
.sd0
bruteforceng.so
rss-aggr.so
bruteforce.so
1.sh
a PHP script for the malware installer
a PHP WSO Webshell (php backdoor)
File names change from one infection to another, so the most reliable way to find them is to search for the most recently created or modified files on the server.
Stop the Infection:
The infection can be stopped in several steps.
1. Kill the malicious process
2. Delete the malicious files
3. Run a Maldet scan after deleting the infected files
4. Inspect and clean the compromised user's crontab, as it may contain an auto-restart cron job
5. Secure the website by updating CMS installations, fixing file permissions and correcting misconfigurations.
6. Monitor system processes and suspend the infected user account to stop outgoing attacks until a full investigation has been performed.
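The identification steps (outbound :80 sessions, deleted-but-mapped files) and the cleanup checks (recently modified files, crontab review) above can be scripted. The following is an added example, not part of the original post: it parses lsof output constructed from the lines quoted above, and the live_triage function (assumes GNU find, lsof and root) runs the same checks on a real host.

```sh
#!/bin/sh
# Added triage helpers for the Mayhem indicators described above: processes holding
# outbound :80 sessions, and deleted-but-still-mapped files under the web root.
# The sample lsof output below is constructed from the lines quoted in the post.

SAMPLE_CONN='host 21895 abuser 30u IPv4 327155191 0t0 TCP serverip:59927->victimip:80 (ESTABLISHED)
host 21895 abuser 54u IPv4 327155485 0t0 TCP serverip:39584->victimip:80 (ESTABLISHED)
httpd 1200 apache 4u IPv4 1234 0t0 TCP *:80 (LISTEN)
sshd 900 root 3u IPv4 5678 0t0 TCP serverip:22->adminip:51000 (ESTABLISHED)'

SAMPLE_FILES='host 21895 abuser cwd DIR 9,2 95945663 /home/abuser/public_html/wp-content/uploads/dir (deleted)
host 21895 abuser DEL REG 9,2 95946182 /home/abuser/public_html/wp-content/uploads/dir/rss-aggr.so
host 21895 abuser DEL REG 9,2 95946184 /home/abuser/public_html/wp-content/uploads/dir/.sd0
host 21895 abuser mem REG 9,2 1111 /lib/x86_64-linux-gnu/libc.so.6'

# suspicious_pids: read "lsof -Pni" output on stdin and print "pid user count"
# for every process with ESTABLISHED sessions to a remote port 80 (step 1).
# LISTEN sockets and connections to other ports are ignored.
suspicious_pids() {
    awk '$NF == "(ESTABLISHED)" && $9 ~ /->.*:80$/ { seen[$2 " " $3]++ }
         END { for (k in seen) print k, seen[k] }' | sort
}

# deleted_artifacts: read "lsof -p PID" output on stdin and print paths whose
# backing file has been unlinked (FD column DEL, or NAME ending in "(deleted)"),
# which is how the .so modules and .sd0 stay alive after deletion (step 2).
deleted_artifacts() {
    awk '$4 == "DEL" || $NF == "(deleted)" { p = ($NF == "(deleted)") ? $(NF-1) : $NF; print p }'
}

# live_triage WEBROOT USER [MINUTES]: the same checks on a running host, plus the
# recently-modified-files search and crontab review; assumes GNU find and root.
live_triage() {
    webroot=$1; user=$2; minutes=${3:-1440}
    echo "== processes with outbound :80 sessions (pid user count)"
    lsof -Pni | suspicious_pids
    echo "== deleted-but-mapped files held by those processes"
    lsof -Pni | suspicious_pids | while read -r pid _; do lsof -p "$pid" | deleted_artifacts; done
    echo "== files modified in the last $minutes minutes under $webroot"
    find "$webroot" -type f -mmin "-$minutes" -exec ls -la {} +
    echo "== crontab of $user (check for an auto-restart job)"
    crontab -l -u "$user"
}

# Demonstration on the constructed samples (no live system needed).
printf '%s\n' "$SAMPLE_CONN" | suspicious_pids
printf '%s\n' "$SAMPLE_FILES" | deleted_artifacts
```

On the samples this reports "21895 abuser 2" and the three unlinked paths under uploads/dir, while the listening httpd socket, the sshd session and the legitimately mapped libc are left out.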
Thanks for reading