anatomyofreallinuxintrusion-alonso2016

2025-02-06

Anatomy of a Real Linux Intrusion Part II: OpenSSH trojanized toolkit

by Angel Alonso

https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html

Notes
This is Abafar as highlighted in sshbackdors-dumont2018
honeypot
Raspberry Pi 3
HonSSH
SSH MiTM
SSH scanning
SSH brute force
IRC bouncer
cybercrime
command and control
trojan
rootkit
anti-forensics
sniffer
IP address IoC
after credentials were obtained via brute forcing, the attackers came back from a separate IP address at a later time
unset HISTFILE, export HISTFILE=/dev/null
… hidden directory
wget
adding malicious nameserver to /etc/resolv.conf
cat /etc/issue enumeration
attacker made typos on command line
attacker changed password of admin user to “modrepo”, then “modrepo1” (possibly due to complexity rules?)
gcc
attacker checked if gcc worked by compiling small C program
if compiler isn’t installed, attacker installs one using yum, apt, yast, or zypper
sed
curl
bash script
Romanian language comments in code samples
attribution by language
trojanizing OpenSSH
dropper pulls architecture-specific files: ARMv7, mips64, vyos64, vyos,
Vyos
OpenSSH
backdoors scp, sftp, ssh, sshd binaries
stack strings
auth-passwd.c altered to include hard-coded password PRtestD for any user
logs user, password, and IP of incoming ssh connections
logs to etc/X11.pr hidden file
does not log connections if backdoor password was used: sshlogin.c
removes logs /var/log/messages, /var/log/secure, /var/log/fastlog, /var/log/wtmp
goprem.c: setgid(0); setuid(0); execl("/bin/sh:, 0); generic privesc
timestomps /usr/sbin/sshd, /usr/bin/ssh, /usr/bin/sftp, /usr/bin/scp
chmod 777
http[:]//gopremium.mooo[.]com/ hosted several of the files
events.c: masquerades a process as kernel thread “[pdflush-0]”
events.c: runs /usr/sbin/ptty every 3600 seconds, checking in to C2
malware is able to update itself
/usr/sbin/env shell script is malicious
/etc/init/env.conf
possible source code: https://github.com/jivoi/openssh-backdoor-kit/tree/master/openssh-5.9

Links to this note

Notes

anatomyofreallinuxintrusion-alonso2016

2025-02-06

Links to this note

Recent Posts

Linux Persistence: Modular Software

2025-04-17 DFIR CTF persistence linux persistence apache asterisk

Linux Persistence: Web Shells

2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP

Linux Persistence: Rootkits

2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit