Description:
A Mayhem infection turns your server into a participant in abusive network activity, operating through a compromised website user account.
The malware targets vulnerable websites (usually Content Management Systems, "CMS", such as WordPress or Joomla), uploads malicious files into the site content and launches a process that performs web attacks (brute force) against other websites (the victims).
How to detect the infection?
1- Identify the malicious running process:
The malicious process opens a lot of sessions to different victim websites (usually on port 80). List the active sessions and identify the process responsible for massive outgoing traffic targeting remote IPs on port 80.
Example:
lsof -Pni | grep ":80 " | grep -v "LISTEN"
host 25531 baduser 30u IPv4 327155191 0t0 TCP serverip:59927->victimip:80 (ESTABLISHED)
host 25531 baduser 54u IPv4 327155485 0t0 TCP serverip:39584->victimip:80 (ESTABLISHED)
host 25531 baduser 57u IPv4 327156257 0t0 TCP serverip:53746->victimip:80 (ESTABLISHED)
host 25531 baduser 70u IPv4 327156393 0t0 TCP serverip:40465->victimip:80 (ESTABLISHED)
host 25531 baduser 80u IPv4 327156062 0t0 TCP serverip:37758->victimip:80 (ESTABLISHED)
[...]
2- Identify the path to the infected website:
Example:
lsof -p 25531 | egrep "cwd|DEL"
host 25531 baduser cwd DIR 9,2 0 95945663 /home/baduser/public_html/wp-content/uploads/dir (deleted)
host 25531 baduser DEL REG 9,2 95946182 /home/baduser/public_html/wp-content/uploads/dir/rss-aggr.so
host 25531 baduser DEL REG 9,2 95946184 /home/baduser/public_html/wp-content/uploads/dir/.sd0
host 25531 baduser DEL REG 9,2 95946183 /home/baduser/public_html/wp-content/uploads/dir/bruteforce.so
In this example, the malicious process is 25531 and the compromised user is "baduser". The infected website folder usually contains one or several of the following files:
- .sd0
- bruteforceng.so
- rss-aggr.so
- bruteforce.so
- 1.sh
- a PHP script for the malware installer
- a PHP WSO Webshell (php backdoor)
As the file names change from one infection to another, we recommend searching for all recently created or modified files in the website folder and inspecting them for suspicious content.
IMPORTANT: Antivirus software may or may not detect malicious files.
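The two detection steps above can be scripted. The following is an added example, not part of the original advisory: it parses `lsof -Pni` output, reports processes holding many ESTABLISHED connections to a remote port 80 (counting only the remote side, so inbound connections served by the web server are ignored), and then lists each flagged PID's working directory and deleted-but-open files. The threshold value and the sample lsof lines are assumptions constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the original advisory: automate the two detection
# steps. Parse `lsof -Pni`, flag processes with many outbound ESTABLISHED
# connections to remote port 80, then list each flagged PID's cwd and the
# unlinked files it still holds open (the Mayhem .so modules).

# Connection count above which a process is reported (assumed value).
THRESHOLD="${THRESHOLD:-20}"

# Read lsof -Pni lines on stdin; print "<pid> <user> <count>" for every
# process with at least $1 ESTABLISHED connections to a remote :80.
flag_outbound_web() {
    awk -v thr="$1" '
        # Fields: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE
        # Match only when the remote side (after "->") is port 80, so
        # inbound connections served by the local web server are not counted.
        $NF == "(ESTABLISHED)" && $(NF-1) ~ /->[^ ]+:80$/ { n[$2 " " $3]++ }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort
}

# Step 2 of the advisory: cwd and deleted files still open by the process.
show_deleted_files() {
    lsof -p "$1" 2>/dev/null | grep -E "cwd|DEL"
}

# Live scan of this host: flagged processes and their open deleted files.
scan_live() {
    lsof -Pni 2>/dev/null | flag_outbound_web "$THRESHOLD" |
    while read -r pid user count; do
        echo "== PID $pid ($user): $count outbound connections to port 80"
        show_deleted_files "$pid"
    done
}

# Constructed sample lsof -Pni output (documentation address ranges, not real).
SAMPLE_LSOF='host 25531 baduser 30u IPv4 327155191 0t0 TCP 198.51.100.7:59927->203.0.113.10:80 (ESTABLISHED)
host 25531 baduser 54u IPv4 327155485 0t0 TCP 198.51.100.7:39584->203.0.113.11:80 (ESTABLISHED)
host 25531 baduser 57u IPv4 327156257 0t0 TCP 198.51.100.7:53746->203.0.113.12:80 (ESTABLISHED)
host 25531 baduser 70u IPv4 327156393 0t0 TCP 198.51.100.7:40465->203.0.113.13:80 (ESTABLISHED)
httpd 1201 apache 4u IPv4 1234 0t0 TCP *:80 (LISTEN)
httpd 1201 apache 9u IPv4 1235 0t0 TCP 198.51.100.7:80->192.0.2.55:51022 (ESTABLISHED)
sshd 900 root 3u IPv4 1111 0t0 TCP *:22 (LISTEN)'

# Demo on the sample: with threshold 3 only the attacking process is reported.
printf '%s\n' "$SAMPLE_LSOF" | flag_outbound_web 3

# Run "sh mayhem_check.sh scan" on the server to examine live processes.
if [ "${1:-}" = "scan" ]; then scan_live; fi
```

Review the flagged PIDs with `lsof -p` before killing anything; a busy legitimate crawler or RSS fetcher can also exceed a low threshold.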
How to stop the infection?
- Kill the malicious process.
- Remove (delete) the malicious files (manually remove the identified files and run an additional maldet scan).
- Inspect and clean the compromised user's crontab (it sometimes contains an auto-restart cron job).
- Secure your website (update the installation, fix the owner/permissions misconfigurations etc.).
- As a preventive measure, keep your CMS up to date.
We strongly recommend that you regularly monitor your processes and suspend the infected user account to stop outgoing attacks until a full investigation has been performed.