Pastebin Grabbing Badness

While doing some threat hunting, I found a server reaching out to pastebin (the count below covers about an hour):

src_ip=<ip> url=hxxp://pastebin[.]com/raw/<snip> count=34

It wasn't a long-running process, but it certainly fired a lot. The paste content was 127.0.0.1:80, which looked like a typical C2 control message. netstat wasn't catching it (each connection was too short-lived to show up in a single snapshot), so lsof to the rescue!

I ran this on the server:

sudo lsof -n -r1 -i:80 -i:8080 -sTCP:^LISTEN | grep --line-buffered -v '<ip>:http' | tee -a ~/pastebin-find.txt

Here's what the lsof options mean (the grep -v drops the web server's own inbound connections, whose local side is <ip>:http, and --line-buffered stops grep from holding output back while the pipe stays open):

-n	Don't resolve IPs to hostnames (faster, and no DNS lookups leaking the hunt)
-i	Select by Internet address; here TCP/UDP on port 80 or 8080 (multiple -i options are ORed)
-r1	Repeat every second, printing a ======= separator between cycles
-sTCP:^LISTEN	Ignore sockets in the LISTEN state, i.e. only show actual connections

After a while, it caught this connection (104.20.x.x is Cloudflare address space, which fronts pastebin.com):

curl    2591557 <username> 3u  IPv4 2063098490      0t0  TCP <ip>:39950->104.20.209.21:http (ESTABLISHED)
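Staring at a scrolling lsof feed works, but the thing that actually gives a short-lived beacon away is the count. The script below is an added example (not from the original post): it takes the repeating lsof output captured by the command above and summarises outbound connections by command, user and remote endpoint, dropping the web server's own inbound traffic the way the grep -v did. The lsof lines inside it are constructed sample data, not output from the compromised server; the host IP 10.0.0.5 and the user www-data are assumptions.

```shell
#!/bin/sh
# Added example: summarise repeated `lsof -n -r1 -i:80 -i:8080 -sTCP:^LISTEN`
# output so that a noisy-but-brief beaconing process stands out by count.
# Parsing assumes the default lsof column layout (COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME) and commands without spaces in their names.

# Constructed sample of three lsof -r cycles (======= is lsof's default
# cycle separator). Host IP 10.0.0.5 and user www-data are assumptions.
LSOF_SAMPLE='COMMAND     PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
nginx      1010     root    6u  IPv4  123456      0t0  TCP 10.0.0.5:http->203.0.113.9:51234 (ESTABLISHED)
curl    2591557 www-data    3u  IPv4 2063098490      0t0  TCP 10.0.0.5:39950->104.20.209.21:http (ESTABLISHED)
=======
curl    2591558 www-data    3u  IPv4 2063098491      0t0  TCP 10.0.0.5:39951->104.20.209.21:http (ESTABLISHED)
nginx      1010     root    6u  IPv4  123457      0t0  TCP 10.0.0.5:http->203.0.113.9:51235 (ESTABLISHED)
=======
curl    2591559 www-data    3u  IPv4 2063098492      0t0  TCP 10.0.0.5:39952->104.20.209.21:http (SYN_SENT)
'

# summarize_outbound HOST_IP  < lsof-output
# Prints "count command user remote" lines, most frequent first.
summarize_outbound() {
  awk -v host="$1" '
    /^COMMAND/ || /^=======/ || NF < 9 { next }   # skip headers and cycle markers
    {
      split($9, ep, "->")                        # NAME field: local->remote
      if (ep[2] == "") next                      # no peer: not a connection
      # Connections whose local side is our web port are inbound visitors,
      # the same thing the original grep -v "<ip>:http" threw away.
      if (ep[1] == host ":http" || ep[1] == host ":https") next
      key = $1 " " $3 " " ep[2]                  # command, user, remote endpoint
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$LSOF_SAMPLE" | summarize_outbound 10.0.0.5
```

Because lsof -r never exits, run the capture for a fixed window and summarise the file afterwards, e.g. `timeout 600 sudo lsof -n -r1 -i:80 -i:8080 -sTCP:^LISTEN | tee -a ~/pastebin-find.txt`, then `summarize_outbound <ip> < ~/pastebin-find.txt`. A site user's curl process at the top of that list, with a remote endpoint that changes port on every line, is exactly the short-lived beacon pattern netstat missed.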

Unsurprisingly, there was a WordPress instance on the server, and the curl was running as the site's user.

It took a bit of work to kill the thing off: after suspending the website and removing its ability to execute anything from its directory, the process kept coming back. It turned out there was a cron entry that restarted the "watcher" process every minute:

* * * * * pidof byte || exec /home/<username>/byte > /dev/null

Every minute: if no process named byte is running (pidof returns non-zero), launch it. byte was a small executable that would fetch a Monero miner and report some analytics back to another compromised website.

Once the cron entry was removed, the processes killed off and the files deleted (after archiving them as IOCs), it was done.

Time for cake!



#work #hunting #linux