Pastebin Grabbing Badness

While doing some threat hunting I found a server reaching out to pastebin (this was over an hour):

src_ip=<ip> url=hxxp://pastebin[.]com/raw/<snip> count=34

It wasn’t a long running process, but it certainly happened a lot. The paste content was 127.0.0.1:80, which looked like a typical CNC control message. netstat wasn’t doing it, so lsof to the rescue!

I ran this on the server:

sudo watch -n1 lsof -n -i:80 -i:8080 -r1 -sTCP:^LISTEN | grep -v <ip>:http | tee -a ~/pastebin-find.txt

Here’s what the options mean:

-n  Don't resolve IPs to DNS
-i  Filter by port
-r  Repeat every second
-sTCP^LISTEN    Ignore listening ports

After a while, Found this connection:

curl    2591557 <username> 3u  IPv4 2063098490      0t0  TCP <ip>:39950->104.20.209.21:http (ESTABLISHED)

Unsurprisingly, there was wordpress instance on the server!

It took a bit of fixing to kill the thing off - after suspending the website and nuking its ability to run things from there, it kept running. It turns out, there was a cron entry which would try and restart the “watcher” process every so often:

* * * * * pidof byte || exec /home/<username>/byte > /dev/null

Where byte was a little executable that’d try and grab a monero miner and pass back some analytics to another hacked website.

After the cron entry was killed off, the processes ended and the files deleted (after archiving, for IOCs) it was done.

Time for cake!



#work #hunting #linux