Linux – Compromised server with malware “/usr/bin/fuck” and “/usr/bin/fake.cfg”

Tags: linux, malware, security

I am not asking what to do with a compromised box.
Specifically, I am asking if anybody has experience with a hack/malware that, amongst other files, leaves the files "/usr/bin/fake.cfg" and "/usr/bin/fuck". I can see in part what it is doing and how. I realize the most appropriate course of action is to disconnect from the internet, salvage, rebuild.

I am curious to learn more about this particular incursion. I do not often get hacked or find myself on compromised machines – now that I have this opportunity, I would like to turn it into a learning opportunity.

Does anybody have any experience with this particular incursion? Any suggestions where I might look?

A million years ago the FBI used to keep a useful database of this sort of thing. Since 9/11 it has become pretty useless.

Ideas?

Best Answer

Out of curiosity I found this, where they discuss the analysis of a malware attack.

http://remchp.com/blog/?p=52

About fake and fuck, often attackers load up tools to facilitate their work.

About fake.cfg, there is indeed a utility in Linux called fake.

$ apt-cache search fake | grep ^fake
fake - IP address takeover tool

Fake is a utility that enables the IP address be taken over by bringing up a second interface on the host machine and using gratuitous arp. Designed to switch in backup servers on a LAN.

So I do suspect fake could be a way of:
- evading firewall rules;
- reaching other networks;
- generating packets/spam using multiple IPs of your network at a time to evade blacklists/fail2ban/Apache mod_evasive when attacking other servers on the Internet at large.

As for fuck, the objectives are less clear.

I found this:

https://github.com/nvbn/thefuck

Magnificent app which corrects your previous console command.

The fuck command uses rule substitution to run the previous command with modifications. I am supposing here that it is used as a basic tool to automate, or to obfuscate in history/monitoring, some of the actual commands run by the attackers.

In addition to the debuggers that others already mentioned, to follow up their activity I do recommend using strace, sysdig or dtrace4linux. They are fantastic tools for following the nitty-gritty of kernel calls.

For following up all files opened on the compromised box, you run:

    sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open

Snoop file opens as they occur (with sysdig)

From:

http://www.sysdig.org/wiki/sysdig-examples/

Sysdig has the ability to show everything, including buffers of files being written, or data sent over the network.

Needless to say, you should backup and isolate the server before running those commands.
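To turn that sysdig output into something you can triage, here is an added example (not from the answer above or from the sysdig project) that parses lines in exactly the `-p` format shown and flags any open() of the two paths named in the question. The watch list, the sample lines and the function names are assumptions constructed for this example.

```python
"""Parse sysdig 'evt.type=open' output in the format used above and flag
opens of watched paths.  All sample lines below are constructed, not captured."""
from typing import Optional

# Field order of: -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name"
FIELDS = ("user", "pid", "proc", "fd", "type", "path")

# Paths from the question; treating them as a watch list is this example's assumption.
WATCHLIST = {"/usr/bin/fake.cfg", "/usr/bin/fuck"}

# Constructed sample output (padded the way sysdig -p prints it).
SAMPLE_LINES = """\
        root   1234        cron   5 f /etc/crontab
        root   4242        fuck   3 f /usr/bin/fake.cfg
      nobody   4243          sh   4 f /usr/bin/fuck
        root   4244        sshd <NA> f <NA>
    www-data   4245     apache2   7 f /var/www/html/index.php
""".splitlines()


def parse_sysdig_line(line: str) -> Optional[dict]:
    """Split one padded output line into its six fields.
    Returns None for blank/short lines and for open() enter events, where
    sysdig has no descriptor yet and prints <NA> for fd.num and fd.name."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["fd"] == "<NA>" or rec["path"] == "<NA>":
        return None
    return rec


def find_watchlist_opens(lines, watchlist=WATCHLIST):
    """Return (pid, process, path) for every open() that touches a watched
    path, or whose process is named like one (e.g. a process called 'fuck')."""
    names = {p.rsplit("/", 1)[-1] for p in watchlist}
    hits = []
    for line in lines:
        rec = parse_sysdig_line(line)
        if rec is None:
            continue
        base = rec["path"].rsplit("/", 1)[-1]
        if rec["path"] in watchlist or base in names or rec["proc"] in names:
            hits.append((int(rec["pid"]), rec["proc"], rec["path"]))
    return hits


if __name__ == "__main__":
    for pid, proc, path in find_watchlist_opens(SAMPLE_LINES):
        print(f"pid {pid} ({proc}) opened {path}")
```

Feed it real output with `sysdig -p "..." evt.type=open | python3 this_script.py` after replacing SAMPLE_LINES with `sys.stdin`; the <NA> handling matters because every open() produces an enter event without a path before the exit event that has one.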
