March 19, 2013 Hatem Ben Yacoub

Fakeproc, Your account has been Hacked !

In less than a month, after migrating to a new server, one of my accounts have been compromised ! The problem that the server goes online with a default configuration, that I wasn’t expecting that dangerous ! And the time to configure it correctly was so long, as it was under attack from day Zero !! Amazing !!

Now problems began with a high CPU usage of a strange perl script :

top - 11:52:49 up 7 days, 7:44, 1 user, load average: 24.32, 32.21, 43.65
Tasks: 191 total, 33 running, 158 sleeping, 0 stopped, 0 zombie
Cpu(s): 67.2%us, 30.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 2.5%si, 0.0%st
Mem: 2957096k total, 1704808k used, 1252288k free, 51492k buffers
Swap: 2064376k total, 33484k used, 2030892k free, 560352k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
12145 username 20 0 30144 2404 1184 R 3.4 0.1 55:36.48 perl
12152 username 20 0 30144 2400 1184 R 3.4 0.1 55:38.94 perl
12161 username 20 0 30144 2416 1184 R 3.4 0.1 55:38.34 perl
15413 username 20 0 42864 6688 1040 R 3.4 0.2 101:02.36 perl
15414 username 20 0 40772 6540 900 R 3.4 0.2 101:02.72 perl
15416 username 20 0 42864 6708 1052 R 3.4 0.2 101:02.74 perl
1777 username 20 0 31660 3244 524 R 3.1 0.1 0:25.63 perl

Server started swapping, CPU usage is very high, I have noticed the fakeproc but couldn’t find anything about it. Some online links talk about a malicious perl IRC bot. The command below gave me more details about what’s going on :

[email protected] [~]# ps -ef | grep username
username 323 1 0 Mar18 ? 00:00:01 fakeproc
username 1777 1 3 11:40 ? 00:00:25 fakeproc
username 3787 1 0 04:33 ? 00:00:02 fakeproc
username 5916 1 0 05:06 ? 00:00:09 fakeproc
username 10625 1 0 Mar18 ? 00:00:01 fakeproc
username 12127 1 0 Mar18 ? 00:00:00 fakeproc
username 12128 12127 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 53 0 2>&1 3>&1
username 12129 12128 4 Mar18 ? 00:55:38 perl h.txt kill-9.us 53 0
username 12134 1 0 Mar18 ? 00:00:00 fakeproc
username 12135 12134 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 0 0 2>&1 3>&1
username 12138 12135 4 Mar18 ? 00:55:39 perl u.txt kill-9.us 0 0
username 12143 1 0 Mar18 ? 00:00:00 fakeproc
username 12144 12143 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 80 0 2>&1 3>&1
username 12145 12144 4 Mar18 ? 00:55:36 perl u.txt kill-9.us 80 0
username 12150 1 0 Mar18 ? 00:00:00 fakeproc
username 12151 12150 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 6667 0 2>&1 3>&1
username 12152 12151 4 Mar18 ? 00:55:39 perl h.txt kill-9.us 6667 0
username 12159 1 0 Mar18 ? 00:00:00 fakeproc
username 12160 12159 0 Mar18 ? 00:00:00 sh -c perl u.txt kill-9.us 7000 0 2>&1 3>&1
username 12161 12160 4 Mar18 ? 00:55:38 perl u.txt kill-9.us 7000 0

There is even a shell script running (sh) but I’ll come back to it shortly. Now what’s this fakeproc is doing ? I have removed known connection from the result, but seems that there are so many connections using this fakeproc !

[email protected] [~]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 myserver:33619 host.server*id3098.com:http ESTABLISHED 323/fakeproc
tcp 0 0 myserver:41844 baribal.dima.hu:ircu-3 ESTABLISHED 15413/fakeproc
tcp 0 283 myserver:58660 r*nger-f*rums.com:http ESTABLISHED 5916/fakeproc
tcp 0 0 myserver:41720 bariba*.di*a.hu:ircu-3 ESTABLISHED 12127/fakeproc
tcp 0 0 myserver:33543 119.235.255.174:http ESTABLISHED 30138/fakeproc
tcp 0 0 myserver:41776 bariba*.di*a.hu:ircu-3 ESTABLISHED 10625/fakeproc
tcp 0 0 myserver:55179 205.234.134:afs3-fileserver ESTABLISHED 323/fakeproc
tcp 0 0 myserver:42577 205.234.134.222:ircu-3 ESTABLISHED 15273/fakeproc
tcp 0 0 myserver:39287 gvo239240.gvodatacente:http ESTABLISHED 10625/fakeproc
tcp 0 0 myserver:35723 www.fcc.gov:http ESTABLISHED 3787/fakeproc

And no comment on the last line ! Quick look at log files reveal the source of the infection :

[email protected] [~]# tail -f /var/log/cron
Mar 19 12:11:01 new CROND[3385]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)
Mar 19 12:12:01 new CROND[3414]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)
Mar 19 12:13:01 new CROND[3421]: (username) CMD (/home/username/.mails/.httpd/use.upd >/dev/null 2>&1)

Cool ! If you are curious to see what’s inside this malicious file here is a glimpse :

[email protected] [~]# cat /home/username/.mails/.httpd/use.upd
if test -r /home/username/.mails/.httpd/pid.use; then
pid=$(cat /home/username/.mails/.httpd/pid.use)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/username/.mails/.httpd
./hat.run &>/dev/null
[email protected] [~]# cat /home/username/.mails/.httpd/use.run
./xh -s "/usr/local/apache/bin/httpd -DSSL" ./httpd -m use

Now all is good, and I’m able to locate bunch of malicious files :

[email protected] [/home/username/.mails]# ls .httpd/
./ crot* doc/ filesys/ use use.dir use.upd* httpd* logs/ README start* tcl* text/ xh*
../ dalnet.conf efnet.conf fuck* use.d use.run* help/ language/ quakenet.conf scripts/ t3394* terobot.conf tmp/

That’s exactly the malicious perl IRC bot that I was reading about! Anyway, from all accounts on the server only One account have been compromised, which mean that the infection is very limited. I used my fav antivirus (rm -Rf) then rebooted to normal ! I don’t have any default config anymore, passwords should be easy to guess, so don’t loose your time 😉 Best of all, I have nothing really important on my server, especially that I’m keeping backups of all data under my pillow so I can sleep very well !

Now if you see a fakeproc on your server, that mean your server is Hacked ! but nothing really dangerous, keep hunting !

Tagged: , , ,

About the Author

Hatem Ben Yacoub Energy Engineer, Entrepreneur, ICT & eGov Consultant with over 15 years experience. Independent Open Data expert.

(HBY) Consultancy