Posted: May 14th, 2018
A Mayhem infection turns your server into a participant in abusive network activity through a compromised website user account.
The malware targets vulnerable websites (usually content management systems, "CMS", such as WordPress or Joomla), uploads malicious files into the site's content directory and launches a process that performs web attacks (brute-force login attempts) against other websites (the victims).
How to detect the infection?
1) Identify the malicious running process:
The malicious process creates many sessions to different victim websites (usually on port 80). List the active sessions and identify the process responsible for massive outgoing traffic to remote IPs on port 80.
Example:
lsof -Pni | grep ":80 " | grep -v "LISTEN"
host 25531 baduser 30u IPv4 327155191 0t0 TCP serverip:59927->victimip:80 (ESTABLISHED)
host 25531 baduser 54u IPv4 327155485 0t0 TCP serverip:39584->victimip:80 (ESTABLISHED)
host 25531 baduser 57u IPv4 327156257 0t0 TCP serverip:53746->victimip:80 (ESTABLISHED)
host 25531 baduser 70u IPv4 327156393 0t0 TCP serverip:40465->victimip:80 (ESTABLISHED)
host 25531 baduser 80u IPv4 327156062 0t0 TCP serverip:37758->victimip:80 (ESTABLISHED)
[...]
2) Identify the path to the infected website:
Example:
lsof -p 25531 | egrep "cwd|DEL"
host 25531 baduser cwd DIR 9,2 0 95945663 /home/baduser/public_html/wp-content/uploads/dir (deleted)
host 25531 baduser DEL REG 9,2 95946182 /home/baduser/public_html/wp-content/uploads/dir/rss-aggr.so
host 25531 baduser DEL REG 9,2 95946184 /home/baduser/public_html/wp-content/uploads/dir/.sd0
host 25531 baduser DEL REG 9,2 95946183 /home/baduser/public_html/wp-content/uploads/dir/bruteforce.so
In this example, the malicious process is PID 25531 and the compromised user is "baduser". The infected website folder usually contains one or several of the following files:
> .sd0
> bruteforceng.so
> rss-aggr.so
> bruteforce.so
> 1.sh
> a PHP script for the malware installer
> a WSO PHP webshell (PHP backdoor)
As the file names change from one infection to another, we recommend searching for all recently created or modified files in the website folder and inspecting them for suspicious content.
IMPORTANT: Antivirus software may or may not detect malicious files.
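The two lsof checks above (step 1: count established sessions to remote port 80 per process; step 2: list the deleted files a process still holds open) can be scripted. The helper below is an added example, not code from the original post; it assumes lsof is run with -Pni so the remote port appears numerically as ":80", and the sample lines and the 20-session threshold are constructed values, not data from a real infection.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Assumptions: lsof -Pni
# output on stdin, and an arbitrary constructed threshold of 20 sessions.

# flag_noisy_pids [threshold]   (reads `lsof -Pni` output on stdin)
# Prints "PID USER COUNT" for each process holding at least THRESHOLD
# ESTABLISHED TCP sessions whose remote endpoint is port 80, busiest first.
flag_noisy_pids() {
    awk -v t="${1:-20}" '
        $NF == "(ESTABLISHED)" && $(NF-1) ~ /->.*:80$/ { n[$2 " " $3]++ }
        END { for (k in n) if (n[k] >= t) print k, n[k] }' | sort -k3,3nr
}

# deleted_open_files   (reads `lsof -p PID` output on stdin)
# Prints paths the process still holds open after they were unlinked:
# DEL entries and a cwd marked "(deleted)", the pattern the post's second
# lsof listing shows for the dropped .so modules.
deleted_open_files() {
    awk '$4 == "DEL" { print $NF; next }
         $4 == "cwd" && $NF == "(deleted)" { print $(NF-1) }'
}

# Constructed sample output (documentation IPs) in the post's lsof layout.
SAMPLE_NET='host 25531 baduser 30u IPv4 327155191 0t0 TCP 192.0.2.10:59927->198.51.100.7:80 (ESTABLISHED)
host 25531 baduser 54u IPv4 327155485 0t0 TCP 192.0.2.10:39584->198.51.100.8:80 (ESTABLISHED)
host 25531 baduser 57u IPv4 327156257 0t0 TCP 192.0.2.10:53746->198.51.100.9:80 (ESTABLISHED)
httpd 1200 nobody 4u IPv4 3100 0t0 TCP *:80 (LISTEN)
sshd 1420 root 3u IPv4 4100 0t0 TCP 192.0.2.10:22->203.0.113.5:51000 (ESTABLISHED)'
SAMPLE_PROC='host 25531 baduser cwd DIR 9,2 0 95945663 /home/baduser/public_html/wp-content/uploads/dir (deleted)
host 25531 baduser DEL REG 9,2 95946182 /home/baduser/public_html/wp-content/uploads/dir/rss-aggr.so
host 25531 baduser DEL REG 9,2 95946183 /home/baduser/public_html/wp-content/uploads/dir/bruteforce.so
host 25531 baduser txt REG 9,2 1234 95946100 /home/baduser/public_html/wp-content/uploads/dir/host'

# Live use:  lsof -Pni | flag_noisy_pids 20 ;  lsof -p "$PID" | deleted_open_files
# On the sample data the first call reports only PID 25531 (3 sessions).
printf '%s\n' "$SAMPLE_NET" | flag_noisy_pids 3
printf '%s\n' "$SAMPLE_PROC" | deleted_open_files
```

The LISTEN socket and the inbound SSH session are ignored by design: only established sessions whose remote side is port 80 are counted, which is what distinguishes an outbound brute-forcer from the web server's own traffic.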
How to stop the infection?
1) Kill the malicious process.
2) Remove (delete) the malicious files (manually remove the identified files and run an additional maldet scan).
3) Inspect and clean the compromised user's crontab (it sometimes contains an auto-restart cron job).
4) Secure your website (update the installation, fix owner/permission misconfigurations, etc.).
5) As a preventive measure, keep your CMS up to date.
We strongly recommend that you monitor your processes regularly and suspend the infected user account to stop the outgoing attacks until a full investigation has been performed.
Reference:
http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html
https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Mayhem