Guide to Mayhem Infection

Posted:  May 14th, 2018

 

A Mayhem infection turns your server into a participant in abusive network activity, using a compromised website user account (the account that owns the hacked site) as its foothold.

 

The malware targets vulnerable websites (usually Content Management Systems, "CMS", such as WordPress or Joomla), uploads malicious files into the site's directory and launches a process that performs web attacks (brute-force login attempts) against other websites, the victims.

 

How to detect the infection?

 

1) Identifying the malicious running process:

 

The malicious process opens a large number of sessions to different victim websites (mostly on port 80). List the active sessions and identify the process behind a massive amount of outgoing traffic to remote IPs on port 80. In the example below, -P and -n keep ports and addresses numeric, the trailing space in ":80 " restricts the match to the remote side of each connection (inbound requests to your own web server show the local port 80 before the "->" and are not listed), and listening sockets are dropped. Repeat the search for port 443 if the attacks go over HTTPS.

 

Example:

 

lsof -Pni | grep ":80 " | grep -v "LISTEN"

host      25531    baduser   30u  IPv4 327155191      0t0  TCP serverip:59927->victimip:80 (ESTABLISHED)

host      25531    baduser   54u  IPv4 327155485      0t0  TCP serverip:39584->victimip:80 (ESTABLISHED)

host      25531    baduser   57u  IPv4 327156257      0t0  TCP serverip:53746->victimip:80 (ESTABLISHED)

host      25531    baduser   70u  IPv4 327156393      0t0  TCP serverip:40465->victimip:80 (ESTABLISHED)

host      25531    baduser   80u  IPv4 327156062      0t0  TCP serverip:37758->victimip:80 (ESTABLISHED)

[...]

 

2) Identify the path to the infected website:

 

Example:

 

lsof -p 25531 | egrep "cwd|DEL"

host    25531 baduser  cwd    DIR       9,2        0  95945663 /home/baduser/public_html/wp-content/uploads/dir (deleted)

host    25531 baduser  DEL    REG       9,2           95946182 /home/baduser/public_html/wp-content/uploads/dir/rss-aggr.so

host    25531 baduser  DEL    REG       9,2           95946184 /home/baduser/public_html/wp-content/uploads/dir/.sd0

host    25531 baduser  DEL    REG       9,2           95946183 /home/baduser/public_html/wp-content/uploads/dir/bruteforce.so

 

In this example, the malicious process is 25531 and the compromised account is "baduser". The cwd line shows the directory the process was started from, and the DEL rows are files that are still mapped in memory but have been deleted from disk: the malware unlinks its own shared objects once they are loaded, so the upload directory can look clean while the process keeps running. On kernels that provide /proc/<pid>/map_files/ (3.3 and later), root can copy such mappings out of /proc/25531/map_files/ before the process is killed if samples are needed for analysis. The infected website folder usually contains one or several of the following files:

 

    > .sd0

    > bruteforceng.so

    > rss-aggr.so

    > bruteforce.so

    > 1.sh

    > a PHP script acting as the malware installer

    > a WSO webshell (PHP backdoor)

 

As the file names change from one infection to another, we recommend searching for all recently created or modified files in the website folder and reviewing any suspicious content.
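The two detection steps above, scripted as an added example (this is not code from the original post): rank_outbound_web() reads `lsof -Pni` output and counts, per PID and account, the ESTABLISHED sessions whose remote end is port 80 or 443, and recent_files() lists what changed under a web root in the last N days. The function names, the threshold, the sample lsof output and every hostname and IP in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. rank_outbound_web() reads
# `lsof -Pni` output on stdin and counts, per PID and user, the ESTABLISHED
# TCP sessions whose *remote* end is port 80 or 443, so inbound hits on your
# own web server are never counted and HTTPS brute force is caught as well.
# recent_files() lists files under a web root changed in the last N days.
# Function names, threshold, sample data and all addresses are assumptions.

# Constructed sample of `lsof -Pni` output (not a real capture). Columns:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME splits into
# "local->remote" and the connection state.
SAMPLE_LSOF='COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1201   apache   4u   IPv4 100001  0t0      TCP  *:80 (LISTEN)
httpd    1201   apache   9u   IPv4 100002  0t0      TCP  10.0.0.5:80->198.51.100.7:51234 (ESTABLISHED)
sshd      900   root     3u   IPv4 100010  0t0      TCP  10.0.0.5:22->192.0.2.9:40000 (ESTABLISHED)
host    25531   baduser 30u   IPv4 327155191 0t0    TCP  10.0.0.5:59927->203.0.113.10:80 (ESTABLISHED)
host    25531   baduser 54u   IPv4 327155485 0t0    TCP  10.0.0.5:39584->203.0.113.11:80 (ESTABLISHED)
host    25531   baduser 57u   IPv4 327156257 0t0    TCP  10.0.0.5:53746->203.0.113.12:80 (ESTABLISHED)
host    25531   baduser 70u   IPv4 327156393 0t0    TCP  10.0.0.5:40465->203.0.113.13:443 (ESTABLISHED)
host    25531   baduser 80u   IPv4 327156062 0t0    TCP  10.0.0.5:37758->203.0.113.14:80 (SYN_SENT)
wget    26000   baduser  3u   IPv4 327157000 0t0    TCP  10.0.0.5:41000->203.0.113.20:80 (ESTABLISHED)'

# rank_outbound_web MIN   (lsof output on stdin)
# Prints "count pid user" for each process with at least MIN established
# outbound HTTP/HTTPS sessions, highest count first.
rank_outbound_web() {
  min="${1:-10}"
  awk -v min="$min" '
    # $8 is the NODE column (TCP/UDP), $9 "local->remote", $10 the state.
    $8 == "TCP" && $9 ~ /->[^ ]+:(80|443)$/ && $10 == "(ESTABLISHED)" {
      count[$2 " " $3]++
    }
    END {
      for (k in count) if (count[k] >= min) print count[k], k
    }' | sort -rn
}

# recent_files DIR DAYS
# Lists regular files under DIR modified within the last DAYS days. Run it on
# the compromised account's document root; the dropped .so/.sh/PHP files sit
# in a web-writable directory such as wp-content/uploads.
recent_files() {
  find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Usage on a live server (placeholders):
#   lsof -Pni | rank_outbound_web 10
#   recent_files /home/baduser/public_html 7
```

Once rank_outbound_web points at a PID, continue with the `lsof -p <pid>` command from step 2 to find the directory the process was launched from, then feed that directory to recent_files.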

 

IMPORTANT: Antivirus software may or may not detect these files, so a clean scan is not proof that the site is clean.

 

How to stop the infection?

 

1) Kill the malicious process.

 

2) Remove (delete) the malicious files: manually remove the identified files, then run an additional maldet (Linux Malware Detect) scan over the document root to catch anything you missed.

 

3) Inspect and clean the compromised user's crontab (it sometimes contains an auto-restart cron job that would bring the process back after you kill it).

 

4) Secure your website (update the installation, fix the owner/permissions misconfigurations etc.).

 

5) As a preventive measure, keep your CMS, its plugins and its themes up to date.

 

We strongly recommend that you monitor your processes regularly and suspend the infected user account, to stop the outgoing attacks, until a full investigation has been performed.
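A check for the auto-restart job mentioned in step 3, as an added example (not code from the original post): flag_cron_lines() reads `crontab -l` output and prints the entries that look like a Mayhem restart job, so that legitimate jobs are not swept away with the malicious ones. The function name, the account name, the writable directory and the sample crontab are assumptions constructed for illustration; the containment commands in the trailing comment are the steps above written out against the same placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. flag_cron_lines() reads the
# compromised account's crontab on stdin and prints the jobs that match how a
# Mayhem restart entry typically looks. Account name, directory, sample
# crontab and the function name itself are constructed for illustration.

# Constructed sample of `crontab -l -u baduser` output (not a real capture).
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/php /home/baduser/public_html/wp-cron.php >/dev/null 2>&1
* * * * * cd /home/baduser/public_html/wp-content/uploads/dir && ./1.sh >/dev/null 2>&1
*/5 * * * * /tmp/.sd0 -h /home/baduser/public_html/wp-content/uploads/dir
30 2 * * 0 /usr/bin/certbot renew --quiet'

# flag_cron_lines WRITABLE_DIR   (crontab text on stdin)
# Prints each job that runs something from WRITABLE_DIR (the web-writable
# upload directory the malware lives in), from /tmp, /var/tmp or /dev/shm,
# a hidden file such as .sd0, or that fires every minute. Comments, blank
# lines and variable assignments are skipped, so legitimate jobs such as
# wp-cron.php or certbot pass through untouched.
flag_cron_lines() {
  awk -v dir="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      cmd = $0
      # Strip the five schedule fields so the tests below see only the command.
      for (i = 1; i <= 5; i++) sub(/^[^ \t]+[ \t]+/, "", cmd)
      every_minute = ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
      tmp_exec     = (cmd ~ /(^|[ \t])\/(tmp|var\/tmp|dev\/shm)\//)
      dir_exec     = (index(cmd, dir) > 0)
      dotfile_exec = (cmd ~ /\/\.[A-Za-z0-9]/)
      if (every_minute || tmp_exec || dir_exec || dotfile_exec) print
    }'
}

# Containment on a live server once detection has given you the PID, the
# account and the directory (placeholders; adjust to your own findings):
#   PID=25531; ACCT=baduser; DIR=/home/baduser/public_html/wp-content/uploads
#   kill -9 "$PID"
#   crontab -l -u "$ACCT" | flag_cron_lines "$DIR"    # review, then crontab -e -u "$ACCT"
#   rm -rf "$DIR/dir"                                  # after copying samples for analysis
#   maldet -a /home/"$ACCT"/public_html                # Linux Malware Detect scan of the site
#   usermod -L "$ACCT"                                 # suspend the account pending investigation
```

Review the flagged lines by hand before editing the crontab: the heuristics are deliberately broad (any every-minute job is reported), and removing a legitimate entry is a cheaper mistake than leaving the restart job in place.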

 

Reference:

 

http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html

https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Mayhem