Hunting XOR DDoS and other Malware with RKHunter on CentOS 7

Hello penguins, in this article we are going to learn how to hunt rootkits with Rootkit Hunter (rkhunter). Among other threats, you will be able to use it to find signs of some variants of the XOR.DDoS malware, which is currently being used to build botnets out of Linux systems for massive distributed denial of service attacks.

Table of Contents

Install
  Download
  Patch (optional)
  Install
Configure
  Tests
  Logs
  Whitelists
  Misc
Run
  Flags
  Cron scheduling



Install

Download rkhunter; you can use cURL to do this.

curl http://nbtelecom.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz -o rkhunter-1.4.2.tar.gz

Then extract the contents of the package.

tar zxvf rkhunter-1.4.2.tar.gz

Enter the tarball directory.

cd rkhunter-1.4.2

Patch (Optional)

This optional step patches the rkhunter script and its database to look for the XOR DDoS Linux malware. The patch is based on the port and file names found in the reports published by Akamai, Avast and Malware Must Die.

Enter the files directory under the rkhunter directory.

cd files

Install the patch utility with yum.

yum install patch

Now download the patch.

curl http://sourceforge.net/p/rkhunter/patches/44/attachment/rkhunter.patch -o rkhunter.patch

Alternatively, you can copy and paste the contents of the rkhunter.patch file from here.

--- rkhunter 2014-03-12 17:54:55.000000000 -0300 +++ rkhunter.new 2015-10-02 17:01:25.040000000 -0300 @@ -7797,6 +7797,19 @@ # + # XOR.DDoS + XORDDOS_FILES="/lib/udev/udev + /lib/udev/debug + /etc/cron.hourly/cron.sh + /etc/cron.hourly/udev.sh + /lib/libgcc4.so + /var/run/udev.pid + /var/run/sftp.pid" + XORDDOS_DIRS= + XORDDOS_KSYMS= + + + # 55808 Variant A W55808A_FILES="/tmp/.../r /tmp/.../a" @@ -11907,6 +11920,13 @@ return fi + # XOR.DDoS Rootkit + SCAN_ROOTKIT="XOR.DDoS - Rootkit" + SCAN_FILES=${XORDDOS_FILES} + SCAN_DIRS=${XORDDOS_DIRS} + SCAN_KSYMS=${XORDDOS_KSYMS} + scanrootkit + # 55808 Trojan - Variant A --- backdoorports.dat 2010-11-13 20:41:19.000000000 -0300 +++ backdoorports.dat.new 2015-10-02 17:10:24.086000000 -0300 @@ -12,6 +12,7 @@ 2001:Scalper:UDP: 2006:CB Rootkit or w00tkit Rootkit SSH server:TCP: 2128:MRK:TCP: +3502:Possible XOR.DDoS Botnet Malware:TCP: 6666:Possible rogue IRC bot:TCP: 6667:Possible rogue IRC bot:TCP: 6668:Possible rogue IRC bot:TCP:
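Review bot: the new XORDDOS block in the first rkhunter hunk ends with two empty "+" lines before the "# 55808 Variant A" comment, while the neighbouring rootkit definitions are separated by a single blank line; drop one of them. It would also help to add a comment above XORDDOS_FILES naming the reports (Akamai, Avast, Malware Must Die) the paths were taken from, because XORDDOS_DIRS and XORDDOS_KSYMS are intentionally left empty and a future maintainer needs to know where to look when a variant changes its file names.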
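Review bot: in the second rkhunter hunk the scan block is placed right after the preceding entry's "return / fi", matching the pattern of the other rootkits, but with SCAN_FILES=${XORDDOS_FILES} a match on any single path, including a pid file such as /var/run/udev.pid, is enough to flag "XOR.DDoS - Rootkit". Consider wording the SCAN_ROOTKIT string as "Possible XOR.DDoS", as the backdoorports.dat entry already does, so that operators confirm a hit (for instance by checking which package, if any, owns the flagged file) before treating the host as compromised.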
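Review bot: the backdoorports.dat line "3502:Possible XOR.DDoS Botnet Malware:TCP:" keeps the file's numeric ordering between 2128 and 6666, which is correct. Since this check only looks at the port number, a legitimate service that happens to bind TCP 3502 will trigger it; the "Possible" wording is therefore right, and the remedy in that case is to whitelist the service with PORT_PATH_WHITELIST (path_to_binary:protocol:port_number) rather than to edit the database.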

Apply the patch to the rkhunter script and the backdoorports.dat file with the following command.

patch < rkhunter.patch
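If you want to verify what the patch teaches rkhunter, or check a host before the patched rkhunter is installed, the following is an added example (not rkhunter's code and not part of the patch) that looks for the same indicators: the file paths and TCP port 3502. The root argument and the use of ss are assumptions; the sample ss lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of rkhunter or of the patch: a standalone check for
# the same XOR.DDoS indicators the patch teaches rkhunter (the file paths and
# TCP port 3502). The root argument lets you point the file check at a mounted
# image or a test directory instead of the live system. Assumes `ss` (iproute).

XORDDOS_FILES="/lib/udev/udev /lib/udev/debug /etc/cron.hourly/cron.sh
/etc/cron.hourly/udev.sh /lib/libgcc4.so /var/run/udev.pid /var/run/sftp.pid"
XORDDOS_PORT=3502

# Print every indicator path that exists under $1 (default: /), one per line.
xorddos_files_present() {
    root=${1:-}
    for f in $XORDDOS_FILES; do
        [ -e "$root$f" ] && printf '%s\n' "$root$f"
    done
    return 0
}

# Read `ss -ltn` output on stdin and print local sockets bound to the XOR.DDoS
# port. Column 4 is "Local Address:Port" (e.g. "0.0.0.0:3502"); anchoring the
# pattern with "$" avoids matching ports such as 35020.
xorddos_listeners() {
    awk -v port="$XORDDOS_PORT" '$4 ~ (":" port "$") { print $4 }'
}

# Print all findings; exit status 0 means nothing was found, 1 otherwise.
# A hit on a single path (a pid file, say) is weaker evidence than several,
# so confirm with `rpm -qf` on the flagged file before acting on it.
xorddos_report() {
    root=${1:-}
    found=$( {
        xorddos_files_present "$root" | sed 's/^/XOR.DDoS file indicator: /'
        ss -ltn 2>/dev/null | xorddos_listeners | sed 's/^/XOR.DDoS listener: /'
    } )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Run it as root with no argument for the live system, or pass the mount point of an image to check only its files.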

The patch is done; now go back to the tarball root directory to continue the install.

cd ..

Install files

Run the installer script with the following parameters to install rkhunter under /usr/local.

./installer.sh --install --layout /usr/local

You can also use the --examples flag to show more layout information and examples, or the --show option instead of --install to show what would be installed for your layout.

Install Unhide (recommended)

The unhide and unhide-tcp utilities look for hidden processes and ports. While not mandatory, they are highly recommended, as most sophisticated rootkits hide their presence.

First, we need to install the GNU Compiler Collection.

yum install gcc

Install glibc-static, which is needed to build the static binaries.

yum install glibc-static

Compile unhide-linux.

gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

Compile unhide-tcp.

gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp

Install the files under /usr/local/bin and create a symbolic link named unhide.

cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide && cd -

Configure

In this section I will show some of the options found in the rkhunter.conf file. The options are separated by group and their descriptions are simplified; read the actual description in the file, and if you are unsure just leave an option alone, as the defaults should be enough (most of them are commented out).

You are encouraged to do a first run before making the actual changes to the configuration file; this will give you a better understanding of how rkhunter works and the chance to identify some false positives to be whitelisted in the configuration file.

Just call rkhunter with the -c or --check parameter.

rkhunter -c

In the output of this first run there will be some warnings about files such as egrep or ifup being scripts instead of ELF binaries. These are legitimate system files, and most of the options in the configuration file are about making rkhunter ignore such occurrences.

Tests

The ENABLE_TESTS and DISABLE_TESTS options set which types of tests are to be made: enable all and then disable the undesired ones. It is a good idea to have at least suspscan disabled by default, as it is prone to false positives.

ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan

Secure Shell



It is never a good idea to allow root login over SSH; use su/sudo instead. Otherwise, set this option to yes.

ALLOW_SSH_ROOT_USER=no

Version 1 of the SSH protocol is known to be insecure; set this to 1 only if you need to ignore this protocol check.

ALLOW_SSH_PROT_V1=0

Network ports

Allowed network ports, in the format protocol:port.

PORT_WHITELIST

Set the whitelist for specific programs with the syntax path_to_binary:protocol:port_number.

PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801

Application Version

This option lets you run some outdated applications. This is generally not recommended, and you must be sure that the application is safe before you put it on this list.

APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29

Sniffers

Allow the use of sniffers, that is, software that captures network packets.

Allow the following process to listen on the network, as in the following line.

ALLOWPROCLISTEN=/usr/sbin/snort-plain

This will allow the listed network interface to run in promiscuous mode.

ALLOWPROMISCIF=eth0

Files

You will need to create some exceptions to the tests made by rkhunter; the following options let you bypass tests for specific objects, such as files and directories.

Allow some hidden directories.

ALLOWHIDDENDIR=/etc/.java

Allow some hidden files.

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz

This whitelist will allow some files to be scripts instead of an ELF binary.

SCRIPTWHITELIST=/usr/sbin/ifdown
SCRIPTWHITELIST=/usr/sbin/ifup
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd

Allow a file to be world writable.

WRITEWHITELIST=/usr/bin/date

Allow a file to have its attributes changed.

ATTRWHITELIST=/usr/bin/date

Allow a process to use deleted files.

ALLOWPROCDELFILE=/sbin/cardmgr

Log Options

This defines which file to log to.

LOGFILE=/var/log/rkhunter.log

Set this to 1 if you want to keep logging to the same file every time rkhunter runs; the default is 0, which appends '.old' to the existing log file and creates a new one.

APPEND_LOG=0

If you want to keep the log file when something goes wrong, set the following option to 1.

COPY_LOG_ON_ERROR=0

Uncomment and set the log facility if you want to use syslog.

USE_SYSLOG=authpriv.warning

By default, whitelisted items will report OK on tests; if you want to highlight whitelisted items you must set this option to 1.

WHITELISTED_IS_WHITE=0

Operating System options

Set the package manager option to RPM on Red Hat-like systems, which include CentOS.

PKGMGR=RPM

Enable this to report a warning when the operating system changes version/release.

WARN_ON_OS_CHANGE

Should the database be updated when the operating system changes?

UPDT_ON_OS_CHANGE

Where to find the operating system release file; set it to /etc/redhat-release on CentOS.

OS_VERSION_FILE=/etc/redhat-release

Locking

If you are likely to have more than one rkhunter instance running at the same time, enable this option so that lock files are used and database corruption is avoided.

USE_LOCKING=0

If you enable locking, you should also set a timeout to avoid deadlocks.

LOCK_TIMEOUT

Should we warn about locked sessions?

SHOW_LOCK_MSGS

Startup and Superdaemon

Where the inetd config file is.

INETD_CONF_PATH=/etc/inetd.conf

Which services are allowed to run through inetd.

INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd

Xinetd config file.

XINETD_CONF_PATH=/etc/xinetd.conf

Paths of the RC startup files.

STARTUP_PATHS=/etc/rc.d /etc/rc.local

Accounts

The file that contains the shadowed passwords.

PASSWORD_FILE=/etc/shadow

Allow user accounts other than root to have UID 0.

UID0_ACCOUNTS=toor rooty

Allow accounts without a password.

PWDLESS_ACCOUNTS=abc

Syslog

Syslog config file.

SYSLOG_CONFIG_FILE=/etc/syslog.conf

Allow syslog to log remotely.

ALLOW_SYSLOG_REMOTE_LOGGING=0

Reports

Report the number of warnings?

SHOW_SUMMARY_WARNINGS_NUMBER

Show the total time needed to run the tests?

SHOW_SUMMARY_TIME

To receive mail reports when rkhunter finds something, you must set the following options and have a mail application installed.

Who will receive the email.

MAIL-ON-WARNING=your-email@your.domain

The command used to send email.

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
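Once the file is edited, it helps to check it against the recommendations in this section before handing it to rkhunter. The following is an added example (not rkhunter's own code, which has its own --check-config syntax check) that audits the settings discussed above and reports stale whitelist entries; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of rkhunter: audit an rkhunter.conf against the
# settings recommended in this section. Findings are printed one per line, so
# `audit_rkhunter_conf /usr/local/etc/rkhunter.conf | wc -l` gives the count.

# Value of the last uncommented "$2=value" line in file $1, quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# True if the space-separated list $1 contains the word $2 (case-insensitive).
list_has() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qix "$2"
}

audit_rkhunter_conf() {
    conf=$1

    # suspscan is prone to false positives; keep it disabled.
    list_has "$(conf_get "$conf" DISABLE_TESTS)" suspscan ||
        echo "DISABLE_TESTS should include suspscan"
    # Root over SSH: use su/sudo instead of relaxing the check.
    [ "$(conf_get "$conf" ALLOW_SSH_ROOT_USER)" = no ] ||
        echo "ALLOW_SSH_ROOT_USER should be no"
    # SSH protocol 1 is insecure; 0 keeps rkhunter's check active.
    [ "$(conf_get "$conf" ALLOW_SSH_PROT_V1)" = 0 ] ||
        echo "ALLOW_SSH_PROT_V1 should be 0"
    # CentOS specifics.
    [ "$(conf_get "$conf" PKGMGR)" = RPM ] ||
        echo "PKGMGR should be RPM on CentOS"
    [ "$(conf_get "$conf" OS_VERSION_FILE)" = /etc/redhat-release ] ||
        echo "OS_VERSION_FILE should be /etc/redhat-release on CentOS"

    # Whitelist entries for objects that no longer exist are stale and should
    # be pruned rather than silently carried along.
    sed -En 's/^[[:space:]]*(SCRIPTWHITELIST|ALLOWHIDDENFILE|ALLOWHIDDENDIR|WRITEWHITELIST|ATTRWHITELIST)=//p' "$conf" |
    while read -r path; do
        [ -e "$path" ] || echo "whitelisted object does not exist: $path"
    done
    return 0
}
```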

Running rkhunter

OK, at this point you should already have run rkhunter at least once; now take a look at some other flags that can be used with rkhunter.

Check Your Changes

After you are done with the configuration, run rkhunter with the -C or --check-config flag to check for errors in the file.

rkhunter -C

Properties Update

Now, and every time you change the configuration file, make sure to update the file properties database.

rkhunter --propupd

Report warnings only.

rkhunter --rwo

Sometimes you want to run only a specific test; for this, try --list tests to get the names of the available tests and then use the --enable flag followed by the test name.

rkhunter --list tests

The following option will disable the key press prompt.

rkhunter --sk

To run rkhunter from a cron job, use the --cronjob flag. Create the executable file /etc/cron.daily/rkhunter.sh with the following contents to do a daily check.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob -c
) >> /dev/null 2>&1

Conclusion

This should get you started with rkhunter, providing you with one more security layer. However, it will not be enough if you neglect basic security principles, or if you put every warning you meet on a whitelist instead of mitigating the problem. Also keep in mind that rkhunter will help you prevent your machines from becoming members of a Linux botnet, but it will not protect your site from being the target of a DDoS campaign. Thanks for reading!