Sub‐Ticket ID #345: Investigate Possible Security Breach – Service Outage on DB‐A server - GriffinKat/group-a GitHub Wiki

A malicious script located on the Apps server is consuming disk space.

Step 1: Locate the malicious script running on the Apps server

It is located in

/usr/local/bin/tmp


Here we can see the script

stat /usr/local/bin/tmp/sim_disk_attack.sh

stat shows the file's metadata (size, owner, permissions and timestamps), which is worth noting down before anything is deleted; it does not show whether the script is executing

A process listing shows the script running with process ID 557544, so it is active


Step 2: Stop the malicious script running

Run the command

sudo kill -9 557544

The -9 sends SIGKILL, which the process cannot catch or ignore, so it is terminated immediately

557544 is the process ID of the script we want to stop

The script is designed to restart automatically

As shown by running

pgrep -a -f sim_disk_attack.sh

The script now has a new process ID even after its old one was killed, so something on the system is respawning it

This command reveals that it is being run as a systemd service, by finding the unit file that references it

sudo grep -r sim_disk_attack /etc/systemd/system/

Stop the service using the command

sudo systemctl stop simdiskattack.service


Disable the service using the command

sudo systemctl disable simdiskattack.service


Step 3: Removing the service file

Run these commands to remove the unit file, make systemd forget it, and mask the unit name so it cannot be started again

sudo rm /etc/systemd/system/simdiskattack.service

sudo systemctl daemon-reload

sudo systemctl mask simdiskattack.service

The order matters: systemctl refuses to mask a unit whose file still exists in /etc/systemd/system, so the rm has to come first. Masking replaces the unit name with a symlink to /dev/null, so the service cannot be started or enabled under that name again.

Step 4: Deleting the Scripts

Run these commands to delete both copies of the script

sudo rm -f /usr/local/bin/sim_disk_attack.sh

sudo rm -f /usr/local/bin/tmp/sim_disk_attack.sh

This command removes the directory the script was in (rmdir only succeeds once the directory is empty, which confirms nothing else was left in it)

sudo rmdir /usr/local/bin/tmp

Step 5: Removing Diskbom

The diskbom directory also needs to be removed, as it holds the files the script wrote to fill the disk

This command will delete it

sudo rm -rf /var/tmp/diskbom/

The Disk Space Check is now displayed as 'OK' in Nagios
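The five steps above, collected into one checked script. This is an added example, not the wiki's own procedure or anything from the lab: it keeps the write-up's paths and unit name, copies the script and the unit file (with SHA-256 sums) into a case directory before anything is deleted, and widens the persistence hunt from one grep of /etc/systemd/system to the other unit directories, cron and rc.local. CASE_DIR=/root/case-345 is an assumption, the demo function builds a constructed throwaway tree rather than touching the host, and teardown runs only with --apply, as root.

```shell
#!/bin/sh
# Added example, not code from the GriffinKat/group-a wiki: Steps 1-5 as one
# checked procedure. find_persistence and preserve take a ROOT prefix so they
# can run against a constructed tree (demo); teardown needs root on the
# systemd host and only runs with --apply. CASE_DIR is an assumed location.
set -eu

SCRIPT_NAME=sim_disk_attack.sh
UNIT=simdiskattack.service
CASE_DIR=/root/case-345

# List files in the common persistence locations that mention the script.
# Wider than the write-up's single grep of /etc/systemd/system: it also
# covers the other unit directories, cron and rc.local.
find_persistence() {
  local root="${1:-}" d
  for d in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system \
           /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron \
           /etc/rc.local; do
    [ -e "$root$d" ] || continue
    grep -rlF "$SCRIPT_NAME" "$root$d" 2>/dev/null || true
  done | sort -u
}

# Copy one file (path relative to ROOT) into CASE_DIR under its original
# path and append its SHA-256, so the evidence survives the deletions below.
preserve() {
  local root="$1" case_dir="$2" f="$3"
  [ -f "$root$f" ] || return 1
  mkdir -p "$case_dir$(dirname "$f")"
  cp -p "$root$f" "$case_dir$f"
  sha256sum "$root$f" >> "$case_dir/SHA256SUMS"
}

# Steps 2-5 from the write-up, in the order that works: mask comes after rm
# because systemctl refuses to mask a unit whose file still exists in
# /etc/systemd/system. Ends by confirming nothing respawned.
teardown() {
  systemctl stop "$UNIT"
  systemctl disable "$UNIT"
  rm -f "/etc/systemd/system/$UNIT"
  systemctl daemon-reload
  systemctl mask "$UNIT"
  rm -f "/usr/local/bin/$SCRIPT_NAME" "/usr/local/bin/tmp/$SCRIPT_NAME"
  rmdir /usr/local/bin/tmp 2>/dev/null || true
  rm -rf /var/tmp/diskbom
  ! pgrep -f "$SCRIPT_NAME" >/dev/null
}

# Constructed fixture (not data from the incident): a throwaway tree with the
# write-up's layout plus a cron.d entry, to exercise the hunt and preserve
# steps. Prints what find_persistence found, relative to the fake root.
demo() {
  local root case_dir p n found=0
  root=$(mktemp -d); case_dir=$(mktemp -d)
  mkdir -p "$root/etc/systemd/system" "$root/usr/local/bin/tmp" "$root/etc/cron.d"
  printf '#!/bin/sh\n# placeholder body\n' > "$root/usr/local/bin/tmp/$SCRIPT_NAME"
  printf '[Service]\nExecStart=/usr/local/bin/tmp/%s\nRestart=always\n' \
    "$SCRIPT_NAME" > "$root/etc/systemd/system/$UNIT"
  printf '@reboot root /usr/local/bin/%s\n' "$SCRIPT_NAME" > "$root/etc/cron.d/simdisk"
  for p in $(find_persistence "$root"); do
    preserve "$root" "$case_dir" "${p#"$root"}"
    echo "${p#"$root"}"
    found=$((found + 1))
  done
  preserve "$root" "$case_dir" "/usr/local/bin/tmp/$SCRIPT_NAME"
  n=$(wc -l < "$case_dir/SHA256SUMS" | tr -d ' ')
  rm -rf "$root" "$case_dir"
  [ "$found" -eq 2 ] && [ "$n" -eq 3 ]
}

if [ "${1:-}" = "--apply" ]; then
  for p in $(find_persistence) "/usr/local/bin/$SCRIPT_NAME" "/usr/local/bin/tmp/$SCRIPT_NAME"; do
    preserve "" "$CASE_DIR" "$p" || true
  done
  teardown
else
  demo
fi
```

Run without arguments it only exercises demo on the constructed tree and prints the two persistence files it finds; `sudo sh remediate.sh --apply` preserves the evidence and performs the real teardown. The hunt matches the script by name only, so a copy the attacker renamed, a user-level unit under ~/.config/systemd, or a mechanism not on the list (a timer, for instance, visible with `systemctl list-timers`) still needs a separate look.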

OwnCloud redirection from login

The ownCloud configuration has been altered so that users are sent to the default Apache2 page instead of the ownCloud login, and Nagios is showing a critical error for the service

Troubleshooting

The owncloud.conf file appears to have been altered

sudo nano /etc/apache2/sites-available/owncloud.conf

The port number of the VirtualHost has been changed to 443; it should be 80. With no ownCloud VirtualHost listening on port 80, requests on that port are answered by the default Apache2 site, which is the page users were seeing.

After this has been remedied, restart the service

sudo systemctl restart apache2.service

This has not fixed the issue

Looking at the logs shows there are permission issues with the ownCloud config file

An attempt to change the permissions of this file was not successful

The file has the immutable attribute set, which blocks changes to its contents, permissions and ownership even for root until the attribute is lifted with the command (it needs root)

sudo chattr -i /var/www/owncloud/config/config.php

The file permissions can now be changed and Apache restarted

OwnCloud is now accessible


Nagios is showing the service status as 'OK'

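Added here as an example (not from the wiki, and not ownCloud's or Apache's own tooling): a short sh script that checks the two tampering signs found in this section, the VirtualHost port in owncloud.conf and the immutable flag on config.php, and applies the fix only after apachectl configtest passes. The paths and the expected port 80 are the write-up's; www-data ownership and mode 0640 for config.php are assumptions about this Debian/Ubuntu host. The demo function runs the port check against a constructed copy of the vhost, not the real server file.

```shell
#!/bin/sh
# Added example, not from the wiki page: check and fix the two changes found
# in the ownCloud section. Assumptions (not stated on the page): Debian-style
# Apache running as www-data, config.php mode 0640. Only --fix touches the host.
set -eu

VHOST_CONF=/etc/apache2/sites-available/owncloud.conf
OC_CONFIG=/var/www/owncloud/config/config.php
EXPECTED_PORT=80   # the write-up's expected port for the ownCloud vhost

# Print the port from every "<VirtualHost addr:port>" line in a conf file.
vhost_ports() {
  sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*[^:>]*:\([0-9]*\)>.*/\1/p' "$1"
}

# Succeed only if the file has at least one VirtualHost and all of them use
# EXPECTED_PORT; otherwise report the offending port(s) and fail.
check_vhost_port() {
  local conf="$1" ports p bad=0
  ports=$(vhost_ports "$conf")
  [ -n "$ports" ] || { echo "$conf: no VirtualHost found"; return 1; }
  for p in $ports; do
    if [ "$p" != "$EXPECTED_PORT" ]; then
      echo "$conf: VirtualHost on :$p, expected :$EXPECTED_PORT"
      bad=1
    fi
  done
  return "$bad"
}

# Read lsattr output on stdin and print the paths whose attribute column
# contains the immutable flag 'i', e.g.
#   ----i---------e------- /var/www/owncloud/config/config.php
immutable_paths() {
  awk 'index($1, "i") > 0 { print substr($0, length($1) + 2) }'
}

# Remediation from the write-up, gated on the checks a restart should pass.
fix_owncloud() {
  check_vhost_port "$VHOST_CONF" || {
    echo "fix the VirtualHost port in $VHOST_CONF first"; return 1; }
  if lsattr "$OC_CONFIG" | immutable_paths | grep -q .; then
    chattr -i "$OC_CONFIG"          # lift the immutable flag (needs root)
  fi
  chown www-data:www-data "$OC_CONFIG"
  chmod 0640 "$OC_CONFIG"
  apachectl configtest              # refuse to restart on a broken config
  systemctl restart apache2.service
}

# Constructed fixture (not the server's real file): a vhost moved to 443 as
# described above, so the port check can be exercised offline.
demo_vhost() {
  local f
  f=$(mktemp)
  printf '<VirtualHost *:443>\n    ServerName owncloud.example\n    DocumentRoot /var/www/owncloud\n</VirtualHost>\n' > "$f"
  vhost_ports "$f"
  rm -f "$f"
}

if [ "${1:-}" = "--fix" ]; then
  fix_owncloud
else
  demo_vhost
fi
```

Run without arguments it prints 443 for the constructed vhost; `sudo sh owncloud-check.sh --fix` refuses to proceed until the port has been corrected by hand, then lifts the immutable flag only if lsattr reports it, restores ownership and mode, and restarts Apache only after configtest succeeds. Checking lsattr before chattr also tells you whether the attribute was the cause, which a bare chattr -i would not.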

Ticket Reference

https://rt.dataraster.com/Ticket/Display.html?id=345&results=d3285ed05718aaa80f48585d83af00eb