Backdoor.Linux.Bew.a and a Bitcoin Client


Here is a little post about an infection found on servers that I have been administering recently.
It all starts with an email alert from a freshly set up Munin. Munin is an RRDtool-based grapher that sends alerts when thresholds are exceeded; in this case it was the CPU.
Which is super convenient.

The graphs:

So I take a quick look at the server, run top, and there is the drama: a bfgminer process, which from the name looks like a Bitcoin client.

I look at the process list and there I see a .bbb, which is not a good sign.
On Linux, files whose names start with a dot are hidden (ls does not show them without -a).
It is running as root.


So I run the command

find / -regextype egrep -regex ".*/\.[a-z0-9_.-]+$" -exec file {} \; | grep executable

to list the hidden files that are likely to be executables (the dot is escaped in the regex so that it only matches names starting with a dot, and the semicolon is escaped so that the shell passes it through to find).
Bingo, there is quite a crowd:

/usr/local/psa/tmp/…/.tar: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
/usr/local/psa/tmp/…/.bbb: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
/usr/local/psa/tmp/…/.ew3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
/usr/local/psa/tmp/…/.true: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped
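The same hunt, as an added example that is not code from the original post: it checks the ELF magic bytes itself instead of relying on file(1), and uses -name '.*' so that hidden names containing uppercase letters (which the post's regex would miss) are caught too. The scan root argument and the sample tree in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: hunt for hidden ELF
# executables the way the find/file pipeline above does, but checking the
# ELF magic (bytes 7f 45 4c 46) ourselves so it does not depend on file(1),
# and using -name '.*' so hidden names with uppercase letters are not missed.
# Assumption: the tree to scan is given as $1 (defaults to /).

# Succeed (exit 0) if the file starts with the ELF magic number.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Print every regular file under $1 whose name starts with a dot and
# which is an ELF binary, one path per line.
find_hidden_elf() {
    root=${1:-/}
    find "$root" -type f -name '.*' 2>/dev/null |
    while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage on a live box (as root, so every directory can be read):
#   find_hidden_elf /
```

Statically linked droppers like the ones listed above keep their ELF header whatever the file is named, so the magic check survives renaming; a file name containing a newline would break the read loop, which is acceptable for a triage script but worth knowing.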

After pulling the files off the server and scanning them on VirusTotal, we find a certain Backdoor.Linux.Bew.a, whose detections are already quite old:

Some files date from June 2013.

There is also a crond process that was started by Apache.


The Bitcoin process is defunct (a zombie), so it cannot be killed directly: it has already exited, and only its process table entry remains until the parent reaps it.
You have to kill the parent process (here httpd).


Note that ps does not tell the whole story: it shows the names the processes give themselves, so an attacker can reuse the names of already existing processes. pstree, which shows who started whom, makes this visible.
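Both observations above (the zombie that can only be killed through its parent, and the fake daemon that only pstree gives away) in one added example, not from the original post. It works on a ps snapshot with the columns pid, ppid, stat and comm; the snapshot below is constructed to mirror the post, and the list of daemons expected to be children of init is an assumption to adapt to your distribution.

```shell
#!/bin/sh
# Added example, not from the original post: given a ps(1) snapshot with the
# columns pid, ppid, stat, comm (as printed by `ps -eo pid,ppid,stat,comm`),
# map each zombie to the parent that must be killed, and flag system daemons
# hanging off an unexpected parent (the "crond launched by Apache" pattern
# that pstree reveals). The daemon list and the sample snapshot are
# constructed for this example.

# Constructed snapshot modelled on the post: httpd spawned the miner
# (now a zombie) and a fake crond; the real crond is a child of init.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
 1203     1 Ss   httpd
 1244  1203 S    httpd
 1301  1203 Z    bfgminer
 1305  1203 S    crond
 2001     1 Ss   crond'

# Print "zombie <pid> (<comm>) parent <ppid> (<comm>)" for every process
# whose STAT starts with Z. Killing the zombie itself does nothing; the
# parent is the one to kill (or to make reap its children).
find_zombies() {
    awk 'NR == 1 { next }                  # skip the header line
         { cmd[$1] = $4 }                  # pid -> command, for all processes
         $3 ~ /^Z/ { z[++n] = $1; zp[$1] = $2 }
         END {
             for (i = 1; i <= n; i++) {
                 p = z[i]
                 printf "zombie %s (%s) parent %s (%s)\n", p, cmd[p], zp[p], cmd[zp[p]]
             }
         }'
}

# Print daemons from the list that are not children of init (pid 1):
# ps shows only the name a process gives itself, so a copy of "crond"
# under httpd looks legitimate until you look at its parent.
# Assumption: on this box these daemons are always started by init.
odd_parents() {
    awk -v daemons="crond sshd syslogd" '
        BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        NR == 1 { next }
        { cmd[$1] = $4; par[$1] = $2; order[++k] = $1 }
        END {
            for (i = 1; i <= k; i++) {
                p = order[i]
                if ((cmd[p] in want) && par[p] != 1)
                    printf "%s pid %s parent %s (%s)\n", cmd[p], p, par[p], cmd[par[p]]
            }
        }'
}

# Against the live system:  ps -eo pid,ppid,stat,comm | find_zombies
printf '%s\n' "$SAMPLE_PS" | find_zombies
printf '%s\n' "$SAMPLE_PS" | odd_parents
```

On a systemd box the parent of a legitimate daemon is still pid 1, so the rule holds; for daemons that are supervised by something else (a container init, a service manager), add that supervisor's name rather than dropping the check.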


A quick egrep -r "base64|eval|deflate|REQUEST" *.php turns up some PHP backdoors on the sites.

It appears that the malware was dropped through a Parallels Plesk Panel vulnerability (the files sit under /usr/local/psa, Plesk's directory).
Note that the servers (fifteen of them) had no firewall, which does not help either.

Once you know what to look for it is fairly conspicuous, especially when you follow the parent/child links between the processes; the find command helps a lot.
This shows the importance of having at least a minimum of monitoring tools, which can warn of a Bitcoin client as soon as it gets a bit too greedy.


A small edit with a variant: cpio: open errors when using yum.

This is because certain directories can no longer be written to, in particular /usr/bin and /sbin.
The attackers had set the s (secure deletion), i (immutable) and a (append only) file attributes on them.

The lsattr command lists these attributes and chattr modifies them; all three have to be removed in one go, for example chattr -R -i -a -s /usr/bin /sbin, run as root.
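To find out which files carry those attributes before running chattr on whole trees, here is an added example (not from the original post) that reads lsattr output and reports every entry with i, a or s set, then prints the matching chattr commands for review. The lsattr sample it runs on is constructed; on a real box feed it lsattr -R /usr/bin /sbin instead.

```shell
#!/bin/sh
# Added example, not from the original post: read lsattr(1) output and report
# the entries carrying the i (immutable), a (append only) or s (secure
# deletion) flags that blocked yum here. The flag string is the first field
# and is tested character by character, so the column width used by different
# e2fsprogs versions does not matter. The sample output below is constructed.

# Constructed `lsattr -R` output: a directory header, a clean file, an
# immutable binary, an append-only file, a file with both s and i, and an
# error line for a path lsattr could not read.
SAMPLE_LSATTR='/usr/bin:
--------------e---- /usr/bin/ls
----i---------e---- /usr/bin/yum
-----a--------e---- /usr/bin/append-only
s---i---------e---- /sbin/init
lsattr: Operation not supported While reading flags on /usr/bin/odd'

# Print "<flags found> <path>" for every entry with i, a or s set.
# Lowercase only: A (no atime) and S (synchronous) are different flags.
locked_files() {
    awk '$1 ~ /^[A-Za-z-]+$/ && NF >= 2 {
            hit = ""
            if (index($1, "i")) hit = hit "i"
            if (index($1, "a")) hit = hit "a"
            if (index($1, "s")) hit = hit "s"
            if (hit != "") {
                path = $0
                sub(/^[^ ]+ +/, "", path)      # keep everything after the flag field
                printf "%s %s\n", hit, path
            }
        }'
}

# Turn that report into the chattr commands to run as root, one per file,
# clearing all three flags at once as the post recommends. Printed, not
# executed: review the list first, since a legitimate append-only log or
# an immutable file you set yourself would show up too.
unlock_commands() {
    locked_files | awk '{ sub(/^[^ ]+ /, ""); printf "chattr -i -a -s \"%s\"\n", $0 }'
}

# Live usage:  lsattr -R /usr/bin /sbin 2>/dev/null | unlock_commands
# Check the directories themselves too:  lsattr -d /usr/bin /sbin
printf '%s\n' "$SAMPLE_LSATTR" | unlock_commands
```

The yum symptom comes from the directory flags as much as from the files, which is why the directories are listed with lsattr -d as well; clearing the flags needs CAP_LINUX_IMMUTABLE, i.e. root.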

