World is currently struggling to get out of the chaos created due to a virus infecting human bodies and for a long time similar chaos exists in the virtually connected world of the Internet. These chaos are created in the connected system of internet through malware, viruses, ransomware, etc. which are programmed to infect the computers to retrieve critical information for devilish needs.
Recently, I faced similar chaos where one of my WordPress websites faced attack by botnets. Yes, you got it correct botnets were behind the attack, I know many of you might have heard of it in your cyber security lessons but never would have faced it practically.
“Internet is a jungle filled with predators, one weak move can make you prey”
Why you should read this blog?
In this blog, I will be sharing my experience that how I got rid of this attack and how these botnets infects WordPress and many such websites panels through a malware (mwebp_64 & jmagik_64) and then uses the infected system to intrude into other systems.
Decoding the attack
So let the thrill begin, I will be explaining how the attack pattern looks like what are the steps you can take to know whether this malware has infected your website manager. Since my project used WordPress hence I will be explaining it in reference to it.
Steps to detect the attack
- Check the resource of your system like network in/out and cpu usage which abnormally goes high if your system is infected, now a days this can be easily analysed in cloud providers console.
- If resource usage is abnormally high, SSH into the system and run sudo netstat -peanut in order to check the foreign address for higher network out. If you see random IP’s getting hit on their port 80/443 that means your infected system has started intrusion attack on other such system.
- Run the command ps -ef | grep stealth, if you see any process id associated with this stealth process take a note of it. Lets assume process id to be 7333.
- Lastly go to /proc/7333/ and perform sudo ls -la exe to backtrack what is the binary running this process. If you see something like mwebp or jmagik as the binary name, then bingo your server is under attack.
How did malware infect the system?
In March 2020, high download of theme alternate-lite took place on various WordPress websites, reason for this was basically attackers installed these themes on WordPress website whose admin panel password were brute-forced successfully by them.
What went wrong in alternate-lite?
- In every theme which you choose has customiser.php in it with the help of which you can perform customisations in theme. These themes can be founded inside wp-content directory
- The attackers managed to get rid of this theme and replaced the code of customiser.php with the code which helps in downloading the binaries. This replaced code is a script which downloads the binaries of malware (mwebp_64 and jmagik_64) on specific path of your system with help of downloader. Below is how the code looks like:
3. This script can be easily executed as all the content of the wp-content folder is on the discoverable path and can be accessed on http or https something like: http://domain_name/wp-content/themes/alternate-lite/inc/customizer.php hence attackers/bots executes this script on your domain and keep on abusing your system.
How does the intrusion attack happens from infected system?
The botnet system as mentioned and shown in the diagram works in coordination with CNC servers or centralised servers which is guiding the attack. Through a chain of protocols, the communication between the CNC and the infected machine happens. This malicious communication between two machines is done with the help of malware. In the above attack too, the following chain of the protocol are followed:
- After infecting the machine http://cnc/project/active signal is sent to CNC to let him know that machine is infected.
- Followed by which CNC ask for machine architecture using http://cnc/bots/chkVersion?currVers=3.03\&arch=linux
- Then, CNC assign the role to infected machine which they have defined on their end like wpchk; wbrt; etc which signifies that whether brute force login needs to be done or admin panel needs to be searched by infected machine.
- After the machine gets role, CNC sends the series of IP’s which needs to be intruded by the infected machine, infected machine performs the action according to the role assigned and hence intrusion attack starts with this chain of events.
Big Question: How to rescue yourself
Definitely, this attack is a well-structured attack by professional CNC servers and hence it needs to be dealt with more professionally. Following are the steps you can take to get rid of it.
- First and foremost remove/delete the alternate-lite theme so that the on fly malware downloads can be prevented.
- Kill all the stealth process running on your machine and get rid of it immediately.
- Monitor your system well for abnormally high resource utilisations by setting alerts.
- Locate all other files of wordpress which are infected in last 15–30 days and check that whether they contains genuine or malicious code.
- Block all unnecessary outgoing and incoming ports which are barely used by your server.
- Harden all your folders of wordpress which are exposed and rarely needed by you, namely wp-content, wp-includes, wp-admin, uploads etc. Hardening of rules can be done by configuring .htaccess file on root of these folders.
- Check for all the core wordpress files for the malicious code and get rid of it.
- Last but not the least change your admin password and keep it significantly strong so that it can’t be brute-forced.
So, these are some steps that you can take to recover your machine from this attack and if you still think that there might be some backdoors try to set up the WordPress from scratch on another server by following all necessary security steps.
Conclusion
Network Security is the most debatable topic these days, many institutions are suffering from the ill effects of network security and day-in and day-out fighting with it. While we are developing multiple new applications we tend to forget the security of our system, but I suggest that it’s time for developers to start thinking about security on top of their minds before anything else. Internet is an open jungle and anytime your predators can attack you so be-aware and adopt SOP for security in your organisations.
PS: This attack helped me in uplifting my know-how of the Linux system in more better way and practical way. 😉