Technical update and ongoing analysis of the APT security incident

Experts at Avast Threat Labs have been analyzing the CCleaner advanced persistent threat (APT) continuously for the past few days, and apart from the information in recent blog posts (CCleaner and Avast posts), we are starting a series of technical blog posts describing details and technical information that we encountered during our analysis. Today, we will cover the ongoing analysis of the CnC server and the 2nd stage payload.

Shortly after receiving the initial notification about the incident from Morphisec, we reached out to law enforcement agencies to help us take down the Command and Control (CnC) server and get access to its contents.

While analyzing the data, we noticed that there were only a few days' worth of data in the logs, and we wondered why. We knew the server was installed on July 31st, so there had to be more than a month's worth of data since then:

    Jul 31 06:32:53 systemd: Started First Boot Wizard.

Although the server had been up and running since the end of July, data gathering started on August 11th, in preparation for the release of the compromised CCleaner executable file:

    Aug 11 07:36:52 seassdvz3 mariadb-prepare-db-dir: Initializing MySQL database
    Aug 11 07:36:52 seassdvz3 mariadb-prepare-db-dir: Installing MariaDB/MySQL system tables in '/var/lib/mysql'.

The database didn't contain data older than September 12th, so we originally thought someone might have deleted the data to avoid being traced, but then we found this log:

    170830 20:36:17 /usr/libexec/mysqld: ready for connections.
    Version: '5.5.52-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
    170910 8:47:40 InnoDB: Error: Write to file.
    InnoDB: 1048576 bytes should have been written, only 0 were written.
    InnoDB: Operating system error number 122.
    InnoDB: Check that your OS and file system support files of this size.
    InnoDB: Check also that the disk is not full or a disk quota exceeded.
    InnoDB: Error number 122 means 'Disk quota exceeded'.

The MariaDB (fork of MySQL) database, which stored the data acquired by the backdoor, ran out of disk space. Not coincidentally, there was a connection to the machine just a few hours after the database died. The user behind this connection came to free up some disk space.

Two days later, another connection was made, and this time, the attacker decided to resurrect the database by a complete reinstall: He (or she) started by erasing all the logs in the hope that this would quickly fix the issue, but the logs show the database also encountered some serious issues and was corrupted:

    170910 8:47:43 mysqld got signal 6
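The timeline above was reconstructed by correlating two differently formatted logs: syslog lines (month/day, no year) from the host and MariaDB error-log lines (YYMMDD timestamps, with untimestamped continuation lines). The following is an added example of that correlation, written for this post and not Avast's own tooling: it parses both formats, attaches continuation lines to the event that produced them, classifies the events that mattered in this case (first boot, datadir initialization, disk full, crash) and derives the gaps an analyst would check. The year 2017 for the syslog lines is an assumption (syslog omits it; the MariaDB lines pin it down), the hostname-less first line and the classification rules are this example's choices, and the sample input is the post's own log excerpts stitched together.

```python
"""Forensic timeline from syslog + MariaDB error-log excerpts (added example).

Assumptions (not from the post): syslog lines are from 2017, and the
event classification rules below are this example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the log lines quoted in the post, stitched together.
SAMPLE_LOG = """\
Jul 31 06:32:53 systemd: Started First Boot Wizard.
Aug 11 07:36:52 seassdvz3 mariadb-prepare-db-dir: Initializing MySQL database
Aug 11 07:36:52 seassdvz3 mariadb-prepare-db-dir: Installing MariaDB/MySQL system tables in '/var/lib/mysql'.
170830 20:36:17 /usr/libexec/mysqld: ready for connections.
Version: '5.5.52-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server
170910  8:47:40  InnoDB: Error: Write to file.
InnoDB: 1048576 bytes should have been written, only 0 were written.
InnoDB: Operating system error number 122.
InnoDB: Check that your OS and file system support files of this size.
InnoDB: Check also that the disk is not full or a disk quota exceeded.
InnoDB: Error number 122 means 'Disk quota exceeded'.
170910  8:47:43 mysqld got signal 6
"""

# "Mon DD HH:MM:SS [host] proc: message" (hostname optional, as in the post's first line)
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (?:(\S+) )?(\S+?): (.*)$")
# MariaDB 5.5 error log: "YYMMDD H:MM:SS message"; following lines without a stamp continue it
MARIADB_RE = re.compile(r"^(\d\d)(\d\d)(\d\d) +(\d{1,2}):(\d\d):(\d\d) +(.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Substring rules mapping an event (source + full message) to a kind; example's own.
RULES = [
    ("host_first_boot", "Started First Boot Wizard"),
    ("db_datadir_init", "Initializing MySQL database"),
    ("db_ready", "ready for connections"),
    ("db_disk_full", "Operating system error number 122"),
    ("db_crash", "got signal"),
]


@dataclass
class Event:
    when: datetime
    source: str      # syslog process name, or "mysqld-errlog" for MariaDB lines
    message: str     # first line plus any continuation lines
    kind: str = "other"


def classify(event: Event) -> str:
    text = f"{event.source}: {event.message}"
    for kind, needle in RULES:
        if needle in text:
            return kind
    return "other"


def parse_log(text: str, default_year: int = 2017) -> list[Event]:
    """Parse mixed syslog/MariaDB lines into timestamped, classified events."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := SYSLOG_RE.match(line):
            mon, day, hh, mm, ss, _host, proc, msg = m.groups()
            when = datetime(default_year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
            events.append(Event(when, proc, msg))
        elif m := MARIADB_RE.match(line):
            yy, mo, dd, hh, mm, ss, msg = m.groups()
            when = datetime(2000 + int(yy), int(mo), int(dd), int(hh), int(mm), int(ss))
            events.append(Event(when, "mysqld-errlog", msg))
        elif events:
            # No timestamp: continuation of the previous event (InnoDB detail lines, "Version:" line)
            events[-1].message += "\n" + line
    for ev in events:
        ev.kind = classify(ev)
    return events


def summarize(events: list[Event]) -> dict:
    """Derive the checks an analyst wants: idle gap before data gathering,
    disk-full-to-crash interval, and whether the datadir was initialized more than once."""
    by_kind: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_kind.setdefault(ev.kind, []).append(ev)

    def first(kind):
        return by_kind[kind][0].when if kind in by_kind else None

    inits = [e.when for e in by_kind.get("db_datadir_init", [])]
    s = {
        "host_first_boot": first("host_first_boot"),
        "db_datadir_inits": inits,
        "db_ready": first("db_ready"),
        "db_disk_full": first("db_disk_full"),
        "db_crash": first("db_crash"),
        # A second datadir initialization means the database was wiped and reinstalled.
        "db_reinstalled": len(inits) > 1,
    }
    if s["host_first_boot"] and inits:
        s["days_idle_before_db_init"] = (inits[0] - s["host_first_boot"]).days
    if s["db_disk_full"] and s["db_crash"]:
        s["seconds_disk_full_to_crash"] = int((s["db_crash"] - s["db_disk_full"]).total_seconds())
    return s


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.when, ev.kind, ev.source, ev.message.splitlines()[0])
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run against a recovered `/var/log/messages` plus `/var/log/mariadb/mariadb.log`, the same summary gives the three facts the post relies on: the host sat idle for eleven days before the datadir was created, the database died three seconds after the first write failed with OS error 122, and any later `Initializing MySQL database` line would flag the reinstall that erased the earlier data. Once a log has been wiped, of course, only copies shipped off-host beforehand can fill that gap, which is the practical reason to forward database error logs to a separate collector.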