In a previous article, we showed how to block specific domains at the DNS level using iptables. Today we will expand on that and show how to also block HTTP requests for a specific domain (or URL) with iptables.
Iptables String Matching
Iptables string matching is very powerful and easier to use than the hex-string module we used before. When you specify -m string --string, the string module is loaded and the payload of each packet is inspected for the keyword you are looking for. Two things to keep in mind: the module also needs --algo (bm or kmp) or iptables rejects the rule, and it looks at one packet at a time, so it cannot see inside HTTPS and will miss a keyword that is split across two TCP segments.
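As an added example (not part of the original article), here are the string-match rules in shell form, for a whole domain and for a single URL on it. The example domains and the OUTPUT chain are assumptions; the rules are printed rather than applied unless IPTABLES is set to the real binary:

```shell
#!/bin/sh
# Added example, not from the original article: iptables rules that drop HTTP
# requests for one domain or URL with the string match module. Assumptions:
# the xt_string kernel module is available, HTTP runs on TCP/80, and the rules
# live in the OUTPUT chain of the host itself (use FORWARD on a gateway).
# IPTABLES defaults to a dry run that prints the command; run as root with
# IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Drop any request segment that carries the Host header for the domain.
# --algo is mandatory for -m string; bm (Boyer-Moore) is the usual choice.
# Caveats: the match is per packet and case-sensitive (add --icase to relax
# it), it sees nothing inside HTTPS, and a Host header split across two TCP
# segments is not matched.
http_host_block_rule() {
    domain="$1"
    chain="${2:-OUTPUT}"
    $IPTABLES -A "$chain" -p tcp --dport 80 \
        -m string --algo bm --string "Host: $domain" -j DROP
}

# Drop only one URL on that host. Two string matches in a single rule must
# both succeed on the same packet; the request line and the Host header do
# travel together in an ordinary browser request, so this works in practice.
http_url_block_rule() {
    domain="$1"
    path="$2"
    chain="${3:-OUTPUT}"
    $IPTABLES -A "$chain" -p tcp --dport 80 \
        -m string --algo bm --string "GET $path HTTP/" \
        -m string --algo bm --string "Host: $domain" -j DROP
}

# Convenience wrapper: "domain" blocks the whole site, "domain/path" one URL.
block_http_target() {
    case "$1" in
        */*) http_url_block_rule "${1%%/*}" "/${1#*/}" ;;
        *)   http_host_block_rule "$1" ;;
    esac
}

# Dry run with two made-up targets (example.com and example.net are assumed).
block_http_target example.com
block_http_target example.net/collect.js
```

String matching is a blunt instrument: it stops casual traffic to a known-bad domain, but it is not a security boundary, since anything encrypted, fragmented or simply spelled with different capitalisation passes through. For a gateway, pass FORWARD as the chain argument.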
SFTP (the SSH File Transfer Protocol) is a file transfer protocol that runs over the Secure Shell (SSH) protocol. Despite the name, it is not the old File Transfer Protocol (FTP) wrapped inside SSH; it is a separate protocol that uses an SSH channel as its transport, so the whole session is authenticated and encrypted as it moves from one point to another.
PSA: FTP is an insecure transfer protocol (credentials and data travel in cleartext) and should be avoided.
This article assumes you are trying to create new SFTP users on your Linux machine. In this example we will be using Ubuntu 18.04.
Enabling and Creating SFTP users:
To enable SFTP you have to enable it inside your SSH daemon configuration file, usually /etc/ssh/sshd_config. Open the file and add the following to the end of the file (a Match block applies to everything after it, so it must come last). Note that Ubuntu's default sshd_config already contains the Subsystem sftp line shown here; keep only one copy, because sshd refuses to start when the same subsystem is defined twice:
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Match group sftp
Subsystem: an abstraction layer that lets the client request a named service instead of a shell command. In this instance the name sftp is mapped to the sftp-server binary. The Match block below it then restricts the group with four directives: ChrootDirectory, X11Forwarding, AllowTcpForwarding and ForceCommand.
Match group: limits what follows to a specific group, here sftp. Directives after a Match line apply only to connections that match it, until the next Match line, which is why the block belongs at the end of the file. Users outside the sftp group keep their normal SSH access; only members of the group are subject to these restrictions.
X11Forwarding: a special case of tunnelling (X11 display traffic forwarded over the SSH connection). Unfortunately it can be used maliciously by a bad actor, so it is recommended that you disable it for these users unless you know what you are doing.
AllowTcpForwarding: TCP forwarding lets a client encapsulate any other protocol (based on TCP, of course) inside an already established SSH connection. There are many legitimate reasons for this, but an SFTP-only user could use it to pivot through your server to other hosts, so we do not want to allow it without appropriate planning.
ForceCommand: the user can only execute one statically defined command. Specifying a command of internal-sftp forces the use of an in-process SFTP server that requires no support files (no binaries or libraries inside the chroot) when used with ChrootDirectory.
Once you have added this to the SSH config file, check the syntax with sshd -t (a mistake here can lock you out of the server) and then restart OpenSSH:
service ssh restart
Now add the new SFTP users and put them in the sftp group (the group must already exist; create it with groupadd sftp if it does not):
useradd -m [newsftpuser] -g sftp
Set the password:
Now you can test your SFTP connection from a different server. A plain ssh login for the same user should be refused, since ForceCommand only allows internal-sftp.
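The whole procedure, from the config fragment to the test login, as one script. This is an added example, not the article's own commands; it assumes a chroot into each user's home directory (ChrootDirectory %h, with a root-owned home and a writable upload subdirectory), the group name sftp and a username supplied on the command line, none of which the article specifies:

```shell
#!/bin/sh
# Added example, not the article's own commands: the procedure above as one
# script for Ubuntu 18.04 (OpenSSH 7.6). Assumptions the article does not
# make: each user is chrooted into their own home (ChrootDirectory %h), they
# write into an "upload" subdirectory, and the group is called sftp.
# Usage (as root):
#   sh sftp-users.sh setup            append the Match block, validate, restart
#   sh sftp-users.sh add newsftpuser  create a user in the sftp group
#   sh sftp-users.sh                  just print the Match block
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SFTP_GROUP="${SFTP_GROUP:-sftp}"

# The Match block. Every directive after "Match group" applies only to that
# group until the next Match line, so it must go at the very end of the file.
# The Subsystem line is deliberately not part of it: Ubuntu's default
# sshd_config already has one, and sshd refuses to start on a duplicate.
sftp_match_block() {
    cat <<EOF

# sftp-only users: chroot, no shell command, no tunnelling
Match group $SFTP_GROUP
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

# Append the block once, validate the result, then restart sshd.
setup_sshd() {
    grep -q "^Subsystem[[:space:]]*sftp" "$SSHD_CONFIG" || \
        echo "Subsystem sftp /usr/lib/openssh/sftp-server" >> "$SSHD_CONFIG"
    grep -q "^Match group $SFTP_GROUP\$" "$SSHD_CONFIG" || \
        sftp_match_block >> "$SSHD_CONFIG"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    sshd -t -f "$SSHD_CONFIG"   # a syntax error here would lock everyone out
    service ssh restart
}

# Create a user that can only ever reach internal-sftp. The chroot root must
# be owned by root and not writable by anyone else or sshd rejects the login,
# so the user gets a writable subdirectory instead of a writable home.
add_sftp_user() {
    user="$1"
    useradd -m -g "$SFTP_GROUP" -s /usr/sbin/nologin "$user"
    passwd "$user"
    chown root:root "/home/$user"
    chmod 755 "/home/$user"
    install -d -o "$user" -g "$SFTP_GROUP" -m 750 "/home/$user/upload"
}

case "${1:-}" in
    setup) setup_sshd ;;
    add)   add_sftp_user "$2" ;;
    *)     sftp_match_block ;;
esac
```

After adding a user, test from another machine with sftp newsftpuser@server; a plain ssh newsftpuser@server should be refused with a message that the service allows sftp connections only, which confirms that ForceCommand is in effect.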
The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, over the last two weeks it has mutated and used different domains as the initial malware intermediary.
This is the full list so far:
soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
18.104.22.168: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 sites were compromised and blacklisted because of it.
wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
phoenix-credit.com: The one currently active. It also leverages the /collect.js redirection and has compromised more than 11,000 different sites.
We will keep updating this list as the domains change and the attacks mutate.
The injected code contacts botsvsbrowsers.biz/Statistic/Stat.php on every page load, sending the client IP address and the URL, and the remote side decides what to inject for that visitor. Most of the time we are seeing plain spam, but they are probably serving other malicious code as well.
So if you see any content being loaded from botsvsbrowsers.biz (or the IP address 22.214.171.124), you know it is malicious.
A common keyword that people use to find hidden injections on web sites is base64_decode. You often see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode being used by the attackers.
So most web security tools have signatures to look for it (especially on WordPress).
Well, the attackers know about it as well, and we are starting to see some interesting variations. For example, instead of injecting base64_decode directly, they build the function name in a variable.
And instead of calling base64_decode by name, they use base + 32*2 + decode, pieces that only become base64_decode when PHP evaluates them. A simple trick that allows them to bypass many security filters that only match the literal string.
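A normaliser that undoes these splitting tricks before looking for the decoder names, as an added example that is not part of the original post. The PHP snippets in it are constructed for the demonstration, and the list of decoder names it looks for is an assumption, not a signature set from any product:

```shell
#!/bin/sh
# Added example, not from the original post: flatten PHP source so that split
# or concatenated function names read as one token again, then look for the
# usual decode/inflate chain. Sample snippets are constructed test input.

# Normalisation: drop quotes, whitespace and the "." concatenation operator,
# fold constant integer products such as 32*2 into their value, and lowercase
# everything (PHP function names are case-insensitive).
normalize_php() {
    tr -d "'\"\n\t\r " \
    | sed 's/\.//g' \
    | awk '{
        while (match($0, /\(?[0-9]+\*[0-9]+\)?/)) {
            expr = substr($0, RSTART, RLENGTH)
            gsub(/[()]/, "", expr)
            split(expr, f, "*")
            $0 = substr($0, 1, RSTART - 1) (f[1] * f[2]) substr($0, RSTART + RLENGTH)
        }
        print
    }' \
    | tr '[:upper:]' '[:lower:]'
}

# Print every decoder name found in the normalised source, one per line, plus
# any eval() whose callee is a variable (the construct every variant shares).
find_hidden_decoders() {
    normalize_php \
    | grep -Eo 'base64_decode|gzinflate|gzuncompress|str_rot13|eval\(\$[a-z0-9_]+\(' \
    | sort -u
}

# Constructed samples: the classic chain, the split-name variant, benign code.
SAMPLE_CLASSIC='<?php eval ( gzinflate ( base64_decode ( $_POST["p"] ) ) ); ?>'
SAMPLE_SPLIT='<?php $f = "base" . (32*2) . "_decode"; $g = "gz" . "inflate"; eval ( $g ( $f ( $_POST["p"] ) ) ); ?>'
SAMPLE_CLEAN='<?php echo htmlspecialchars($_GET["q"]); ?>'

for s in "$SAMPLE_CLASSIC" "$SAMPLE_SPLIT" "$SAMPLE_CLEAN"; do
    echo "--- $s"
    printf '%s' "$s" | find_hidden_decoders
done
```

Run it over a tree with something like find . -name '*.php' -exec sh -c 'find_hidden_decoders < "$1"' _ {} \; after sourcing the functions. It catches names split with quotes, dots and whitespace and folded integer products; it does not catch strrev(), chr() concatenation or hex escapes, which is why the last pattern also flags eval() of a variable-named function.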
It is not an uncommon tactic (we see it often with jquery), but as a webmaster, if you see anything loaded from pwiki-stat or similar variations, it is likely fake. The official (and trusted) one is http://piwik.org/.