Saturday, March 21, 2015

HACK - A Service Terminating Bash Script

Background - CCDC 2015

Recently, the Bloomsburg Cyber Defense Club (BCDC) partook in the National CyberWatch Mid-Atlantic CCDC Qualifiers. If you don't know what CCDC is, it can be summed up with computer defenders (blue team) trying to keep hackers (red team) from taking over four computers on the same network while both teams also complete various capture the flag events. While we didn't come close to taking gold, we put up a good fight and placed 4th of 9 in our round.

Gee, this is embarrassing...
This being my second year competing, I thought I would have been more prepared than I was the previous year. While we were practically owned this year, I believe it had something to do with us being in the final round. This allowed the red team to refine their technique and know exactly how to get into our computers, as they had spent 9 hours in the previous three rounds trying to get into replicas of the same machines. While Bloomsburg lost that day, we got a taste of a real challenge and will be more prepared for next year.

How I Lost My Linux Machine

One of the things we faced during the competition was a hacker who seemed to keep our services persistently down. No matter how hard we tried to start our apache2 and mysql services, they would always stop themselves within one second. It looked a lot like this:

Being shutdown...
We assumed this had to be a bash script, but we didn't know how to find it. We thought we could find it using top and ps, but top ended up being a cluttered mess of nothing important, and with ps we found only a generic "bash" process. Had we terminated bash, we would have lost everything, especially considering that we only had access to these machines via ssh.
A fruitless process list.
No luck with top either.
Not knowing how to stop the script or even where to look, we were left unable to complete our injects for the qualifier round. This was absolutely disappointing. After the competition, I thought to myself, "How could we have stopped it?" This was soon followed by another question, "How could I recreate it?" Both of these questions will be answered. In order to recreate it, we need a good understanding of how Linux services work.

Linux Services - How They Work

Most of the common Linux distributions can start and stop services by using the built-in Linux program "service." You can get a list of every service on your Linux box by using the --status-all flag. From the results, [+] means running, [-] means offline, and [?] means it is unknown if the service is working.
  • user@linux ~ $ sudo service service_name action
  • user@linux ~ $ service --status-all
The list goes on and on...
You need to place the name of the service you want to manipulate at service_name. Some examples include apache2, mysql, or sshd. These are all names of services that your Linux box can run.

Next you need to decide what action you want your service to carry out. To see whether or not the service is running, we ask for the status of a service. To turn a service on or off, we use the actions start and stop. You can also restart a service.
Stopping and starting apache2.

Recreating the Bash Script

The first step in creating a bash script is creating the file that will hold our code. Usually a script's file name ends with the extension ".sh" for "shell," but you can name it whatever you want if you want to be sneaky. You may use any text editor, but I prefer nano. First, navigate to your desired directory and create the text file with the following command:
  • user@linux ~/Desktop $ nano
Now that we have nano open, we can start our script. To make sure the shell knows which interpreter to use (bash), we add a shebang line pointing to it. This step is not always necessary, but it is conventional. We start our script with the following line:
  • #!/bin/bash
Next we want our code to repeat over and over. A while true loop accomplishes this automatic process. The loop will go on forever until the script is terminated by a user, which the red team would hope never happens. We use the following syntax for a loop in bash:
  • while true; do
    • Code Goes Here...

  • done
Within our loop should be the code that we want to repeat. We want to attempt to terminate specific services over and over, effectively keeping them down. While we could do some magic with grep and service --status-all, there would be some major disadvantages. One such problem would be the termination of the ssh service, which would kick the hacker out of the shell they are currently in and therefore stop the script from running. We will be specific about the services we want to keep down: apache2 and mysql. We use what we learned above about stopping services and put that within the loop:
  • sudo service apache2 stop
  • sudo service mysql stop
The script as it stands would function as we want. The only problem is that it never takes a break from trying to take down the services. This is bad because it could use a noticeable amount of CPU and would show up in programs like top, which would give us away. To avoid this, we only want the loop body to run once per second. Putting the following line within the loop does just that:
  • sleep 1
The finished script looks like this:

Very simple, but very threatening.

Now we can exit nano by pressing CTRL+X, and save by typing Y. With our script completed, we must now make it executable. We can do this with the chmod command:
  • user@linux ~ $ sudo chmod +x
This will allow us to run our script as a bash file. Now to run it, we use the following syntax:
  • user@linux ~ $ ./
And now it should run, terminating your services forever! It is unnoticeable both to top and to a typical ps. Note that you can always stop (suspend) a foreground bash script or program by pressing CTRL+Z.

This will cause headaches to those it is used on.
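The loop above hides well from a plain ps because the script's own process is just another "bash", but once per second it has a child that is much harder to hide: the sleep. Linking every sleep back to its parent shell points straight at the looping script. The following is an added example written for this post, not the original author's code and not the red team's: it assumes ps output in the column order pid, ppid, comm, args, and the sample ps listing (including the script name "./updates") is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: locate a looping shell script by
# the periodic "sleep" child it spawns, then report the parent shell's PID and
# command line. Column order assumed: pid ppid comm args.

# Constructed sample of `ps -eo pid,ppid,comm,args --no-headers`. Every value
# here is made up; "./updates" is a hypothetical name for the looping script.
SAMPLE_PS='    1     0 init            /sbin/init
  812     1 sshd            /usr/sbin/sshd -D
 1404   812 sshd            sshd: user@pts/0
 1405  1404 bash            -bash
 2210  1405 bash            /bin/bash ./updates
 2331  2210 sleep           sleep 1
 2335  1405 ps              ps -eo pid,ppid,comm,args'

# Read ps lines on stdin; print "ppid<TAB>args" for each shell (bash, sh, dash)
# that has a sleep child. Output is sorted by PID so it is deterministic.
find_sleep_loop_parents() {
    awk '
        {
            pid = $1; ppid = $2; comm = $3
            line = $0
            # Drop the first three columns so the full command line survives.
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", line)
            parent[pid] = ppid; name[pid] = comm; args[pid] = line
        }
        END {
            for (p in parent) {
                if (name[p] != "sleep") continue
                pp = parent[p]
                if (name[pp] == "bash" || name[pp] == "sh" || name[pp] == "dash") {
                    if (!(pp in seen)) {
                        seen[pp] = 1
                        printf "%s\t%s\n", pp, args[pp]
                    }
                }
            }
        }' | sort -n
}

# On a live box (not exercised on the sample): run the real ps through the
# detector and add the working directory from /proc so the script file can be
# found and inspected before anything is killed.
report_live() {
    ps -eo pid,ppid,comm,args --no-headers | find_sleep_loop_parents |
    while IFS="$(printf '\t')" read -r ppid args; do
        cwd=$(readlink "/proc/$ppid/cwd" 2>/dev/null)
        printf 'suspect PID %s: %s (cwd: %s)\n' "$ppid" "$args" "${cwd:-unknown}"
    done
}

# Demonstration on the constructed listing: only PID 2210 is reported, because
# the interactive login shell (1405) has no sleep child.
printf '%s\n' "$SAMPLE_PS" | find_sleep_loop_parents
```

The interactive shell that was visible in our own ps output is not flagged, only the shell that owns a sleep. Against a real listing, call report_live and check the reported command line and cwd; a script launched with no argument, or one whose sleep has been replaced with something else, needs a different hook, but this catches the pattern exactly as described in this post.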


This script is exactly what I believe the red team used on us during the competition. Feel free to recreate this script or download it from my website. I do not take any responsibility for actions and damage that is caused by the misuse of this script. I only distribute it for those who wish to learn from it. Use it at your own risk. 

As it stands, it would be pointless to recreate this attack without finding out how to stop it. I have found a method of doing so, but it requires creating a defensive bash script. I will save it for a future blog post.

Thanks for reading!