Background - CCDC 2015
Recently, the Bloomsburg Cyber Defense Club (BCDC) partook in the National CyberWatch Mid-Atlantic CCDC Qualifiers. If you don't know what CCDC is, it can be summed up with computer defenders (blue team) trying to keep hackers (red team) from taking over four computers on the same network while both teams also complete various capture the flag events. While we didn't come close to taking gold, we put up a good fight and placed 4th of 9 in our round.Gee, this is embarrassing... |
How I Lost My Linux Machine
One of the things we faced during the competition was a hacker who seemed to have our services persistently down. No matter how hard we tried to start our apache2 and mysql services, they would always stop themselves in one second. It looked a lot like this:Being shutdown... |
A fruitless process list. |
No luck with top either. |
Linux Services - How They Work
Most of the common Linux distributions can start and stop services by using the built-in Linux program "service." You can get a list of every service on your Linux box by using the --status-all flag. From the results, [+] means running, [-] means offline, and [?] means it is unknown if the service is working.
- user@linux ~ $ sudo service service_name action
- user@linux ~ $ service --status-all
The list goes on and on... |
Next you need to decide what action you want your service to carry out. To see whether or not the service is running, we ask for the status of a service. To turn a service on or off, we use the actions start and stop. You can also restart a service.
Stopping and starting apache2. |
Recreating the Bash Script
The first thing to creating a bash script is creating the file used to house our code. Usually a script file name ends with the extension ".sh" for "shell," but you can name it whatever you want if you want to be sneaky. You may use any text editor, but I prefer using nano. First, navigate to your desired directory and create the text file by using the following command:
- user@linux ~/Desktop $ nano autoServiceTerminate.sh
Now that we have nano open, we can start our script. To make sure that the shell you are using knows which interpreter to use (bash), we add a pointer to it. This step is not always necessary, but is considered conventional. We start our script with the following line:
- #!/bin/bash
Next we want our code to repeat over and over. We need a while true loop to accomplish this automatic process. This loop will go on forever until the service is terminated by a user, which the red team would hope never happens. We use the following syntax for a loop in bash:
- while true; do
- Code Goes Here...
- done
Within our loop should be the code that we want to repeat. We want to attempt to terminate specific services over and over, effectively keeping them down. While we could do some magic with grep and services --status-all, there would be some major disadvantages. One such problem would be the termination of the ssh service, which would kick the hacker out of the shell they are currently in and therefore stop the script from running. We will be specific with the services we want to keep down: apache2 and mysql. We must use what we learned before about stopping services and put that within the loop:
- sudo service apache2 stop
- sudo service mysql stop
The script as it is now would function as we want. The only problem with it now is that it never takes a break from trying to take down the services. This is bad because it could use a noticeable amount of CPU and would appear in programs like top, which would give us away. To avoid this, we only want the script to run once per second. Putting the following line within the loop will do just that:
- sleep 1
The finished script looks like this:
Very simple, but very threatening. |
- user@linux ~ $ sudo chmod +x autoServiceTerminate.sh
- user@linux ~ $ ./autoServiceTerminate.sh
This will cause headaches to those it is used on. |
Conclusion
This script is exactly what I believe the red team used on us during the competition. Feel free to recreate this script or download it from my website. I do not take any responsibility for actions and damage that is caused by the misuse of this script. I only distribute it for those who wish to learn from it. Use it at your own risk.As it stands, it would be pointless to recreate this attack without finding out how to stop it. I have found a method of doing so, but it requires creating a defensive bash script. I will save it for a future blog post.
Thanks for reading!
-Dan