I’m about 2 years into my career as a sysadmin, looking to take a soc analyst 2 role. However, I’m currently dealing with a nightmare on my home network. Currently every machine has modified kernels not if my doing and upon boot in forensics mode I find bsd software as well as remote jmx and Jconsole terminals. This has been going on for a few months and right when I think I’ve cleared out the remote attackers leftovers more pop up. I wrote scripts to only allow one user, scripts that kick any non native users every minute, scripts that remove open jdk every minute; to no avail. I’ve tried cronjobs and caja events. Upon boot I can see that the remote attacker essentially has his own file system, and I cannot remove his vfs no matter what I’ve tried. Either that or I’ll get device is busy so not removing alert. Even after shutting down ssh (mostly tcp protocols) the tune time environment for java still persists, clever exploit for sure. My question is where do I begin in this mess? I’ve lost so much already trying to replace what is infected I even moved and got new isp hoping that would resolve the issue. I’m feeling hopeless and I’m not going to take this job as it’s remote; until I know my home network is secure.
I’ve tried port forwarding through several routers with lease expirations every 3 minutes but still I’ll get dos and the source address appeared to be from my isps dns server, diving deeper I found out about fiked and wrote a script to compile the lists and ran a traceroute to find the real source address. I need help on what to do from here, the attacker is using 9 proxy’s:vpn to port through so he must really not want to be caught. I also kept excellent logs on the network traffic to wire shark if anyone would like to take a peak.
All in all I’m out about 14k in phones, computers, and 9k in bitcoin. At this point I just want my life back so please if anyone can spare me any advice on how to prevent the jmx mbeans exploit or maybe even honeypot this annoyance I’m all in it’s been since novemember ffs.
Tl:dr I’m being exploited via mbeans jmx through artifacts, he is trying to change kernels using multi call; I’m out of ideas please help.
No comments:
Post a Comment