
Trojaned!?!?!?!


So yesterday I finally got around to getting Wazuh deployed in a Docker container on my home network. It took a couple of attempts because I don’t do anything the right way the first time. Once I R’d TFM (yes, I did put a link to what RTFM means because I recently met a dev who had never heard that term before. #lucky10k) and actually paid attention instead of asking ChatGPT for a config, it came up pretty easily and seems pretty reliable. (He said, with less than 24 hrs of uptime. 🤞)

I haven’t gotten to installing any kind of network monitoring yet, but I did install the agent on one Fedora-based machine, one Ubuntu Server, and a MacBook Air. They are all phoning home over Tailscale, so theoretically they will check in from anywhere in the world. Since I never leave my apartment, I don’t know when I’ll get to test this. It might be dumb, but not as dumb as deploying Wazuh BEFORE I do the network overhaul, which is what I just did. I’m hoping Tailscale’s “MagicDNS” (seriously, that’s what they call it) will let me keep consistency even when IPs change, since everything is hostname based. Maybe someday I’ll test what happens when I get a new machine and reuse the old machine’s name. But that’s a blog post for the distant, post-RAMPOCALYPSE future.

ANYWAY… You’re here because I said I got trojaned. TL;DR, I don’t think I did. (I made you read enough useless fluff already, I’m not going to bury the lede any deeper.)

I logged into Wazuh this morning to see what’s going on. And while I still have a lot of tuning to do, I did see “Trojaned version of file detected.” And, great news - whatever view I was on didn’t immediately tell me WHICH FILE IT WAS. Sadly I can’t find my way back to that view now to give you the specifics, because my first thought wasn’t “Oh, I need to document this for the blog” it was “FUCK!!!!! WHICH FILE IS IT????”

Tip: Go to the “Malware Detection” view in the “Endpoint Security” tab if this happens to you.

So I clicked around aimlessly for a minute or two and finally discovered that /usr/sbin/passwd, /usr/bin/passwd, /sbin/passwd, and /bin/passwd failed the rootcheck and are (allegedly) trojaned versions. Now, unlike my college roommate, I didn’t immediately think "I need to cut the wires to the hard drive because I found a text file" (True story, and he didn’t actually cut the wires, and yes, I was responsible for the text file. #trollingSinceThe90s) - I decided to take a hash of the file and ship it off to VirusTotal (VT) #not_sponsored.

The MD5 and SHA-256 hashes (yeah, I did both because… 🤷) both came back clean, and both were definitely the passwd file according to VT. So then I did a Kagi search for why I’m seeing this. Looks like there’s a regex that matches a pattern.

Full disclosure, I did not do proper forensics here, I just ran the hashes locally on the potentially compromised machine. So it is possible that I am popped and there’s some fancy malware that returns the hash of the legit file, but Horses/Zebras.
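To make the "it's a regex" explanation and the hash caveat concrete, here is an added example (my code, not from the original post and not from Wazuh's own code base). It mimics what a rootcheck-style trojan signature check does: run a per-binary regex over the raw bytes of the file and report which alternative fired and on what surrounding bytes, which is the part the alert didn't tell the author. The signature table and the two sample "binaries" below are constructed for illustration; Wazuh ships its real patterns in its rootkit_trojans.txt and applies them with its own regex engine, so treat these patterns and the matched string as assumptions, not as what actually triggered on the author's Fedora box.

```python
import hashlib
import re

# Constructed signature table in the style of a rootcheck trojan signature list:
# binary name -> regex of strings a trojaned copy is expected to contain.
# These patterns are illustrative assumptions, not a copy of Wazuh's shipped file.
TROJAN_SIGNATURES = {
    "passwd": r"bash|file\.h|proc\.h|/dev/ttyo|/dev/ptyr",
    "ls": r"kitd|kitdir|lnsocks|tsoc",
}


def find_signature_hits(data: bytes, pattern: str, context: int = 12):
    """Run one signature regex over raw file bytes.

    Returns a list of (offset, matched_text, printable_context) so you can see
    which alternative matched and what it matched on, instead of a bare
    'trojaned: yes'. Bytes are decoded as latin-1 so every byte maps to exactly
    one character and offsets line up with positions in the file.
    """
    text = data.decode("latin-1")
    hits = []
    for m in re.finditer(pattern, text):
        lo = max(0, m.start() - context)
        hi = min(len(text), m.end() + context)
        ctx = "".join(c if 32 <= ord(c) < 127 else "." for c in text[lo:hi])
        hits.append((m.start(), m.group(0), ctx))
    return hits


def check_binary(name: str, data: bytes):
    """Apply the signature for `name` (e.g. 'passwd') to the file contents."""
    return find_signature_hits(data, TROJAN_SIGNATURES[name])


def hashes(data: bytes):
    """MD5 and SHA-256 of the contents, the same values you'd submit to VirusTotal."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample "binaries": not real ELF files, just byte blobs carrying the
# kind of strings a real binary has. The second one is identical except for one
# extra embedded string, and that is enough to trip the 'passwd' signature.
CLEAN_PASSWD = (
    b"\x7fELF" + b"\x00" * 16
    + b"Changing password for %s.\x00Usage: passwd [options] [LOGIN]\x00"
)
FLAGGED_PASSWD = CLEAN_PASSWD + b"\x00see /usr/share/doc/bash-completion\x00"


def main():
    for label, blob in (("clean", CLEAN_PASSWD), ("flagged", FLAGGED_PASSWD)):
        hits = check_binary("passwd", blob)
        print(label, hashes(blob)["sha256"][:16], "hits:", hits)
    # To try it on a real file (runs on the host you are suspicious of, see below):
    # with open("/usr/bin/passwd", "rb") as f:
    #     print(check_binary("passwd", f.read()))


if __name__ == "__main__":
    main()
```

The "flagged" blob matches on the literal `bash` inside an unrelated documentation path, which is the general failure mode of this kind of signature: the regex is matched against every byte of the file, not against its behaviour, so any legitimate string containing one of the alternatives produces the alert. A ground-truth check that doesn't depend on VirusTotal is to ask the package manager whether the installed file still matches the package's recorded digest: `rpm -V passwd` on Fedora, `dpkg -V passwd` on Ubuntu, with no output meaning no mismatch. That carries the same caveat the post already makes: both commands, and this script, run on the machine you suspect, so a sufficiently clever compromise could lie to them too.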

So remember kids, if it’s not DNS, and it’s REALLY not DNS, it’s probably regex. #theMoreYouKnow 🌈