Skip to main content
E
EricPeterCH
Participating Frequently
October 5, 2022
Answered

Alert with auditd64.bin

  • October 5, 2022
  • 3 replies
  • 998 views

Dear Community,

We have received a high alert from our Palo Alto protection tool.

We have 2 questions:

- who knows the IP address 45.77.185.211:443?

- who knows what the system file auditd64.bin does? This file is used in the following command line: "cmd" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"&c:\windows\system\auditd64.bin 2>&1"

Thank you in adavance for your assistance,

Eric

    This topic has been closed for replies.
    Correct answer Dave Watts

    This is probably not going to be that satisfactory a response.

     

    For the first question, to find out more about any IP address, you can use standard IP network tools like nslookup, dig, and whois. When I use nslookup like in the first attached screenshot, with "set type=PTR" so I can convert an IP address to a DNS name instead of the other way around, and with "set debug" so I get more complete information, it tells me that the PTR record for 211.185.77.45.in-addr.arpa resolves to 45.77.185.211.vultrusercontent.com. Then when I did an SOA search in nslookup for vultrusercontent.com. (the . at the end is important to include actually, see the 2nd screenshot), it told me the authoritative name server was ns1.vultr.com among other things. Anyway, I don't get anything when I try to connect to the IP address and port using a browser or openssl, so my guess is that (a) this isn't a legitimate server, and (b) this is part of a way for an attacker to collect data from your server and send it back to the attacker.

     

    The second question I can't answer, as I don't have that file in front of me. So, it appears not to be part of the standard Windows 10 OS install. But the command line you posted is a bit questionable even though I obviously can't run it. You might want to do a couple of things here. First, right-click on the file in Windows Explorer to see what it says in there - where it came from, when it was put there, who signed it if anyone. I would hope that it's signed. Second, can you provide some context for that command line you copied came from? Was it part of a larger program?

     

    Anyway, in the meantime I would try to quarantine this server and use a fresh one that doesn't have the auditd64.bin file on it and ideally can't connect to arbitrary HTTPS listeners. (Your server should ideally have a whitelist that allows it to connect to only allowed servers. This is kind of a pain to set up, but your Palo Alto people might be able to set it up if they're handling outbound traffic.) If you can't easily replace the server, at least get the whitelist in place so the attacker can't exfiltrate data. Then, figure out a replacement approach.

     

    Dave Watts, Eidolon LLC

    3 replies

    E
    EricPeterCHAuthor
    Participating Frequently
    October 7, 2022

    Hello,

    Sorry to distrb you again but our security officer found the following command and he is asking me if it's a legitimate command:

    "cmd.exe" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"&cmd /s /c "net group Domain Admins /domain"" "2>&1

    Thank you in advance

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    October 7, 2022

    This sounds like someone running the cfexecute command, which is then doing that net group command. Is that trouble? Maybe yes, maybe no. If somehow it's the work of someone doing it for good, it's not. If instead it's work no one there recognizes, then I'd be worried...and all the more given your earlier troubles.

     

    Something you've not clarified is what update of cf2016 you have in place. If it's not the latest (update 17 from March 2021), there are vulns that may have been leveraged. Even if applied, there have been no further updates since then, as 2021 was the end of its 5-year life (cf2018 support/updates end in July 2023, and cf2021 in Nov 2024, all 5 years after they came out).

     

    Then there's the question of what Java version cf is running. It could be quite old, given that cf2016 came out originally 6 yrs ago. There are many resources on updating that, from Adobe, myself, and others. Or I can help you get both the cf and Java updates in place in less than a half hour (perhaps less than 15 mins), via remote screenshare consulting.

     

    Granted, when making such a change, it's best to do it in a test environment, to do some testing of your app on the new version/s, but given your troubles/concerns you may not have that luxury. 

     

    Still another thing to consider is better securing your cf. By default, cf runs as the local system user, which is what would allow that net command above to work. That can be changed, in perhaps just a few mins, with a new user that's given far less privileges--just enough to run cf and no more. There's a lockdown guide for cf explaining dozens of things, but that one is key (along with the updates). For those on cf2018, there's a new autolockdown tool which does EVERYTHING in the lockdown guide, for better or worse. 

     

    I know you said in your previous note you were going to cf2021. Doing that MIGHT address SOME of the issues you're facing, but even in that move much of what I say above will still apply. So again, if you want things implemented more completely, with guided assistance, you need not go it alone, nor await back and forth here. We could meet even today. More at carehart.org/consulting. Dave may also be available for consulting. 

    /Charlie (troubleshooter, carehart. org)
      E
      EricPeterCHAuthor
      Participating Frequently
      October 7, 2022

      Hello,

      Thank you Dave and Charlie, we have decided to setup a new CF server with CF 2021.

      The projects will be migrated to this new server.

      D
      Community Expert
      Dave WattsCommunity ExpertCorrect answer
      Community Expert
      October 5, 2022

      This is probably not going to be that satisfactory a response.

       

      For the first question, to find out more about any IP address, you can use standard IP network tools like nslookup, dig, and whois. When I use nslookup like in the first attached screenshot, with "set type=PTR" so I can convert an IP address to a DNS name instead of the other way around, and with "set debug" so I get more complete information, it tells me that the PTR record for 211.185.77.45.in-addr.arpa resolves to 45.77.185.211.vultrusercontent.com. Then when I did an SOA search in nslookup for vultrusercontent.com. (the . at the end is important to include actually, see the 2nd screenshot), it told me the authoritative name server was ns1.vultr.com among other things. Anyway, I don't get anything when I try to connect to the IP address and port using a browser or openssl, so my guess is that (a) this isn't a legitimate server, and (b) this is part of a way for an attacker to collect data from your server and send it back to the attacker.

       

      The second question I can't answer, as I don't have that file in front of me. So, it appears not to be part of the standard Windows 10 OS install. But the command line you posted is a bit questionable even though I obviously can't run it. You might want to do a couple of things here. First, right-click on the file in Windows Explorer to see what it says in there - where it came from, when it was put there, who signed it if anyone. I would hope that it's signed. Second, can you provide some context for that command line you copied came from? Was it part of a larger program?

       

      Anyway, in the meantime I would try to quarantine this server and use a fresh one that doesn't have the auditd64.bin file on it and ideally can't connect to arbitrary HTTPS listeners. (Your server should ideally have a whitelist that allows it to connect to only allowed servers. This is kind of a pain to set up, but your Palo Alto people might be able to set it up if they're handling outbound traffic.) If you can't easily replace the server, at least get the whitelist in place so the attacker can't exfiltrate data. Then, figure out a replacement approach.

       

      Dave Watts, Eidolon LLC

      Dave Watts, Eidolon LLC
      E
      EricPeterCHAuthor
      Participating Frequently
      October 6, 2022

      Dear Dave,

      Many thans to you for the helpful replies, we have isolated the server as suggested. We have additionaly found that 2 windows user accounts have been created (1 with local admin rights) on this server. We have a strategy meeting later on, I will keep you informed.

      BR,

      Eric

      E
      EricPeterCHAuthor
      Participating Frequently
      October 6, 2022

      Hello,

      Can someone pleaase confirm if the following command is valid:

      coldfusion.exe -nohup -ntservice "ColdFusion 2016 Application Server-StartEvent" -startByNTService

      Our security speicalist think it could be an attacker command.

      Thank yo in advance,

      Eric

       

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices