
Alert with auditd64.bin

New Here, Oct 05, 2022

Dear Community,

We have received a high alert from our Palo Alto protection tool.

We have 2 questions:

- who knows the IP address 45.77.185.211:443?

- who knows what the system file auditd64.bin does? This file is used in the following command line: "cmd" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"&c:\windows\system\auditd64.bin 2>&1"

Thank you in advance for your assistance,

Eric


Correct answer

Community Expert, Oct 05, 2022

This is probably not going to be that satisfactory a response.

 

For the first question, to find out more about any IP address, you can use standard IP network tools like nslookup, dig, and whois. When I use nslookup like in the first attached screenshot, with "set type=PTR" so I can convert an IP address to a DNS name instead of the other way around, and with "set debug" so I get more complete information, it tells me that the PTR record for 211.185.77.45.in-addr.arpa resolves to 45.77.185.211.vultrusercontent.com. Then when I did an SOA search in nslookup for vultrusercontent.com. (the . at the end is important to include actually, see the 2nd screenshot), it told me the authoritative name server was ns1.vultr.com among other things. Anyway, I don't get anything when I try to connect to the IP address and port using a browser or openssl, so my guess is that (a) this isn't a legitimate server, and (b) this is part of a way for an attacker to collect data from your server and send it back to the attacker.

 

The second question I can't answer, as I don't have that file in front of me. So, it appears not to be part of the standard Windows 10 OS install. But the command line you posted is a bit questionable even though I obviously can't run it. You might want to do a couple of things here. First, right-click on the file in Windows Explorer to see what it says in there - where it came from, when it was put there, who signed it if anyone. I would hope that it's signed. Second, can you provide some context for where that command line you copied came from? Was it part of a larger program?

 

Anyway, in the meantime I would try to quarantine this server and use a fresh one that doesn't have the auditd64.bin file on it and ideally can't connect to arbitrary HTTPS listeners. (Your server should ideally have a whitelist that allows it to connect to only allowed servers. This is kind of a pain to set up, but your Palo Alto people might be able to set it up if they're handling outbound traffic.) If you can't easily replace the server, at least get the whitelist in place so the attacker can't exfiltrate data. Then, figure out a replacement approach.

 

Dave Watts, Eidolon LLC

New Here, Oct 05, 2022

Dear Dave,

Many thanks to you for the helpful replies; we have isolated the server as suggested. We have additionally found that 2 Windows user accounts have been created (1 with local admin rights) on this server. We have a strategy meeting later on, I will keep you informed.

BR,

Eric

New Here, Oct 06, 2022

Hello,

Can someone please confirm if the following command is valid:

coldfusion.exe -nohup -ntservice "ColdFusion 2016 Application Server-StartEvent" -startByNTService

Our security specialist thinks it could be an attacker command.

Thank you in advance,

Eric

 

Community Expert, Oct 06, 2022

It's valid, being the process started by the Windows service for CF.

 

If this sec person is only viewing a list of processes (like with tasklist), they could switch to using Task Manager to readily see that the process was in support of a service, by right-clicking it and choosing "go to service", to see that it's running on behalf of a service. For more, see a resource like:

 

https://www.howtogeek.com/405806/windows-task-manager-the-complete-guide/


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 06, 2022

Hi, @Charlie Arehart! Odds are, this security specialist isn't even touching the console; this is from an audit log of some sort. But that security specialist should at least learn what baseline services are running on this server, if said specialist wants to make sure it's secure!

 

Dave Watts, Eidolon LLC

Community Expert, Oct 06, 2022

Fair enough, Dave. That's why I'd said, "if this sec person is only viewing a list of processes (like with tasklist)", but I realize that in going on to talk about Task Mgr, that led you to want to clarify that they may not be on the box at all. I was implying that possibility, if not stating it. And like you go on to say, the sec person could at least check what's running on the machine (especially due to services) as a baseline.

 

Indeed, my answer was directed as much to Eric, as something that he too could have looked into--assuming he has any access to that machine and Task Manager (and permission to see processes other than only his own, etc.) 


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 06, 2022

Like @Charlie Arehart said, yes, this is a legitimate command for a server running ColdFusion. It's literally the command run when you start the service. I'm going to make a recommendation here: your security specialist needs to know the baseline state of the servers being secured, in order to detect something out of the ordinary. Too many security people are blithely ignorant of what's actually running on their servers until something bad happens. This is not a good thing for security specialists to do!

 

Dave Watts, Eidolon LLC

Community Expert, Oct 06, 2022

I didn't think this through too closely before, but you might also want to look at this bin file in Dependency Walker: https://www.dependencywalker.com/

 

Dave Watts, Eidolon LLC

New Here, Oct 06, 2022

Hello,

Thank you Dave and Charlie, we have decided to set up a new CF server with CF 2021.

The projects will be migrated to this new server.

New Here, Oct 07, 2022

Hello,

Sorry to disturb you again, but our security officer found the following command and he is asking me if it's a legitimate command:

"cmd.exe" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"&cmd /s /c "net group Domain Admins /domain"" "2>&1

Thank you in advance

Community Expert, Oct 07, 2022

This sounds like someone running the cfexecute command, which is then doing that net group command. Is that trouble? Maybe yes, maybe no. If somehow it's the work of someone doing it for good, it's not. If instead it's work no one there recognizes, then I'd be worried...and all the more given your earlier troubles.

 

Something you've not clarified is what update of cf2016 you have in place. If it's not the latest (update 17 from March 2021), there are vulns that may have been leveraged. Even if applied, there have been no further updates since then, as 2021 was the end of its 5-year life (cf2018 support/updates end in July 2023, and cf2021 in Nov 2024, all 5 years after they came out).

 

Then there's the question of what Java version cf is running. It could be quite old, given that cf2016 came out originally 6 yrs ago. There are many resources on updating that, from Adobe, myself, and others. Or I can help you get both the cf and Java updates in place in less than a half hour (perhaps less than 15 mins), via remote screenshare consulting.

 

Granted, when making such a change, it's best to do it in a test environment, to do some testing of your app on the new version/s, but given your troubles/concerns you may not have that luxury. 

 

Still another thing to consider is better securing your cf. By default, cf runs as the local system user, which is what would allow that net command above to work. That can be changed, in perhaps just a few mins, with a new user that's given far less privileges--just enough to run cf and no more. There's a lockdown guide for cf explaining dozens of things, but that one is key (along with the updates). For those on cf2018, there's a new autolockdown tool which does EVERYTHING in the lockdown guide, for better or worse. 

 

I know you said in your previous note you were going to cf2021. Doing that MIGHT address SOME of the issues you're facing, but even in that move much of what I say above will still apply. So again, if you want things implemented more completely, with guided assistance, you need not go it alone, nor await back and forth here. We could meet even today. More at carehart.org/consulting. Dave may also be available for consulting. 


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 07, 2022

It's 99% likely to be another malicious command. The "net group" command with the "/domain" switch only runs on domain controllers, and I really really hope your CF server isn't a domain controller. That would be ... trouble. On the bright side, it's really unlikely to do anything on a machine that isn't a domain controller. And ideally, if your CF server is accepting requests from the internet - an untrusted network to say the least - it shouldn't even be in the same domain as your other stuff.

 

@Charlie Arehart is right about not running CF as local system, which isn't even really a user - it's a security context that gives you full local administrative rights. That said, I don't know if it would run that command, since that's a Windows networking command and needs appropriate Windows networking functionality, which local system doesn't have. Still though, you should NEVER run CF as local system, even though that's the default behavior. You can drastically dial down what CF can do by creating a regular local user with no administrative rights, give that user something along the lines of read/write/execute/delete (RWXD) over CF (ex: C:\ColdFusion2021\) and IIS (ex: c:\inetpub\wwwroot) and R over C:\Windows and its subdirectories, I think. Maybe RWX for a couple of other directories like C:\Windows\Fonts. Read the lockdown guide for the exact directories and permissions. In the worst case, CF would be able to interfere with itself and IIS and nothing else.

 

Dave Watts, Eidolon LLC
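Dave's point about knowing the baseline is what makes the two command lines Eric quoted (the auditd64.bin launch and the `net group Domain Admins /domain` call) stand out next to the legitimate service start Charlie confirmed. The triage script below is an added example, not code from the thread, from Adobe or from either consultant; it assumes Sysmon-style process-creation fields (parent, image, command line) and runs over constructed sample events, flagging a shell child of coldfusion.exe as worth a look and escalating when the command line carries domain recon, account manipulation or a .bin launched as an executable.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed to
# the fields the rules need). Events 1 and 2 carry the two command lines quoted in
# the thread; events 0 and 3 are constructed baseline noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ColdFusion2016\cfusion\bin\coldfusion.exe",
     "cmdline": 'coldfusion.exe -nohup -ntservice "ColdFusion 2016 '
                'Application Server-StartEvent" -startByNTService'},
    {"parent": r"C:\ColdFusion2016\cfusion\bin\coldfusion.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"'
                '&c:\\windows\\system\\auditd64.bin 2>&1"'},
    {"parent": r"C:\ColdFusion2016\cfusion\bin\coldfusion.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /c "cd /d "C:/ColdFusion2016/cfusion/bin/"'
                '&cmd /s /c "net group Domain Admins /domain"" "2>&1'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Command-line content that escalates an event on its own, whatever the parent.
HIGH_PATTERNS = {
    "domain-recon: net group ... /domain":
        re.compile(r"\bnet1?\s+group\b.*/domain\b", re.I),
    "account-manipulation: net user|localgroup ... /add":
        re.compile(r"\bnet1?\s+(?:user|localgroup)\b.*/add\b", re.I),
    "non-standard-binary: .bin file launched as an executable":
        re.compile(r"[\w:\\/.-]+\.bin\b", re.I),
}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def triage(event):
    """Return {'severity': 'none'|'medium'|'high', 'findings': [...]} for one event."""
    findings = []
    # A shell child of the CF service is how cfexecute (or an exploited CF) reaches
    # the OS; on a server that never legitimately shells out, this alone needs a look.
    if basename(event["parent"]) == "coldfusion.exe" and basename(event["image"]) in SHELLS:
        findings.append("shell spawned by coldfusion.exe")
    hits = [name for name, rx in HIGH_PATTERNS.items() if rx.search(event["cmdline"])]
    findings += hits
    severity = "high" if hits else ("medium" if findings else "none")
    return {"severity": severity, "findings": findings}
```

On a real server the legitimate shell-outs (if any cfexecute calls are part of the application) would be added as an allow-list against the command line, so that a "medium" on a known call can be suppressed without hiding the "high" cases.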
