2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
The purpose of this article is to share an example analysis of the security threats that Linux systems face on the Internet. The editor thinks it is very practical and hopes you will gain something from reading it.
I. Overview
As one of the five mainstream operating systems, Linux currently accounts for more than 80% of the server market. With the development of cloud computing and IoT, and with Linux being the mainstream underlying operating system for Internet of Things devices, the scenarios in which it is deployed will grow geometrically.
Through long-term monitoring of service ports across the global Internet, the Anheng Information Security data brain team found that more than 50 million Linux hosts worldwide expose their SSH port, with the United States and China having the largest numbers of exposed hosts. These servers face severe network attacks such as port scanning, password brute-forcing and vulnerability scanning. Every day a large volume of scanning traffic across the whole network probes the SSH or database ports of systems, and once a probe succeeds, the attacker brute-forces the service to obtain control of the host. Captured Linux hosts are typically used for cryptocurrency mining and DDoS attacks, and for capturing further zombie hosts ("broilers") by spreading worms across the intranet. This phenomenon seriously affects the security of cyberspace. We suggest that subsequent network security awareness and governance work strengthen the security and standardized control of such systems and clean up zombie hosts in a timely manner.
Main points:
1. More than 50 million Linux hosts across the whole network expose their SSH port and suffer severe port-scanning and brute-force threats.
2. System remote management ports and database ports are the ports most frequently attacked by hackers.
3. Weak passwords and the default passwords of proprietary devices (such as cisco, pi, db2as) are still the hackers' first choice.
4. The attack sources targeting Linux systems are concentrated mainly in Europe, China, the United States, South Korea and other countries, and most of the attacking systems are themselves Linux hosts.
5. After a Linux host is compromised, it is mostly used for mining, launching DDoS attacks, and spreading intranet worms to capture more zombie hosts; the most common Trojans are the BillGates Trojan and the Raspberry Pi Trojan.
II. Severe security risks faced by Linux systems and their impact
2.1 A large number of Linux servers are exposed across the network
For a long time, the Linux operating system has had a wide range of applications:
1. As an enterprise server platform
It serves as the enterprise web server, database server, load-balancing server and DNS server. It not only reduces the enterprise's operating costs but also provides high stability and high reliability.
2. As an embedded Linux system
From network devices (routers, switches, firewalls, load balancers) to dedicated control systems (vending machines, mobile phones, PDAs, household appliances of all kinds), Linux is deployed very widely. In recent years Linux has become one of the mainstream embedded development platforms, penetrating the telecommunications, finance, education and other industries. Major hardware manufacturers and large and super-large Internet enterprises use Linux as the platform on which their server-side programs run.
In August, the Anheng Security data brain team used the Sumap platform to probe the Internet for devices with the SSH port open. The probe found a total of 51,689,792 exposed SSH ports worldwide, 11,964,730 of them in China.
The TOP10 geographical distribution of SSH port exposure is as follows:
The top three regions by number of exposed SSH ports are:
14,448,205 in the United States, 11,964,730 in China and 2,710,689 in Germany.
The United States and China have the largest numbers of open SSH ports, far ahead of other countries. The large number of open SSH ports exposes these Linux systems to the Internet and greatly increases the risk they face.
2.2 Most systems suffer high-frequency, persistent attacks
After analyzing a large number of attacks on Linux systems, the Anheng Security data brain team found that a single Linux system with exposed ports is subjected to an average of more than 40,000 network attacks per day, and that most attackers use high-frequency persistent attacks, with an average attack rate of about 5 attempts per second.
Tracking intrusions of Linux systems, the team found that a Linux system with a weak password was successfully broken into about 17,000 times a month. After a successful intrusion, the attacker usually checks host information, disables the firewall and downloads files, establishes a reverse connection to a remote C2 host for control, and then carries out mining or DDoS attacks.
2.3 Overview of mainstream attacks
2.3.1 Remote management and database ports are scanned most heavily
Port scanning is the attacker's most common first step against Linux systems. Scanning reveals which ports are open on a server and whether vulnerable services are present; the attacker then exploits those vulnerabilities or brute-forces the services.
The targets of port scanning vary greatly from country to country. The following is an analysis of port scanning by country:
* Note: ports 2222 and 2223 are often used for remote system management; port 3306 is MySQL; ports 80 and 443 are the usual web server ports; port 25 is SMTP.
In general, the ports attacked concentrate on remote access and database services, which shows that most mainstream attackers scan and probe in a simple, brute way. For operations and maintenance personnel, strict daily port management can avoid this risk, but the port exposure data shows that some operations personnel lack security awareness at the management level, leaving opportunities for hackers.
2.3.2 Weak passwords and default passwords on proprietary equipment are a serious problem
Brute-force cracking is the most commonly used attack and the easiest to carry out. The user names and passwords most commonly tried in brute-force attacks against Linux systems are as follows:
User names: root, admin, shell, enable, default and other classic choices still dominate.
Passwords: system, user, 1234, sh and other default passwords and simple sequences are the passwords hackers most commonly try.
Besides the weak passwords that hackers commonly use, brute-forcing the default passwords of proprietary devices is also a common attack method. The following are the default accounts and passwords of commonly used proprietary devices:
Compared with figure 2-4 above (common brute-forced user names), you can see that a large number of these are default accounts of proprietary devices.
To sum up, weak-password brute-forcing is one of the attack methods hackers favour most, because it has low cost and a high success rate. So for us, do not make it easy for them: make passwords and user names as complex as possible and change passwords at regular intervals (such as 30 days). Because their data is more valuable, enterprise users should strengthen employees' awareness of password management. Probing of proprietary equipment and Internet of Things devices has become a common trend, and the security management of these non-server devices is extremely urgent.
2.4 Characteristics of the attack source regions
Geographically, Europe, China, the United States and South Korea are the most concentrated sources of attacks against Linux systems. The following is the distribution of attack source countries:
We also tracked and analyzed the systems used by the attackers. The following figure shows the distribution of attacker operating systems:
Detection shows that more than 60% of the identified operating systems are Linux, and many of these are zombie hosts that have themselves been compromised.
III. Mining and DDoS attacks are the main purposes
By tracking and observing Internet attack traffic over a long period, the Anheng Security data brain team found that current attacks against Linux hosts focus mainly on mining and on DDoS attacks launched from captured hosts. Two typical Trojans are selected here for brief analysis: the BillGates Trojan and the Raspberry Pi Trojan.
3.1 BillGates Trojan Analysis
3.1.1 Overview
The BillGates Trojan is the mainstream Trojan attack type against Linux systems and is used mainly for DDoS attacks or mining. The following is an analysis of a recent BillGates attack.
On July 30th, 2018, the Anheng Security data brain team captured a DDoS Trojan on a honeypot platform. Its source IP was 61.178.179.93. By brute-forcing SSH, entering the file system simulated by the honeypot, and downloading a Trojan file that turns the machine into one of the attacker's zombie hosts, the attacker can launch DDoS attacks.
The Trojan files involved are as follows:
According to the analysis, the attacker attempted the download three times and succeeded once.
3.1.2 Intrusion process
The attacker first brute-forces the exposed SSH service, usually logging in on port 22, and then enters the file system simulated by the honeypot. Once inside, the attacker first disables the firewall, then fetches the Trojan from port 45454 of the source IP 61.178.179.93, and starts the Trojan program repeatedly.
The download path of the Trojan is as follows: http://61.178.179.93:45454/Hoogp. At the time of writing this path could still be accessed and downloaded:
The Trojan IP 61.178.179.93, located in Gansu, China, has launched cyber attacks and was marked as a malware site by the Anheng Threat Intelligence Center.
Analysis of the Hoogp sample shows it to be a malicious file, and a number of antivirus products also detect it as a backdoor and DDoS tool.
3.1.3 Communication behavior
Further analysis of the file's communication behavior shows that the associated domain names are xunyi-gov.cn and DDoS.xunyi-gov.cn, and the domain xunyi-gov.cn has been marked as part of the BillGates botnet.
There are 5 subdomains under this domain: blog.xunyi-gov.cn; hack.xunyi-gov.cn; www.xunyi-gov.cn; DDoS.xunyi-gov.cn; s.xunyi-gov.cn. Most of these subdomains are marked as remote control or malware.
A reverse lookup of the other associated domain, DDoS.xunyi-gov.cn, shows that it too is marked as malware communication related:
In addition, the association analysis results below show that this organization controls the communication of a batch of malicious domains and has captured a large number of hosts, so we speculate that it is a hacker organization of some scale.
3.2 Analysis of the Raspberry Pi Trojan
3.2.1 Overview
The Raspberry Pi is a single-board computer launched in 2017; it is only the size of a credit card, and its underlying system is based on Linux.
On July 31, 2018, the Anheng Security data brain team found, in a honeypot system, a malicious file left behind by an attacker who broke into the Raspberry Pi system to mine. Log analysis showed that the attacking IP was 121.153.206.110, located in South Korea.
3.2.2 Intrusion process
The attacker logged into the honeypot at 14:17:37 on 2018-7-31 using the Raspberry Pi default account pi and a weak password.
A closer look at the commands the attacker executed shows that he copied a file named "E7wWc5ku" onto the host with scp and saved it under /tmp. He then changed into the tmp directory, gave the file executable permission, and ran it through bash.
3.2.3 Behavior analysis
We then fetched and analyzed the full contents of the shell script. It kills a batch of other mining processes and processes that consume system resources, and then starts mining.
It kills a batch of other mining programs and processes:
Next it adds a suspicious entry to /etc/hosts, resolving a local address to bins.deutschland-zahlung.eu. It then clears the environment variables set by the shell, changes the password of the pi user, generates an SSH key and writes the public key into the SSH configuration file. It also writes a file named EOF MARKER containing a DNS setting and a string of suspicious domain names, which are believed to be IRC servers.
It then runs the EOF MARKER file in the background, downloads zmap and sshpass, uses zmap to probe the intranet, and continues using the current machine to scan the other machines in the IP list with credentials such as "pi:praspberry" and "pi:praspberryaspberry993311", uploading the attack script via scp to each host it breaks into.
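As an added example (not code from the report or from Anheng), the following Python log analyzer implements the detection a defender would want for the behaviour described in sections 2.2 and 3.2.2: repeated failed SSH logins from one source, a later successful login from that same source, and password logins to default accounts such as pi. The log lines, the failure threshold and the default-account list are constructed assumptions.

```python
# Added example: flag SSH brute-force activity and suspicious logins in
# OpenSSH auth-log lines. The sample lines are constructed, not taken from
# the report; the threshold and the default-account list are assumptions.
import re
from collections import defaultdict

# Accounts that ship as defaults on appliances and single-board computers
# (the report names pi, cisco and db2as among the brute-forced accounts)
DEFAULT_ACCOUNTS = {"pi", "root", "admin", "cisco", "db2as"}
FAIL_THRESHOLD = 5  # assumption: failures from one IP before we call it brute force

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPT_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

def analyze_auth_log(lines):
    """Return brute-force sources, successes after failures, and default-account logins."""
    failures = defaultdict(int)        # source IP -> number of failed logins
    failed_users = defaultdict(set)    # source IP -> user names it tried
    findings = {"brute_force": {}, "success_after_failures": [], "default_account_login": []}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            failed_users[ip].add(user)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            user, ip = m.groups()
            prior = failures.get(ip, 0)
            if prior > 0:  # a success from a source that was already guessing
                findings["success_after_failures"].append((ip, user, prior))
            if user in DEFAULT_ACCOUNTS and "Accepted password" in line:
                findings["default_account_login"].append((ip, user))
    for ip, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings["brute_force"][ip] = (count, sorted(failed_users[ip]))
    return findings

# Constructed sample log mirroring the pattern in the report: a guessing run
# against several accounts ending in a password login to the default pi user.
SAMPLE_LOG = """\
Jul 31 14:17:01 pi sshd[2001]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jul 31 14:17:02 pi sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 31 14:17:03 pi sshd[2003]: Failed password for invalid user enable from 203.0.113.7 port 40113 ssh2
Jul 31 14:17:05 pi sshd[2004]: Failed password for pi from 203.0.113.7 port 40114 ssh2
Jul 31 14:17:20 pi sshd[2005]: Failed password for pi from 203.0.113.7 port 40115 ssh2
Jul 31 14:17:37 pi sshd[2006]: Accepted password for pi from 203.0.113.7 port 40116 ssh2
Jul 31 15:02:10 pi sshd[2100]: Accepted publickey for ops from 198.51.100.5 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_LOG).items():
        print(key, value)
```

On a real host the same function can be fed the lines of /var/log/auth.log (or the sshd journal); the key-based login from a clean source is deliberately left unflagged so the output shows only the events worth acting on.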
IV. Security governance brooks no delay
The analysis of the current mainstream threats to Linux systems in this paper provides a reliable basis for subsequent standardized management and governance of these systems.
4.1 Standards for daily security operation and maintenance
The analysis of the severe brute-forcing caused by exposed remote service and database ports on today's Internet shows that server port management needs to be standardized and strengthened. In daily operation and maintenance, avoid opening application ports unnecessarily, especially remote service ports, database services and other types that are easy to probe and brute-force. If they must be opened, put proper network access control in place, which also blocks attacks launched from unauthorized addresses. Standardized port management is simple to carry out, but its effect is remarkable.
4.2 Security standards for Internet of Things terminal devices
Linux is the underlying system of a large number of Internet of Things devices. Compared with traditional server operation and maintenance, the security of these systems is very weak because of their short development time and immature management mechanisms, their management configuration is chaotic, and the default account password problem is especially prominent. Both the earlier camera "black swan" incident and the DDoS attack launched from Internet of Things terminal devices that caused a network outage in the United States fully exposed how non-standard the security development, configuration and management of these systems are. There is therefore an urgent need to promote security management standards for Internet of Things terminal devices and to mandate testing of products against security standards.
4.3 Awareness and governance of zombie hosts
At present there are a large number of zombie hosts on the network. Because the network lacks a detection mechanism for zombie hosts, enterprise networks, IDC computer rooms and public and private clouds of all kinds face the problem of hosts that have been controlled and compromised for a long time without anyone knowing. This also lets hackers freely capture zombie hosts and carry out DDoS attacks, mining, intranet penetration and other activities. Using new zombie-host detection methods to discover whether compromised systems exist on the network has therefore become the most important problem to solve.
Threat intelligence can broadly identify zombie hosts on the network and, by capturing Internet traffic data and analyzing shared intelligence from home and abroad, extract the addresses of compromised hosts controlled by malicious hosts. It can effectively help regional regulators or organizations find out whether controlled zombie hosts exist in their internal networks, carry out cleanup work, and prevent the incalculable losses caused by ongoing control.
The above is an example analysis of the security threats that Linux systems face on the Internet. The editor believes it contains knowledge points we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.