
How hackers use SSH weak-password attacks to control Linux servers

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Many newcomers are not clear on how hackers use SSH weak-password attacks to take control of Linux servers. To help with that, the editor walks through a real case in detail below; readers who need this are welcome to follow along, and I hope you take something away from it.

I. Overview

This week, the Tencent Security Service Center received a request for help from a customer. The Tencent Yujie advanced threat detection system deployed at the customer's site had raised an alert for SSH brute-force activity. The company's security staff promptly contacted Tencent security experts to help analyze the source of the threat.

With the customer's consent, a Tencent security engineer remotely collected evidence from the affected machine, which was deployed in the customer's private cloud. Combined with the key Yujie logs, the evidence showed a brute-force attack using weak passwords against the SSH server. Because it was discovered promptly, the engineer helped the customer isolate and disinfect the machine in time, and no loss resulted.

Following this clue, the Tencent Security Threat Intelligence Center investigated and found that the attack was launched by a professional hacker group. After brute-forcing the weak SSH password, the attacker implants an SSH backdoor and an IRC bot backdoor, spreads laterally through the intranet using SSH weak passwords, and the victim machine then receives remote instructions to install modules including (but not limited to) cryptomining and DDoS attack modules.

The group uses infrastructure in a number of countries, including Russia, the United States, France, Romania, the Netherlands and Singapore, and it targets servers all over the world, with about 100,000 potential target IPs a day. A Monero wallet controlled by the group has mined nearly 200 XMR, worth about 120,000 yuan at market price.

II. Detailed analysis

According to the Tencent Yujie log, the gang brute-forced the weak password after as many as 4,000 connection attempts against the target SSH server.

At 17:23 the brute-force succeeded, because the victim's SSH server used a weak password.
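The pattern Yujie flagged here, thousands of failed password logins from one source followed by a successful one, is visible in plain sshd logs as well. The following is an added example, not part of the original report or Tencent's tooling: it parses constructed OpenSSH auth-log lines (the hostnames, PIDs and IPs are made up) and reports every source IP whose failed password attempts reach a threshold, marking the case where a login is accepted after those failures.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log style (not from the incident).
SAMPLE_AUTH_LOG = """\
Jun  2 17:20:01 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 41022 ssh2
Jun  2 17:20:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 41030 ssh2
Jun  2 17:20:03 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 41038 ssh2
Jun  2 17:20:04 web1 sshd[2107]: Failed password for root from 203.0.113.45 port 41044 ssh2
Jun  2 17:20:05 web1 sshd[2109]: Failed password for root from 203.0.113.45 port 41050 ssh2
Jun  2 17:23:10 web1 sshd[2311]: Accepted password for root from 203.0.113.45 port 41990 ssh2
Jun  2 17:23:12 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 50110 ssh2
Jun  2 17:25:00 web1 sshd[2330]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms of sshd log lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_lines(text):
    """Yield (result, method, user, ip) for each sshd auth line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def detect_bruteforce(text, threshold=5):
    """Return {ip: {"failures": n, "success_after_failures": bool, "users": [...]}}
    for every source IP whose failed password attempts reach `threshold`.
    A login accepted from an IP that already reached the threshold is the
    "brute-force succeeded" case described in the report."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False, "users": set()})
    for result, method, user, ip in parse_auth_lines(text):
        entry = stats[ip]
        if result == "Failed" and method == "password":
            entry["failures"] += 1
            entry["users"].add(user)
        elif result == "Accepted" and entry["failures"] >= threshold:
            entry["success_after_failures"] = True
    return {
        ip: {**entry, "users": sorted(entry["users"])}
        for ip, entry in stats.items()
        if entry["failures"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        verdict = "COMPROMISE LIKELY" if info["success_after_failures"] else "brute-force attempt"
        print(f"{ip}: {info['failures']} failed password logins, users={info['users']} -> {verdict}")
```

On a real host the input would be `/var/log/auth.log` or `journalctl -u ssh`, and the threshold would be far below the 4,000 attempts seen in this case; a single accepted password after even a handful of failures from the same address deserves a look at that session.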

We extracted two malware files, /dev/shm/.satan and /dev/shm/rp, from the victim machine and analyzed them.

.satan downloads 54.37.70.249/ps and executes it. ps is a backdoored SSH server: after it starts, it listens on port 22 of the machine and modifies the SSH authorization so that the attacker can log in remotely without a password, which requires storing the attacker's public key on the victim machine.

Once the key has been added, information about the local machine is sent to the attacker's server; three server addresses are built in:

Zergbase.mooo.com

5.255.86.129 (Netherlands)

Mage.ignorelist.com (USA)
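Because the ps backdoor persists by planting the attacker's public key, the quickest check on a suspect host is to compare every entry in `authorized_keys` against the fingerprints the administrators actually issued. The following added example is not part of the report; it builds a constructed `authorized_keys` file (the key blobs are syntactically valid but are fixed byte patterns, not usable keys), computes SHA256 fingerprints the same way `ssh-keygen -lf` prints them, and lists every key absent from an allowlist.

```python
import base64
import hashlib


def _constructed_key(key_type, seed):
    """Build a syntactically valid OpenSSH public-key blob for the sample.
    The 32 key bytes are a fixed pattern, so this is NOT a usable key."""
    key_bytes = bytes((seed + i) % 256 for i in range(32))
    raw = (len(key_type).to_bytes(4, "big") + key_type.encode()
           + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return base64.b64encode(raw).decode()


# Constructed authorized_keys: the first entry is the admin's; the second is
# the kind of entry a backdoor like ps would plant for password-less logins.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not taken from the incident",
    f"ssh-ed25519 {_constructed_key('ssh-ed25519', 1)} admin@workstation",
    f"no-pty ssh-ed25519 {_constructed_key('ssh-ed25519', 200)} root@localhost",
    "",
])


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) for each key line. Options before the
    key type are skipped; quoted options containing spaces are not handled
    (a simplification of the real authorized_keys grammar)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break


def unknown_keys(text, allowed_fingerprints):
    """Return (fingerprint, comment) for every key not in the allowlist."""
    return [(fingerprint(blob), comment)
            for _, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in allowed_fingerprints]


# The allowlist would normally come from the team's key inventory; here it is
# just the admin's constructed key.
ALLOWED = {fingerprint(_constructed_key("ssh-ed25519", 1))}

if __name__ == "__main__":
    for fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"unexpected key {fp} ({comment or 'no comment'})")
```

Run against real files (`~/.ssh/authorized_keys` for root and every service account) with an allowlist exported from the key inventory; an entry the inventory does not know, especially on the root account, is exactly the persistence this backdoor leaves behind.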

rp is obfuscated (encrypted) Perl code.

After decryption it turns out to be the Perl version of the IRC bot backdoor.

C&C:146.185.171.227 (Netherlands)

The backdoor's functions include flood (DDoS) attacks and execution of code pushed from the C&C.

Analysis showed that the attackers then push a shell script for mining. The script first downloads 54.37.70.249/dota.tar.gz (the IP is located in France).

Decompressed dota directory structure

Executing dota/.rsync/initall: the script does some clean-up preparation and then calls the init function.

In init it cleans up its own earlier mining processes and sets startup items.

dota/.rsync/a directory structure

Then dota/.rsync/a/a is executed; the a script runs init0, a shell program designed to eliminate competing miners.

After the mining program starts, it kills the processes of most other mining software, deletes their related files, and monopolizes the machine's resources.

Next it executes anacron, a Linux mining Trojan built from a modified xmrig 2.14.

Mining pools:

5.255.86.129:80 (Netherlands)

107.191.99.221:80 (monerohash.com, USA)

Workforce.ignorelist.com

So far the wallet has mined 195 XMR, worth about 120,000 yuan at the average price on 2019-06-05.

dota/.rsync/b/a is executed next; b/a finally runs ps, the SSH backdoor server mentioned above, which lets the attackers log in remotely over SSH without a password.

Then the start script in the c directory is executed; it downloads from the network the server addresses and ports to brute-force, together with the dictionaries.

It polls three servers for the download:

46.101.113.206 (Russia)

141.85.241.113 (Romania)

Sez.strangled.net (USA)

On each of the three servers, the path /a/xtr holds the address of the dictionary server, currently 202.136.170.27 (Singapore), which is updated every few days.

202.136.170.27/a/a stores the server addresses and ports about to be attacked. The list currently contains more than 30,000 IPs. An IP is removed from the list whether or not the attack on it succeeds, and new target IPs are continuously added, so we estimate the number of IPs attacked per day at about 100,000.

202.136.170.27/a/b stores the weak-password dictionary.

The tsm program in the same directory is then executed with the target IPs and the dictionary as input.

After a successful brute-force, a shell script is executed remotely on the new victim.

It downloads and executes 54.37.70.249/rp and 54.37.70.249/.satan (54.37.70.249 is in France), repeating the steps above on the new victim machine.

III. Security recommendations

Because the incident was discovered promptly, the customer, who had deployed the Tencent Yujie advanced threat detection system, suffered no loss; but tracing the attack back to its source showed that about 100,000 SSH servers are listed as attack targets every day. Tencent security experts advise enterprise users to stay highly vigilant and take the following measures to prevent corporate SSH servers from being compromised and controlled by this gang.

1. Log in with an SSH key, not a password.

2. Apply a strict password policy with high-strength passwords, and never use weak passwords, so that brute-force cracking does not succeed.

3. Configure SSH to listen only on the server's private-network IP address.

4. Where possible, do not give the server a public IP address at all.

5. Deploy the Tencent Yujie Advanced Threat Detection system. Yujie is a threat-intelligence and malicious-behaviour detection model system developed on the security capabilities of the Tencent Antivirus Lab and backed by Tencent Security's large cloud and endpoint data sets.
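Recommendations 1 and 3 (and the root-login and retry limits that go with them) map directly onto a handful of `sshd_config` keywords. The following added example is not from the report: it shows a constructed weak configuration beside a hardened one and a small audit function that reports which of the recommended settings a given `sshd_config` fails. The private-address check uses the RFC 1918 and loopback ranges; only the global section is audited (Match blocks are ignored, an assumption of this example).

```python
import re

# Constructed example of a weak sshd_config (not the victim's real file):
# password logins on, root allowed, listening on every interface.
WEAK_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened counterpart: key-only logins, no root password login,
# sshd bound to a private-network address, fewer tries per connection.
HARDENED_SSHD_CONFIG = """\
Port 22
ListenAddress 10.0.1.15
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# RFC 1918 ranges plus loopback
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def parse_sshd_config(text):
    """Return {keyword_lower: value} using the first occurrence of each keyword,
    which is the one sshd honours; later duplicates are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break  # assumption: only the global section is audited here
        conf.setdefault(key, value.strip())
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the recommendations hold.
    Defaults assumed where a keyword is absent follow OpenSSH's documented defaults."""
    conf = parse_sshd_config(text)
    findings = []
    # Recommendation 1: key-based login only (sshd default is 'yes')
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (key-based login only)")
    if conf.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    # root is the account brute-forced in this incident
    if conf.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin should not be 'yes'")
    # Recommendation 3: listen only on a private-network address
    listen = conf.get("listenaddress")
    if listen is None or not PRIVATE_RE.match(listen.split(":")[0]):
        findings.append("ListenAddress should be a private-network IP, not all interfaces")
    # Extra brake on password guessing per connection (default 6)
    if int(conf.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries should be 3 or lower")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```

To audit a live host, read `/etc/ssh/sshd_config` into `audit_sshd_config`; the effective configuration after includes and Match blocks is what `sshd -T` prints, which can be fed to the same function.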

Enterprise administrators can also remove the malware manually:

Delete the following files and directories:

/dev/shm/.satan

/dev/shm/rp

/tmp/.X13-unix

/tmp/dota

Delete the startup items:

/tmp/data/.rsync/a/upd

/tmp/data/.rsync/b/sync
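The manual clean-up above, together with the server addresses named throughout the report, can be turned into a repeatable sweep. The following added example is not part of the report: it checks for the listed file and startup-item paths under a root directory (the live `/`, a mounted forensic image, or a test tree), removes them only when asked to, and matches the peer addresses in constructed `ss -tn` output against the report's network indicators. The sample directory tree and connection listing are constructed for the demo; the placeholder files contain no malware.

```python
import os
import shutil
import tempfile

# File and startup-item indicators listed in the report (paths on the victim)
FILE_IOCS = ["/dev/shm/.satan", "/dev/shm/rp", "/tmp/.X13-unix", "/tmp/dota"]
STARTUP_IOCS = ["/tmp/data/.rsync/a/upd", "/tmp/data/.rsync/b/sync"]
# Network indicators named in the report: payload host, report-back host,
# IRC C&C, mining pool, target-list servers and dictionary server
NETWORK_IOCS = {
    "54.37.70.249", "5.255.86.129", "146.185.171.227", "107.191.99.221",
    "46.101.113.206", "141.85.241.113", "202.136.170.27",
}


def _under(root, path):
    """Map an absolute indicator path onto `root` (live '/' or a mounted image)."""
    return os.path.join(root, path.lstrip("/"))


def find_file_iocs(root="/"):
    """Return the indicator paths that exist under `root`, in list order."""
    return [p for p in FILE_IOCS + STARTUP_IOCS if os.path.lexists(_under(root, p))]


def remove_file_iocs(root="/", dry_run=True):
    """Remove the indicators found under `root`; with dry_run=True only report.
    Returns the paths removed (or that would have been removed)."""
    handled = []
    for path in find_file_iocs(root):
        full = _under(root, path)
        if not dry_run:
            if os.path.isdir(full) and not os.path.islink(full):
                shutil.rmtree(full)  # /tmp/dota is an unpacked directory tree
            else:
                os.remove(full)
        handled.append(path)
    return handled


def find_network_iocs(ss_output):
    """Scan 'ss -tn' style lines; return (local, peer) pairs whose peer address
    is one of the known attacker hosts."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if peer.rsplit(":", 1)[0] in NETWORK_IOCS:
            hits.append((local, peer))
    return hits


# Constructed 'ss -tn' output (not captured from the incident); the second and
# third connections go to the IRC C&C and a mining pool named in the report.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.15:22         198.51.100.7:50110
ESTAB  0      0      10.0.1.15:39822      146.185.171.227:6667
ESTAB  0      0      10.0.1.15:41110      5.255.86.129:80
"""


def build_sample_tree(root):
    """Create a constructed infected layout under `root` for the demo."""
    for rel in ("dev/shm/.satan", "dev/shm/rp", "tmp/data/.rsync/a/upd"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed placeholder, not malware\n")
    os.makedirs(os.path.join(root, "tmp/dota/.rsync/a"), exist_ok=True)


def run_demo():
    """Build the sample tree in a temp dir, hunt, clean, and return the results."""
    root = tempfile.mkdtemp(prefix="ssh-ioc-demo-")
    try:
        build_sample_tree(root)
        found = find_file_iocs(root)
        planned = remove_file_iocs(root, dry_run=True)
        removed = remove_file_iocs(root, dry_run=False)
        return {"found": found, "planned": planned, "removed": removed,
                "left": find_file_iocs(root), "network": find_network_iocs(SAMPLE_SS)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Removing the files is only the last step: run `find_file_iocs("/")` and `find_network_iocs(subprocess.check_output(["ss", "-tn"], text=True))` first, preserve copies of anything found for analysis, kill the running miner and backdoor processes, and rotate the credentials and `authorized_keys` entries before putting the host back on the network, since the weak password that let the gang in is still the root cause.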
