{"id":546,"date":"2018-01-30T09:40:38","date_gmt":"2018-01-30T09:40:38","guid":{"rendered":"http:\/\/www.cloudcoffer.com\/?p=546"},"modified":"2018-02-26T09:55:02","modified_gmt":"2018-02-26T09:55:02","slug":"honeypot-extraction-digital-currency-mining","status":"publish","type":"post","link":"https:\/\/www.cloudcoffer.com\/?p=546","title":{"rendered":"Honeypot Extraction – Digital Currency Mining"},"content":{"rendered":"

Date of Detection:<\/strong><\/p>\n

2018.1.30<\/p>\n

 <\/p>\n

Description:<\/strong><\/p>\n

Cryptocurrency mining becomes more and more popular. Attackers are widely exploiting victims’ systems to mine digital currencies and making profits. According to the news report<\/a> on February 21st, 2018, even Tesla cloud resources are hacked to run cryptocurrency-mining malware. As CloudCoffer’s honeypots keep detecting this type of exploit and the number of this type of attack is rising, system administrators should really keep an eye on the issue.<\/p>\n

 <\/p>\n

Source IP Addresses:<\/strong><\/p>\n

211.23.165.65, 37.48.110.24<\/p>\n

 <\/p>\n

Target Systems:<\/strong><\/p>\n

    \n
  1. PHP Platforms<\/li>\n
  2. Systems with OS Command Injection Vulnerabilities<\/li>\n<\/ol>\n

     <\/p>\n

    An example of PHP code that\u2019s vulnerable to OS command injection is as follows.<\/p>\n

    <?php\r\n\r\nprint(\"Please select the file to be deleted:\");\r\n\r\n$f1=$_GET['f'];\r\n\r\nsystem(\"rm $f1\");\r\n\r\n?><\/pre>\n
     <\/p>\n
    The following request is an example of a working attack.<\/p>\n
    https:\/\/www.example.com\/del.php?f=garbage.txt;whoami<\/span><\/p>\n
     <\/p>\n
    The system is then controlled to print the effective username of the current user as follows. Attackers can certainly inject any malicious commands instead of whoami. The output of the server is as follows.<\/p>\n
    Please select the file to be deleted:\r\n\r\nroot<\/pre>\n
    <\/h3>\n
     <\/p>\n
    Analysis:<\/strong><\/p>\n
    By exploiting OS command injection vulnerabilities, attackers control victims\u2019 systems to download a .tgz package and decompress the package to absolute paths as follow.<\/p>\n
    \"\"<\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
    The package includes many options for attackers to control victims\u2019 systems and make illegal profits. Further, the attacker intentionally hides the folder by appending a period at the beginning of the name of the directory.<\/p>\n
    The file named .test-unix\/run tries to control victims\u2019 systems to mine digital currencies for the attacker\u2019s wallet.<\/p>\n
     <\/p>\n
    \"\"<\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
    The file named .test-unix\/stop sends users\u2019 system and credential information to the attacker\u2019s email address.<\/p>\n
     <\/p>\n
    \"\"<\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
    To prevent being detected by system administrators, after downloading and decompressing the package, the attackers\u2019 script runs malicious processes and deletes the above files. If victims\u2019 systems are vulnerable, this attack can be fulfilled by sending one http-post request. The attack works for all systems with OS command injection vulnerabilities.<\/p>\n
    The best way to prevent this type of attack is to make sure that the systems are upgraded to the latest version. Further, users need to make sure that their applications are not vulnerable to OS command injection.<\/p>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    Date of Detection: 2018.1.30   Description: Cryptocurrency mining becomes more and more popular. Attackers are widely exploiting victims’ systems to mine digital currencies and making profits. According to the news report on February 21st, 2018, even Tesla cloud resources are hacked to run cryptocurrency-mining malware. As CloudCoffer’s honeypots keep detecting this type of exploit and Read more about Honeypot Extraction – Digital Currency Mining<\/span>[…]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-honeypot"],"_links":{"self":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=546"}],"version-history":[{"count":18,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":568,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions\/568"}],"wp:attachment":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}