MESSAGE
| DATE | 2013-12-17 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [NYLXS - HANGOUT] hacked linux boxes
|
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful-exploit-of-a-linux-server-looks-like/
What a successful exploit of a Linux server looks like
How one box was converted into a Bitcoin-mining, DoS-spewing,
bug-exploiting bot.
by Dan Goodin - Dec 17 2013, 3:15pm EST
Internet Crime
Open Source
42
Enlarge
Andre' DiMino
Like most mainstream operating systems these days, fully patched
installations of Linux provide a level of security that requires a fair
amount of malicious hacking to overcome. Those assurances can be
completely undone by a single unpatched application, as Andre' DiMino
has demonstrated when he documented an Ubuntu machine in his lab being
converted into a Bitcoin-mining, denial-of-service-spewing,
vulnerability-exploiting hostage under the control of attackers.
A security researcher with George Washington University, DiMino noticed
several IP addresses attempting to hijack the Linux server by exploiting
a now-patched PHP flaw that gave attackers the ability to remotely
execute commands on vulnerable machines. DiMino was curious to know what
the people behind the attacks intended to do with his machine, so he set
up a "honeypot" box that, for research purposes, ran an older version of
the Web development language.
The attackers' HTTP POST request contained a variety of commands that in
short order downloaded a Perl script that was disguised as a PDF
document file, executed it, and then deleted it. To ensure success, the
attackers repeated the steps using curl, fetch, lwp-get requests. The
Perl script was programmed to sleep for periods of time, presumably to
prevent administrators from noticing anything amiss. Eventually, the
compromised machine connected to an Internet relay chat channel, where
it downloaded another script and executed it. Then he ran forensic
software and snapped lots of screen shots so everyone could follow
along.
In short order, the machine was running a host of apps installed by the
attackers. Some of them hijacked the server hardware to perform the
mathematical operations required to "mine" Bitcoins and another digital
currency known as Primecoin. The server was also equipped with apps to
perform denial-of-service attacks on other machines and to scan other
machines for known vulnerabilities and exploit them when found.
"Across my honeypots, I'll see dozens of these a day, including Linux
ELF [executable and linkable format] files, perlbots, and vintage
shells," DiMino wrote in a blog post published Tuesday. "While these
injected perl and shell scripts are typically considered the patio gnats
of the Internet, more annoying than anything else, they do have the
potential to cause considerable harm."
Not just for Windows anymore
DiMino's anatomy lesson is a graphic demonstration of recent advances in
exploits for Linux. Once primarily the domain of machines running
Windows, point-and-click exploits are used to commandeer machines so
attackers can use them in online crime schemes. The increased horsepower
and bandwidth available in many Linux servers often makes them more
attractive than personal computers running Microsoft OSes. And as has
always been the case, hijacked bots don't come with expensive
electricity bills, and they often make it easy for criminals to cover
their tracks.
The takeaway from the demonstration is just how important it is for
admins working with any OS to stay on top of security patching. DiMino
counsels admins to go a step further by learning how to actively monitor
network activity on the machines they watch over. His blog post provides
instructions for using the Volatility software framework to perform
forensics on server memory. Among other things, it allows users to
identify remote connections and the processes that initiate them.
"Besides ensuring that Internet facing servers are properly patched and
hardened, knowing how to quickly track such a compromise should be part
of best practices," DiMino wrote.
|
|
