This article elaborated: the discovery of a hacker attack, intrusion analysis, counter hack Server, successfully obtain permission and complete evidence of the whole process. Such an invasion is now also very much, especially for a specific system of orientation, but“blind scan”in the attack.
Recently, the security constant security research team is monitoring to a large number of the use of weak passwords on 2 2 port for brute force attacks. After the security team a detailed analysis, we found that on the network a lot of ubnt devices there is a weak password, and a hacker using an automated tool to implant a back door. Ann constant APT network of early warning platform successfully detected this threat attack:
In a 3 on 1 9 May, to a customer network fault feedback, Ann constant the engineer to contact the Customer after the remote emergency response, in the client of a piece of equipment discovered some suspicious shell process.
The analysis found that these shell scripts the main function is through wget to download some suspicious file and run, and finally delete the downloaded file, resulting in a post-evidence of the difficulty.
We try to open comes to the malicious page are as follows:
From the above figure we can see that:
Suspicious ip: 2 2 2.. .62“1 0 0 1 0”file in one day download the 9 1 0 8
Suspicious ip: 1 8 0.. .241“hope9”file in 4 to 8 minutes to download a 3 9 6 times
After analysis, we found two suspicious files are MIPS architectureDDOStools, foreign researchers referred to as“Mr. Black”
The main function is to some of the common GET_Flood, a SYN_Flood, the UDP_Flood, etc. DDOSattack.
The next day, we continue to observe the found one malicious file downloads from the original 9 1 0 8 times into a 1 5 1 7 1