Case study: black-industry crews exploiting server vulnerabilities to mine cryptocurrency (vulnerability warning, Black Bar Safety Net / myhack58)

myhack58 ID: MYHACK58:62201784367
Published: Mar 15, 2017, 00:00
Author: Anonymous (佚名)
Source: www.myhack58.com
CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.974 High (percentile 99.9%)

BAT (Baidu, Alibaba, Tencent) represents the bright side of making a fortune on the Internet. On the dark side, the black industry is just as inventive about maximizing its own gain, and, like the Eight Immortals crossing the sea, each crew shows its own skill. Some steal data and resell it to reach "financial freedom"; those who stop in time live comfortably for the rest of their lives, while the insatiable ones end up eating prison food under the increasingly severe crackdown of recent years. Beyond data, we also see crews making money by extracting the computing power of compromised devices. Recently the Tianyan (Sky Eye) Lab tracked a gang that uses these N-day vulnerabilities to attack servers, take control of them, and automatically implant a mining Trojan. Here we analyze a real case for everyone.
We hope this small exposure wakes some administrators up: check whether your servers have these vulnerabilities and clear any malicious code already present on the machine. If the vulnerability exists, the machine has almost certainly already been compromised and controlled. Protect your data and services.
Java-based Web application servers have had several very easy-to-use remote command execution vulnerabilities, for example the following two:
CVE-2015-7450
IBM WebSphere: Java deserialization vulnerability in the Apache Commons Collections component
CVE-2015-4852
Oracle WebLogic Server: Java deserialization vulnerability
The vulnerability details are not analyzed here. Although the technical details and exploit tools have been public for almost two years, a large number of Web servers with these vulnerabilities still sit on the Internet, and those servers will sooner or later become attackers' prey. As for what a controlled machine is used for: whatever data it holds will inevitably be stolen and resold, and beyond that, servers generally have good hardware, mass storage, fast CPUs and network links. With the price of Bitcoin currently high, taking over a server and using its full computing capacity for mining is one of the ways the black industry profits from its "broilers" (肉鸡, compromised machines).
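As an added example (not code from the article or from Tianyan Lab), the following Python detector classifies a captured request body the way a WAF or IDS rule for these two CVEs would: it looks for the Java serialization stream magic (0xACED0005) and for the Apache Commons Collections gadget class names that the 2015 WebLogic/WebSphere exploit chains carry in clear text, and it notes whether the request starts with the WebLogic T3 client handshake that CVE-2015-4852 payloads ride on. The sample payloads are constructed for the demo; the class names are real, the bytes around them are simplified.

```python
# Added example, not code from the article. Flags Java-deserialization exploit attempts of the
# CVE-2015-4852 / CVE-2015-7450 type by inspecting raw request bytes.

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header: STREAM_MAGIC + STREAM_VERSION 5
T3_HANDSHAKE_PREFIX = b"t3 "               # WebLogic T3 client hello, e.g. "t3 12.2.1\nAS:255\nHL:19\n\n"

# Gadget classes whose names appear as UTF strings inside a serialized Commons Collections chain.
GADGET_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.map.LazyMap",
    b"sun.reflect.annotation.AnnotationInvocationHandler",
)


def inspect_payload(data: bytes) -> dict:
    """Classify one captured request body.
    verdict 'clean'      : no Java serialized stream at all
            'serialized' : a serialized stream but no known gadget class (normal T3/RMI traffic)
            'alert'      : serialized stream plus a gadget class: treat as an exploit attempt"""
    magic_at = data.find(JAVA_SERIAL_MAGIC)
    gadgets = [name.decode() for name in GADGET_CLASSES if name in data]
    if magic_at == -1:
        verdict = "clean"
    elif gadgets:
        verdict = "alert"
    else:
        verdict = "serialized"
    return {
        "t3": data.startswith(T3_HANDSHAKE_PREFIX),
        "serialized_offset": magic_at,
        "gadgets": gadgets,
        "verdict": verdict,
    }


def triage(payloads) -> list:
    """Run inspect_payload over several captures and return the verdicts in order."""
    return [inspect_payload(p)["verdict"] for p in payloads]


# Constructed samples (not captured traffic). "sr" + 2-byte length + class name is how a class
# descriptor starts in the Java serialization format; 0x3a is the length of the InvokerTransformer name.
SAMPLE_T3_EXPLOIT = (
    b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    + JAVA_SERIAL_MAGIC
    + b"sr\x00:org.apache.commons.collections.functors.InvokerTransformer"
    + b"\x02\x00\x01[\x00\x05iArgs"
)
SAMPLE_T3_BENIGN = (
    b"t3 12.2.1\nAS:255\nHL:19\n\n"
    + JAVA_SERIAL_MAGIC
    + b"sr\x00\x13weblogic.rjvm.JVMID"
)
SAMPLE_HTTP_BENIGN = b"GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: target:7001\r\n\r\n"


if __name__ == "__main__":
    for label, payload in (("exploit", SAMPLE_T3_EXPLOIT),
                           ("benign T3", SAMPLE_T3_BENIGN),
                           ("http", SAMPLE_HTTP_BENIGN)):
        print(label, inspect_payload(payload))
```

Two caveats for real traffic: the WebSphere variant (CVE-2015-7450) arrives inside a SOAP request with the serialized object base64-encoded, so decode base64 blobs before running this check; and a plain serialized stream on T3 is normal WebLogic client traffic, which is why only the combination of magic plus gadget class is raised to an alert.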
Case
The black-industry crew scans IP ranges for servers with a specific port open, confirms that the Web application server is vulnerable, exploits it to take control, downloads a "picture" that carries Bitcoin-mining malware, and executes it; the server then becomes a mining broiler.
![](/Article/UploadPic/2017-3/2017315211310444.png?www.myhack58.com)
The sample comes from a honeypot we set up; the server exposes WebLogic at http://xxx.xx.xx.xxx:7001/:
![](/Article/UploadPic/2017-3/2017315211311260.png?www.myhack58.com)
Log analysis showed that the attacker used the Java deserialization vulnerability in the WebLogic application server to compromise it. After gaining control, the attacker first executes a script that downloads and runs a program named regedit.exe; this program calls powershell.exe to run the following PowerShell script:
![](/Article/UploadPic/2017-3/2017315211312713.png?www.myhack58.com)
The PowerShell code is shown below:
![](/Article/UploadPic/2017-3/2017315211312591.png?www.myhack58.com)
The script first downloads the tool dd.exe from an open-source site and uses it to write files. Most mainstream antivirus products treat dd.exe as a clean (whitelisted) tool, so using it lets part of the operation bypass detection. The figure below introduces dd.exe:
![](/Article/UploadPic/2017-3/2017315211312114.png?www.myhack58.com)
The script also downloads a JPEG picture from https://ooo.0o0.ooo/2017/01/22/58842a764d484.jpg:
![](/Article/UploadPic/2017-3/2017315211312785.png?www.myhack58.com)
https://ooo.0o0.ooo/ itself is an image-hosting site that gives hotlink addresses for user-uploaded files:
![](/Article/UploadPic/2017-3/2017315211312429.png?www.myhack58.com)
The site's interface is shown in the figure; the maximum upload size is 5MB:
![](/Article/UploadPic/2017-3/2017315211312244.png?www.myhack58.com)
The downloaded picture is 1.44MB, which is of course not just a picture:
![](/Article/UploadPic/2017-3/2017315211313104.png?www.myhack58.com)
Analysis found a PE file starting at image offset 0xd82 (3458):
![](/Article/UploadPic/2017-3/2017315211313727.png?www.myhack58.com)
Finally, the script calls dd.exe to extract the PE file from the picture and names it msupdate.exe: dd.exe if=favicon.jpg of=msupdate.exe skip=3458 bs=1
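As an added example, not part of the original article: a Python equivalent of the carving step above that finds the embedded PE by its MZ header and e_lfanew-to-PE-signature link instead of a hard-coded skip value, so it also works on the next sample where the crew changes the offset. The input is a constructed JPEG-looking blob with a minimal PE stub placed at 0xd82 (3458) to match the article; the real 1.44MB picture is not reproduced.

```python
# Added example, not code from the article. Locates and carves a PE hidden in an image file.
import struct

JPEG_SOI = b"\xff\xd8\xff"   # Start-Of-Image marker every JPEG begins with
PE_SIG = b"PE\x00\x00"


def find_embedded_pe(blob: bytes) -> int:
    """Return the offset of the first plausible embedded PE image in blob, or -1.
    Plausible means: 'MZ' at offset o, and e_lfanew (the DWORD at o+0x3C) points at a
    PE signature inside blob. Checking e_lfanew rules out random 'MZ' byte pairs in JPEG data."""
    pos = blob.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(blob):
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        if 0x40 <= e_lfanew <= 0x400 and blob[pe_off:pe_off + 4] == PE_SIG:
            return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_pe(blob: bytes) -> bytes:
    """The dd.exe step (dd if=favicon.jpg of=msupdate.exe skip=OFFSET bs=1), with OFFSET discovered."""
    off = find_embedded_pe(blob)
    if off == -1:
        raise ValueError("no embedded PE header found")
    return blob[off:]


def describe_pe(pe: bytes) -> dict:
    """Read the COFF header fields useful for quick triage: machine type and section count."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, nsections = struct.unpack_from("<HH", pe, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": hex(machine), "sections": nsections}


def build_fake_dropper(pe_offset: int = 0xD82) -> bytes:
    """Constructed sample (not the real picture): a JPEG-looking prefix, zero padding, and a minimal
    DOS header + COFF header at pe_offset. 0xD82 = 3458 is the offset reported in the article."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header directly after the 64-byte DOS header
    # COFF header: machine i386, 3 sections, timestamp 0, no symbols, optional header size 0xE0,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    jpeg_prefix = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01"
    return jpeg_prefix + b"\x00" * (pe_offset - len(jpeg_prefix)) + bytes(dos) + coff


if __name__ == "__main__":
    blob = build_fake_dropper()          # replace with open("58842a764d484.jpg", "rb").read() on a real sample
    off = find_embedded_pe(blob)
    pe = carve_pe(blob)
    print(f"JPEG header: {blob.startswith(JPEG_SOI)}; PE at offset {off} (0x{off:x}); {describe_pe(pe)}")
```

The e_lfanew check matters on real pictures: compressed JPEG data contains the byte pair "MZ" by chance every 64KB or so, and a naive search for the first "MZ" would carve garbage.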
The extracted PE is a self-extracting archive:
![](/Article/UploadPic/2017-3/2017315211313210.png?www.myhack58.com)
After running, it unpacks and executes msupdate.exe:
![](/Article/UploadPic/2017-3/2017315211313793.png?www.myhack58.com)
msupdate.exe is itself also a self-extracting archive:
![](/Article/UploadPic/2017-3/2017315211313616.png?www.myhack58.com)

(Continued on page 2 of the original article.)