Linux servers hit by a Bitcoin extortion event: four measures to guard against data loss

ID MYHACK58:62201889988
Type myhack58
Reporter Anonymous
Modified 2018-04-17T00:00:00


After the wave of ransomware on Windows, Bitcoin extortion cases have now appeared on Linux servers. Do you think paying the ransom ends it? An important warning.

Recently the Tencent Cloud security team detected a Bitcoin extortion event on a Linux server in the cloud, the first time a Linux server on the cloud has been found hit by Bitcoin ransomware. When users logged in to the affected Linux server they were greeted by a ransom message, and on inspecting the server they found that, apart from essential system files, other files had been crudely deleted.

Brief analysis: "destructive scam extortion"

The analysis found that the attackers mainly exploited unauthenticated Redis access and similar security weaknesses to break into the server, crudely deleted the files on it, and then modified /etc/motd to leave the ransom message. This is the first Bitcoin extortion on Linux seen on the cloud. Compared with ransomware in Windows environments, which encrypts files and demands payment for the key, the extortion on Linux is far more brutal: the files are deleted outright rather than encrypted, so the whole scheme is closer to fraud, which is why we call it "destructive scam extortion". In practice, even a victim who transfers the demanded Bitcoin cannot get the files back. It also means no purpose-built ransomware has to be written, so the attack is cheaper to carry out; for the user, however, the damage is greater, because if the data files were not backed up in time the deleted data may be unrecoverable, leaving only the option of hiring a third-party data recovery company.
Security recommendations

Users are advised to strengthen host security to guard against this type of event and the data loss it causes. Specifically:

1. Back up the data on the server regularly, for example with the snapshot feature Tencent Cloud provides. With a snapshot of the server in place, data and services can be restored quickly from the snapshot even after an intrusion.

2. Audit the security of the services running on the machine, especially those reachable from the public network, to avoid intrusions such as the one caused by unauthenticated Redis access. For Redis in particular this means binding it to the loopback interface or an internal address, setting requirepass, and not disabling protected-mode.

3. Add security-group access restrictions to the server and block access from IP addresses not on the whitelist. If circumstances permit, change the default remote access port, for example moving SSH from 22 to 2212, to reduce exposure to brute-force attempts. Note that changing the port only cuts down noise from automated scanners; it does not replace strong authentication such as key-based SSH login.

4. Beyond the measures listed above, a more convenient option is to use Tencent Cloud security products to discover and defend against security issues: a) enable the Professional Edition of Cloud Mirror, which detects security vulnerabilities on the server and reports server intrusion events as soon as they happen so they can be handled; b) for web application vulnerabilities, purchase Tencent Cloud Site Steward, which protects against web exploits and attacks and prevents intrusions caused by web vulnerabilities; c) purchase the expert business security testing service so that security experts find issues in advance, and seek expert assistance when an incident does occur.
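The two technical points above, unauthenticated Redis access as the entry vector and a ransom note planted in /etc/motd, as an added example that is not part of the original article or of Tencent Cloud's tooling: a POSIX shell audit that reports the redis.conf settings which allow the access the attackers used (a weak and a hardened config are constructed inline so the script runs offline), plus a heuristic check for ransom wording in a motd file. All file contents, the temporary file paths and the sample ransom text (including the made-up address) are constructed for the demonstration; the article does not give the actual ransom message.

```shell
#!/bin/sh
# Added example (not from the article): audit redis.conf for the settings that
# permit unauthenticated access, and check /etc/motd for ransom indicators.
# Every file below is constructed for the demonstration.

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp); RANSOM_MOTD=$(mktemp); CLEAN_MOTD=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF" "$RANSOM_MOTD" "$CLEAN_MOTD"' EXIT

# Weak config: reachable on every interface, no password, protected-mode off.
cat > "$WEAK_CONF" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared   <- commented out, so any client gets full access
EOF

# Hardened counterpart: loopback only, password required, dangerous commands disabled.
cat > "$HARD_CONF" <<'EOF'
bind 127.0.0.1
port 6379
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command FLUSHALL ""
EOF

# Constructed ransom note of the kind left in /etc/motd; the address is made up.
cat > "$RANSOM_MOTD" <<'EOF'
Your files have been removed. Send 0.5 BTC to
1AddrUsedForDemoNotRea1abcdefghjkmn within 72 hours to get them back.
EOF

cat > "$CLEAN_MOTD" <<'EOF'
Welcome. Authorized users only.
EOF

# redis_conf_findings FILE: print one line per weakness found, nothing if clean.
redis_conf_findings() {
    # Drop comments and blank lines (a '#' inside a quoted password would also be cut).
    conf=$(sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$')

    # bind: no directive at all, or 0.0.0.0 / *, means non-loopback clients can connect.
    bind=$(printf '%s\n' "$conf" | awk '$1 == "bind" { $1 = ""; print }')
    case "$bind" in
        "")              echo "no bind directive: Redis listens on all interfaces" ;;
        *0.0.0.0*|*'*'*) echo "bind$bind: reachable from non-loopback addresses" ;;
    esac

    # requirepass: without it every client that can reach the port has full access.
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*requirepass[[:space:]]' \
        || echo "no requirepass: unauthenticated access"

    # protected-mode no: disables the built-in refusal of non-loopback clients when no password is set.
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*protected-mode[[:space:]]*no' \
        && echo "protected-mode no: loopback-only safeguard disabled"

    # CONFIG left callable: CONFIG SET dir/dbfilename lets a client write an RDB dump to
    # an arbitrary path (cron, ~/.ssh), the well-known route from open Redis to a shell.
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*rename-command[[:space:]]*CONFIG[[:space:]]' \
        || echo "CONFIG command not renamed: config rewrite via CONFIG SET remains possible"
    return 0
}

# motd_ransom_indicators FILE: print matching lines and return 0 if the file contains
# ransom wording or a string shaped like a Bitcoin address; return 1 otherwise.
motd_ransom_indicators() {
    grep -E 'bitcoin|Bitcoin|BTC|btc|ransom|[13][a-km-zA-HJ-NP-Z1-9]{25,34}' "$1"
}

echo "== weak config =="; redis_conf_findings "$WEAK_CONF"
echo "== hardened config =="; redis_conf_findings "$HARD_CONF"
echo "== motd =="; motd_ransom_indicators "$RANSOM_MOTD" || echo "no ransom indicators"
```

To run it against a real host, point the functions at /etc/redis/redis.conf and /etc/motd instead of the temporary files. The config check only reads the file; a Redis instance started with command-line overrides or reconfigured at runtime via CONFIG SET may differ, so confirm with `redis-cli CONFIG GET bind` and `CONFIG GET requirepass` where possible. The motd check is a heuristic for triage, not a reliable indicator of compromise.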