Sunday , 28 April 2024

Hackers using WordPress websites to mine cryptocurrency

Everyone is chasing cryptocurrency. It does not matter which coin you invest in; the value of every cryptocurrency is skyrocketing. Most people buy them and hold them as an investment, but some nerds and geeks are into other ways of earning those coins.

Recently website administrators have been using JavaScript to borrow visitors' computing power to mine Bitcoin and other cryptocurrencies, but Monero is different: it can be mined without a graphics card, i.e. with CPU power alone.

How is it being done?

A hacker built a botnet that brute-forces its way into WordPress login pages and then uses the compromised servers' computing power to mine the Monero cryptocurrency. This came to light when one company recorded 100,000 login attempts on a single Monday, which is scary. Digging deeper, Wordfence found a process named ‘29743’ using more CPU than any other process in the task manager, along with thousands of outgoing connections on port 80, i.e. the server was trying to reach thousands of other web servers.

The ‘29743’ process held connections to two IP addresses, 66.70.190.236 on port 9090 and 185.61.149.22 on port 8080.

66.70.190.236 belongs to OVH, a cloud computing provider in France, and has no domain associated with it. A scan showed only two open ports: one for SSH and port 9090, running an IRC (Internet Relay Chat) server.

185.61.149.22 belongs to ‘Makonix SIA’ in Latvia and likewise has no domain associated with it. A scan showed many open ports running SSH and a number of web servers, all of which respond with ‘Mining Proxy Online’ to any request.

Wordfence captured the traffic with tcpdump and dumped the memory of the running processes, and found a lot of unencrypted C&C traffic. The captured files reveal a malware variant similar to ‘Tsunami’ or ‘Kaiten’.

Base Station

Wordfence identified a total of eight command and control servers, each running IRC on either port 8080 or 9090.

  • 66.70.190.236:9090 muhstik.ovh1
  • 142.44.163.168:9090 muhstik.ovh2
  • 192.99.71.250:9090 muhstik.ovh3
  • 142.44.240.14:9090 muhstik.ovh4
  • 202.165.193.211:8080 x.1
  • 202.165.193.212:8080 x.2
  • 211.103.199.98:8080 x.4
  • 121.128.171.44:9090 muhstik.ras1

What does the malware do?

Put simply, it joins the IRC server with a username built from information about the hacked server. For example, if the hacked server runs Windows, the malware sets its username to include ‘windows’, along with other details; I mention this only to give a better idea of the string the malware uses as its username. The malware then receives its instructions via private messages from other bots.

Control

The whole botnet is controlled from these eight servers, and the most frequently used commands are wget, curl and uptime. These commands are automated, but Wordfence sometimes observed manual commands being executed as well.

Behavior of malware

When it infects a server and runs, it copies itself under a different name; the names are random, chosen from a file on the server.

Here is the typical way this malware works. Variants have been found, but they all work in a similar way:

  • Infects the target and runs
  • Once running, copies itself under another name as a new process
  • Deletes the original file

Deleting the original file keeps it stealthy unless the anti-virus scans memory too.

Way of attacking

The malware tries to brute-force WordPress login pages with guesses based on the site it is attacking. For example, if it targets securitydiaries it might try admin, 123456, manin, diary, etc.

Some of the malware samples contain mining software for Monero, a cryptocurrency that took off recently. They are linked to the wallet addresses 45Fj1P2s9LiVEVoW4p81cSKP5og6GSF3m9YUQc51o6KzXw1ByufNoTa88NEWBeE7dtjRZRCDj3Ly4a95by6sfzP3UmX3741 and 4ADnikPPkTpD39LunWcMA136o2m2uwnEhheKNmfQPv5kAFsQaxr2VsLeit5GEPdEkd9TxnAkzinWhK8LUFzxmTuc5rT1YDK.

All these brute-force attacks happened when Monero jumped in value from $200 to $378 in a single night.

What you can do to secure your WordPress sites

  • Scan your site with Wordfence, Secure or any other scanning service provider you trust
  • Check the task manager of your server and observe the processes running
  • Enable a limit on login attempts
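The second check above, observing the processes on the server, can be automated against the two indicators the post describes: a process holding a session to one of the eight listed C&C servers, and a process fanning out to many remote web servers on port 80. The script below is an added example, not code from the post or from Wordfence; it parses lines in the shape of `ss -tnp` output (constructed sample included) and the fan-out threshold is an assumed value.

```python
# Added example, not from the post or from Wordfence: triage an `ss -tnp`
# style connection table for the two indicators the post describes.
import re
from collections import Counter, defaultdict

# C&C endpoints exactly as listed in the post.
CNC_ENDPOINTS = {
    "66.70.190.236:9090", "142.44.163.168:9090", "192.99.71.250:9090",
    "142.44.240.14:9090", "202.165.193.211:8080", "202.165.193.212:8080",
    "211.103.199.98:8080", "121.128.171.44:9090",
}
FANOUT_THRESHOLD = 3  # assumed, kept tiny for the sample; tune for real hosts
# `ss -tnp` shape: State Recv-Q Send-Q Local Peer users:(("name",pid=N,fd=M))
SS_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\s+"
                     r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')
def parse_ss(lines):
    # Yield (pid, process name, peer address); unparseable lines are skipped.
    for line in lines:
        m = SS_LINE.match(line.strip())
        if m:
            yield int(m["pid"]), m["name"], m["peer"]

def triage(lines, fanout_threshold=FANOUT_THRESHOLD):
    # Return {pid: [reason, ...]} for processes that hold a session to a
    # listed C&C server or fan out to >= threshold remote web servers on :80.
    cnc, port80, names = defaultdict(set), Counter(), {}
    for pid, name, peer in parse_ss(lines):
        names[pid] = name
        if peer in CNC_ENDPOINTS:
            cnc[pid].add(peer)
        if peer.rsplit(":", 1)[-1] == "80":
            port80[pid] += 1
    findings = defaultdict(list)
    for pid, peers in cnc.items():
        findings[pid].append(f"{names[pid]}: session to C&C {sorted(peers)}")
    for pid, n in port80.items():
        if n >= fanout_threshold:
            findings[pid].append(f"{names[pid]}: {n} outbound port-80 connections")
    return dict(findings)

# Constructed sample: a benign ssh session and the bot running under a random
# name (the post's '29743') with an IRC session to a C&C plus port-80 fan-out.
SAMPLE = """\
ESTAB 0 0 10.0.0.5:22 203.0.113.7:51522 users:(("sshd",pid=1200,fd=4))
ESTAB 0 0 10.0.0.5:44120 66.70.190.236:9090 users:(("29743",pid=29743,fd=3))
ESTAB 0 0 10.0.0.5:44121 198.51.100.10:80 users:(("29743",pid=29743,fd=5))
ESTAB 0 0 10.0.0.5:44122 198.51.100.11:80 users:(("29743",pid=29743,fd=6))
SYN-SENT 0 1 10.0.0.5:44123 198.51.100.12:80 users:(("29743",pid=29743,fd=7))
""".splitlines()
```

Run `triage(SAMPLE)` to see the bot flagged on both indicators while the ssh session is ignored; on a live host feed it the output of `ss -tnp` instead of the sample.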

Share it if you like it.


About Manindra Simhadri

Information Security Analyst, traveler, biker and freelancer.
