SoylentNews is people
SoylentNews
New P2P botnet infects SSH servers all over the world:
Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.
The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.
"What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to," Guardicore Labs researcher Ophir Harpaz wrote. "It was shortly after the beginning of the research when we understood no CNC existed in the first place."
(Score: 5, Informative) by VLM on Monday August 24 2020, @01:08PM (8 children)
Its interesting the linked article has no tech details that would interest a SN audience.
The break in mechanism seems to be brute forcing passwords. So no rate limiting and allowing password based auth using lame passwords is an issue. If you don't permit passwords (pub-key only auth) or don't use passwords like "password123" then you'll be OK.
The worm puts the same key in every authorized_keys file for later SSH access and weirdly enough the detector script doesn't look for that, just looks for open port 1234.
The worm seems exclusively used for one specific cryptocoin software miner on port 5555, you'll notice the network and CPU hit if you monitor anything.
(Score: 0) by Anonymous Coward on Monday August 24 2020, @01:31PM
So I guess whoever has the private key can then query the P2P network for coins. Each node would have to encrypt the information required to access coins so that only the person with the private key can get it.
(Score: 3, Informative) by RS3 on Monday August 24 2020, @02:07PM (5 children)
I was about to write a similar comment, that most articles like this are a LOT of verbiage (they must be paid by the character typed in) and nothing useful to an admin. (and cynical me wonders if they're just cultivating a market to sell anti-malware services to...)
However, the 2nd article linked actually gives very useful information, including looking for processes: 'nginx', 'ifconfig', and port '1234' being open. And lots more interesting stuff. Like that it uses 'nc' (netcat) to do its work through the ssh session, thereby bypassing most firewalls.
The article does contradict itself, saying that the bot doesn't write to the disk, but then says there will be a new rsa key, but maybe it's held in RAM only. Not clear either way. Also that it can read and write databases (not clear which ones) and that implies disk.
"Guardicore" link well worth a skim if not full read.
So I guess changing passwords and rebooting would clear it out.
(Score: 2) by FatPhil on Tuesday August 25 2020, @04:06AM (3 children)
If it's just a brute force dictionary attack (brutes can use dictionaries too, they don't need to understand them in order to just autistically skim through them), why is there no mention of mitigation such as fail2ban? And why is there no mention of what accounts are being hit? If it's just root, why is there no mention of disabling root remote logins from SSH?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by RS3 on Tuesday August 25 2020, @05:03AM
I'm not sure if you disagreed, but mostly augmented, and thanks. I'm not sure if OS/distroSSHserver matters(?). I didn't gather that it's a software bug, but just guessing and finding a weak password that causes the problem.
However, if you read the comment / Q&A at the bottom you'll see fail2ban mentioned, and how it's not going to be very effective due to the many different source IP addresses.
(Score: 2) by RS3 on Tuesday August 25 2020, @05:07AM (1 child)
Sorry- I meant to add: I agree that fail2ban (or similar) should stave off the initial brute.
Regarding root login- do people allow root login over ssh? I don't want to be one of those cantankerous jerks that say "then they deserve what they get" so I'll refrain from saying that. But it's possible just the same. :)
(Score: 2) by VLM on Wednesday August 26 2020, @05:01PM
Sometimes I set my sshd config to allow that but only using preshared keys not using typed in passwords.
The problem with sudo is it arrived as a tech right about the time virtualization and automated configuration and containerization made it obsolete. Other than troubleshooting diagnosis and development, there's really not much reason to do root stuff in a machine anymore. Like I don't log into physical freebsd servers and "pkg upgrade" as root anymore, its more like update the template for all machines then spin up new DEV TEST or PROD images automatically based on that golden upgraded template. If it passes TEST, I guess its good?
(Score: 2) by driverless on Tuesday August 25 2020, @04:51AM
Dan Goodin usually does decent-quality reporting, maybe he had an off day with this one...
(Score: 0) by Anonymous Coward on Monday August 24 2020, @04:59PM
anyone who uses password auth on a public ssh server is a ridiculous ass hat.