posted by Fnord666 on Monday August 24 2020, @11:02AM
from the pwned dept.

New P2P botnet infects SSH servers all over the world:

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

"What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to," Guardicore Labs researcher Ophir Harpaz wrote. "It was shortly after the beginning of the research when we understood no CNC existed in the first place."

  • (Score: 5, Informative) by VLM on Monday August 24 2020, @01:08PM (8 children)

    by VLM (445) on Monday August 24 2020, @01:08PM (#1041112)

    It's interesting the linked article has no tech details that would interest a SN audience.

    The break-in mechanism seems to be brute forcing passwords. So no rate limiting and allowing password based auth using lame passwords is an issue. If you don't permit passwords (pub-key only auth) or don't use passwords like "password123" then you'll be OK.

    The worm puts the same key in every authorized_keys file for later SSH access and weirdly enough the detector script doesn't look for that, just looks for open port 1234.

    The worm seems exclusively used for one specific cryptocoin software miner on port 5555, you'll notice the network and CPU hit if you monitor anything.
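
The indicators named in the comment above (an extra key in authorized_keys, a listener on port 1234, the miner on port 5555) are cheap to check on a host. The following is an added example, not code from the article, from Guardicore or from the commenter: it fingerprints every key in an authorized_keys file the way `ssh-keygen -lf` does (SHA256 over the decoded blob), reports any key not on an allowlist, and flags the two ports in `ss -ltnp`-style output. The key blobs, the allowlist and the listener table are constructed for the example; in a real deployment the allowlist of fingerprints is the only input an admin needs to supply.

```python
import base64
import hashlib
import struct

# Ports named in the comment: 1234 (what the detector script checks) and 5555 (miner).
SUSPECT_PORTS = {1234, 5555}


def key_fingerprint(b64_blob):
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (key_type, fingerprint, comment) for each key line.

    An authorized_keys line may start with an options field (e.g. 'no-pty'),
    so scan for the first token that looks like a key type rather than
    assuming it is the first column.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                entries.append((tok, key_fingerprint(tokens[i + 1]), comment))
                break
    return entries


def unexpected_keys(text, allowed_fingerprints):
    """Keys present in the file whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text) if e[1] not in allowed_fingerprints]


def suspect_listeners(ss_output, ports=SUSPECT_PORTS):
    """Return (port, process_column) for listeners on the given ports.

    Expects `ss -ltnp` rows: State Recv-Q Send-Q Local:Port Peer:Port Process.
    Works for '0.0.0.0:22', '*:1234' and '[::]:5555' alike.
    """
    hits = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 4:
            continue
        port = int(cols[3].rsplit(":", 1)[1])
        if port in ports:
            hits.append((port, cols[5] if len(cols) > 5 else ""))
    return hits


def _constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 blob around 32 deterministic bytes.

    Constructed purely so the sample file parses; it is not a usable key.
    """
    fake_point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_point
    return base64.b64encode(blob).decode()


ADMIN_KEY = _constructed_key(b"admin-laptop")
ROGUE_KEY = _constructed_key(b"key-dropped-by-worm")

# Constructed sample: one legitimate key, one added without a comment and with options.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {ADMIN_KEY} admin@laptop
no-pty ssh-ed25519 {ROGUE_KEY}
"""

# Constructed sample of `ss -ltnp`; process names are made up for the example.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 *:1234 *:* users:(("nginx",pid=4321,fd=5))
LISTEN 0 128 [::]:5555 [::]:* users:(("ifconfig",pid=4322,fd=7))
"""

ALLOWED = {key_fingerprint(ADMIN_KEY)}  # the admin maintains this list


def audit(authorized_keys=SAMPLE_AUTHORIZED_KEYS, ss_output=SAMPLE_SS, allowed=ALLOWED):
    return {"unexpected_keys": unexpected_keys(authorized_keys, allowed),
            "suspect_listeners": suspect_listeners(ss_output)}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(name, hits)
```

Run against real input by feeding it `~root/.ssh/authorized_keys` (and each user's) plus the output of `ss -ltnp`; a key that is not on the allowlist is a finding regardless of what the comment column claims, since the comment is free text the key's owner chose.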

    • (Score: 0) by Anonymous Coward on Monday August 24 2020, @01:31PM

      by Anonymous Coward on Monday August 24 2020, @01:31PM (#1041121)

      So I guess whoever has the private key can then query the P2P network for coins. Each node would have to encrypt the information required to access coins so that only the person with the private key can get it.

    • (Score: 3, Informative) by RS3 on Monday August 24 2020, @02:07PM (5 children)

      by RS3 (6367) on Monday August 24 2020, @02:07PM (#1041132)

      I was about to write a similar comment, that most articles like this are a LOT of verbiage (they must be paid by the character typed in) and nothing useful to an admin. (and cynical me wonders if they're just cultivating a market to sell anti-malware services to...)

      However, the 2nd article linked actually gives very useful information, including looking for processes: 'nginx', 'ifconfig', and port '1234' being open. And lots more interesting stuff. Like that it uses 'nc' (netcat) to do its work through the ssh session, thereby bypassing most firewalls.

      The article does contradict itself, saying that the bot doesn't write to the disk, but then says there will be a new rsa key, but maybe it's held in RAM only. Not clear either way. Also that it can read and write databases (not clear which ones) and that implies disk.

      "Guardicore" link well worth a skim if not full read.

      So I guess changing passwords and rebooting would clear it out.

      • (Score: 2) by FatPhil on Tuesday August 25 2020, @04:06AM (3 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday August 25 2020, @04:06AM (#1041471) Homepage
        I think I disagree. I just read the whole thing and I still don't know exactly what OS/distro/SSHserver versions are vulnerable. It mentioned journalctl, so is this restricted to systemd-infested linux distros only?

        If it's just a brute force dictionary attack (brutes can use dictionaries too, they don't need to understand them in order to just autistically skim through them), why is there no mention of mitigation such as fail2ban? And why is there no mention of what accounts are being hit? If it's just root, why is there no mention of disabling root remote logins from SSH?
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by RS3 on Tuesday August 25 2020, @05:03AM

          by RS3 (6367) on Tuesday August 25 2020, @05:03AM (#1041490)

          I'm not sure if you disagreed, but mostly augmented, and thanks. I'm not sure if OS/distro/SSH server matters(?). I didn't gather that it's a software bug, but just guessing and finding a weak password that causes the problem.

          However, if you read the comment / Q&A at the bottom you'll see fail2ban mentioned, and how it's not going to be very effective due to the many different source IP addresses.
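
The point above, that per-IP banning is weak against a brute force spread over many source addresses, can be shown on sample log lines. The following is an added example, not code from the article or from fail2ban: it parses sshd "Failed password" lines, applies a fail2ban-style per-IP rule (maxretry 5 in a 10-minute findtime, fail2ban's defaults), and beside it a per-target rule that counts distinct source addresses hitting one account in the same window. The log lines are constructed; the thresholds for the per-target rule (8 sources in 10 minutes) are an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the classic syslog-style sshd failure line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2020):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_offenders(events, maxretry=5, findtime_s=600):
    """fail2ban-style rule: an IP with >= maxretry failures inside findtime."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= findtime_s:
                j += 1
            if j - i >= maxretry:
                hits.add(ip)
                break
    return hits


def distributed_targets(events, min_sources=8, window_s=600):
    """Accounts hit from >= min_sources distinct IPs inside one window.

    This is what catches a botnet that spends only a couple of guesses per
    node: no single IP trips the per-IP rule, but the target account does.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            sources = {ip for ts, ip in evs[i:] if (ts - start).total_seconds() <= window_s}
            if len(sources) >= min_sources:
                flagged[user] = len(sources)
                break
    return flagged


def constructed_sample():
    """Constructed log: 12 nodes each try root twice (low and slow), plus one
    noisy single IP hammering 'admin' six times in 25 seconds."""
    lines = []
    for n in range(12):
        for k in range(2):
            sec = n * 20 + k * 7
            lines.append(f"Aug 24 11:{sec // 60:02d}:{sec % 60:02d} host sshd[{900 + n}]: "
                         f"Failed password for root from 203.0.113.{n + 1} port {40000 + n} ssh2")
    for k in range(6):
        lines.append(f"Aug 24 11:30:{k * 5:02d} host sshd[1200]: Failed password for "
                     f"invalid user admin from 198.51.100.9 port 50000 ssh2")
    return lines


def report(lines):
    events = parse_failures(lines)
    return {"per_ip_bans": per_ip_offenders(events),
            "distributed": distributed_targets(events)}


if __name__ == "__main__":
    print(report(constructed_sample()))
```

On the constructed input the per-IP rule bans only the noisy address, while the twelve quiet nodes never reach five failures each; the per-target rule flags root with 12 sources. The useful response to the second signal is not more bans but the configuration change the thread keeps coming back to: no password authentication on the exposed sshd.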

        • (Score: 2) by RS3 on Tuesday August 25 2020, @05:07AM (1 child)

          by RS3 (6367) on Tuesday August 25 2020, @05:07AM (#1041491)

          Sorry, I meant to add: I agree that fail2ban (or similar) should stave off the initial brute.

          Regarding root login, do people allow root login over ssh? I don't want to be one of those cantankerous jerks that say "then they deserve what they get" so I'll refrain from saying that. But it's possible just the same. :)

          • (Score: 2) by VLM on Wednesday August 26 2020, @05:01PM

            by VLM (445) on Wednesday August 26 2020, @05:01PM (#1042230)

            do people allow root login over ssh?

            Sometimes I set my sshd config to allow that but only using preshared keys not using typed in passwords.

            The problem with sudo is it arrived as a tech right about the time virtualization and automated configuration and containerization made it obsolete. Other than troubleshooting diagnosis and development, there's really not much reason to do root stuff in a machine anymore. Like I don't log into physical freebsd servers and "pkg upgrade" as root anymore, it's more like update the template for all machines then spin up new DEV TEST or PROD images automatically based on that golden upgraded template. If it passes TEST, I guess it's good?
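
The sshd settings discussed in this subthread (disabling password logins, allowing root only with a key, as the comment above describes) can be checked mechanically. The following is an added example, not code from the article or from OpenSSH: it reads an sshd_config the way sshd does (first value for a keyword wins, and it stops at the first `Match` block because what follows applies only conditionally), fills in OpenSSH's shipped defaults for the keywords it checks, and reports the weak settings. The two configs are constructed; the defaults assume a modern OpenSSH release (7.0 or later, where `PermitRootLogin` defaults to `prohibit-password`), and `ChallengeResponseAuthentication` is treated as the older alias of `KbdInteractiveAuthentication`.

```python
# OpenSSH defaults for the keywords audited below (assumption: release 7.0+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Older spelling still accepted by sshd; normalise so one check covers both.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Global settings as sshd would see them: first occurrence wins, and
    parsing stops at the first Match block."""
    eff = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) < 2 or key in seen:
            continue
        eff[key] = parts[1].strip().lower()
        seen.add(key)
    return eff


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means nothing to flag."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed over the network; set no and use keys")
    if s["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM can still prompt for a password; set no unless it backs a second factor")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root reachable with a password; use prohibit-password (key only) or no")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    if int(s["maxauthtries"]) > 6:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: raised above the default of 6")
    return findings


# Constructed: a typical permissive config with root password logins enabled.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed: keys only, root allowed only with a key. The Match block is
# deliberately included to show that a later conditional override does not
# change the global audit result.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Because the parser stops at `Match`, a password exception granted only to an internal address range does not hide the fact that the global setting is `no`; if the Match block itself needs review, `sshd -T -C addr=...` prints the effective settings for a given connection and is the authoritative check.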

      • (Score: 2) by driverless on Tuesday August 25 2020, @04:51AM

        by driverless (4770) on Tuesday August 25 2020, @04:51AM (#1041485)

        Dan Goodin usually does decent-quality reporting, maybe he had an off day with this one...

    • (Score: 0) by Anonymous Coward on Monday August 24 2020, @04:59PM

      by Anonymous Coward on Monday August 24 2020, @04:59PM (#1041177)

      anyone who uses password auth on a public ssh server is a ridiculous ass hat.

  • (Score: 0) by Anonymous Coward on Monday August 24 2020, @01:09PM (1 child)

    by Anonymous Coward on Monday August 24 2020, @01:09PM (#1041114)

    Does it have a public key that it responds to. When whoever has the private key sends a signed command to one of the bots it then responds and sends the signed command to other bots via P2P?

    Where does the intelligence that it collects get routed and stored? How does that get managed? It seems like it would be difficult to manage intelligence from a whole bunch of computers within a decentralized botnet in a way that would let the person with the private key easily gain access to it. Unless each computer stores information about each other computer so that the one person that has the private key can collect information from each computer one by one. That would seem like a weakness. Or if each computer shared all sought out information with each other computer ... ?

    I guess if the person with the private key wants to send out, say, a DDOS attack on a specific website without intelligence gathering involved this could work. The response time might be slow and clunky maybe? It would assume all nodes are able to maintain their connection with each other as IP address and other variables change. It would have to be kinda like a traditional P2P network, each node would have to have information about multiple other nodes so if, for instance, it gets disconnected and reconnected under a different IP address with different variables it can keep trying to contact several other nodes until it finds one that works and then get information about other live nodes to maintain the connection and spread its information to all the other nodes so they can keep track of its connection parameters.

    The person with the desired private key, I suppose, can query one of the nodes for other nodes and can do a P2P search for the desired information from other nodes so I guess information gathering can work kinda like a traditional P2P network.

    This is confusing.

    • (Score: 0) by Anonymous Coward on Tuesday August 25 2020, @06:08AM

      by Anonymous Coward on Tuesday August 25 2020, @06:08AM (#1041504)

      If it's using ssh, it might be loading the magic through some ssh dotfiles.

  • (Score: 4, Funny) by DannyB on Monday August 24 2020, @03:54PM (7 children)

    by DannyB (5839) Subscriber Badge on Monday August 24 2020, @03:54PM (#1041163) Journal

    Telnet runs on a different port than SSH. When the attacker sees that SSH port does not respond, they would never think to try Telnet.

    Thus: Telnet is more secure.

    --
    Is there a chemotherapy treatment for excessively low blood alcohol level?
    • (Score: 2) by arslan on Monday August 24 2020, @11:00PM (4 children)

      by arslan (3462) on Monday August 24 2020, @11:00PM (#1041378)

      To be "triply" secure I use rsh just in case the attacker thinks of Telnet.

      • (Score: 2) by FatPhil on Tuesday August 25 2020, @04:12AM (3 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday August 25 2020, @04:12AM (#1041474) Homepage
        I use a 2-factor technique, not just something you know, but something you have, too: I physically plug my keyboard into a spare USB port in the remote machine.

        For an extra layer of security, I've randomly shuffled my keycaps.

        Checkmate, wannabe-hackers!
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by DannyB on Tuesday August 25 2020, @01:18PM (2 children)

          by DannyB (5839) Subscriber Badge on Tuesday August 25 2020, @01:18PM (#1041570) Journal

          For an extra layer of security, I've randomly shuffled my keycaps.

          If you are attempting to protect the secrecy of your password, I have a better bestest practice.

          Simply wear the T-shirt inside out. Nobody can see the password. Problem solved.

          --
          Is there a chemotherapy treatment for excessively low blood alcohol level?
          • (Score: 0) by Anonymous Coward on Tuesday August 25 2020, @06:17PM (1 child)

            by Anonymous Coward on Tuesday August 25 2020, @06:17PM (#1041728)

            Make sure the password is upside down. That way no one can read it. Turn it right side up when needed.

            • (Score: 2) by arslan on Tuesday August 25 2020, @11:22PM

              by arslan (3462) on Tuesday August 25 2020, @11:22PM (#1041843)

              Eh? Weak sauce. I tattoo it flipped along the vertical axis so no can read it except for myself when I'm looking in the mirror.

    • (Score: 2) by driverless on Tuesday August 25 2020, @04:53AM (1 child)

      by driverless (4770) on Tuesday August 25 2020, @04:53AM (#1041487)

      I use an even more secure proximity-based biometrically-authenticated distance-bounded airgapped protocol:

      Yo! Paul! Can you do a dist-upgrade on newsbox for me?

      Yeah, and install the latest bin tools too. Thanks!

      • (Score: 0) by Anonymous Coward on Tuesday August 25 2020, @03:19PM

        by Anonymous Coward on Tuesday August 25 2020, @03:19PM (#1041640)

        I use an even more secure proximity-based biometrically-authenticated distance-bounded airgapped protocol: [...]

        I use an even more secure proximity-based biometrically-authenticated distance-bounded airgapped alcohol:

        There, FTFY.
