Not long ago a post appeared describing a large number of compromised FirstVDS servers. That got our attention: we ran our own investigation without delay, and here are its results.
People gamble, some of them far too much, and they swell the ranks of online casino customers, in particular those of the casino "Vulkan". Like every such establishment, Vulkan is very fond of new customers, so it invites everyone into its referral program: bring us clients and we pay you 5% of what we earn from them. That attracts some people whose methods are not too clean.
They cannot operate too openly, though: online casinos have been banned outright in Russia since 2014, and since 2015 their sites are blocked without any court order. So the methods used to attract customers are anything but clean. For example, you can plant purpose-built malware on the virtual servers of online shops and quietly redirect their traffic to online casino sites.
In the summer of this year one of our clients wrote to us complaining that his server had been hacked. We found the victims, sent each of them a notice stating the fact of infection, explained how it had happened and what to do about it, and asked them to upgrade. "An old horse won't spoil the furrow" does not apply to software: here the old stuff can plough up the whole field.
And there it rested. The thing is, we offer servers as is, with the software that ships on them and without administration. For example, at one point customers bought up machines with the FreeBSD 6 OS, the FreeBSD Jail virtualization system and the ISPmanager 4.x web hosting control panel. We believe customers know better than we do what they actually need, including whether they want to update the OS and the other software installed on the server. Quite a few of our customers are in no hurry to update. That is what the attackers exploited: through holes in the old software they planted the malware, which sends the traffic where it should not go.
The same thing happened to the author of the post that prompted this story. Having found the malicious cli.php, which feeds traffic to the online casino "Vulkan", he wondered whether he was alone in his misfortune. He was not, and so the news of 3000 hacked sites on 1000 servers appeared. The domain 0x31.ru served as the malware's control point; its owner collected unearned income through the casino's referral program.
Naturally, we could not pass such news by, and we carried out our own investigation:
- Listed the servers running old OS versions: FreeBSD 6, FreeBSD 8, CentOS 5 and so on.
- Connected to those we could reach (some clients restrict access to their servers by IP).
- Searched these servers for the malware file cli.php.
- Compared the file's creation date with its modification date (in 99% of cases they coincided) and took that value as the date of compromise. Note that an attacker can set a file's modification time to anything, so this is an estimate, not a forensic timestamp.
- Computed the MD5 checksum of each file and grouped the files by checksum.
Any VDS owner can check their own server; the file is a hidden dotfile, so the search is for .cli.php:
FreeBSD:
find /home -name .cli.php
Linux:
find /var/www -name .cli.php
Adjust the path if your document roots live elsewhere.
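A sweep that automates the steps above and the two find commands, written as an added example for this post (it is not FirstVDS's own tooling). It assumes nothing beyond what the post states: it looks for the hidden .cli.php, records each copy's modification date, hashes it and groups the hits by MD5 the way the checksum table further down does. The md5 and stat wrappers exist only because FreeBSD and Linux ship different utilities; the sample directory tree it builds for the --demo run is constructed here and is not data from the investigation.

```shell
#!/bin/sh
# Sweep a host for the .cli.php dropper, list each copy with its MD5 and
# modification date, then group the hits by MD5 (largest cluster first).
# Added example for this post, not FirstVDS tooling.  Usage:
#   sh cli_sweep.sh /home            # FreeBSD
#   sh cli_sweep.sh /var/www         # Linux
#   sh cli_sweep.sh /home /var/www   # any document roots you use
#   sh cli_sweep.sh --demo           # offline run on a constructed tree

# Hex MD5 of one file.  FreeBSD ships `md5 -q`, Linux `md5sum`.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Modification date as YYYY-MM-DD.  GNU stat takes -c, BSD stat takes -f.
# The post used the (matching) creation and modification dates as the date
# of compromise; mtime is what both platforms expose, and an attacker can
# reset it with touch, so treat it as an estimate rather than proof.
file_mtime() {
    if stat -c %y "$1" >/dev/null 2>&1; then
        stat -c %y "$1" | cut -d' ' -f1
    else
        stat -f %Sm -t %Y-%m-%d "$1"
    fi
}

# One line per hit: "<md5> <YYYY-MM-DD> <path>".  The dotfile name is the
# one the post's find commands search for; -type f skips directories that
# happen to share the name.
sweep() {
    find "$@" -type f -name .cli.php 2>/dev/null | while IFS= read -r f; do
        printf '%s %s %s\n' "$(file_md5 "$f")" "$(file_mtime "$f")" "$f"
    done
}

# Reads sweep output on stdin, prints "<count> <md5>" per distinct hash,
# most common first: the shape of the post's checksum table.
group_by_hash() {
    cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample tree for an offline dry run (not real data): two sites
# carrying the same copy, one carrying a different variant, one clean site.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/site-a/www" "$t/site-b/www" "$t/site-c/www" "$t/site-d/www"
    printf 'variant one\n' > "$t/site-a/www/.cli.php"
    printf 'variant one\n' > "$t/site-b/www/.cli.php"
    printf 'variant two\n' > "$t/site-c/www/.cli.php"
    printf '<?php echo "clean"; ?>\n' > "$t/site-d/www/index.php"
    echo "$t"
}

# Stand-alone usage: sweep the constructed tree or the paths given.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    sweep "$root"
    echo "--- infected sites per checksum ---"
    sweep "$root" | group_by_hash
    rm -rf "$root"
elif [ $# -gt 0 ]; then
    hits=$(sweep "$@")
    if [ -z "$hits" ]; then
        echo "no .cli.php found under: $*"
    else
        printf '%s\n' "$hits"
        echo "--- infected sites per checksum ---"
        printf '%s\n' "$hits" | group_by_hash
    fi
fi
```

The per-file lines let you spot a copy whose date differs from the rest, and comparing the hashes across your hosts tells you whether you are looking at one variant planted everywhere at once or at several independent compromises.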
It turned out to be like the joke: "horrible, of course, but not horrible-horrible." We identified the domains that control the malware (the 0x31.ru mentioned above is among them). We also found 7 distinct checksums of the cli.php file, distributed as follows:
Checksum | Infected sites | Share of total
---|---|---
MD5 1 | 644 | 33.82%
MD5 2 | 732 | 38.45%
MD5 3 | 2 | 0.1%
MD5 4 | 1 | 0.05%
MD5 5 | 69 | 3.62%
MD5 6 | 2 | 0.1%
MD5 7 | 454 | 23.85%
The total number of infected sites is 1904.
Next, we broke down all the copies of cli.php we found by the year of infection:
Year | Share of total
---|---
2009 | 0.45%
2010 | 2.59%
2011 | 4.22%
2012 | 14.89%
2013 | 13.39%
2014 | 5.94%
2015 | 6.8%
2016 | 51.7%
That this year accounts for half of all infections is easy to explain: these are statistics as of today, and since 2009 many server owners have managed to update their software and remove the malware. Besides, everyone, the casino included, constantly needs new customers, so the malware does not gather dust: the tool is in demand and keeps getting planted. Still, the presence of cli.php on a server does not by itself mean the server is still infected. It was infected, yes; but if the VDS owner has since updated the software and closed the vulnerabilities, the malware has stopped working.
After this story we took the initiative and updated every ISPmanager 4.x installation to the latest version of that branch, which no longer contains the vulnerability in question.
But we will say it once more: update the software on your servers more often. They deserve it.
