Cloud server anti-hacking attack and defense Record (II)

4, Quest trace hackers

4.1 fable apartment building

Corner of the city there is a single apartment building, the apartment door with a window. At night, the owner returned from work key in the door into the room, closed rest lights, usually half open windows, ventilation, keep the air fresh.

Like a cloud server for a single apartment. Hackers like as uninvited guests, uninvited, into the house hackers have two paths, one way is to open the door strutted in, the other way is Fanchuang into the room, how many need some Feiyanzoubi effort.

Apartment doors more advanced, using electronic locks, you need to enter the correct password to open the door into the house. Hackers do not know the password, you can not come in.

Single apartment in a 16th floor room 1605, Xiao Ming lived in this small apartment a year, and recently a friend SGX Xiaofang, this time stay in the apartment. There are already late from work on Xiao Ming and new friends, so Bob gave her a new account, set up a new password. Xiao Ming a little lazy, the account number and password is set to the same, and very few people thought the 16th floor, the corridor has a 24-hour monitoring, understanding him no one would dare trespassing.

After a month, two people arguing, Xiaofang moved out. Xiao Ming in a bad mood, alone, depressed, withdrawn forget to Xiaofang account password.

Nearby communities to a foreign tramp. Tramp is a highly intelligent person, like unrestrained and live undisciplined lives. One day, wandering tramp in the apartment building, walked into the room 1605, saw a girl head silhouette on the door, but also on the pattern of letters “fang”, when it is left loving Xiao Ming and Xiao Fang Xiu under. Wanderers had an idea, not many people take the name of friends and relatives to do your password? And try locks. This test does not matter, actually opened the apartment door.

So, this tramp was admitted to a single apartment, and Bob had played a wrong peak style “cohabitation” life. Small clear day to go to work, go home at night to live. Tramp over live in an apartment during the day, myself cook, eat and sleep, to leave before dark. Later, the tramp is not met, the evening also came to the apartment, the owner Xiao Ming fear of discovery, secretly Xiaoming drink the cup put a sleeping pill, dissolves without a trace, Xiao Ming drinking boiled water under the sleeping pills at night I will sleep very fragrant, very heavy. Then, in the evening it is dominated by the tramp.

So “cohabitation” a month later, Xiao Ming found some anomalies in the fridge a few less inexplicable eggs, Kleenex on the coffee table is also used very quickly, taking the garbage in the morning, come back at night the trash and eating out the rest of the chicken bones.

Xiao Ming put these anomalies small clearing with his good friend said, a small clearing is a well-known private detective, cracked many difficult cases. Xiao Ming received the news, immediately came to a small clearing Xiaoming apartment, inside and out investigation again, and then Bob went to work. Small clear eyes remain on the apartment door girl silhouette and “fang”, seemed to understand something. Enter the password, the apartment door opened automatically. Xiaoqing went to the video control room of the building, access to the surveillance video outside Xiaoming apartment and saw that were coming and going every day tramp. A small clearing modify the apartment door password, and called the police. After the police investigation, it issued an arrest warrant.

Night, Xiao Ming back, a small clearing to lay it all happened told Xiao Ming, Xiao Ming was shocked, then laughed, very pleased to have such a small clearing detective friend.

4.2 Query visitors Chi

As mentioned earlier, a cloud server is like a single apartment, and hackers like to break into the apartment tramp. Can enter from the door into the apartment, but also Fanchuang come into the house from the windows of high-rise apartments, a large number of difficult, but also pull the steel mesh windows.

From the door into the house, like on a cloud server remotely over SSH logging in, the owner is a cloud server administrator, also came through SSH login. External exposure to a cloud server service port, it can respond to an interview request return, but would not be happy and welcome intruder sneaked into the port and take over from the server. Fanchuang into the house, like attacking the cloud server service port, vulnerable ports to get in, it is very difficult Fanchuang

For the stranger, the door from the house is not easy, unless you know the password or access control access control destroyed.

There is no stranger broke into the cloud server, log on to double the system log to clear. Single apartment as access to video surveillance, who visited a glance.

The last command of Linux queries the most recent SSH login log on the cloud server.

# last

Figure System login log for Linux server


4.3. Find the difference.

A few years ago, we played a little game called Finding Differences: two pictures are full of objects or geometries of different shapes, two pictures are mostly the same, only a few different shapes and hidden in the two pictures. Looking for traces from the logbook is a bit like playing a different game. Quickly find different results, find differences, have new discoveries.

The source address for most logins is 192.168.x.x, is the cloud data center LAN address, and the login user is root, consistent with the administrator’s daily management habits.

There was a strange IP address record that caught my attention, the login account was jira, and the last exit was April 8 04:09 to 04:19, exactly as the last modification time of Trojan horse sd-pam “Apr 8 04:19”.

It can be inferred that hackers use jira user is logged into the system, implanted Trojans in 10 minutes, and then sped away, quietly waiting for “chicken” host returns data mining (digital currency).


4.4 discovered no secret code

Hackers is how to know the user name and password?

We know, SSH encrypted communication application layer protocols, all communication is through high-strength encryption information, it is difficult to decipher, the possibility to intercept the ciphertext then deciphered almost zero. The possibility of brute force password guessing is also zero. The possibility of brute force password guessing is also zero.

Hackers are not the administrator login account jira common root account, the account password is not further evidence comes to decipher.

There is another possibility, the administrator password is lost because of carelessness, using a simple password is easy to guess, such as: 123,123456, abc, or account passwords altogether equal.

Let’s verify, I guess weak passwords is established. So far, I do not know the account password jira.

Log in to JIRA cloud server through a springboard machine root. Then, switch to another regular user jira1 (the account login is limited, not remote login), root user to switch to ordinary users do not have to enter a password. Next, switching from the ordinary user to user jira1 jira, jira user must enter a password. Enter the password jira, switching actually succeeded to prove that the account password is jira jira! ! ! Here I express silent.

# ssh [email protected]192.168.1.x
# su – jira1
$ su - jira

Cloud server has a pair of vent secret, account number and password just like plain text, like a password leak than the apartment, leaving others free access to come and go. Apartment compromised, into a tramp; server security defense was broken, “mining” the Trojans are implanted, round the clock to dig a digital virtual currency.


4.5 locked doors compromised

Query system is not within the normal process of the user in use jira, jira user to confirm temporarily idle useless. Immediately amend jira user password and locked account.

# passwd jira
# usermod -L jira

And toured the operating system again, / etc / passwd, / etc / shadow have no landed users. SSH scored from the inlet port of the cloud server have been blocked.

After doing these things, after the preliminary judging system has been safe, my heart gradually ease down.

Made immediately after work on Monday with the cloud server administrator, system management team made the cloud server cluster vulnerability scanning and security reinforcement.


4.6 explore trace hackers

The mood relaxed, thinking only idle hacker came from, how come, but also do something!

Baidu query, hacking the source address of April 8 from Norway. However, the hacker does not have to hide in Norway, even a little relationship with Norway at all. Since the invasion of source address may be just a springboard for manipulation by a “chicken” host only.


Since the May 1, another wave of hackers struck in broad daylight (14:34 pm to 14:41) blatantly intrusive cloud server to be six minutes, but did not modify the wave of hackers left on the Trojans program. May the source address of the hacker from Switzerland, who would he be? Is the wave of hackers, visited the old battlefield came back to win. Or new to the “ethical” hackers, to see people gain an advantage, quietly leave. Unknown, but anything is possible.


Looking further ahead, January 10 to 18, there have been four login records, address sources vary,,, and, respectively, from Russia, Russia, Tunisia and Netherlands.

Diversification of source address, seems to indicate that hackers can freely access this cloud servers. What is the reason to attract hackers flock to it? Why is jira user, not other users?

The answer is a port scan and public information learned through the scan, and then attack the server vulnerabilities.


4.7 Interpretation of hacker surgery

Hacker scan public IP address or domain name of the scan HTTP port (port 80, 8080), analysis of the HTML text returned, after filtration, extraction candidate words, and then compared with the thesaurus keywords. If the keyword match, extracts the corresponding application from keywords associated libraries, concluded that the address of the HTTP port provides the application services. For example: jira extracted keywords, to infer the JIRA server provides services; sonarqube to extract keywords, conclude that the server provides SonarQube services, and so on.


The default page Figure HTTP services exposed the specific services


Figure default HTTP service response returned exposed the specific services


The general public application installation guide, most users will be prompted to create a new account with the same name of the operating system, such as jira, mysql and redis etc., in order to install a common user applications. Some careless administrator, the system will give an account set up simple password. This is what this type of hack attacks one of the key reasons can succeed.

IP addresses on the Internet vast, why is this cloud server?

Stupid approach is based on IP addresses one by one scan and found an open port on the IP address, and then attack, break after break port, obtain system privileges, implanted Trojans.

A country allocated IP address segment number is fixed, unless there is a new IP address number section. National IP authorities to give their domestic cloud service provider assigned IP address numbers section, which is fixed, even publicly available any of a number of IP address segment of cloud service providers. With a cloud security infrastructure cloud providers are shared, with the same shield, also have the same flaw, if they find a loophole on a cloud server, it is possible that other cloud servers have similar vulnerabilities.

Rent virtual servers to the cloud service provider content provider, due to the safety management system, basic security software and security management team in common, its management of cloud server cluster will have a similar safety and similar vulnerabilities. Replicability, Zhaomaohuahu attacker captured a cloud server, it is easy to build on the attack more cloud servers.

Speaking earlier, the hacker implanted Trojan program is “mining” program. In the next episode will be the “mining” procedures surgery, a few chunks of dismembered program, analyze its internal operation mechanism, external communications contact mode and so on.


This article is an original work of authorship, originally published in a public anti-hacker invasion offensive and defensive Record No. cloud server (b)


Leave a Reply