Hacker rootkit malware infects over 50,000 MS-SQL Server and PHPMyAdmin servers

Security researchers at Guardicore Labs have released a report on a global hacking campaign against Windows MS-SQL Server and PHPMyAdmin servers, codenamed "Nansh0u"; the report attributes the attacks to Chinese hackers.

According to the report, more than 50,000 servers belonging to healthcare, telecommunications, media and IT companies have been attacked. Once compromised, a target server is infected with a malicious payload. The attackers also install a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

This is not a typical cryptocurrency-mining attack: it uses techniques that usually appear in APT (Advanced Persistent Threat, essentially targeted attack) operations, such as fake certificates and privilege escalation exploits.

The attacks were first discovered in early April but date back to February 26, with more than 700 new victims a day. The researchers found 20 different active malicious payloads, with at least one new payload created each week during this period, and the number of infected machines doubled within a month.

After successfully authenticating with administrative privileges, the attacker executes a series of MS-SQL commands on the compromised system to download the malicious payload file from a remote server and run it as SYSTEM.

In the background, the payload uses a known privilege escalation vulnerability (CVE-2014-4113) to obtain SYSTEM privileges on the infected system.

The payload then installs cryptocurrency-mining malware on the infected server, which mines the TurtleCoin cryptocurrency.

The researchers also published a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected.

Since the attacks rely on weak username and password combinations for MS-SQL Server and PHPMyAdmin, administrators are strongly advised to set complex passwords for administrator accounts.

Full report: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Source: www.oschina.net/news/107082/nansh0u-hacking-mysql-phpmyadmin