\n| last log<\/td>\n | \/var\/log\/lastlog (Linux)
\n\/var\/adm\/lastlog (Solaris)<\/td>\n | Information of last successful login<\/td>\n | lastlog (Linux)
\nfinger (Solaris)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u00c7e\u015fitli g\u00fcnl\u00fck dosyalar\u0131 MIG LogCleaner arac\u0131l\u0131\u011f\u0131yla de\u011fi\u015ftirilebilir. \u00d6rne\u011fin, belirli bir dizeye sahip sat\u0131rlar\u0131 silebilir, dizeyi de\u011fi\u015ftirebilir veya yeni bir dize ekleyebilir. Ayr\u0131ca, bir giri\u015f kayd\u0131 eklemek i\u00e7in a\u015fa\u011f\u0131daki gibi bir komut kullan\u0131labilir.<\/p>\n ![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-17.webp\" "\\"\\"") <\/p>\n
Birlikte y\u00fcklenen \u201c0x333shadow Log Cleaner\u201d ayn\u0131 \u00f6zelliklere sahiptir.<\/p>\n ![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-18.webp\" "\\"\\"")
\n3.4. Ayr\u0131cal\u0131k Y\u00fckseltme K\u00f6t\u00fc Ama\u00e7l\u0131 Yaz\u0131l\u0131m\u0131
\n\u201cping6\u201d dosyas\u0131, a\u015fa\u011f\u0131daki basit yap\u0131ya sahip bir ELF k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131d\u0131r. setuid() ve setgid() i\u015flevleri, kabu\u011fu \u00e7al\u0131\u015ft\u0131rmadan \u00f6nce kullan\u0131c\u0131 kimli\u011fini ve grup kimli\u011fini k\u00f6k hesap olarak ayarlamak i\u00e7in kullan\u0131l\u0131r.
\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-19.webp\" "\\"\\"") <\/p>\n
“Anahtar” Bash beti\u011fi, “ping6” y\u00fcklendikten sonra setuid’i ayarlar. K\u00f6k hesapla ba\u015far\u0131l\u0131 bir giri\u015f yap\u0131l\u0131rsa ve hesapla birlikte “anahtar” Bash komut dosyas\u0131 y\u00fcklenirse, tehdit akt\u00f6r\u00fc daha sonra k\u00f6k ayr\u0131cal\u0131klar\u0131na sahip bir kabu\u011fa eri\u015fim elde etmek i\u00e7in “ping6″y\u0131 kullanabilir.<\/p>\n ![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-20.webp\" "\\"\\"")
\n3.5. XMRig CoinMiner
\nBu \u00f6zel sald\u0131r\u0131 kampanyas\u0131nda, DDoS botlar\u0131n\u0131n yan\u0131 s\u0131ra bir CoinMiner da kurulur. Bir s\u00f6zl\u00fck sald\u0131r\u0131s\u0131 arac\u0131l\u0131\u011f\u0131yla oturum a\u00e7t\u0131ktan sonra y\u00fcr\u00fct\u00fclen komut, tar adl\u0131 s\u0131k\u0131\u015ft\u0131r\u0131lm\u0131\u015f bir dosyay\u0131 indirir ve a\u00e7ar. Ortaya \u00e7\u0131kan \u201cgo\u201d dosyas\u0131 daha sonra y\u00fcr\u00fct\u00fcl\u00fcr. Basit bir Bash beti\u011fi olarak \u201cgo\u201d, ayn\u0131 yolda bulunan \u201ctelevizor\u201d dosyas\u0131n\u0131 y\u00fcr\u00fct\u00fcr. \u201ctelevizor\u201d ayn\u0131 zamanda bir Bash beti\u011fidir ve \u201ctelecomanda\u201d Bash beti\u011fini y\u00fcr\u00fct\u00fcr. Bu sonu\u00e7ta XMRig CoinMiner “cnrig” in y\u00fcr\u00fct\u00fclmesine yol a\u00e7ar.<\/p>\n
![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-21.webp\" "\\"\\"")
\nMadeni para madencili\u011fi i\u00e7in gerekli olan yap\u0131land\u0131rma verileri, ayn\u0131 yol \u00fczerinde bulunan \u201cconfig.json\u201d dosyas\u0131nda tutulur.<\/p>\n
Mining Pool : monerohash[.]com:80
\nuser : \u201c46WyHX3L85SAp3oKu1im7EgaVGBsWYhf7KxrebESVE6QHA5vJRab6wF1gsVkYwJfnNV2KYHU1Xq2A9XUYmWhvzPf2E6Nvse\u201d
\npass : \u201cnobody\u201d<\/p>\n 4. Sonu\u00e7
\nK\u00f6t\u00fc y\u00f6netilen Linux SSH sunucular\u0131na y\u00f6nelik sald\u0131r\u0131 kampanyalar\u0131, olduk\u00e7a uzun bir s\u00fcredir \u0131srarla ger\u00e7ekle\u015fmektedir. Tehdit akt\u00f6r\u00fc, vir\u00fcsl\u00fc sistemlerde Tsunami ve ShellBot gibi DDoS botlar\u0131n\u0131n yan\u0131 s\u0131ra XMRig CoinMiner’\u0131 kurdu.<\/p>\n CoinMiner’\u0131n kurulu oldu\u011fu ortamlarda, vir\u00fcsl\u00fc sistemin kaynaklar\u0131, tehdit akt\u00f6r\u00fc i\u00e7in Monero madeni paralar\u0131 \u00e7\u0131karmak i\u00e7in kullan\u0131l\u0131r. Vir\u00fcs bula\u015fm\u0131\u015f sistemler, ayr\u0131ca y\u00fcklenen DDoS botlar\u0131 nedeniyle DDoS sald\u0131r\u0131lar\u0131 i\u00e7in kullan\u0131labilir ve ek k\u00f6t\u00fc ama\u00e7l\u0131 komutlar\u0131n y\u00fcr\u00fct\u00fclmesine izin verir. Bu k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlar silinse bile, tehdit akt\u00f6r\u00fc yine y\u00fcklemi\u015f oldu\u011fu SSH arka kap\u0131 hesab\u0131n\u0131 kullanarak sisteme yeniden eri\u015fim sa\u011flayabilir. Bu, farkl\u0131 k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m y\u00fcklemek ve sistemden bilgi \u00e7almak gibi \u00e7e\u015fitli k\u00f6t\u00fc ama\u00e7l\u0131 davran\u0131\u015flar ger\u00e7ekle\u015ftirmelerine olanak tan\u0131r.<\/p>\n Bu nedenle y\u00f6neticiler, Linux sunucusunu kaba kuvvet sald\u0131r\u0131lar\u0131ndan ve s\u00f6zl\u00fck sald\u0131r\u0131lar\u0131ndan korumak i\u00e7in hesaplar\u0131 i\u00e7in tahmin edilmesi zor parolalar kullanmal\u0131 ve bunlar\u0131 periyodik olarak de\u011fi\u015ftirmeli ve g\u00fcvenlik a\u00e7\u0131\u011f\u0131 sald\u0131r\u0131lar\u0131n\u0131 \u00f6nlemek i\u00e7in en son yamaya g\u00fcncelleme yapmal\u0131d\u0131r. Sald\u0131rganlar\u0131n eri\u015fimini k\u0131s\u0131tlamak i\u00e7in d\u0131\u015far\u0131dan eri\u015filebilen sunucular i\u00e7in g\u00fcvenlik duvarlar\u0131 gibi g\u00fcvenlik programlar\u0131 da kullanmal\u0131d\u0131rlar. Son olarak, k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m bula\u015fmas\u0131n\u0131 \u00f6nceden engellemek i\u00e7in V3’\u00fc en son s\u00fcr\u00fcme g\u00fcncelleyerek dikkatli olunmal\u0131d\u0131r.<\/p>\n Dosya Alg\u0131lama
\n\u2013 Linux\/CoinMiner.Gen2 (2019.07.31.08)
\n\u2013 Linux\/Tsunami.Gen (2016.08.24.00)
\n\u2013 Shellbot\/Perl.Generic.S1118 (2020.02.19.07)
\n\u2013 \u0130ndirici\/Shell.Agent.SC189601 (2023.06.12.02)
\n\u2013 HackTool\/Linux.LogWiper.22272 (2023.06.12.02)
\n\u2013 HackTool\/Linux.LogWiper.28728 (2023.06.12.02)
\n\u2013 Trojan\/Linux.Agent.8456 (2023.06.12.02)
\n\u2013 Trojan\/Shell.Runner (2023.06.12.02) )
\n\u2013 CoinMiner\/Text.Config (2023.06.12.02)<\/p>\n IOC
\nMD5
\n\u2013 6187ec1eee4b0fb381dd27f30dd352c9 : \u0130ndirici Bash beti\u011fi (anahtar)
\n\u2013 822b6f619e642cc76881ae90fb1f8e8e : Tsunami (a)
\n\u2013 c5142b41947f5d1853785020d9350de4 : ShellBot (bot) )
\n\u2013 2cd8157ba0171ca5d8b50499f4440d96 : ShellBot (logo) \u2013 32eb33cdfa763b012cd8bcad97d560f0
\n: MIG Logcleaner v2.0 (cls) \u2013
\n98b8cd5ccd6f7177007976aeb675ec38 : 0x3 33shadow G\u00fcnl\u00fck Temizleyici ( temiz)
\n\u2013 e2f08f163d81f79c1f94bd34b22d3191 : Ayr\u0131cal\u0131k Artt\u0131rma K\u00f6t\u00fc Ama\u00e7l\u0131 Yaz\u0131l\u0131m\u0131 (ping6)
\n\u2013 725ac5754b123923490c79191fdf4f76 : Bash ba\u015flat\u0131c\u0131s\u0131 (git)
\n\u2013 ad04aab3e732ce5220db0b0fc9bc8a19 : Bas h ba\u015flat\u0131c\u0131 (televiz\u00f6r)
\n\u2013 421ffee8a223210b2c8f2384ee6a88b4 : Bash ba\u015flat\u0131c\u0131 (telecomanda)
\n\u2013 0014403121eeaebaeede796e4b6e5dbe : XMRig CoinMiner (cnrig)
\n\u2013 125951260a0cb473ce9b7acc406e83e1 : XMRig yap\u0131land\u0131rma dosyas\u0131 (config.json)<\/p>\n C&C
\n\u2013 ircx.us[.]to:20 : ShellBot
\n\u2013 ircx.us[.]to:53 : Tsunami
\n\u2013 ircx.us[.]to:6667 : ShellBot
\n\u2013 ircxx.us[.]to:53 : Tsunami<\/p>\n \ub2e4\uc6b4\ub85c\ub4dc \uc8fc\uc18c
\n\u2013 ddoser[.]org\/key: \u0130ndirici Bash beti\u011fi
\n\u2013 ddoser[.]org\/a : Tsunami
\n\u2013 ddoser[.]org\/logo : ShellBot
\n\u2013 ddoser[.]o]rg\/siwen\/bot \/ ShellBot DDoS Bot
\n\u2013 ddoser[.]org\/top : S\u0131k\u0131\u015ft\u0131r\u0131lm\u0131\u015f XMRig CoinMiner dosyas\u0131
\n\u2013 ddoser[.]org\/siwen\/cls : MIG Logcleaner v2.0
\n\u2013 ddoser[.]org\/siwen\/clean : 0x333shadow G\u00fcnl\u00fck Temizleyici
\n\u2013 ddoser[.]org\/ siwen\/ping6 : Ayr\u0131cal\u0131k y\u00fckseltme k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131<\/p>\n","protected":false},"excerpt":{"rendered":" AhnLab G\u00fcvenlik Acil Durum M\u00fcdahale Merkezi (ASEC) k\u0131sa bir s\u00fcre \u00f6nce, yetersiz y\u00f6netilen Linux SSH sunucular\u0131na kurulan Tsunami DDoS Botundan olu\u015fan bir sald\u0131r\u0131 kampanyas\u0131 ke\u015ffetti. Tehdit akt\u00f6r\u00fc yaln\u0131zca Tsunami’yi y\u00fcklemekle kalmad\u0131, ayn\u0131 zamanda ShellBot, XMRig CoinMiner ve Log Cleaner gibi \u00e7e\u015fitli ba\u015fka k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlar\u0131 da y\u00fckledi. K\u00f6t\u00fc y\u00f6netilen Linux SSH sunucular\u0131na y\u00f6nelik sald\u0131r\u0131 durumlar\u0131na …<\/p>\n","protected":false},"author":1,"featured_media":2961,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-2955","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"acf":[],"_links":{"self":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/2955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/comments?post=2955"}],"version-history":[{"count":0,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/2955\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media\/2961"}],"wp:attachment":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media?parent=2955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/categories?post=2955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/tags?post=2955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} |
![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-10.webp\" "\\"\\"")
![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-11-1024x624.webp\" "\\"\\"")
<\/p>\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-12.webp\" "\\"\\"")
<\/p>\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-13.webp\" "\\"\\"")
<\/p>\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-14.webp\" "\\"\\"")
<\/p>\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-15.webp\" "\\"\\"")
<\/p>\n![\"\"](\"https:\/\/sunucucozumleri.com\/wp-content\/uploads\/2023\/06\/image-16.webp\" "\\"\\"")
<\/p>\n