Possible mitigations for the recent "minecraft" hack #103

Closed
opened 2022-01-28 01:17:55 +00:00 by a · 7 comments
Owner

As you may have read on our Matrix chat, an exozyme user with username "minecraft" was hacked on January 25 at 04:32:31. Since I know this user personally, I am contacting them right now for more details.

This is what we know so far: The account was created at around 17:00 on January 24 by an IP address near where this user lives, so I don't think the account was created by an attacker.

However, at 04:32:31 on January 25, the SSH logs reveal something terrifying:

```
Jan 25 04:32:31 exozyme sshd[885394]: Accepted password for minecraft from 195.29.105.125 port 60528 ssh2
```

The same IP address (located in London, but the attack is probably using a VPN) also tried brute-forcing other common account names but none were existing accounts. Based on the SSH logs, no other users were compromised. We have fail2ban set up #61 #94, but I'm not sure why it wasn't effective.

The compromised account downloaded a common cryptocurrency miner into the `/home/minecraft/.configrc` directory, which is an attack that others have been hit by too: https://askubuntu.com/questions/1224927/cpu-100-with-kswapd0-process-although-no-swap-is-needed#1229039 https://programming.vip/docs/kswapd0-process-mining-trojan.html

The account starts two processes using a cron job, both of which are malicious. The `kswapd0` process is responsible for mining cryptocurrency.

```
ps -u minecraft
    PID TTY          TIME CMD
   1682 ?        00:00:00 rsync
   2132 ?        21:26:35 kswapd0
```

The processes start automatically at boot time and also come back every day due to the cron job.

I attached a zip file of the compromised user's home directory.

I don't believe the account was able to do further damage other than wasting a ton of CPU. The attack succeeded because this user likely has a very weak password set (since it was guessed using only a few tries), but I'm currently asking them for more information.

To stop the attack, I have deleted the `minecraft` account and am scanning the drive using rkhunter and Lynis for any other malware.

To prevent similar attacks in the future, I think we should force stronger passwords, maybe like #21.

> This might be worth looking into later, but not now.

Yeah, I really regret saying that.

Fortunately, this attack has been relatively minor and has also been a wake-up call to increase our security everywhere. Maybe only require SSH key login someday? At least all that work I put into #4 has been put to good use!

a added the security, help wanted, question, enhancement, bug labels 2022-01-28 01:17:55 +00:00
a added this to the (deleted) project 2022-01-28 01:17:55 +00:00
Author
Owner

I think fail2ban did work properly, but the user's password was so weak the attacker managed to guess it in only 2 attempts instead of the 10 needed to trigger fail2ban. They probably also use a botnet to evade IP blocks.
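
One way to catch exactly this case in the logs, as an added example that is not part of the exozyme project or this thread: flag any successful password login from an IP that had prior failures but stayed under the fail2ban threshold (the comment above says 10 tries), so the ban never fired. The log lines below are constructed for the example and modelled on the one quoted in the issue; the `maxretry` value of 10 is an assumption taken from that comment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log, modelled on the line quoted in the issue.
# Only the 04:32:31 line matches the issue; the others are illustrative.
SAMPLE_LOG = """\
Jan 25 04:31:02 exozyme sshd[885301]: Invalid user admin from 195.29.105.125 port 60411
Jan 25 04:31:02 exozyme sshd[885301]: Failed password for invalid user admin from 195.29.105.125 port 60411 ssh2
Jan 25 04:31:40 exozyme sshd[885350]: Failed password for minecraft from 195.29.105.125 port 60490 ssh2
Jan 25 04:32:31 exozyme sshd[885394]: Accepted password for minecraft from 195.29.105.125 port 60528 ssh2
Jan 25 09:10:05 exozyme sshd[886001]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2
"""

# "invalid user" appears when the account name does not exist on the host.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def suspicious_logins(log_text, maxretry=10):
    """Return (user, ip, failures_before) for each password login that was
    preceded by 1..maxretry-1 failures from the same IP: the attacker got in
    before fail2ban's maxretry could have banned the source address."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            n = failures.get(ip, 0)
            if method == "password" and 0 < n < maxretry:
                hits.append((user, ip, n))
    return hits


if __name__ == "__main__":
    for user, ip, n in suspicious_logins(SAMPLE_LOG):
        print(f"{ip} logged in as {user} by password after only {n} failure(s)")
```

Key-based logins are ignored on purpose, since a guessed password is the only path this check is meant to surface.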
Author
Owner

I locked down the root user with `passwd --lock root` so this should create a huge obstacle towards attackers getting root (which thankfully, I don't think this one did).
Author
Owner

I'm going to require all passwords to be at least 8 characters which should prevent people from being able to guess them in only two attempts like what happened here.
Author
Owner

We will also be requiring SSH keys now for all SSH logins.
Author
Owner

> We will also be requiring SSH keys now for all SSH logins.

This may be temporary if it causes problems, but anyone using SSH should be able to generate and use SSH keys without any issues.
Author
Owner

I cracked the user's password using `hashcat` and it's... very insecure. Their password was just "minecraft"! 👀
Author
Owner

I emailed everyone with weak passwords, so hopefully they change them soon.
a closed this issue 2022-02-02 23:46:13 +00:00
Reference: exozyme/exozyme#103