Possible mitigations for the recent "minecraft" hack #103
As you may have read on our Matrix chat, an exozyme user with username "minecraft" was hacked on January 25 at 04:32:31. Since I know this user personally, I am contacting them right now for more details.
This is what we know so far: The account was created at around 17:00 on January 24 by an IP address near where this user lives, so I don't think the account was created by an attacker.
However, at 04:32:31 on January 25, the SSH logs reveal something terrifying:
The same IP address (located in London, but the attack is probably using a VPN) also tried brute-forcing other common account names but none were existing accounts. Based on the SSH logs, no other users were compromised. We have fail2ban set up #61 #94, but I'm not sure why it wasn't effective.
The compromised account downloaded a common cryptocurrency miner into the `/home/minecraft/.configrc` directory, which is an attack that others have been hit by too: https://askubuntu.com/questions/1224927/cpu-100-with-kswapd0-process-although-no-swap-is-needed#1229039 https://programming.vip/docs/kswapd0-process-mining-trojan.html The account starts two processes using a cron job, both of which are malicious. The `kswapd0` process is responsible for mining cryptocurrency. The processes start automatically at boot time and also come back every day due to the cron job.
I attached a zip file of the compromised user's home directory.
I don't believe the account was able to do further damage other than wasting a ton of CPU. The attack succeeded because this user likely has a very weak password set (since it was guessed using only a few tries), but I'm currently asking them for more information.
To stop the attack, I have deleted the `minecraft` account and am scanning the drive using rkhunter and Lynis for any other malware. To prevent similar attacks in the future, I think we should force stronger passwords, maybe like #21.
Yeah, I really regret saying that.
Fortunately, this attack has been relatively minor and has also been a wake-up call to increase our security everywhere. Maybe only require SSH key login someday? At least all that work I put into #4 has been put to good use!
I think fail2ban did work properly, but the user's password was so weak the attacker managed to guess it in only 2 attempts instead of the 10 needed to trigger fail2ban. They probably also use a botnet to evade IP blocks.
I locked down the root user with `passwd --lock root` so this should create a huge obstacle towards attackers getting root (which thankfully, I don't think this one did). I'm going to require all passwords to be at least 8 characters which should prevent people from being able to guess them in only two attempts like what happened here.
We will also be requiring SSH keys now for all SSH logins.
This may be temporary if it causes problems, but anyone using SSH should be able to generate and use SSH keys without any issues.
I cracked the user's password using `hashcat` and it's... very insecure. Their password was just "minecraft"! 👀 I emailed everyone with weak passwords, so hopefully they change them soon.
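A small detection pass for the gap this thread describes (a password guessed in fewer attempts than fail2ban's retry threshold, so no ban ever fired), written as an added example and not code from the exozyme project or this thread. The log lines are constructed to resemble sshd output; the IP addresses, hostnames and the assumed threshold of 10 retries are placeholders, not values from the real server.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in sshd's format (not from the exozyme server):
# a few guesses against non-existent accounts, one failed guess for "minecraft",
# then a successful password login from the same IP, all below a 10-retry threshold.
SAMPLE_LOG = """\
Jan 25 04:32:10 host sshd[1201]: Invalid user admin from 203.0.113.7 port 40122
Jan 25 04:32:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 25 04:32:15 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jan 25 04:32:20 host sshd[1205]: Failed password for minecraft from 203.0.113.7 port 40140 ssh2
Jan 25 04:32:31 host sshd[1205]: Accepted password for minecraft from 203.0.113.7 port 40140 ssh2
Jan 25 09:00:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def suspicious_logins(log_text, fail2ban_maxretry=10):
    """Return accepted *password* logins that were preceded by failed attempts
    from the same source IP, but fewer than fail2ban_maxretry of them: exactly
    the logins a maxretry-based ban can never catch. Key-based logins are ignored."""
    failures = defaultdict(int)  # source IP -> failed password attempts seen so far
    findings = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            prior = failures.get(ip, 0)
            if method == "password" and 0 < prior < fail2ban_maxretry:
                findings.append({"user": user, "ip": ip, "prior_failures": prior})
    return findings


if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_LOG):
        print(finding)
```

Run against a real `/var/log/auth.log` the same function lists every password login that slipped under the ban threshold, which is the set of accounts worth forcing a password change or key-only login for.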