Chinese software nasty enslaves stadium-load of servers, puts them to work digging up digital dosh in crypto-mines

More than 50,000 servers around the world have been infected with malware that installs crypto-coin-mining scripts and advanced rootkits, it is claimed. Known as Nanshou, the software nasty, we're told, infects machines by brute-forcing Microsoft SQL Server account passwords and using known exploits to elevate its privileges. …

  1. Anonymous South African Coward Silver badge

    Sheep and chicken farming in the boondocks is starting to sound better and better by the day...

    1. Anonymous Coward

      I know MS SQL is very secure these days compared to MySQL or Oracle, but anyone leaving a database directly accessible from the internet is asking for it.

      1. bombastic bob Silver badge

        I sure don't "know" that... you sure you aren't just ass-pulling that 'fact' ?

        1. RyokuMas Silver badge

          "... PEOPLE PREFER THE OLD LOOK by a 2:1 margin... "

          Pot, kettle...

  2. Blockchain commentard

    Recently retired Chinese spooks looking to supplement their pension?

  3. gnasher729 Silver badge

    From government to criminals

    Happened with the NSA, now happened with the Chinese: Malware that was developed for a government has ended up in the hands of criminals.

    So can we please remember this the next time some government wants to be able to decrypt what’s on your phone or computer: if the government can do it today, then criminals will be able to do it soon.

  4. Lt.Kije

    Brute force

    So these marks allowed an unlimited number of failed login attempts without raising a flag or blocking the miscreants? Do I have that right?

    1. Sgt_Oddball Silver badge

      Re: Brute force

      Do any of the owners of these SQL boxes know how to secure it? Whitelists, account lockouts, blacklists for repeat offenders, account-level restrictions. It's not rocket surgery.
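The unlimited failed logins Lt.Kije asks about and the lockouts Sgt_Oddball lists both start with actually noticing the failures. As an added example, not code from the article or from either commenter, here is a Python sketch that parses the "Login failed for user" lines SQL Server writes to its ERRORLOG for error 18456 (the real line layout) and flags any client address that racks up five failures inside a minute; the log lines, user names and addresses are constructed samples.

```python
# Added example (not the article's or any commenter's code): flag SQL Server
# password brute-forcing from ERRORLOG failed-login lines, per client IP.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN = re.compile(  # the error 18456 "Login failed for user" line
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
def fail(ts, user, ip):  # one constructed failed-login line in ERRORLOG layout
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: "
            f"Password did not match that for the login provided. [CLIENT: {ip}]")
# Constructed sample: 203.0.113.45 guesses 'sa' five times in 15 seconds,
# 198.51.100.7 fails twice minutes apart, and a non-login line is skipped.
SAMPLE_LOG = [
    "2019-05-29 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.",
    fail("2019-05-29 10:15:01.23", "sa", "203.0.113.45"),
    fail("2019-05-29 10:15:04.10", "sa", "203.0.113.45"),
    fail("2019-05-29 10:15:07.55", "sa", "203.0.113.45"),
    fail("2019-05-29 10:15:11.02", "sa", "203.0.113.45"),
    fail("2019-05-29 10:15:15.80", "sa", "203.0.113.45"),
    fail("2019-05-29 10:16:00.00", "reports", "198.51.100.7"),
    fail("2019-05-29 10:21:30.00", "reports", "198.51.100.7"),
]

def parse_failed_logins(lines):
    """Return (timestamp, user, client_ip) for each failed-login line."""
    events = []
    for m in filter(None, map(FAILED_LOGIN.match, lines)):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["user"], m["ip"]))
    return events

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """IP -> peak failures inside any `window`, for IPs reaching `threshold`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # evict attempts older than window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Feeding a real ERRORLOG through `detect_bruteforce` gives the per-address counts a lockout or firewall blacklist rule would be keyed on; the two slow failures from the second address show why a window, not a lifetime total, is the right measure.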

      1. whoseyourdaddy

        Re: Brute force

        Have to admit if the MS-SQL I'm in charge of gets hacked, the entire electronic parts catalog we keep there would never be impacted by a malicious use of spare CPU cycles that we would notice.

        Out of sight, can't see the lights blink. Only time we would consider hiring a DBA is if it stops responding and a restore/reinstall doesn't bring it back up.

      2. bombastic bob Silver badge

        Re: Brute force

        how about "WHY THE FEEL ARE THEY EXPOSING THE LISTENING PORTS ON A PUBLIC IP ADDRESS" as the #1 thing NOT to do with an MS SQL server... yeah THAT detail was pretty blatant, wasn't it? At least I think it was blatantly obvious as the #1 problem here. The article said that the logins were brute-forced, after all [captain obvious says so, as it's in the topic]

        /me also points out - it's pronounced 'Es Queue El' in case someone said the 'sequel' word.

        If you MUST have other machines across 'teh intarwebs' access it, USE A SECURE TUNNEL to an RFC1918 IP address, through a NON-MICROSOFT FIREWALL that outright blocks everything else.

    2. bombastic bob Silver badge

      Re: Brute force

      I would guess 'that' (zillions of login attempts, unrestricted, etc.) based on the description, and ALSO that the SQL Server was listening on a PUBLIC IP ADDRESS which is about as bone-headed as you can get, like hanging a sign up saying "hack me"

  5. chivo243 Silver badge

    Password reuse

    They must have kept a log of working passwords, and found some keys opened other doors.

  6. c1ue

    Sounds suspicious to me. There are government entities known for cryptocurrency operations...China's isn't one of them.

  7. I.Geller Bronze badge

    AI database and server

    AI technology is primarily about how to structure texts into clusters of synonymous patterns, which make these texts (in some sense) programs. For example, there is a paragraph:

    -- Tesla and Waymo are coming. They go fast. --

    In this section there are six patterns:

    - Tesla is coming

    - Waymo is coming

    - Tesla goes fast

    - Waymo goes fast

    - They are coming

    - They go fast.

    These patterns form three synonymous clusters. For example one of them:

    -- Tesla is coming

    -- Tesla goes fast.

    There is a second paragraph:

    -- Tesla is great. It went fast! --

    There are four patterns here:

    - Tesla is great

    - Tesla went fast

    - It went fast

    - It is great.

    That is, it is possible to index synonymous patterns of one cluster by another - both clusters have the same pattern "Tesla goes fast" / "Tesla went fast". And then in response to the query "Is Tesla coming?" it turns out that the answer is "It is great!", even if the first paragraph doesn't have this answer.

    Microsoft, for example, already uses this:

    -- Vector search makes it easier to search by concept rather than keyword. For example, if a user types in “How tall is the tower in Paris?” Bing can return a natural language result telling the user the Eiffel Tower is 1,063 feet, even though the word “Eiffel” never appeared in the search query and the word “tall” never appears in the result. Microsoft uses vector search for its own Bing search engine, and the technology is helping Bing better understand the intent behind billions of web searches and find the most relevant result among billions of web pages. --

    Thus, an AI database consists of synonymous clusters that are all indexed relative to each other, literally intertwined.

    Suppose someone wants to hack/ add/ delete into the database. This means that the database must be loaded with/ purged of old/ new clusters that violate the indexing of everything, i.e. a hacking attempt will be detected immediately.

    Next, indexed synonymous clusters are the programs! That is, some actions are assigned to certain cluster patterns. For example, the pattern "Tesla goes fast" is assigned to the function of accelerating a Tesla car to 60 miles per hour. So, downloading malicious programs to the AI server means downloading synonymous clusters, which will be immediately detected because they destroy the indexing.

    AI database and server are protected from traditional hacking.

    1. elDog

      Re: AI database and server

      That's a great idea!

      Just have the target machines building synonym tables for 500,000 words and the appropriate number of word-phrases (much bigger than 500,000) and you'll peg the CPU - making that particular target box unavailable to be hacked.

      (<grin> I will have to go back and parse your post a bit more carefully, perhaps.)

    2. I.Geller Bronze badge

      surrounding pieces of text

      Establishing relational connections between patterns is certainly not such a simple matter! In addition to the fact that the patterns must match, similar contexts and subtexts of the surrounding pieces of text - that is, paragraphs - are necessary.

    3. I.Geller Bronze badge

      and purge it

      Be very careful when obtaining patterns from text! For example, the word "fast" can be perceived (by computer) as a noun - something that fastens (such as a mooring line) or holds a fastening; although it is used as an adjective in, for example, this paragraph:

      -- Tesla and Waymo are coming. They go fast. --

      and then you get, as a meaningful one, this pattern:

      - Fast go fast

      where the pattern pollutes the synonymous cluster (obtained from the paragraph), creates lexical noise.

      In order to understand the true part of speech and find the correct dictionary definition (for the subsequent indexing of the pattern), it's necessary to compare all a word's structured dictionary definitions with its surrounding text and delete the wrong, if it appeared accidentally.

  8. I.Geller Bronze badge

    The main thing is to consider parts of speech; it immediately and greatly reduces the number of synonyms. But for this you need a personal profile/ texts first.


Biting the hand that feeds IT © 1998–2021