Coin-mining malware jumps from Arm IoT gear to Intel servers A coin-mining malware infection previously only seen on Arm-powered IoT devices has made the jump to Intel systems. Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux. "I suspect it’s probably a …
In many cases, it already does. If you ever try mining on Windows, you'll probably have to whitelist the directory where you put your miner. In fact, Windows Defender even treats the Monero binaries as malware, even though you can't use them to mine, only to transact. But there are fewer traditional antivirus products for Linux, and they're less common, so I don't know if they also treat mining as suspicious.
“Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux.”
How does this malware initially get onto the Intel Linux machines?
“The honeypot allows logins using known default login credentials for root.”
No self respecting Linux user would leave the system with the ‘default login credentials for root’, whatever that is supposed to mean. As on installation you are prompted for a unique root password. Besides, any self respecting Linux user would disable SSHing into root.
It's stated that the access method is SSH, so some options include:
1. SSHing with poor or default credentials to root because not all Linux users are, in your words, self-respecting.
2. SSHing with poor or default credentials to something that isn't root, then elevating to root if the user has sudo privs.
3. SSHing with poor or default credentials to something that isn't root, and therefore installing as a user process. It's not as effective, but it'll mine sometimes and that can't hurt the criminals because why should they care?
I have a public-facing server with SSH enabled. Root can't log in, and anything that can log in has an undisclosed username* and either a seriously difficult password or keys only. Lots of automated login attempts occur, but not all of them are people fruitlessly trying to log in as root. Many are trying things like "admin", "system", "user", or the machine's domain name. The people trying this must be doing it because it sometimes works.
*Undisclosed username: This is not a security measure; I know that security by obscurity doesn't work. What it does let me do is set up a monitor for the SSH logs that can inform me if someone is trying to log into an actual account, thus filtering noise from the pointless attempts. If someone does get a real username, I will know about it and I can figure out where that information came from and where this at least a bit more sophisticated attack is coming from. Unless that filter activates, I don't have to worry about the automatic SSH bots. And while we're on the subject, *checks logs*, nobody's guessed any real usernames since the server was set up two years ago.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
