Rocksolid Light

Mr. Roboto

https://rocksolidbbs.com/rocksolid/article-flat.php?id=231&group=rocksolid.shared.hacking#231

Path: i2pn2.org!rocksolid2!def5!.POSTED.bogusentry!not-for-mail
From: guest@retrobbs.rocksolidbbs.com (Guest)
Newsgroups: rocksolid.shared.hacking
Subject: Mr. Roboto
Date: Mon, 21 Dec 2020 15:10:57 -0500
Organization: Dancing elephants
Lines: 39
Message-ID: <rrr2nn$t3g$1@def5.org>
Reply-To: Guest <guest@retrobbs.rocksolidbbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 21 Dec 2020 21:05:59 -0000 (UTC)
Injection-Info: def5.org; posting-host="bogusentry:192.168.1.189";
logging-data="29808"; mail-complaints-to="usenet@def5.org"
User-Agent: FUDforum 3.0.7
X-FUDforum: 6666cd76f96956469e7be39d750cc7d9 <497355>

https://threatpost.com/linux-webmin-servers-attack-p2p-botnet/150513/

Don't get too paranoid, but also check your Webmin protocol from time to time if you have any!
I was hit last year and now it seems that a different version is making a comeback!

threatpost.com
Linux Webmin Servers Under Attack by Roboto P2P Botnet
Author: Lindsey O'Donnell

A newly-discovered peer-to-peer (P2P) botnet has been found targeting a remote code execution vulnerability in Linux Webmin servers.

Vulnerable Linux Webmin servers are under active attack by a newly-discovered peer-to-peer (P2P) botnet, dubbed Roboto by researchers.

The botnet is targeting a remote code-execution vulnerability (CVE-2019-15107) in Webmin, a web-based system configuration tool for Linux servers. CVE-2019-15107 was previously patched on Aug. 17 and can be mitigated by updating to Webmin 1.930, said researchers with NetLab 360.

"We recommend that Webmin users take a look whether they are infected by checking the process, file name and UDP [User Datagram Protocol] network connection," said NetLab 360 researchers in a Wednesday analysis. "We recommend that Roboto botnet-related IP, URL and domain names to be monitored and blocked."

Researchers first came across Roboto on Aug. 26, and have been tracking it for the past three months. It is unknown how many Linux Webmin servers are being targeted; Threatpost has reached out to NetLab 360 for further information. However, the attack surface could potentially be massive: Webmin says that it has over a million installations worldwide and according to Shodan, 232,000 servers are currently vulnerable.
Mr. Roboto

The Roboto botnet mainly supports seven functions: reverse shell (allowing attackers to execute commands on infected bots) and self-uninstall capabilities; as well as the ability to gather process network information, gather bot information, execute system commands, run encrypted files specified in URLs and launch distributed denial-of-service (DDoS) attacks.

However, Roboto's main goals remain unknown at this point, researchers said: "Roboto botnet has DDoS functionality, but it seems DDoS is not its main goal. We have yet to capture a single DDoS attack command since it showed up on our radar. We are still yet to learn its true purpose."

After Roboto targeted their honeypot, researchers were able to further analyze the botnet's associated downloader and bot modules, as well as vulnerability-scanning modules and its P2P control module. Post-infection, the botnet collects further information (including a list of processes running, and network information) about the infected bot.
Rare P2P Botnet

As a peer-to-peer (P2P) botnet, Roboto operates without a command-and-control (C2) server. P2P botnets including Hajime and Joanap make it trickier for researchers or authorities to target them as there are no centralized domains or servers to track.

P2P botnets instead create decentralized networks of infected devices, or "bots," which talk to one another rather than to a central server, typically employing custom protocols for communication that must be decrypted before they can be analyzed.

Upon further investigation, researchers found that Roboto uses such a P2P communication protocol between various infected bots. "The length of the request packet is a fixed 69 bytes, the data is not encrypted, and the content is the public key of the target peer and the public key of the bot," researchers said. "After receiving the bot request packet, peer establishes a connection with the bot if it is consistent with its own public key, and then calculates the SharedKey through the public key."

Roboto also uses algorithms like Curve25519, Ed25519, TEA, SHA256 and HMAC-SHA256 for communication. These algorithms allow Roboto to "ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control," researchers said.

It's not the first time that Linux servers have been targeted by botnets. Muhstik, for instance, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.


--
Posted on def3
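The peer handshake the article describes (a fixed 69-byte unencrypted request carrying the target peer's public key and the bot's public key, the receiving peer checking the target key against its own, then deriving a shared key via Curve25519), modelled in pure Python. This is an added example, not code from the post, from NetLab 360's analysis or from the malware itself. Only what the article states is taken as given; the byte layout of the 69 bytes (32-byte target key, 32-byte bot key, 5 undocumented bytes left zero) and HMAC-SHA256 as the key-derivation step are assumptions made here. The X25519 routine follows RFC 7748 and is checked against its published test vectors.

```python
"""Added example: model of the P2P request/shared-key step described for
Roboto.  Packet layout and the HMAC-SHA256 KDF are assumptions."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, ladder constant
BASEPOINT = (9).to_bytes(32, "little")
REQ_LEN = 69                         # fixed request length the article reports


def _clamp(k: bytes) -> int:
    # RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder.  The conditional swap is
    an ordinary Python branch, so this is a readable model of the step,
    not a constant-time primitive."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                    # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def derive_shared_key(priv: bytes, their_pub: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 over the raw ECDH output under a fixed label.
    # The article lists HMAC-SHA256 among the bot's algorithms but does not
    # say how SharedKey is actually derived.
    secret = x25519(priv, their_pub)
    return hmac.new(b"example-p2p-kdf", secret, hashlib.sha256).digest()


def build_request(target_pub: bytes, bot_pub: bytes) -> bytes:
    # Assumed layout: 32-byte target key || 32-byte bot key || 5 bytes the
    # article does not describe (zero-filled).  Nothing here is encrypted,
    # which is why the exchange is visible to a passive observer.
    pkt = target_pub + bot_pub + b"\x00" * (REQ_LEN - 64)
    assert len(pkt) == REQ_LEN
    return pkt


def peer_handle_request(my_priv: bytes, my_pub: bytes, pkt: bytes) -> Optional[bytes]:
    """Receiving peer: ignore anything not exactly REQ_LEN bytes or not
    addressed to our own public key; otherwise derive the session key."""
    if len(pkt) != REQ_LEN:
        return None
    target_pub, bot_pub = pkt[:32], pkt[32:64]
    if not hmac.compare_digest(target_pub, my_pub):
        return None                  # request meant for a different peer
    return derive_shared_key(my_priv, bot_pub)


def demo() -> bool:
    bot_priv, bot_pub = keypair()
    peer_priv, peer_pub = keypair()
    other_priv, other_pub = keypair()
    pkt = build_request(peer_pub, bot_pub)
    k_peer = peer_handle_request(peer_priv, peer_pub, pkt)   # addressed peer
    k_bot = derive_shared_key(bot_priv, peer_pub)            # bot's side
    dropped = peer_handle_request(other_priv, other_pub, pkt) is None
    return dropped and k_peer is not None and k_peer == k_bot


if __name__ == "__main__":
    print("handshake agrees and misaddressed request dropped:", demo())
```

The point worth taking from the model: because the request is sent in the clear and has a fixed length, the two public keys are visible on the wire, which is what makes the "fixed 69 bytes" observation usable as a network signature even though everything after the key agreement is protected.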
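The article's remediation advice (check the process, file name and UDP connections) turned into a small Linux triage helper. This is an added example, not code from the post or from NetLab 360. It parses /proc/net/udp and /proc/net/udp6, maps each socket inode to its owning pid, and prints the process name next to the real executable path, since a renamed process still reveals its binary through /proc/<pid>/exe (with " (deleted)" appended when the file was removed from disk). The little-endian host assumption for decoding addresses and the sample table used for the offline check are constructed here; the indicator list in NetLab's write-up is not reproduced on this page, so compare the output against it yourself.

```python
"""Added example: UDP socket -> process triage from /proc, after the
article's advice to check processes, file names and UDP connections."""
import os
import socket
from typing import Dict, List

PROC_TABLES = ("/proc/net/udp", "/proc/net/udp6")


def _hex_addr_to_ip(hexaddr: str) -> str:
    """The kernel prints each 32-bit address word in host byte order, so on
    a little-endian host (assumed here) every 8-hex-digit group is reversed.
    8 hex digits -> IPv4, 32 -> IPv6."""
    raw = b"".join(bytes.fromhex(hexaddr[i:i + 8])[::-1]
                   for i in range(0, len(hexaddr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def parse_proc_net_udp(text: str) -> List[Dict[str, object]]:
    """Parse a /proc/net/udp or /proc/net/udp6 table (header line skipped)
    into local/remote endpoint strings plus owning uid and socket inode."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        rows.append({
            "local": f"{_hex_addr_to_ip(laddr)}:{int(lport, 16)}",
            "remote": f"{_hex_addr_to_ip(raddr)}:{int(rport, 16)}",
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_owners() -> Dict[int, int]:
    """Map socket inode -> pid by reading every /proc/<pid>/fd symlink.
    Needs root to see other users' processes."""
    owners: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = int(pid)
        except OSError:
            continue                 # process exited or fd dir not readable
    return owners


def describe_pid(pid: int) -> str:
    """comm is trivially renamed by malware; the exe link is the real binary
    and carries ' (deleted)' if the file was unlinked after start."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            comm = fh.read().strip()
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return f"pid {pid}: gone or unreadable"
    return f"pid {pid} comm={comm!r} exe={exe}"


def report() -> List[str]:
    """One line per UDP socket with its owner; empty on non-Linux hosts."""
    owners = socket_owners() if os.path.isdir("/proc") else {}
    out = []
    for path in PROC_TABLES:
        try:
            with open(path) as fh:
                rows = parse_proc_net_udp(fh.read())
        except OSError:
            continue
        for r in rows:
            pid = owners.get(r["inode"])
            who = (describe_pid(pid) if pid
                   else f"inode {r['inode']} has no visible owner (not root?)")
            out.append(f"{r['local']:>24} -> {r['remote']:<20} uid={r['uid']:<5} {who}")
    return out


# Constructed sample in the kernel's table format: a resolver on
# 127.0.0.53:53 owned by uid 101, and a socket bound to every interface on
# UDP 47222 by uid 0 (hypothetical values, not observed indicators).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 23456 2 0000000000000000 0
  456: 00000000:B876 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 98765 2 0000000000000000 0
"""

if __name__ == "__main__":
    for line in report() or ["(no /proc tables here; parsed sample follows)"]:
        print(line)
    for r in parse_proc_net_udp(SAMPLE_UDP):
        print(r)
```

Run it as root on the Webmin host; a UDP socket bound to all interfaces whose owner's exe points at a file under /tmp, /dev/shm or a path marked "(deleted)" is the kind of thing the article's "check the process, file name and UDP connection" advice is asking you to find.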

Re: Mr. Roboto

https://rocksolidbbs.com/rocksolid/article-flat.php?id=232&group=rocksolid.shared.hacking#232

Path: i2pn2.org!.POSTED!not-for-mail
From: poster@anon.com (Anonymous)
Newsgroups: rocksolid.shared.hacking
Subject: Re: Mr. Roboto
Date: Mon, 21 Dec 2020 15:43:49 -0800
Organization: i2pn2 (i2pn.org)
Message-ID: <ha.902.17z4nw@anon.com>
References: <rrr2nn$t3g$1@def5.org>
Content-Type: text/plain; charset=UTF-8
Injection-Info: i2pn2.org; posting-account="def2";
logging-data="1467"; mail-complaints-to="usenet@i2pn2.org"

This article is from the end of '19?

--
Posted on def2

Re: Mr. Roboto

https://rocksolidbbs.com/rocksolid/article-flat.php?id=233&group=rocksolid.shared.hacking#233

Path: i2pn2.org!rocksolid2!def5!.POSTED.bogusentry!not-for-mail
From: guest@retrobbs.rocksolidbbs.com (Guest)
Newsgroups: rocksolid.shared.hacking
Subject: Re: Mr. Roboto
Date: Tue, 22 Dec 2020 14:50:48 -0500
Organization: Dancing elephants
Lines: 0
Message-ID: <rrtlv9$8mv$1@def5.org>
References: <ha.902.17z4nw@anon.com>
Reply-To: Guest <guest@retrobbs.rocksolidbbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 22 Dec 2020 20:46:33 -0000 (UTC)
Injection-Info: def5.org; posting-host="bogusentry:192.168.1.189";
logging-data="8927"; mail-complaints-to="usenet@def5.org"
User-Agent: FUDforum 3.0.7
X-FUDforum: 6666cd76f96956469e7be39d750cc7d9 <498566>

I know. I was hit in 2019. It appears the new length is 156 bytes.

--
Posted on def3

Re: Mr. Roboto

https://rocksolidbbs.com/rocksolid/article-flat.php?id=234&group=rocksolid.shared.hacking#234

Path: i2pn2.org!rocksolid2!.POSTED.127.117.190.215!not-for-mail
From: poster@anon.com (Anonymous)
Newsgroups: rocksolid.shared.hacking
Subject: Re: Mr. Roboto
Date: Tue, 22 Dec 2020 13:22:37 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <ha.904.6y4ti@anon.com>
References: <rrr2nn$t3g$1@def5.org>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def.i2p"; posting-host="127.117.190.215";
logging-data="5024"; mail-complaints-to="usenet@novabbs.org"

>>73c5a7e8e8465ee711
What did the attackers do to your server?

--
Posted on def2
