先來一段 log
45.148.120.113 - - [25/Jun/2023:18:24:48 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n" 400 226 "-" "-"45.148.120.113 - - [25/Jun/2023:18:24:49 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"MinerName/1.0.0\", \"EthereumStratum/1.0.0\"]}\n" 400 226 "-" "-"45.148.120.113 - - [25/Jun/2023:18:24:50 +0800] "{\"id\":1,\"method\":\"eth_submitLogin\",\"worker\":\"igwrcvap\",\"params\":[\"91f6d16211ecd81a5c76786079d8de\",\"x\"],\"jsonrpc\":\"2.0\"}\n" 400 226 "-" "-"45.148.120.113 - - [25/Jun/2023:18:24:53 +0800] "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"PD4ob3TnkdP3VcFXwA6yxbcqdQzpZ9NcUdnY4YkVMYVnqTYor2mVegyb3FpBfNDzWqQXc\",\"pass\":\"x\",\"agent\":\"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\",\"algo\":[\"cn/1\",\"cn/2\",\"cn/r\",\"cn/fast\",\"cn/half\",\"cn/xao\",\"cn/rto\",\"cn/rwz\",\"cn/zls\",\"cn/double\",\"cn/ccx\",\"cn-lite/1\",\"cn-heavy/0\",\"cn-heavy/tube\",\"cn-heavy/xhv\",\"cn-pico\",\"cn-pico/tlo\",\"cn/upx2\",\"rx/0\",\"rx/wow\",\"rx/arq\",\"rx/graft\",\"rx/sfx\",\"rx/keva\",\"argon2/chukwa\",\"argon2/chukwav2\",\"argon2/ninja\",\"astrobwt\"]}}\n" 400 226 "-" "-"
IP 45.148.120.113 來自荷蘭
就查到的資料似乎是一種加密貨幣挖礦的殭屍病毒漏洞攻擊, 攻擊者會先讓遠端電腦下載執行檔, 待下載後執行該檔案, 再以上列 log中的資料連線挖礦
沒有留言:
張貼留言