"mdrfckr" Botnet Attack - AT002-240304
March 4, 2024Status: Not Vulnerable - Monitoring
For a higher detail report on the attack overall, refer to this detailed article about the history of this attack.
Within the last year before writing, a significant number of odd requests have been discovered on the Guestbee SSH service. These requests are always the same, and have been carried out by the following IP addresses in the table, the specified number of times. They are categorized as attacks due to the unique content embedded within the arguments while making an SSH connection. While Honeybeeks servers are not vulnerable to this type of attack, these devices are known malious, and the techniques are useful to keep track of for future reference and IDS/IPS calibration.
What is the "mdrfckr" attack?
This attack is always the same, and comes in two connection attempts. The attack payloads are always sent within inline SSH commands upon making a connection. During the first connection, the attacker performs three actions in sequence. First, the attacker attempts to change directory into the ssh user's home directory. Next, the attacker attempts to change the attributes of the `.ssh` directory to only allow appending from the superuser, and denying all changes otherwise. Finally, a command named "lockr" is attempted to be executed, which is an unknown executable.
SSH_CMD: "-c cd ~; chattr -ia .ssh; lockr -ia .ssh"
In the second connection of the attack, which comes immediately after the first, the attacker attempts to perform six actions in sequence. First, the attacker again changes directory to the ssh user's home directory. Next, the attacker attempts to remove the .ssh directory and its contents. Next, the folder is re-created, then a new authorized_keys file within is populated with a public RSA SSH key. Notably, the hostname provided after each key in each attack from each device, is always "mdrfckr", giving this attack its name. Each RSA Key provided is interestingly the same in each attack across all different devices, hinting at all these devices being controlled by one individual/program. With one hundred forty eight (148) total mdrfckr attacks logged, one hundred, forty eight (148) of them were using the same public key. After the key is appended to the file, the attacker then attempts to modify permissions recursively for the .ssh directory to only allow the same group as the ssh user, and other users, access to the directory. Finally, the attacker, for some reason, changes directory back to the home directory. An example of this payload can be shown below, with the actual public SSH key the attacker used.
SSH_CMD: "-c cd ~ && rm -rf .ssh && mkdir .ssh &&
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7 VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3 Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+B gTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nyl AKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww +u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rB LAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys &&
chmod -R go= ~/.ssh && cd ~"
Conclusions
The "mdrfckr" attack is a series of SSH requests that attempt to override the vulnerable SSH user's .ssh directory, erasing all data stored within, then input a public key into the authorized_keys file.
The Attack is likely controlled by a botnet, as out of 148 logged attacks of this variant, one hundred forty eight (148) of them used the same SSH public key, hinting at one command center, or alternatively, a self replecating worm.
Identified Attackers:
If your IP is on the list and you are unsure why, a device on your network may be infected.
| # Of Occurences | IP Address |
|---|---|
| 1 | 101.100.176.99 |
| 1 | 103.110.33.217 |
| 1 | 103.171.162.91 |
| 1 | 103.226.248.146 |
| 1 | 103.231.46.66 |
| 1 | 103.252.25.168 |
| 1 | 103.69.97.230 |
| 1 | 104.224.177.195 |
| 1 | 106.12.79.130 |
| 1 | 110.42.234.102 |
| 1 | 111.229.180.133 |
| 1 | 113.142.150.74 |
| 1 | 113.31.114.208 |
| 1 | 113.83.131.105 |
| 1 | 115.94.79.59 |
| 1 | 117.94.223.7 |
| 1 | 119.8.155.248 |
| 1 | 120.48.242.12 |
| 1 | 122.155.0.205 |
| 1 | 124.222.32.114 |
| 1 | 125.88.221.205 |
| 1 | 128.199.179.8 |
| 1 | 129.226.198.6 |
| 1 | 137.184.55.79 |
| 1 | 14.103.40.90 |
| 1 | 144.126.204.43 |
| 1 | 146.190.166.212 |
| 1 | 150.129.105.120 |
| 1 | 150.158.26.29 |
| 1 | 158.101.127.60 |
| 1 | 159.89.207.210 |
| 1 | 162.62.80.84 |
| 1 | 165.22.116.130 |
| 1 | 165.22.20.135 |
| 1 | 167.172.32.129 |
| 1 | 167.71.161.120 |
| 1 | 167.71.205.80 |
| 1 | 167.71.99.157 |
| 1 | 170.106.141.190 |
| 1 | 171.244.51.26 |
| 1 | 172.245.55.35 |
| 1 | 178.22.122.66 |
| 1 | 178.22.168.219 |
| 1 | 178.234.49.115 |
| 1 | 178.46.163.191 |
| 1 | 181.115.208.122 |
| 1 | 182.43.254.170 |
| 1 | 183.15.120.55 |
| 1 | 185.233.119.142 |
| 1 | 186.152.214.88 |
| 1 | 186.57.168.74 |
| 1 | 189.128.140.92 |
| 1 | 189.6.45.130 |
| 1 | 191.98.191.214 |
| 1 | 192.144.65.1 |
| 1 | 195.19.97.157 |
| 1 | 200.189.192.3 |
| 1 | 200.52.65.31 |
| 1 | 202.103.157.115 |
| 1 | 202.183.186.82 |
| 1 | 202.29.232.18 |
| 1 | 202.51.74.123 |
| 1 | 205.185.118.174 |
| 1 | 211.21.113.128 |
| 1 | 213.251.166.31 |
| 1 | 213.251.176.27 |
| 1 | 217.76.62.14 |
| 1 | 222.108.154.231 |
| 1 | 222.124.214.10 |
| 1 | 222.219.131.94 |
| 1 | 23.224.132.116 |
| 1 | 35.244.32.76 |
| 1 | 36.129.29.128 |
| 1 | 36.137.233.189 |
| 1 | 36.20.2.38 |
| 1 | 37.17.180.202 |
| 1 | 41.74.112.230 |
| 1 | 4.216.225.68 |
| 1 | 4.249.160.124 |
| 1 | 43.128.106.12 |
| 1 | 43.130.57.4 |
| 1 | 43.131.62.185 |
| 1 | 43.133.58.65 |
| 1 | 43.134.164.247 |
| 1 | 43.134.180.14 |
| 1 | 43.134.29.154 |
| 1 | 43.135.150.198 |
| 1 | 43.135.184.84 |
| 1 | 43.153.105.59 |
| 1 | 43.153.194.186 |
| 1 | 43.153.66.73 |
| 1 | 43.153.85.172 |
| 1 | 43.156.33.78 |
| 1 | 43.156.83.109 |
| 1 | 45.117.177.103 |
| 1 | 46.245.89.107 |
| 1 | 49.205.41.97 |
| 1 | 49.232.9.165 |
| 1 | 49.247.214.126 |
| 1 | 49.247.45.195 |
| 1 | 51.15.171.97 |
| 1 | 52.183.128.237 |
| 1 | 62.171.155.215 |
| 1 | 64.227.30.193 |
| 1 | 68.178.170.110 |
| 1 | 68.183.179.218 |
| 1 | 72.167.142.155 |
| 1 | 72.167.227.34 |
| 1 | 74.208.63.130 |
| 1 | 81.28.167.30 |
| 1 | 81.31.244.226 |
| 1 | 81.68.252.226 |
| 1 | 82.157.68.33 |
| 1 | 85.133.166.86 |
| 1 | 88.142.46.185 |
| 1 | 89.121.228.38 |
| 1 | 89.144.200.56 |
| 1 | 91.202.5.31 |
| 1 | 93.81.248.157 |
| 1 | 94.228.169.245 |
| 2 | 103.56.148.238 |
| 2 | 115.159.85.90 |
| 2 | 146.190.60.168 |
| 2 | 179.49.29.90 |
| 2 | 202.129.211.254 |
| 2 | 217.232.128.201 |
| 2 | 36.68.222.128 |
| 2 | 37.27.20.117 |
| 2 | 43.153.20.27 |
| 2 | 43.153.48.75 |
| 2 | 43.155.170.163 |
| 2 | 45.164.39.253 |
| 2 | 49.51.72.183 |
| 2 | 58.136.163.11 |