A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29353  by ikolor
 Wed Oct 05, 2016 11:00 am
Following what the title says: what is an easy way to get a basic picture of how a botnet works?

[image]

In this picture we can see a file listing of the Gafgyt botnet in Apache. The questions that come to my mind are:
Is this some taken-over "www" server with inserted and listed files?
Why does the hacker allow this file to be visible?
Is this server a warehouse, or does this file, by some command, flood some target with DDoS?
Why does the hacker update this file? Does he or she have to connect to this server, or does some software do this automatically?
The owner doesn't see that his Linux has an open www server.
############################
Second part
############################
This Linux sandbox analyzes some file from a botnet. A different file: "Mirai"

[image]

https://detux.org/report.php?sha256=a04 ... a9c33121fc
We can see on the right side the DNS queries: report.xf0.pw 91.185.190.172
Is this server taken over, or only some warehouse?
On the left we can see the IPs connected. Does it mean that from 91.185.190.172 an attack goes out to some target??
And finally, where is the number of the hacker who is connected to this server?
Of course every question has a question mark?
 #29354  by tWiCe
 Wed Oct 05, 2016 12:10 pm
Basically, the actors behind GafGyt are not skilled hackers, so it's okay that their servers are misconfigured. Furthermore, nobody really cares if the directory listing is allowed or not. I'll explain later why.

So how do attacks with GafGyt happen? Firstly, an actor performs an SSH/Telnet brute-force attack against some IP range or just randomly generated IPs. If he finds credentials to access some device, he downloads and runs an sh script on this device. The script later downloads binaries for many architectures (that is why nobody cares about directory listing - all binaries' names are listed in the sh script) and tries to run every binary (in fact, only one binary will run, because the other binaries have the wrong architecture). Of course all this scanning/brute-forcing/uploading is performed by automated tools (trojans/tools).

Regarding your second part, report.xf0.pw is a server controlled by an actor. If you look carefully at the IPs tab, you can see that it has a lot of connections on IP:23, which means the trojan performs a telnet brute-force attack.
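The "lot of connections on IP:23" observation above is the kind of thing an analyst wants to check mechanically rather than by eye. The following added example (my own code, not anything from the thread or from the sandbox the poster used) parses constructed connection records in the shape a sandbox "IPs" tab would show, flags a source that fans out to many distinct hosts on port 22 or 23 (the brute-force/scanning pattern tWiCe describes), and separates that traffic from the remaining destinations, which is where a download server or C&C would appear. The record format, the addresses (RFC 5737 documentation ranges) and the threshold are all assumptions made for the example.

```python
"""Flag telnet/SSH brute-force fan-out in sandbox-style connection records."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in "src_ip dst_ip:dst_port" form, modelled on a sandbox IPs tab.
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_CONNECTIONS = """\
10.0.0.5 198.51.100.7:23
10.0.0.5 198.51.100.8:23
10.0.0.5 198.51.100.9:23
10.0.0.5 198.51.100.10:23
10.0.0.5 198.51.100.11:23
10.0.0.5 198.51.100.12:23
10.0.0.5 203.0.113.40:80
10.0.0.9 203.0.113.40:443
10.0.0.9 203.0.113.41:443
"""

BRUTE_FORCE_PORTS = {22, 23}   # SSH and telnet, the services Gafgyt-style bots brute-force
FANOUT_THRESHOLD = 5           # distinct targets on one port before a source is flagged (assumed)

Connection = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def parse_connections(text: str) -> List[Connection]:
    """Parse 'src dst:port' lines; blank lines and '#' comments are skipped."""
    records: List[Connection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        host, port = dst.rsplit(":", 1)
        records.append((src, host, int(port)))
    return records


def fanout_by_port(records: List[Connection]) -> Dict[str, Dict[int, Set[str]]]:
    """For each source, the set of distinct destination hosts per destination port."""
    table: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for src, dst, port in records:
        table[src][port].add(dst)
    return table


def flag_brute_forcers(records: List[Connection],
                       threshold: int = FANOUT_THRESHOLD) -> List[Tuple[str, int, int]]:
    """Return (src, port, distinct_target_count) for sources that spray SSH/telnet."""
    hits = []
    for src, ports in fanout_by_port(records).items():
        for port, targets in ports.items():
            if port in BRUTE_FORCE_PORTS and len(targets) >= threshold:
                hits.append((src, port, len(targets)))
    return sorted(hits)


def other_destinations(records: List[Connection]) -> Dict[str, Set[str]]:
    """Non-scan traffic per source ('host:port'); a dropper or C&C server shows up here."""
    rest: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, port in records:
        if port not in BRUTE_FORCE_PORTS:
            rest[src].add(f"{dst}:{port}")
    return rest


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_CONNECTIONS)
    for src, port, n in flag_brute_forcers(recs):
        print(f"{src}: {n} distinct hosts on port {port} -> likely telnet/SSH brute-force")
    for src, dsts in other_destinations(recs).items():
        print(f"{src}: other traffic to {sorted(dsts)}")
```

On the sample the only flagged source is 10.0.0.5 on port 23 (six distinct targets); its single port-80 destination is left in the "other traffic" bucket for the analyst to look at as a possible download server. Counting distinct hosts rather than raw connections is what separates a scanner from a bot that simply reconnects to one C&C many times.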
 #29355  by ikolor
 Wed Oct 05, 2016 12:36 pm
What I know: an SSH/Telnet brute-force attack needs to find a login+password. Then he has access only as a normal user and to a restricted part of Linux. How will he get a root account, to open some ports or open some socket?
The binary or script connects to headquarters.
How does the actor change the target?
Why are the files updated?
 #29356  by tWiCe
 Wed Oct 05, 2016 1:12 pm
On most IoT devices (routers, smart TVs, etc.) the only ssh/telnet account has root privilege. So the attacker doesn't even need to care about rights elevation.

>How does the actor change the target?
>Why are the files updated?

Rephrase it please, I can't understand what you mean.
 #29357  by ikolor
 Wed Oct 05, 2016 1:17 pm
How does the hacker send a command to change the target IP? Do they have to make a modification to the file?
I noticed some files have a date and, for example, 2 days later the files on the same server are new.

This scenario will happen if the www server, for example Apache, is not working.

How to know where the hacker is sitting, his real IP?
 #29359  by tWiCe
 Wed Oct 05, 2016 1:38 pm
The C&C server is hardcoded into every sample. The only way to change it is to rebuild the binary file.

Web servers are used only for malware distribution. Some actors use hacked websites for this purpose. The C&C server usually has another IP address.

>How to know where the hacker is sitting, his real IP?

You can't know it. For example, the IP used in the trojan as the C&C address could be just a proxy that transmits your traffic to another server and so on.

I saw one Linux trojan that had its C&C server hidden behind more than 5 chained proxies.
 #29360  by ikolor
 Wed Oct 05, 2016 2:04 pm
The last thing I need to know: if Linux is taken over, it doesn't mean the hacker has access to root privilege, only to telnet or some part. The root can quickly remove the damage on his server. The root also sees this hacker's work in the logs.

Do you think it is a big performance to find open telnet/ssh and use it to DDoS some target?
Can that taken-over Linux be used for sending spam, or only for DDoS?
And is it easy to stop that botnet, or difficult?
#########################
You see this botnet uses one of the connections here.
182.160.116.129:23
[image]
As you told me, they have access to some modem too.
http://200.95.231.133/adv_index.html
[image]
 #29370  by tWiCe
 Thu Oct 06, 2016 11:16 am
>The last thing I need to know: if Linux is taken over, it doesn't mean the hacker has access to root privilege, only to telnet or some part. The root can quickly remove the damage on his server.

Once compromised, a device could be used in any way. The most common goals on Linux-based devices are DDoS/brute-force/proxy.

>And is it easy to stop that botnet, or difficult?

If ppl don't change default passwords on their devices, there is not much that other ppl could do.

What's up with IPs you mentioned?
 #29371  by ikolor
 Thu Oct 06, 2016 12:03 pm
>What's up with IPs you mentioned?

These IP numbers just came to me after analysis by the website. The binary file includes some IP addresses which should be brute-forced for vulnerabilities and access with a default login+password.

You see, I submitted this website to "CERT"; this is a Polish IP: ///91.185.190.172/bins/mirai.arm7. But to my surprise they didn't close it, only hid the server listing. I think they want to monitor it. But if you know the direct link you can get this file.

I have seen the hacker still updates this file.
New analysis by the sandbox:
https://detux.org/report.php?sha256=ef6 ... 24eef033e6
##########################
What does this mean?

Source Code for IoT Botnet ‘Mirai’ Released .
We can see the file on the server; what does it include???