discovered a new peer-to-peer (P2P) botnet dubbed Roboto that is targeting Linux servers running unpatched Webmin installs.
Researchers at 360Netlab discovered a new P2P
The experts first spotted the Roboto
“Fast forwarded to October 11, 2019, our Anglerfish
The analysis of the bot revealed that it supports seven functions: reverse shell, self-uninstall, gather process’ network information, gather Bot information, execute system commands, run encrypted files specified in URLs, DDoS attack, etc.
The researchers discovered that the DDoS module implements four types of DDoS attacks (ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood), but they speculate that DDoS is not the main purpose of the botnet.
The backdoor affects Webmin 1.882 through 1.921, but experts observed that default configuration are not vulnerable because the affected feature is not enabled by default. Only version 1.890 is affected also in the default configuration.
Webmin 1.930 and Usermin version 1.780 have addressed the flaw,
Searching with Shodan for internet-exposed Webmin installs, it is possible to find over 233,000 instances, most of them located in the United States, France and Germany.
“Only the attack messages that can be signed and signed can be accepted and executed by the Roboto node.
The verification method adopted by Roboto is ED25519, which is a public digital signature algorithm. At the same time, the check public key is
60FF4A4203433AA2333A008C1B305CD80846834B9BE4BBA274F873831F04DF1C, the public key is integrated into each of the Roboto Bot samples.” reads the analysis.
Additional technical details such as IoCs are included in the analysis published by the experts.
(SecurityAffairs – Roboto
The post Roboto, a new P2P botnet targets Linux Webmin servers appeared first on Security Affairs.