Friday , December 2 2022

WebLogic Cryptocurrency Mining

When people who produce in virtual currency mining wanted to do this in computer environment, a search emerged and they tried it on Weblogic.

Weblogic does not have any defense on crypto mining due to its nature, and without such a defense, attackers can perform many operations inside by running arbitrary commands on Weblogic servers that they can access.

The vulnerability published with the code (CVE 2017-10271) is run on the command line called weblogic’s “wls-wstat” and allows the attacker to run the relevant application for mining after installing it.

If a service called “Monero” is running on your system and your processor is peaking, it means that you are involved in this business.

The attacker uses the Dropper script that controls Web services by accessing the URL <HOST> / wls-wsat / CoordinatorPortType and downloads the mining application to the server where Weblogic is installed, ending the Weblogic service.

Below are two pictures for the seized machine.

Addresses trying to reach;

So what can we do at this stage?

First of all, we need to keep our application server up to date and review the following controls. (You can install the necessary patches with your Support account.)

Change the default management port numbers. Use 7001 and 7002 in Weblogic standard installation.

Do not choose the “weblogic” user as the default administrator user for WebLogic Domain. Use a different user and turn this off.

Perform the user name and password process that is asked at service startups with the “boot.properties” file.

Enable the “Administration Port” feature for WebLogic.

Always use “Custom Hostname Verifier”.

Set the value for “Max Post Size”. This setting is the default setting no limit.

And finally, open “Administration auditing” for the WebLogic domain and periodically check the logs.

 

Buğra PARLAYAN
Author: Buğra PARLAYAN

Burgra Parlayan is an experienced Database and Weblogic Administrator. After completing his technical / relevant training he has got involved with a serious amount of projects. He successfully managed database upgrade, database migration, database performance tuning projects for various public institutions.Currently he has been employed by one of the leading financial institutions called Turkiye Hayat &amp; Emeklilik as responsible administrator for Oracle Database and Oracle Middleware. He has been sharing his experience and knowledge by face to face training, personal blog and various social networking accounts to support the Oracle ecosystem continuously since 2010.

About Buğra PARLAYAN

Burgra Parlayan is an experienced Database and Weblogic Administrator. After completing his technical / relevant training he has got involved with a serious amount of projects. He successfully managed database upgrade, database migration, database performance tuning projects for various public institutions.Currently he has been employed by one of the leading financial institutions called Turkiye Hayat & Emeklilik as responsible administrator for Oracle Database and Oracle Middleware. He has been sharing his experience and knowledge by face to face training, personal blog and various social networking accounts to support the Oracle ecosystem continuously since 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *