{"id":4788,"date":"2015-09-30T13:12:26","date_gmt":"2015-09-30T13:12:26","guid":{"rendered":"https:\/\/ihs.com.tr\/blog\/?p=4788"},"modified":"2015-09-30T13:19:42","modified_gmt":"2015-09-30T13:19:42","slug":"linux-tabanli-xor-botneti-gunde-20-saldiri-yapiyor","status":"publish","type":"post","link":"https:\/\/www.ihs.com.tr\/blog\/linux-tabanli-xor-botneti-gunde-20-saldiri-yapiyor\/","title":{"rendered":"Linux-Based XOR Botnet Launches 20 Attacks a Day"},"content":{"rendered":"<p>According to Akamai, the <strong>XOR<\/strong> botnet targets Linux systems.<\/p>\n<p>In a report published on Tuesday, Akamai disclosed new attacks from the XOR botnet, which can deliver DDoS attacks of more than 150 Gbps. Researchers who examined recent incidents say the large majority of XOR\u2019s targets are organizations in Asia.<\/p>\n<p>XOR is a <strong>Trojan<\/strong> that affects Linux systems. It is usually installed on a device after an attacker brute-forces SSH logins, or gains a foothold through a secondary attack surface such as unprotected applications or system operators. Once XOR is installed, the system is added to the botnet and the botmaster can use it for attacks at any time.<\/p>\n<p>Stuart Scholly of Akamai says XOR is a good example of botmasters who used to favour Windows systems now building botnets out of vulnerable Linux systems.<\/p>\n<p>The rapid growth of Linux-based networks in data centers has turned them into a major target, because system administrators often forget that Linux also needs maintenance. The widespread belief in Linux\u2019s robustness has led administrators to adopt an \u201cif it isn\u2019t broken, don\u2019t fix it\u201d attitude instead of updating and maintaining their systems.<\/p>\n<p>Other examples of Linux-based botnets are those run by the Spike toolkit and by the IptabLes and IptabLex malware family.<\/p>\n<p>According to Akamai\u2019s research, DDoS attacks from XOR range from single-digit Gbps to more than 150 Gbps. The botnet most often targets the gaming sector and educational institutions.<\/p>\n<p>XOR attacks roughly 20 targets a day, and 90% of those targets are in Asia. According to the report, one recent attack reached 179 Gbps and another 109 Gbps. Most of the attacks are SYN and DNS floods.<\/p>\n<p><a href=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/09\/XOR-DDoS-Botnet.jpg\" data-rel=\"penci-gallery-image-content\" ><img decoding=\"async\" class=\"alignnone size-medium wp-image-4790\" src=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/09\/XOR-DDoS-Botnet-300x231.jpg\" alt=\"XOR DDoS Botnet\" width=\"300\" height=\"231\" srcset=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/09\/XOR-DDoS-Botnet-300x231.jpg 300w, https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2015\/09\/XOR-DDoS-Botnet.jpg 620w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Signs of Infection<\/strong><\/p>\n<p>The binary needs root privileges to run on the target operating system. Once executed, it creates two copies of itself in the \/boot directory under a file name made of 10 random alphabetic characters, and one copy in \/lib\/udev under the file name udev.<\/p>\n<p>To stay resident, the malware runs many short-lived processes that check whether the main process is still running. If it is not, it creates a new copy under \/boot with a new random 10-character name and executes it. The process is hidden with well-known rootkit techniques: the malware disguises itself from process-listing tools by taking the name of a familiar Linux utility (top, grep, ls or ifconfig, for example) and blends into a busy system by running with random command-line strings.<\/p>\n<p>To survive a reboot of the bot machine, the malware creates a startup script in \/etc\/init.d named after the file it dropped in \/boot.<\/p>\n<p>Akamai\u2019s detailed advisory on XOR, which also includes rules for detecting an infection, is available <a href=\"https:\/\/www.stateoftheinternet.com\/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html\" target=\"_blank\" rel=\"nofollow\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to Akamai, the XOR botnet targets Linux systems. In a report published on Tuesday, Akamai disclosed new attacks from the XOR botnet, which can deliver DDoS attacks of more than 150 Gbps&hellip;<\/p>\n","protected":false},"author":3,"featured_media":4795,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haberler"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=4788"}],"version-history":[{"count":4,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4788\/revisions"}],"predecessor-version":[{"id":4794,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4788\/revisions\/4794"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media\/4795"}],"wp:attachment":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=4788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=4788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=4788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
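The "Signs of Infection" section of the post above lists four host artefacts: 10-letter random file names in /boot, a file named udev in /lib/udev, an /etc/init.d script pointing at the /boot copy, and a process that borrows the name of a common utility while actually running from /boot. The script below turns those into a host-triage check. It is an added example, not code from the blog post or from Akamai's advisory: it scans a filesystem tree given as a root path (use "/" on a live host, or the mount point of an offline disk image), and the sample tree it builds for the demo, including the fake /proc entries, the hypothetical dropper name `qwertasdfg` and the helper names, are all constructed here for illustration.

```python
"""Host triage for the XOR DDoS infection signs (added example, not Akamai's code).

scan(root) inspects a filesystem tree and reports:
  1. files in /boot whose name is exactly 10 alphabetic characters,
  2. a regular file at /lib/udev/udev,
  3. /etc/init.d scripts that reference a 10-letter file under /boot,
  4. processes (via /proc) named like a common utility whose exe resolves
     to something under /boot or /lib/udev.
Assumption: an offline image is mounted at root and /proc, if present, is
that host's (on a live system pass root="/").
"""
import os
import re
import tempfile

TEN_ALPHA = re.compile(r"^[A-Za-z]{10}$")
# Heuristic: a path like /boot/abcdefghij followed by a non-name character.
BOOT_REF = re.compile(r"/boot/[A-Za-z]{10}\b")
MASQUERADE_NAMES = {"top", "grep", "ls", "ifconfig"}
SUSPECT_DIRS = ("/boot/", "/lib/udev/")


def scan(root):
    """Return a sorted list of (indicator, detail) findings for the tree at root."""
    findings = []

    boot = os.path.join(root, "boot")
    if os.path.isdir(boot):
        for name in os.listdir(boot):
            if TEN_ALPHA.match(name) and os.path.isfile(os.path.join(boot, name)):
                findings.append(("boot_dropper", "/boot/" + name))

    udev = os.path.join(root, "lib", "udev", "udev")
    if os.path.isfile(udev) and not os.path.islink(udev):
        findings.append(("udev_copy", "/lib/udev/udev"))

    initd = os.path.join(root, "etc", "init.d")
    if os.path.isdir(initd):
        for name in os.listdir(initd):
            path = os.path.join(initd, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if BOOT_REF.search(text):
                findings.append(("initd_persistence", "/etc/init.d/" + name))

    proc = os.path.join(root, "proc")
    if os.path.isdir(proc):
        for pid in os.listdir(proc):
            if not pid.isdigit():
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as fh:
                    comm = fh.read().strip()
                exe = os.readlink(os.path.join(proc, pid, "exe"))
            except OSError:
                continue  # process exited, or no permission to read exe
            # On an offline tree the link may be absolute under root; normalise it.
            if exe.startswith(root):
                exe = "/" + os.path.relpath(exe, root)
            if comm in MASQUERADE_NAMES and exe.startswith(SUSPECT_DIRS):
                findings.append(("masquerading_process",
                                 f"pid {pid} comm={comm} exe={exe}"))
    return sorted(findings)


def build_sample_tree(root, infected=True):
    """Lay down a constructed sample tree: benign files, plus the artefacts if infected."""
    for d in ("boot", "lib/udev/rules.d", "etc/init.d", "proc/4242"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    open(os.path.join(root, "boot", "vmlinuz-4.4.0-generic"), "w").close()
    with open(os.path.join(root, "etc", "init.d", "sshd"), "w") as fh:
        fh.write("#!/bin/sh\nexec /usr/sbin/sshd\n")
    with open(os.path.join(root, "proc", "4242", "comm"), "w") as fh:
        fh.write("sshd\n")
    os.symlink("/usr/sbin/sshd", os.path.join(root, "proc", "4242", "exe"))
    if not infected:
        return
    dropper = "qwertasdfg"  # hypothetical 10-letter name; the real one is random
    open(os.path.join(root, "boot", dropper), "w").close()
    open(os.path.join(root, "lib", "udev", "udev"), "w").close()
    with open(os.path.join(root, "etc", "init.d", dropper), "w") as fh:
        fh.write(f"#!/bin/sh\n/boot/{dropper}\n")
    os.makedirs(os.path.join(root, "proc", "1337"))
    with open(os.path.join(root, "proc", "1337", "comm"), "w") as fh:
        fh.write("top\n")  # masquerades as top, but exe points into /boot
    os.symlink(os.path.join(root, "boot", dropper),
               os.path.join(root, "proc", "1337", "exe"))


def run_demo(infected=True):
    """Build a throwaway tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, infected)
        return scan(root)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind:22} {detail}")
```

On a live host run `scan("/")` as root so that every /proc/<pid>/exe link is readable; a hit on the masquerading-process check is the strongest indicator, because a legitimate `top` or `ls` never executes from /boot. Treat the 10-letter /boot name and the init.d reference as corroborating evidence rather than proof, and confirm against the YARA and Snort rules in Akamai's advisory before remediating.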