01-03-2018 11:20 AM
Hi folks,
We recently had a pen test and had positive results. We do not use URL filtering, but have everything else.
However, on 12/24/2017 we can now see a reboot.txt file sitting in our Windows\temp directory on an Oracle OAM server.
Luckily, Carbon Black flagged the file as it was trying to be run from cmd.exe and denied it.
We can also see a new Windows task scheduler task created on 1/2/2017 that calls to run schtask1.ps1, which we did not create. We also cannot find that file. Did a restore of the VM to 12/21/2017, no trace of these new files and settings.
We continue to see our threat alerts denying malicious traffic. Quick searches so far seem to indicate cryptocurrency mining.
I see there are a couple of PA references out there for this.
Curious if anyone has any comments as we continue our investigation or any of this rings a bell?
I've been searching our traffic logs for cryptocurrency as mentioned here, but nothing so far.
01-11-2018 02:48 PM - edited 01-11-2018 02:49 PM
My last comment about this. 🙂
I believe this article is a good summary of what happened to us.
They exploited our flawed vulnerability profile, an unpatched Oracle WebLogic server, to use it for cryptomining.
We did find the xmrig executable on our server, so feel pretty sure that was for mining.
Even though my last post does not mention it, we also patched our Oracle WebLogic server and have resolved this problem at the firewall and the server.
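A hunt script for the artifacts named in these two posts (the scheduled task that runs schtask1.ps1, reboot.txt under Windows\Temp, and the xmrig binary), added here as an example and not part of the original thread. It assumes a Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later); the extra drop directories and the command-line pattern are my assumptions, not indicators reported by the poster.

```powershell
# Added example (not from the thread). Indicators taken from the posts: reboot.txt,
# schtask1.ps1, xmrig. Directory list and regex are assumptions for a broader sweep.
$suspectNames = @('reboot.txt', 'schtask1.ps1')
$minerPattern = 'xmrig*'
$dropDirs     = @("$env:SystemRoot\Temp", $env:TEMP, $env:ProgramData)   # assumed drop locations

# 1. Scheduled tasks whose action runs PowerShell, a .ps1 script, or anything from a temp path.
#    Author/Date come from the task XML and help separate vendor tasks from fresh, unowned ones.
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match '(?i)\.ps1|powershell|\\Temp\\|ProgramData') {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                Created  = $task.Date
                Command  = $cmd
            }
        }
    }
}

# 2. Files in the drop directories matching the names from the thread or the miner binary.
$fileHits = foreach ($dir in ($dropDirs | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($suspectNames -contains $_.Name) -or ($_.Name -like $minerPattern) } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# 3. Running processes named like the miner (a renamed binary will not match; step 2 is the
#    on-disk complement, and EDR/NGFW alerts such as the ones in the thread cover the rest).
$procHits = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -like $minerPattern } |
    Select-Object Id, ProcessName, Path

'== Scheduled tasks running scripts or temp-path binaries =='
$taskHits | Format-Table -AutoSize
'== Matching files in drop directories =='
$fileHits | Format-Table -AutoSize
'== Matching processes =='
$procHits | Format-Table -AutoSize
```

Run it elevated so Get-ScheduledTask and the recursive listing can see every task and directory; a clean host returns empty tables, and any hit in section 1 that has no recognisable Author is worth pulling the task XML for.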
01-11-2018 03:06 PM
Bummer dude, it always sucks. But at least you caught it and stopped it.