Danger of Libredtail [Guest Diary], (Wed, Apr 29th)
ID: f0965c86-c6f7-5e2e-a4a0-66acb1d5bdb9
STIX ID: report--f0965c86-c6f7-5e2e-a4a0-66acb1d5bdb9
Feed Name: SANS ISC Diary
A honeypot (DShield/Cowrie) observed a campaign exploiting CVE-2024-4577 to deliver the redtail cryptominer: attackers used base64-encoded HTTP POSTs and directory traversal to execute wget/curl against known malicious hosts and run persistence scripts (cve_2024_4577.selfrep, apache.selfrep) that install hidden '.redtail' binaries; related activity includes SSH brute-force attempts and SYN scans. Key IOCs include multiple malicious IPs (e.g., 31.57.216.121, 178.16.55.224, 46.151.182.82) and the libredtail-http user-agent; recommended mitigations are patching PHP, blocking known user-agent/IP patterns, and monitoring for unusual outbound network activity.
