起因:
刚睡醒就看到了告警邮件,异常登录+恶意文件
远程查询了一下发现CPU资源异常,负荷100%
接下来正式开始
病毒种类
按照腾讯云报道,此次攻击为“亡命徒(Outlaw)僵尸网络”,该病毒最早于2018年被发现,其主要特征为通过SSH攻击目标系统,同时传播基于Perl的Shellbot和门罗币挖矿程序。
病毒处理
01.通过top命令查看各程序运行状态
发现CPU满负荷,出现不明程序kswapd0,rsync等
运行用户为ftptest
02.查看占用进程的病毒路径
ll /proc/16874发现该进程的真实文件地址
/tmp/.X2d-unix/.rsync/a/kswapd0PS:所有病毒文件都运行在/tmp,是因为我以前做过权限分离,而且泄露的并不是root权限。
(感觉被曾经的自己拯救了T_T
进入目录后发现存在以下文件
➜ X2d-unix ls -al
总用量 10748
dr--r--r-- 3 1000 1000 4096 5月 8 16:08 .
drwxrwxrwt. 6 root root 4096 5月 8 19:30 ..
-r--r--r-- 1 1000 1000 10993017 5月 8 16:07 dota3.tar.gz
dr--r--r-- 5 1000 1000 4096 5月 8 16:09 .rsync毫不遮掩的木马的母体文件dota3.tar.gz(这名字很怪真的很怪)
进入.rsync
➜ .rsync ls -al
总用量 136
dr--r--r-- 5 1000 1000 4096 5月 8 16:09 .
dr--r--r-- 3 1000 1000 4096 5月 8 16:08 ..
-r--r--r-- 1 1000 1000 4678 5月 8 16:09 1
dr--r--r-- 3 1000 1000 4096 5月 8 16:09 a
dr--r--r-- 2 1000 1000 4096 5月 8 16:09 b
dr--r--r-- 2 1000 1000 4096 5月 8 18:06 c
-r--r--r-- 1 1000 1000 219 5月 8 16:09 cron.d
-r--r--r-- 1 1000 1000 22 5月 8 16:09 dir.dir
-r--r--r-- 1 1000 1000 2349 2月 27 20:05 init
-r--r--r-- 1 1000 1000 88607 2月 27 20:06 init0
-r--r--r-- 1 1000 1000 1756 2月 27 20:06 init2
-r--r--r-- 1 1000 1000 1912 2月 27 20:06 initall
-r--r--r-- 1 1000 1000 0 5月 8 16:09 .out看到了有个cron.d的文件,说明该木马病毒设置了定时计划(这是常识吧喂!)
让我们来瞅瞅
➜ .rsync cat cron.d
5 6 * * 0 /tmp/.X2d-unix/.rsync/a/upd>/dev/null 2>&1
5 8 * * 0 /tmp/.X2d-unix/.rsync/b/sync>/dev/null 2>&1
@reboot /tmp/.X2d-unix/.rsync/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X2d-unix/.rsync/c/aptitude>/dev/null 2>&103.看下病毒运行日志
➜ .rsync cat 1
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
chattr: No such file or directory while trying to stat /data/repo/.configrc*
bash: line 26: lockkr: command not found
xmrig: no process found
ld-linux: no process found
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
mkdir: cannot create directory '/data/repo/.configrc5': Permission denied
cp: cannot create directory '/data/repo/.configrc5/': Permission denied
cp: cannot create directory '/data/repo/.configrc5/': Permission denied
sh: line 21: cd: /data/repo/.configrc5/a/: No such file or directory
sh: line 24: cd: /data/repo/.configrc5/b/: No such file or directory
sh: line 29: cd: /data/repo/.configrc5/: No such file or directory
nohup: failed to run command './a': Permission denied
nohup: failed to run command './a': Permission denied
./aptitude: line 3: 29217 Killed ./run &>/dev/null
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
no crontab for repo
./a: line 86: sysctl: command not found
sync: no process found
perl: no process found
ps: no process found
pool: no process found
nginx(1628): Operation not permitted
nginx(2540): Operation not permitted
nginx: no process found
ecryptfs: no process found
xmr: no process found
pkill: killing pid 45 failed: Operation not permitted
pkill: killing pid 1628 failed: Operation not permitted
pkill: killing pid 2540 failed: Operation not permitted
./stop: line 18: kill: (29517) - No such process
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
./stop: line 25: kill: (29579) - No such process
./stop: line 26: kill: (29585) - No such process
./stop: line 27: kill: (45) - Operation not permitted
./stop: line 27: kill: (25177) - Operation not permitted
./stop: line 27: kill: (29593) - No such process
pkill: killing pid 45 failed: Operation not permitted
chmod: cannot access 'ps': No such file or directory
rsync: no process found
sync: no process found
perl: no process found
ps: no process found
pool: no process found
nginx(1628): Operation not permitted
nginx(2540): Operation not permitted
nginx: no process found
ecryptfs: no process found
xmr: no process found
pkill: killing pid 45 failed: Operation not permitted
pkill: killing pid 1628 failed: Operation not permitted
pkill: killing pid 2540 failed: Operation not permitted
./stop: line 18: kill: (29624) - No such process
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
./stop: line 25: kill: (29660) - No such process
./stop: line 26: kill: (29664) - No such process
./stop: line 27: kill: (45) - Operation not permitted
./stop: line 27: kill: (25177) - Operation not permitted
./stop: line 27: kill: (29667) - No such process
./stop: line 27: kill: (29668) - No such process
pkill: killing pid 45 failed: Operation not permitted
mkdir: cannot create directory '.ssh': Permission denied(再次感谢自己做的权限隔离
04.以下是目录结构
➜ .rsync tree.├── 1├── a│ ├── a│ ├── bash.pid│ ├── cert_key.pem│ ├── cert.pem│ ├── dir.dir│ ├── init0│ ├── kswapd0│ ├── run│ ├── stop│ ├── tors│ │ ├── bin│ │ │ ├── tor│ │ │ ├── tor-gencert│ │ │ ├── torify│ │ │ ├── tor-print-ed-signing-cert│ │ │ └── tor-resolve│ │ ├── cleandirs.sh│ │ ├── etctor│ │ │ └── tor│ │ │ └── torrc1│ │ ├── libtor│ │ │ └── tor1│ │ ├── share│ │ │ └── tor│ │ │ ├── geoip│ │ │ └── geoip6│ │ ├── start.sh│ │ └── stop.sh│ └── upd├── b│ ├── a│ ├── dir.dir│ ├── run│ ├── stop│ └── sync├── c│ ├── aptitude│ ├── blitz│ ├── blitz32│ ├── blitz64│ ├── cron.d│ ├── dir2.dir│ ├── dir.dir│ ├── go│ ├── n│ ├── run│ ├── start│ ├── stop│ └── v├── cron.d├── dir.dir├── init├── init0├── init2└── initall11 directories, 46 files
05.代码分析
初始化代码有3个,即init、init2、initall
通过pkill、rm -f操作,将之前可能存在的程序残留都删除干净;
开始运行程序
mkdir ~/.configrc 新建文件夹cp -r a ~/.configrc/ 拷贝文件夹cp -r b ~/.configrc/cd ~/.configrc/a/nohup ./init0 >> /dev/null & 进入a文件夹运行init0,程序的主要功能为:在Linux环境中杀死加密矿工的脚本,即杀死别的挖矿脚本,同行是冤家啊。。。sleep 5snohup ./a >>/dev/null & 在a文件夹内运行a程序,折腾一圈,最终目的还是为了运行程序kswapd0cd ~/.configrc/b/nohup ./a >>/dev/null & 在b文件夹内运行a程序,目的为运行run程序cd $dircd cnohup ./start >>/dev/null & 在c文件夹内运行start程序,绕一圈最终为了运行tsm32、tsm64
通过计划任务来启动
echo "1 1 */2 * * $dir2/a/upd>/dev/null 2>&1@reboot $dir2/a/upd>/dev/null 2>&1
5 8 * * 0 $dir2/b/sync>/dev/null 2>&1
@reboot $dir2/b/sync>/dev/null 2>&1
0 0 */3 * * $dir/c/aptitude>/dev/null 2>&1" >> cron.d
crontab cron.d
crontab -linit2为init的简化版,没有新建目录和拷贝程序,直接就在当前目前运行程序。
initall 的功能为上述2个init、init2都运行一遍,cat init | bash、cat init2 | bash就通过这2个命令来实现,cat init | bash表示将init里的命令全部在重新执行一遍,(看完很佩服,精华啊这命令用的)
initall 的功能为上述2个init、init2都运行一遍,cat init | bash、cat init2 | bash就通过这2个命令来实现,cat init | bash表示将init里的命令全部在重新执行一遍,(看完很佩服,精华啊这命令用的)
经过上述分析可知,整个病毒的核心功能是a文件夹的kswapd0、b文件夹的run、c文件夹的tsm32、tsm64,下一步着重分析上述3个文件即可;病毒通过计划任务来启动。
06.文件分析
a目录下二进制文件kswapd0为XMRig编译的Linux平台门罗币挖矿木马
外联的ip及网址:
45.9.148.125 "url": "45.9.148.125:80",
45.9.148.129 "url": "45.9.148.129:80",
XMRig是一款高性能的门罗币(XMR)CPU挖矿软件。
b目录下run脚本主要内容为base64编码的shellbot后门程序,解码后可以看到代码仍然经过混淆。把执行函数eval改为print可打印出解密后的代码,是基于Perl的Shellbot变种,连接C2服务器地址为45.9.148.99:443,能够执行多个后门命令,包括文件下载、执行shell cmd和DDoS攻击。如果接受到扫描端口命令,可针对以下端口进行扫描:"21","22","23","25","53","80","110","143","6665"。
总结
本次入侵为ftp用户管理不当
ftp未设置nologin
密码过弱导致
病毒清理思路如下
1、删除以下文件,杀死对应进程:
/tmp/*-unix/.rsync/a/kswapd0/tmp/*-unix/.rsync/c/tsm64/tmp/*-unix/.rsync/c/tsm32
如果未做权限隔离,检查以下文件
*/.configrc/a/kswapd0*/.configrc/
2、检查定时任务,清理不认识的任务,特别是有以下内容的:
/a/upd/b/sync/c/aptitude
Comments NOTHING