Redis without a password: do you know how serious it can get?

Recently a Redis server running under Docker was invaded by a mining program. Although the issue has been resolved, I came across a related article on the subject that was well written and want to share it. The blogger's own machines were hacked in the same way.

(xmrig-notls is a Monero mining virus.) The current architecture is an ESXi virtualization platform: several virtual machines run on one physical machine, each hosting a different service. One project needed Redis, so the developers installed a Docker-based Redis database. Development did not require a password, so none was configured, and that is where the risk came from. After some time the company's network connections to the machine room began dropping frequently: remote 3389 sessions disconnected and SSH connections had to be re-established. Troubleshooting finally turned up anomalies in the Redis database.
From the screenshots above you can see that the Redis data had changed significantly: the hackers filled it with their own data, which let them make Redis execute a script on a schedule.

I have downloaded the hackers' script; students interested in studying it can download it from the following address:

https://shell-1251121573.cos.ap-guangzhou.myqcloud.com/tmp.tKOLZdySXb


Because the compromised Redis had been set up under Docker, I removed the original Redis container, created a new one and configured a password. This operation had no effect on the real servers, and since I had many other things to attend to, I considered the matter closed. Later I found that the new physical server had a lot of problems with its virtual machines: after a while some of the VMs kept reporting CPU and network anomalies, such as 100% CPU usage, huge network traffic and scheduled tasks that were frequently emptied. My guess was that the Redis without a password had led to a batch scan of machines with other weak passwords, which were then compromised and planted with a mining Trojan. So I investigated the machines with weak passwords and finally found anomalies on one of them: a large number of abnormal processes, high CPU usage and very heavy network traffic, which I checked with

top -c


View the server's CPU usage:

It was obvious that the process with pid 13427 was a problem, followed by a bunch of unfamiliar URLs. I initially determined that it was a mining Trojan.

ps -ef to view all processes

We found a bunch of abnormal processes; no wonder the CPU was maxed out.

ifconfig to check the network traffic. It was simply enormous; no wonder my SSH kept dropping, the bandwidth was completely consumed.

Having confirmed that the process with pid 13427 was the problem, I started investigating:

ll /proc/13427

View the information associated with this process (since I had killed process 13427, a new process 13699 had been spawned):

exe -> /var/tmp / user/sh

Normally exe corresponds to the path of the program being executed, like the one below, which maps to /usr/sbin/smbd.

But what on earth is that weird path above? I was totally confused.

cd  /var/tmp/ user/sh

It could not be entered at all.

cd  /var/tmp/

Entering this directory I could not find the user/sh path either, and I was baffled: did the virus simply not have this file? Impossible, exe clearly pointed to this path, so how could it not exist? Was it hidden? I ran ls -a and found no hidden files either. At a colleague's suggestion I went into /var/tmp/ and ran ls -l.

An ordinary ll only shows the ./ and ../ entries, but here there was an extra / entry. What was that? If you don't look carefully you really won't notice it. So I guessed that the hacker had hidden the folder name with an escape character, which is why running cd / inside /var/tmp just returned to the root directory instead of entering the hidden directory. After many failed attempts it suddenly occurred to me: could I rename the folder? So I ran the following command:

mv \ 111

That is, rename the folder named \ to 111. And the miracle happened:

The rename succeeded. It turns out the hacker had named the folder with the escape character \, which displays nothing at all on Linux, only a blank, so you won't easily notice it. A very slick trick. Now that the problem was known and the folder renamed, the next step was to look at the process again:

ll /proc/13427

Now it displayed normally:

exe ->/var/tmp/111/god/haiduc

This path is the hacker's Trojan path. I then deleted the whole 111 folder without hesitation, and the system's CPU and network usage all came back down.

The hacker had also used a scheduled task to start the Trojan every minute.

In the scheduled task the path was hidden too; when I first saw it I was just as baffled:

/var/tmp /user/miner

I had never seen such a strange notation, and there was no /user/miner path under the root directory either. Later it became clear once read as the following:

/var/tmp/\/user/miner

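As an added example (not code from the original post), the following shell script looks for the two traces described above on a host: directory names that render as blank in a listing, like the \ folder under /var/tmp, and running processes whose /proc/<pid>/exe resolves into a world-writable temp directory. It assumes the scan root is passed as the first argument, defaulting to /var/tmp.

```shell
#!/bin/sh
# Added example, not code from the original post: finds directory names that
# render as blank in "ls -l" (like the "\" folder under /var/tmp) and
# processes whose /proc/<pid>/exe points into a world-writable temp
# directory. Assumes the scan root is $1 (default /var/tmp).

# Returns 0 if a name would look empty in a listing: only backslashes,
# whitespace or control characters. "." and ".." are skipped.
suspicious_name() {
    case "$1" in ''|.|..) return 1 ;; esac
    stripped=$(printf '%s' "$1" | tr -d '\\ \t\r\n\001-\037\177')
    [ -z "$stripped" ]
}

# Prints every suspicious entry directly under $1, showing the raw bytes
# of the name with od so the hidden characters become visible.
find_hidden_dirs() {
    dir=${1:-/var/tmp}
    for entry in "$dir"/* "$dir"/.*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if suspicious_name "$name"; then
            printf 'suspicious entry under %s: bytes=[%s]\n' "$dir" \
                "$(printf '%s' "$name" | od -An -c | tr -s ' \n' ' ')"
        fi
    done
}

# Returns 0 if an executable path lives in a temp directory that any user
# can write to; legitimate daemons do not run from there.
exe_in_tmp() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# Walks /proc and reports processes whose binary lives in a temp directory
# (the way pid 13427 above resolved to /var/tmp/\/user/sh).
find_tmp_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if exe_in_tmp "$exe"; then
            printf 'pid %s runs %s\n' "${p#/proc/}" "$exe"
        fi
    done
}

find_hidden_dirs "${1:-/var/tmp}"
find_tmp_processes
```

Run it as root so every /proc/<pid>/exe link is readable; a hit from either function is worth the same manual follow-up the post describes (ll /proc/<pid>, the crontab, then renaming and removing the directory).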

Well, the virus folder was deleted and the scheduled task emptied, and then I began checking whether the other servers had problems. Thanks to my development colleague Tim for the inspiration and for solving this problem with me. In fact the hard part of the cleanup was the smokescreen the hacker used: an escape character in the folder path, which means many people would never find it. Really clever.

The above are some of my own thoughts; I share them and welcome corrections, and I would appreciate a follow along the way.

Author: diyiday
Original: https://blog.csdn.net/diyiday/article/details/83755205
