How to kill a new variety of StartMiner

2025-03-26 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/03 Report--

This article explains how to remove the new StartMiner variant. The explanation is kept simple and clear so that it is easy to follow; read along with the editor's reasoning to learn how to remove the new StartMiner variant.

Background Overview

Recently the security team captured a new variant of StartMiner. This variant adds a module that terminates antivirus software, adds more persistence entries to resist removal, and changes its C2 address to bash.givemexyz.in.

The Trojan persists by creating multiple scheduled tasks and dropping its functional modules under multiple paths on the server, and it carries an SSH brute-force module that downloads and runs an open-source mining program.

Infection phenomenon

Running top shows the process dbused or dbusex consuming a high share of CPU.

Running ps aux shows bash and python processes executing scripts downloaded from the malicious domain.

Running tail -f /var/log/syslog shows the suspicious commands being executed:

Resident item

The variant adds 4 resident entries, as follows:

(1) bash startup item ~/.bash_profile

The mining Trojan is executed whenever a terminal is opened. Note that the .bash_profile in every affected user's home directory must be cleaned.

cp -f -r -- /bin/bprofr /bin/dbused 2>/dev/null && /bin/dbused -c >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null

(2) crontab planning tasks

The first scheduled task downloads the script and executes it.

Crontab entries may be created in the following locations:

/etc/cron.d/ngnix and /etc/cron.d/apache
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly
/var/spool/cron
/var/spool/cron/crontabs

The scheduled tasks returned by the query are as follows:

Another scheduled task, pwnrig, starts the mining process directly:

(3) rc.d

(4) init.d

(5) system services

Trojan horse behavior

After compromising the host, the Trojan downloads the shell script xms and the python script bb.py from bash.givemexyz.in and executes them. The alternate domain is bash.givemexyz.xyz. If neither domain can be resolved (no DNS available), it connects to the fallback addresses 205.185.113.12 and 194.156.99.30 to download them.

The execution process of the xms script is as follows:

(1) find and terminate any existing mining processes

(2) terminate antivirus and other protection software (the relevant code is commented out, so this function is not enabled)

(3) try to connect to the other hosts listed in the SSH known_hosts file (it spreads if passwordless SSH login has been configured)

(4) clear the original scheduled tasks and write new scheduled tasks

(5) download, verify and execute the mining program

(6) download and execute the SSH scanning and brute-force component

(7) execute the Trojan files 2start.jpg and xms

The bb.py script downloads the mining program that matches the system platform.

Disposal method

(1) Delete the following files

/bin/bprofr
/bin/sysdr
/bin/crondr
/bin/initdr
/usr/bin/bprofr
/usr/bin/sysdr
/usr/bin/crondr
/usr/bin/initdr
/tmp/dbused
/tmp/dbusex
/tmp/xms
/tmp/x86_64
/tmp/i686
/tmp/go
/tmp/x64b
/tmp/x32b
/tmp/2start.jpg

SSH communication component:

/tmp/sshcheck
/tmp/ssh_vuln.txt
/tmp/scan.log
/tmp/ip192.txt
/tmp/hxx
/tmp/p
/tmp/scan
/tmp/masscan
/tmp/.dat
/tmp/.checking
/tmp/good.tar.gz
/tmp/sshexec
/tmp/sshpass
/tmp/sparte.txt

(2) Clean up the scheduled tasks, bash_profile, rc*.d, init.d and service startup entries that reference the malicious files

Filter out and delete startup entries containing dbused and dbusex

Filter out and delete startup entries related to bprofr, sysdr, crondr and initdr

(3) Terminate the related processes

Filter out and terminate processes containing givemexyz, 198.98.57.217 or 194.156.99.30

Filter out and terminate processes containing dbused or dbusex

Filter out and terminate processes containing lwp_download (first check whether any legitimate job uses lwp_download)
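The triage below is an added example, not a script from the original write-up: it applies steps (2) and (3) by grepping the persistence locations named above for the indicator names and by picking the PIDs to terminate out of ps aux output. The ROOT parameter (so the scan can run against a mounted image or a test tree) and the function names are my own choices.

```shell
#!/bin/sh
# Indicator strings taken from the write-up: dropped binary names, the C2
# domain and the fallback IP addresses. Dots are bracketed so the pattern
# needs no backslashes and works the same in grep -E and awk.
INDICATORS='dbused|dbusex|bprofr|sysdr|crondr|initdr|givemexyz|198[.]98[.]57[.]217|194[.]156[.]99[.]30|205[.]185[.]113[.]12'

# Persistence locations named in the write-up, relative to a root directory
# so the scan can be pointed at "/" on a live host or at a mounted image.
PERSIST_PATHS='etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly
etc/cron.monthly var/spool/cron etc/rc.d etc/init.d etc/systemd/system'

# scan_persistence ROOT: print every line of a persistence file under ROOT
# (plus each user's .bash_profile) that references an indicator, in the
# form "path:lineno:text", so each entry can be reviewed before removal.
scan_persistence() {
    root="${1:-/}"
    for p in $PERSIST_PATHS; do
        if [ -e "$root/$p" ]; then
            grep -rnHE "$INDICATORS" "$root/$p" 2>/dev/null || :
        fi
    done
    for prof in "$root/root/.bash_profile" "$root"/home/*/.bash_profile; do
        if [ -f "$prof" ]; then
            grep -nHE "$INDICATORS" "$prof" || :
        fi
    done
}

# suspect_pids: read "ps aux" output on stdin and print the PID of every
# process whose command line matches an indicator. awk is used instead of
# grep so the filter never matches its own process, and the header line is
# skipped. lwp_download is reported separately with a marker, because the
# write-up warns that legitimate jobs may use it.
suspect_pids() {
    awk -v re="$INDICATORS" 'NR > 1 {
        cmd = ""
        for (i = 11; i <= NF; i++) cmd = cmd " " $i
        if (cmd ~ re) print $2
        else if (cmd ~ /lwp_download/) print $2 " # check: lwp_download"
    }'
}
```

On a live host, review `scan_persistence /` first, then `ps aux | suspect_pids` gives the PIDs for step (3); the marked lwp_download lines need a manual check before anything is killed.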

IOC

bash[.]givemexyz.in

bash[.]givemexyz.xyz

205[.]185.113.12

194[.]156.99.30

This concludes the description of how to remove the new StartMiner variant; the specific steps should be verified in practice.
