An incident response story: my Linux server was compromised and turned into a crypto miner
As usual I logged into my server to mess around, but this time every keystroke lagged. Without thinking much of it I had a look at the CPU usage of the running processes.
Huh? Why is the top process using that much CPU? That is not normal, and I never ran that program. Looking closer: holy crap, xmrig. Don't tell me I've been hit by a crypto miner (as I recall, XMR is Monero).
Intrusion analysis
First let's look at the process. The process list already shows its path, but just to be safe I ran ps first, and to catch any child processes I also ran systemctl status on the PID. Sure enough, besides the main process there is a child process.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F008601e4-62ff-4cbf-883f-c8e661b24628%2FUntitled.png?table=block&id=651f8e84-e729-45f2-9712-54954ece133e&t=651f8e84-e729-45f2-9712-54954ece133e&width=2078&cache=v2)
Let's go into the main path first and have a look.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F860453d8-f03e-446c-b2bb-987ae8f085e5%2FUntitled.png?table=block&id=057390e7-c331-4c6c-84be-95dfbb439860&t=057390e7-c331-4c6c-84be-95dfbb439860&width=934&cache=v2)
It doesn't look like a trojan. There is a log file inside, so let's open that first.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3c0c758c-9eaf-4a13-a1cf-008f5c61b4b1%2FUntitled.png?table=block&id=6b1318ce-0b04-4dd4-b9af-e4c2d6f31e67&t=6b1318ce-0b04-4dd4-b9af-e4c2d6f31e67&width=1510&cache=v2)
Right away I can see when it started running: April 6, so not that long ago; I caught it fairly early. There is nothing else worth reading in the log, but I notice two config files, so let's open those.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3ccae0bf-b11c-486d-82c6-a22b79815e89%2FUntitled.png?table=block&id=e7ad90db-a038-49e6-aaa1-d3abbd4a2407&t=e7ad90db-a038-49e6-aaa1-d3abbd4a2407&width=2028&cache=v2)
They immediately reveal the mining pool address and the wallet address. Using my name as the pass, though, is a step too far.
Then let's look at the child process path: it's just a service, I'll shut it down in a moment.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F319b24f3-41f7-4390-93f6-886041d8ca7f%2FUntitled.png?table=block&id=4da6980c-6ce2-4fa9-9f12-747125c5f512&t=4da6980c-6ce2-4fa9-9f12-747125c5f512&width=1374&cache=v2)
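The two checks described above, finding the process that is burning CPU and then working out which systemd unit owns it (what `systemctl status <pid>` reports), as an added example that is not part of the original post. The function names `high_cpu_from_ps` and `unit_from_cgroup_file` and the sample `ps` output are my own constructions; on a live system the input comes from `ps -eo pid,pcpu,comm --no-headers` and `/proc/<pid>/cgroup`.

```shell
#!/bin/sh
# Added example (not the author's commands): triage helpers in POSIX sh so
# they run on a minimal box. Names below are assumptions for this example.

# Print "pid pcpu comm" for every process whose %CPU exceeds a threshold.
# Input on stdin: the output of `ps -eo pid,pcpu,comm --no-headers`.
high_cpu_from_ps() {
    threshold="${1:-50}"
    awk -v t="$threshold" '$2 + 0 > t { print $1, $2, $3 }'
}

# Derive the systemd unit that owns a process from its cgroup file
# (/proc/<pid>/cgroup). systemd puts every process it starts under a
# .../<unit>.service node in the cgroup tree, which is exactly what
# `systemctl status <pid>` uses to show the unit and its child processes.
# Prints the unit name, or nothing if the PID is not inside a service.
unit_from_cgroup_file() {
    sed -n 's#.*/\([^/]*\.service\).*#\1#p' "$1" | head -n 1
}

# Convenience wrapper for a live system.
unit_of_pid() {
    unit_from_cgroup_file "/proc/$1/cgroup"
}

# Constructed sample standing in for real `ps` output (PIDs and names invented).
SAMPLE_PS='    1  0.0 systemd
  812  0.3 sshd
 2345 98.7 xmrig
 2346  0.1 bash'

# Run the CPU check against the constructed sample.
demo_triage() {
    echo "$SAMPLE_PS" | high_cpu_from_ps 50
}

demo_triage
```

On the real box the next step after `unit_of_pid 2345` prints a unit name is `systemctl status <unit>`, which lists the control group with every child process, so nothing respawns unnoticed after the kill.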
Cleanup
First things first, kill the process: kill -9 {pid}. But after a while it came back. Looking closer, I had forgotten to stop the service.
So I first stopped the service with systemctl stop c3pool_miner.service, then killed the process: kill -9 {pid}.
Then delete the files. Before deleting anything I packaged up the malicious samples and downloaded them. With that the cleanup is complete and it has not come back.
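The cleanup sequence above, in the order that actually works (preserve the evidence, stop the unit so it cannot respawn the miner, kill the process, then remove the files), as an added example rather than the author's own commands. `preserve_sample`, `remove_miner`, the `--run` flag and the evidence directory are my assumptions, and the unit file location `/etc/systemd/system/<unit>` is assumed too; the post does not say where the unit lived.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the evidence
# directory and the unit file path are assumptions for this example.

# Archive a directory into <outdir>/<name>-<timestamp>.tar.gz and record a
# SHA-256 of every file, so the sample survives deletion and its hashes can be
# matched against other hosts later. Prints the archive path.
preserve_sample() {
    src="$1"; outdir="$2"
    name="$(basename "$src")-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$outdir"
    find "$src" -type f -exec sha256sum {} + > "$outdir/$name.sha256"
    tar -czf "$outdir/$name.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$outdir/$name.tar.gz"
}

# Stop the persistence first, then the process. Killing first only lets the
# unit restart the miner, which is what the post ran into.
remove_miner() {
    unit="$1"; pid="$2"; dir="$3"
    systemctl stop "$unit"
    systemctl disable "$unit"
    kill -9 "$pid" 2>/dev/null || true
    rm -rf "$dir"
    # Assumed unit file location; without removing it, systemd still knows the unit.
    rm -f "/etc/systemd/system/$unit"
    systemctl daemon-reload
}

# Only act on the live system when explicitly asked: `./cleanup.sh --run <pid>`.
if [ "${1:-}" = "--run" ]; then
    archive=$(preserve_sample /root/c3pool /root/evidence)
    echo "preserved $archive"
    remove_miner c3pool_miner.service "${2:?pid required}" /root/c3pool
fi
```

Keeping the `.sha256` file next to the archive is what lets you later prove which binary ran, and `systemctl disable` plus removing the unit file is what stops the service from being re-enabled on the next boot.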
Sample analysis
Having found the source of the mining, let's do a quick analysis. The contents of miner.sh and the related samples are available for download at the end of the post.
It downloaded the following into /root/c3pool: config.json and config_background.json (the mining configuration), xmrig (the XMR mining software), miner.sh (the script itself) and xmrig.log (log output).
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ffbbb0dff-1493-4342-88ae-01569aefec65%2FUntitled.png?table=block&id=8ba33d26-ce70-4deb-ba21-e623ad1a0ff0&t=8ba33d26-ce70-4deb-ba21-e623ad1a0ff0&width=1801&cache=v2)
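The pool address and wallet the post found live in the `pools` array of xmrig's config.json, one key per line. As an added example that is not part of the original post, the script below pulls those indicators out of such a file and searches a directory tree for other JSON files that name the same pool. The function names are assumptions, the sample config is constructed (it reuses the pool and wallet published in the appendix of this post, with a placeholder `pass`), and the extractor assumes xmrig's usual one-key-per-line layout rather than parsing arbitrary JSON.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.

# Print key=value for the url/user/pass entries of an xmrig config.json.
# Splitting on double quotes makes field 2 the key and field 4 the value.
xmrig_pool_iocs() {
    awk -F'"' '$2 == "url" || $2 == "user" || $2 == "pass" { print $2 "=" $4 }' "$1"
}

# List JSON files under a directory that mention a known pool host.
# The default pattern is the pool from this incident.
find_pool_configs() {
    root="$1"; pattern="${2:-c3pool}"
    find "$root" -type f -name '*.json' -exec grep -l "$pattern" {} +
}

# Constructed sample config: pool and wallet as published in this post's
# appendix, "pass" replaced by a placeholder.
SAMPLE_CONFIG='{
    "autosave": true,
    "pools": [
        {
            "url": "auto.c3pool.org:19999",
            "user": "4DSQMNzzq46N1z2pZWAVdeA6JvUL9TCB2bnBiA3ZzoqEdYJnMydt5akCa3vtmapeDsbVKGPFdNkzqTcJS8M8oyK7WGjtop8RjcYFKN1vCe",
            "pass": "x",
            "keepalive": true
        }
    ]
}'

# Write the sample to a temporary directory and extract its indicators.
demo_config_iocs() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$dir/config.json"
    xmrig_pool_iocs "$dir/config.json"
    rm -rf "$dir"
}

demo_config_iocs
```

Running `find_pool_configs /` on the compromised host is the quick way to check whether a second copy of the configuration was dropped somewhere other than /root/c3pool.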
I noticed that besides the directory being named c3pool, the script itself also mentions c3pool, so on a whim I searched for it.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2914469d-d7f6-49eb-a495-f9a73f934f20%2FUntitled.png?table=block&id=632f2211-ecb5-4aae-a4dd-8021c143531d&t=632f2211-ecb5-4aae-a4dd-8021c143531d&width=2350&cache=v2)
猫池 ("cat pool")? Could it be using this outfit's service? I clicked through, and after clicking the "anonymous mining" option next to it and entering the wallet address, there was my server.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd125ed82-95d0-4eb2-8dfe-b97237ba956e%2FUntitled.png?table=block&id=d6f71647-6a89-4fe5-a093-821cd45bbd85&t=d6f71647-6a89-4fe5-a093-821cd45bbd85&width=2546&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcb807cec-67a8-4363-8985-e7513bfff5d0%2FUntitled.png?table=block&id=c4e9f963-42c3-4447-bd65-f84a26e9ad3f&t=c4e9f963-42c3-4447-bd65-f84a26e9ad3f&width=2515&cache=v2)
I also found that the site has a tool for generating a miner, which is presumably what produced this one.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F775cf5c8-92a5-4e42-b674-3511177049d8%2FUntitled.png?table=block&id=229f9224-66da-4f5c-b2df-743f561c23f6&t=229f9224-66da-4f5c-b2df-743f561c23f6&width=2560&cache=v2)
Intrusion analysis
That trail goes no further, so let's look at the logs to see how the box was compromised. In the login log I found something abnormal.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1c5cddbb-b14c-4e07-8db1-d4bde9df1b3c%2FUntitled.jpeg?table=block&id=10d17378-e8f5-45e5-ac92-6b521947f1c7&t=10d17378-e8f5-45e5-ac92-6b521947f1c7&width=1475&cache=v2)
These two abnormal logins coincide with the time the mining started. Damn, how did my SSH credentials leak? Let's look at the failed login log.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe406acdd-22a0-4b70-8768-4b45269b6113%2FUntitled.png?table=block&id=b079984a-9a24-4d57-867a-3c26349931a9&t=b079984a-9a24-4d57-867a-3c26349931a9&width=1482&cache=v2)
Well well, they started brute-forcing my server on the 3rd, so it was simply brute-forced open. Lesson learned: don't set your password to some website address for convenience. Change the password, move SSH to another port, and to keep this from happening again I'll base64-encode my password as well and add a rule that locks a user out for 3600 seconds after more than 10 consecutive failed logins. That should make it un-brute-forceable.
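The log check described in this section, run over constructed sshd lines in auth.log/secure format, as an added example that is not part of the original post: it counts failed password attempts per source address, flags sources above the post's threshold of 10, and lists the successful logins so they can be lined up against the miner's first timestamp. The function names and the sample lines (documentation IP ranges, invented PIDs and times) are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and sample log
# lines are assumptions constructed for this example.

# Failed password attempts per source IP, most frequent first: "<count> <ip>".
# Input on stdin: sshd lines from /var/log/auth.log or /var/log/secure.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Only the IPs with more than N failures (the post uses 10).
bruteforce_sources() {
    failed_logins_by_ip | awk -v n="${1:-10}" '$1 + 0 > n { print $2 }'
}

# Successful logins as "<timestamp> <user> <ip>", to compare with the time
# the miner first appeared in xmrig.log.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for") u = $(i + 1)
                 if ($i == "from") ip = $(i + 1)
             }
             print $1, $2, $3, u, ip
         }'
}

# Constructed sample: 12 failures from one address over the 3rd, two noisy
# attempts from another, then a successful password login from the first
# address on the 6th and an unrelated key-based login.
sample_auth_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Apr  3 02:%02d:07 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2\n' "$i"
        i=$((i + 1))
    done
    printf 'Apr  4 10:01:00 host sshd[1302]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2\n'
    printf 'Apr  4 10:01:05 host sshd[1302]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2\n'
    printf 'Apr  6 03:14:22 host sshd[1400]: Accepted password for root from 203.0.113.5 port 52211 ssh2\n'
    printf 'Apr  6 03:20:05 host sshd[1411]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2\n'
}

echo "brute-force sources:"
sample_auth_log | bruteforce_sources 10
echo "accepted logins:"
sample_auth_log | accepted_logins
```

On a real host replace `sample_auth_log` with `cat /var/log/auth.log` (Debian-family) or `/var/log/secure` (Red Hat-family), or `journalctl -u ssh` where the logs are only in the journal. The lockout rule the post describes (more than 10 failures, locked for 3600 seconds) corresponds to pam_faillock's `deny=10 unlock_time=3600` options.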
Appendix
Pool address
auto.c3pool.org:19999
Wallet address
4DSQMNzzq46N1z2pZWAVdeA6JvUL9TCB2bnBiA3ZzoqEdYJnMydt5akCa3vtmapeDsbVKGPFdNkzqTcJS8M8oyK7WGjtop8RjcYFKN1vCe
Sample download