碼農的黑客反擊戰(二)

codergarden發表於2016-11-07
黑客

前言

最近阿里雲的伺服器被黑客黑了做成了肉雞,上傳一次發現專門清理過一次(http://www.toutiao.com/i63432…),當時就感覺可能沒有清除乾淨,果然,後面幾天每天都會收到阿里雲的報警簡訊,具體症狀主要是ssh客戶端連線不上,登入阿里雲控制檯重啟之後就可以連,但幾個小時後上面跑的服務倒是正常的。所以一直也沒有顧上管,今天抽空又去清理了一次。

處理

1.處理雲後臺報警資訊:
根據雲後臺報警資訊,提示有後門程式存在,根據提示查詢相應目錄,找到後門程式並刪除:

root@iZ25lwdric8Z:/usr/bin# pyth pythno python python2 python2.7 python3 python3.4 python3.4m python3m
root@iZ25lwdric8Z:/usr/bin/bsd-port# ls knerl knerl.conf

2.刪除感染檔案
在阿里雲的後臺警告裡還發現有下載病毒檔案的提示,根據提示查詢相應檔案。 [圖片] 後來在boot目錄下發現一堆異常檔案,全部刪除。

/boot abi-3.13.0-32-generic -rwxr-xr-x 1 root root 274808 Oct 7 15:53 aozxzdbfis* -rwxr-xr-x 1 root root 274808 Oct 15 19:37 bbavuhdmri* -rwxr-xr-x 1 root root 0 Oct 15 20:00 bgnqzgbufn* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 bumcwykrjj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 cnpplnjcdd* -rw-r--r-- 1 root root 75 Oct 31 12:32 conf.n -rwxr-xr-x 1 root root 274808 Oct 7 15:53 dwneynlzyw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 efrmetpcgd* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 egxrqjimuy* -rwxr-xr-x 1 root root 4096 Oct 15 18:24 extmulioke* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 eyhzuvhhij* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 fgbioungdb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fhuggtmbig* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fjxgrbljjd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fkmnpxquvu* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 godghrbbwy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 gsugoboncy* -rwxr-xr-x 1 root root 0 Oct 15 20:41 gwexawpbty* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hlkzmtramm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hygzlbpcfz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iamglpkedb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iavtgffmgw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ighesktgdm* -rwxrwxrwx 1 root root 1135000 Oct 22 10:11 iss* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jalbglrytg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 jeygefcens* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jtswtstxcr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jutumokmfy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jyajufvmib* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 keuvizznlm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 khlcattweq* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 kiwwpjblkl* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 kmrwbpxybh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 llybvcogsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 lsubdmnzih* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 mafvoardpz* -rwxr-xr-x 1 root root 274808 Oct 15 17:45 nimtgldgak* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nmcqjdvbnh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nnejyawlfq* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nptabkovas* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nuwwochtfg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 nxzytjppby* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oszqgzlqxf* -rwxr-xr-x 1 root root 0 Oct 15 20:49 oyowzphnsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oznxksrmyy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 pfwzluoxiu* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 pjpjgogzgo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 puqatevzxr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 qiayvbpmyn* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 raqifowtpw* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 rczvtbutzz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rftjduumvo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rgfyuwrcqd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 sqvaooipmd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 svszkutrqk* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 szfecatvio* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 thiibkmxvd* -rwxr-xr-x 1 root root 274808 Oct 15 17:08 tyudkxnzrs* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umalggzxer* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umuoguvill* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 uwmxnnrjvf* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 vaidcxajat* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 vsoiostmjo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wflcktfpdt* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wgswdcxppz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wljgdutvlw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ydeferhoaj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ysjmydgyhg* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 zvyfyvqbse*

找到並刪除下載的病毒檔案iss,刪除時提示沒有操作許可權,修改檔案許可權後正常刪除。

root@iZ25lwdric8Z:/boot# rm -f iss rm: cannot remove ‘iss’: Operation not permitted
root@iZ25lwdric8Z:/boot# lsattr iss ----i--------e-- iss
root@iZ25lwdric8Z:/boot# chattr -i iss root@iZ25lwdric8Z:/boot# lsattr iss -------------e-- iss root@iZ25lwdric8Z:/boot# rm -f iss

3.處理肉雞行為
碼農的黑客反擊戰(二)

前幾天阿里雲後臺還報警過肉雞行為,繼續找系統裡可疑的檔案,後來在啟動檔案rc.local中發現最後一行DDosClient命令,很明顯,這應該是被人當做肉雞,用來發起DDos攻擊。刪除。

PATH=/sbin:/usr/sbin:/bin:/usr/bin
. /lib/init/vars.sh . /lib/lsb/init-functions
do_start() { if [ -x /etc/rc.local ]; then [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)" /etc/rc.local ES=$? [ "$VERBOSE" != no ] && log_end_msg $ES return $ES fi }
case "$1" in start) do_start ;; restart|reload|force-reload) echo "Error: argument `$1` not supported" >&2 exit 3 ;; stop) ;; *) echo "Usage: $0 start|stop" >&2 exit 3 ;; esacDDosClient &

然後在檔案系統中查詢DDosClient檔案,並刪除

root@iZ25lwdric8Z:/# find -name DDosClient ./opt/dt/DDosClient

4.使用防毒軟體
下載防毒軟體,使用防毒軟體再清理一次。ClamAV安裝說明。全盤掃描後,果然發現17個被感染檔案。

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 50605 Scanned files: 215736 Infected files: 17 Total errors: 14166 Data scanned: 13729.61 MB Data read: 16311.49 MB (ratio 0.84:1) Time: 1933.999 sec (32 m 13 s)
這些是被刪除的感染檔案。
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.

後記

經過這次清理,也不敢保證已經完全清理乾淨了。上次清理完安裝了防火牆,這次檢視也沒有發現異常。後繼繼續觀察。

相關文章