Notes on an internal-network SSH backdoor false-positive incident

This post records the analysis of one alert from our security platform that turned out to be a false positive; it is written up here as a note.

Alert discovered

The security platform raised an alert for hosts downloading an sh script.
[alert list screenshot]
Opening the alert shows its full details.
[alert detail screenshot]

Analysis

Downloading the script showed that all four hosts had fetched the same file. Reading it shows what it actually does: if /root/.ssh does not exist it creates it; it pins the SSH host key of dev.auth.ihmi.net (52.192.20.104) into /root/.ssh/known_hosts; it writes an embedded RSA private key to /root/.ssh/upload_rsa; and, unless the first argument is 0, it uses that key to scp easy_access_client from upload@dev.auth.ihmi.net, marks it executable and moves it to /mnt/project/easy_access_client.active. Note that the 27 echo lines are the PEM body of one private key, not 25-plus public keys, and nothing is written to authorized_keys: the script gives the host an outbound credential to the vendor's server, it does not grant anyone passwordless SSH login into the host.
Script code:

#!/bin/sh
# $1 DO_COPY_EAC (1 to do and 0 not to do, default is 1)

DO_COPY_EAC=1
[[ $# -eq 1 ]] && DO_COPY_EAC=$1

set -e

if [ ! -d /root/.ssh ]; then
mkdir /root/.ssh
chmod 600 /root/.ssh
fi

if [ ! -f /root/.ssh/known_hosts ]; then
echo "dev.auth.ihmi.net,52.192.20.104 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBlVQmx56Jq1MPiBLdDP8HmIzLnxmkbBVAUppg/XJzscWf5YPnFJEpKtL6xTGRQm/dUp/ov6UWSABJMRCNVoVNtoKZe1ZM0zlxkGWNAYC5hIdnWUqkDoyZa5FP4weWx5985czZIMZjkMxt0EyBrjyujc78XLdKLnBqjxIjp43dMQ1Wyt323hZKXwLneJ7YxnSta4H7zg3/EBg69ICzDu85M2qjqWHN6Ql4b0cvac+5CDSivepAs4Tbs6GwmQ2Yj7R7+/JS/6OQxQKWT+Q3eCL5Za3q1Btl96oiWKHyp9zeKxGwfrEnPUz8fgovdXWJKrJoj8aoMzZ5u4ATTq3gkI0P" >> /root/.ssh/known_hosts
echo `date` "/root/.ssh/known_hosts ready"
fi

if [ ! -f /root/.ssh/upload_rsa ]; then
echo "-----BEGIN RSA PRIVATE KEY-----" >> /root/.ssh/upload_rsa
echo "MIIEogIBAAKCAQEAqWzRbIy2kgBICkKzDuj3AJvXpib7rm6GeOyC9EID0GK1Vjga" >> /root/.ssh/upload_rsa
echo "sSH045p/27e5oCVAqZ2aOej0shXgdI+OWo3Juf+zM1U/mVvWDBGpIOEsvf4jTZk8" >> /root/.ssh/upload_rsa
echo "Mbq8SLsKMe08AQkSCmZLjC2DYSVJKikfvgeFX30K4gO5eShraIx9J52iwsNsc3Ey" >> /root/.ssh/upload_rsa
echo "+Hd+/wkMx+TwFXw+AxXP0xdX2xm8onYUFK+zvHM1PlRwWEwqSNjEXbfuaN8c/mNc" >> /root/.ssh/upload_rsa
echo "2FG8MpH8P+G6KuD1/0JOp2wFd2A212sL8h6Z3hvcQAN7FB2y8aroYDJDv2ZOIwGK" >> /root/.ssh/upload_rsa
echo "qSuci5ss1/6sbxsc4HUvob9RYyQEWMKxwXXCZQIDAQABAoIBAGOl/x8LPC5vP+/Y" >> /root/.ssh/upload_rsa
echo "/xvb5btT7ehpsUoM88aXxQYI9dlQ1Tsa0IgyYqijrGP8kY8hmgCpE5bP72v29gdY" >> /root/.ssh/upload_rsa
echo "j++uyWE+hZXBpCB9JU3/7SvLhNdSbE0tvXu6Sxez+vEWiV5KiXPYasLN2iH/HiNQ" >> /root/.ssh/upload_rsa
echo "AL1yCv34u7fnXOVn4pShXNM6IgrOlNBjn4Pg8RGWQtNlVOmaFJy1VlpR49y1R+Np" >> /root/.ssh/upload_rsa
echo "RD1tJpape8nUSdSgleMvHnoepKcZCorwJk/1fw0QxZKkbws+4vVPYkqNsYZftGaM" >> /root/.ssh/upload_rsa
echo "Ww8+KDWtiitZXFS3sBC1NfRLw8PvL/Eikw7AI+D759VKs+4oJzucbWwT+GvwrQfw" >> /root/.ssh/upload_rsa
echo "3t2U2FkCgYEA3GSch1lzpuKaxjliU16k6EiJvMlGzLUyH7wiJsVMoHFstmU1IaBe" >> /root/.ssh/upload_rsa
echo "spVOxjeIDinhrJhAZrR/c4nZ2UanTUYLKPH8c17jRIQzl2xBRnRrc02Pk83zTPCb" >> /root/.ssh/upload_rsa
echo "FeFpBWvBzUVbanQ6/tReDaoytk87YK9oPJczL7UfTS64UUaoqyGdkRsCgYEAxMww" >> /root/.ssh/upload_rsa
echo "GMT80xYt0xdgHVbF628q3RKNmMyA8ihZYBG0ocCvKGvbcqEQqeYPa8pr+cObmaEH" >> /root/.ssh/upload_rsa
echo "LcSIGxT5vHyznrhMXLe3RJ3ZlEd/s6ImKT9r/CCJGJux2QIu92JWN9lDtmizvdZ5" >> /root/.ssh/upload_rsa
echo "elsEnHzpXhKU+9w0AKhx4KBphuUnnlhr74ySsn8CgYAWhJEZoyIV4wE9T4+kRP9E" >> /root/.ssh/upload_rsa
echo "XGT2TPpW4AyHAYnbvDzgB7a7zAtprCEAzhCGYBYenFjacZPi6n47J9KCSJ2/X3C0" >> /root/.ssh/upload_rsa
echo "dkT85K0Dyx4aUo04zZxM45fP2jMJoWu3CJjaXPAoMPXuIoIEl14kt0cHKYE/l6xm" >> /root/.ssh/upload_rsa
echo "xGwOa8sO778VTsrc8UpQEQKBgCRAGHv3jTq00ywXGjVNTpfXmmWujTagNQBmPlBb" >> /root/.ssh/upload_rsa
echo "8pH5FEq1026CDLe/EQgh+VHAnmDmMJRVp1yVuIrnzY5nFGnfzXpuOS3/HZ7RN4ZR" >> /root/.ssh/upload_rsa
echo "kGqY86f8xf3bURtwmcEf3EE1eCZ341iOe4L332Tct2TNYybb4F4oLkgS3gFk+Dzg" >> /root/.ssh/upload_rsa
echo "AAWxAoGAJJS9zbGIaoFIjx+dZJtqHpbf72D0f6YsdDn2+nMw0Sw+fxy/3qzFU8qX" >> /root/.ssh/upload_rsa
echo "qdeV0LwfQf1ZE+Ws6bQoA1J7xEKkPmL7U98eQs6W5gmI2a8wD98HCrnnsJyIIiWz" >> /root/.ssh/upload_rsa
echo "mCMiOJtzobLZS39yoxegePlH0mRFLTwqts60CfIZSVMQLaSYQyQ=" >> /root/.ssh/upload_rsa
echo "-----END RSA PRIVATE KEY-----" >> /root/.ssh/upload_rsa
chmod 600 /root/.ssh/upload_rsa
echo `date` "/root/.ssh/upload_rsa ready"
fi

if [ $DO_COPY_EAC -eq 1 ]; then
  echo `date` "downloading eac..."
  scp -i /root/.ssh/upload_rsa upload@dev.auth.ihmi.net:easy_access_client .
  chmod +x easy_access_client
  echo `date` "move to /mnt/project..."
  mv easy_access_client /mnt/project/easy_access_client.active
  echo `date` "done"
fi
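The questions this kind of alert raises (does the script add inbound keys, does it embed a credential, what does it fetch, what files will it leave on the host) can be answered mechanically rather than by eyeballing 60 lines of echo statements. The following Python triager is an added example written for this note, not the platform's own detection logic or anything shipped with EasyAccess. It runs over a constructed, abridged copy of the script above (the private-key body is shortened to one placeholder line) and extracts the indicators with a handful of assumed heuristic regexes, then turns them into a verdict and a list of paths to check on the affected hosts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the script quoted above, abridged.
# The PEM body is cut to a single line; the placeholder is not a real key.
SAMPLE_SCRIPT = r'''#!/bin/sh
DO_COPY_EAC=1
[[ $# -eq 1 ]] && DO_COPY_EAC=$1
set -e
if [ ! -d /root/.ssh ]; then
mkdir /root/.ssh
chmod 600 /root/.ssh
fi
if [ ! -f /root/.ssh/known_hosts ]; then
echo "dev.auth.ihmi.net,52.192.20.104 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...PLACEHOLDER" >> /root/.ssh/known_hosts
fi
if [ ! -f /root/.ssh/upload_rsa ]; then
echo "-----BEGIN RSA PRIVATE KEY-----" >> /root/.ssh/upload_rsa
echo "MIIEogIBAAKCAQEAqWzRbIy2kgBICkKzDuj3AJvXpib7rm6GeOyC9EID0GK1Vjga" >> /root/.ssh/upload_rsa
echo "-----END RSA PRIVATE KEY-----" >> /root/.ssh/upload_rsa
chmod 600 /root/.ssh/upload_rsa
fi
if [ $DO_COPY_EAC -eq 1 ]; then
  scp -i /root/.ssh/upload_rsa upload@dev.auth.ihmi.net:easy_access_client .
  chmod +x easy_access_client
  mv easy_access_client /mnt/project/easy_access_client.active
fi
'''

# Heuristics assumed for this example; they cover echo/redirect, scp, curl/wget,
# chmod +x and mv, which is what dropper-style shell scripts usually consist of.
REDIRECT_RE = re.compile(r'>>?\s*(\S+)\s*$')
ECHO_RE = re.compile(r'^echo\s+"([^"]*)"')
KNOWN_HOSTS_RE = re.compile(r'^([\w.-]+),(\d{1,3}(?:\.\d{1,3}){3})\s+(ssh-\S+|ecdsa-\S+)')
SCP_RE = re.compile(r'\bscp\b(?:\s+-i\s+(\S+))?.*?\s(\w+)@([\w.-]+):(\S+)')
URL_RE = re.compile(r'\b(curl|wget)\b.*?(https?://\S+)')
CHMOD_X_RE = re.compile(r'\bchmod\s+\+x\s+(\S+)')
MV_RE = re.compile(r'^mv\s+(\S+)\s+(\S+)')


@dataclass
class Triage:
    ssh_writes: list = field(default_factory=list)        # files under .ssh written by redirect
    known_hosts_pins: list = field(default_factory=list)  # (host, ip, key type)
    private_key_files: list = field(default_factory=list) # files receiving a PEM private key
    authorized_keys_writes: list = field(default_factory=list)
    remote_fetches: list = field(default_factory=list)    # (tool, identity, user, host, path)
    executables_dropped: list = field(default_factory=list)
    bashisms: list = field(default_factory=list)          # line numbers using [[ under #!/bin/sh


def _add(lst, item):
    if item not in lst:
        lst.append(item)


def triage_script(text):
    """Static pass over a shell script: collect the indicators an analyst needs."""
    t = Triage()
    lines = text.splitlines()
    posix_sh = bool(lines) and lines[0].rstrip() == '#!/bin/sh'
    staged = {}  # file made executable -> its final path after any mv
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if posix_sh and '[[' in line:
            _add(t.bashisms, n)  # [[ is not POSIX; the script fails under dash
        m = REDIRECT_RE.search(line)
        target = m.group(1) if m else None
        if target and '/.ssh/' in target:
            _add(t.ssh_writes, target)
            e = ECHO_RE.match(line)
            payload = e.group(1) if e else ''
            if 'PRIVATE KEY-----' in payload:
                _add(t.private_key_files, target)
            if target.endswith('known_hosts'):
                k = KNOWN_HOSTS_RE.match(payload)
                if k:
                    _add(t.known_hosts_pins, k.groups())
            if target.endswith('authorized_keys'):
                _add(t.authorized_keys_writes, target)
        s = SCP_RE.search(line)
        if s:
            _add(t.remote_fetches, ('scp',) + s.groups())
        u = URL_RE.search(line)
        if u:
            _add(t.remote_fetches, (u.group(1), None, None, u.group(2), None))
        c = CHMOD_X_RE.search(line)
        if c:
            staged[c.group(1)] = c.group(1)
        mv = MV_RE.match(line)
        if mv and mv.group(1) in staged:
            staged[mv.group(1)] = mv.group(2)
    t.executables_dropped = list(staged.values())
    return t


def verdict(t):
    """Answer the question the alert poses: who gets access to what."""
    findings = []
    if t.authorized_keys_writes:
        findings.append('inbound: adds keys to authorized_keys (passwordless login INTO this host)')
    if t.private_key_files:
        findings.append('outbound: embeds a private key usable FROM this host')
    if t.remote_fetches:
        findings.append('fetches a remote payload')
    if t.executables_dropped:
        findings.append('drops an executable')
    return findings


def host_iocs(t):
    """Paths to look for on the four alerting hosts."""
    return sorted(set(t.ssh_writes) | set(t.executables_dropped))


if __name__ == '__main__':
    result = triage_script(SAMPLE_SCRIPT)
    for line in verdict(result):
        print(line)
    print('check on host:', host_iocs(result))
    print('remote fetches:', result.remote_fetches)
```

On the script above this yields an outbound credential, one pinned host key, one scp fetch and one dropped executable, and no authorized_keys write, which is the fact that matters for the backdoor question. The heuristics are deliberately narrow: they only follow echo-and-redirect writes, so they would miss a key written via cat heredocs or base64 -d, and they do not flag `chmod 600 /root/.ssh` (a directory without the execute bit, which only works here because root bypasses mode checks). The IOC list is what to feed to a host check afterwards.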

At first I assumed a virus was contacting a malicious IP to download a backdoor script. Looking up the domain account.ihmi.net on ThreatBook (微步) shows that two sh scripts and one exe do indeed exist under it.
[ThreatBook screenshot]
Searching Google for account.ihmi.net and visiting the domain shows the page is EasyAccess.
[search result screenshot]
[EasyAccess page screenshot]

Conclusion

I did not download or use this software, but I guess the sh script in the alert is shipped with the program and the setup.exe shown by ThreatBook is its installer, so the preliminary verdict is that the alert is a false positive. I will set one up and try it when I get the chance.
