安全矩阵
Notes on a trojan investigation on an Alibaba Cloud ECS instance

Posted 2020-12-16 20:50:21
Last edited by gclome on 2020-12-16 20:51.

Original article: 记一次阿里云木马排查过程 (Notes on a trojan investigation on an Alibaba Cloud ECS instance)

Author: 无名大盗; source: https://blog.csdn.net/dreamer2020

Problem description

I received an alert e-mail from Alibaba Cloud saying that one ECS instance had a malicious process. The security details in the Alibaba Cloud console showed a malicious process flagged by cloud scanning (云查杀) as a self-mutating trojan (自变异木马):

Logging in to the server and checking the /bin directory, the flagged file (ps) was indeed wrong: its size had grown to 1.1M, and netstat looked the same. See the figure below:

On a normal Ubuntu system ps is only 96K and netstat 117K, so the command files above had been maliciously tampered with.

Inspection

Manual analysis showed that several system files had been infected. Checking logins and activity with lastlog and similar commands turned up no trace of an intrusion.
Inspecting the startup items revealed the following extra files:
    /etc/rc1.d/S97VsystemsshMdt
    /etc/rc2.d/S97VsystemsshMdt
    /etc/rc3.d/S97VsystemsshMdt
    /etc/rc4.d/S97VsystemsshMdt
    /etc/rc5.d/S97VsystemsshMdt
    /etc/rc1.d/S99selinux
    /etc/rc2.d/S99selinux
    /etc/rc3.d/S99selinux
    /etc/rc4.d/S99selinux
    /etc/rc5.d/S99selinux

Both files are symlinks:



It was clear that more than one file was infected, so a full-disk scan with a scanning tool was needed. The most common antivirus tool on Linux is ClamAV, so I decided to install it and scan the whole disk.

Installing ClamAV

    sudo apt install clamav*

Notably, the installation failed at one point because the S97VsystemsshMdt and S99selinux startup items conflicted with the init-script ordering; in that case all of the problem files listed above have to be deleted and the installation re-run. The error log was as follows:
    Setting up clamav-freshclam (0.100.3+dfsg-0ubuntu0.16.04.1) ...
    insserv: warning: script 'S99selinux' missing LSB tags and overrides
    insserv: warning: script 'S97VsystemsshMdt' missing LSB tags and overrides
    insserv: warning: script 'selinux' missing LSB tags and overrides
    insserv: warning: script 'VsystemsshMdt' missing LSB tags and overrides
    insserv: There is a loop between service plymouth and procps if started
    insserv:  loop involving service procps at depth 2
    insserv:  loop involving service udev at depth 1
    insserv: There is a loop at service selinux if started
    insserv: There is a loop at service plymouth if started
    insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
    insserv: Starting VsystemsshMdt depends on plymouth and therefore on system facility `$all' which can not be true!
    insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
    insserv: Starting VsystemsshMdt depends on plymouth and therefore on system facility `$all' which can not be true!
    ......
    insserv: Max recursions depth 99 reached
    insserv: There is a loop between service selinux and hwclock if started
    insserv:  loop involving service hwclock at depth 1
    insserv:  loop involving service checkroot at depth 3
    insserv:  loop involving service mountdevsubfs at depth 1
    insserv:  loop involving service networking at depth 4
    insserv:  loop involving service selinux at depth 1
    insserv: exiting now without changing boot order!
    update-rc.d: error: insserv rejected the script header
    dpkg: error processing package clamav-freshclam (--configure):
    subprocess installed post-installation script returned error exit status 1
    Setting up libcurl3:amd64 (7.47.0-1ubuntu2.13) ...
    dpkg: dependency problems prevent configuration of clamav:
    clamav depends on clamav-freshclam (>= 0.100.3+dfsg) | clamav-data; however:
      Package clamav-freshclam is not configured yet.
      Package clamav-data is not installed.
      Package clamav-freshclam which provides clamav-data is not configured yet.
    dpkg: error processing package clamav (--configure):
    dependency problems - leaving unconfigured
    Processing triggers for libc-bin (2.23-0ubuntu10) ...
    Processing triggers for systemd (229-4ubuntu21.2) ...
    Processing triggers for ureadahead (0.100.0-19) ...
    Errors were encountered while processing:
    clamav-freshclam
    clamav

Updating the virus database

    sudo freshclam

Full-disk scan

    clamscan -ri / -l o

Here -r means recurse into subdirectories, -i means print only infected files, and -l writes the scan results to the given log file. The full-disk scan took about 24 minutes; the results were as follows:


As the output shows, about 60 files were reported as infected, including the virus database itself and files from unofficial libraries. After manual filtering, the result was:

    /root/ps: Legacy.Trojan.Agent-1388639 FOUND
    /root/netstat: Legacy.Trojan.Agent-1388639 FOUND
    /usr/bin/lsof: Legacy.Trojan.Agent-1388639 FOUND
    /usr/bin/pythno: Legacy.Trojan.Agent-1388639 FOUND
    /usr/bin/bsd-port/knerl: Legacy.Trojan.Agent-1388639 FOUND
    /bin/ps: Legacy.Trojan.Agent-1388639 FOUND
    /bin/netstat: Legacy.Trojan.Agent-1388639 FOUND

Delete the files listed above; the system commands can be repaired by copying them over from another ECS instance running the same version. Since then Alibaba Cloud has raised no further trojan alerts.
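The write-up judges /bin/ps and /bin/netstat by their size; the same question can be settled against the checksums dpkg recorded when the package was installed, which is what `dpkg --verify` and `debsums` do. The script below is an added example, not the author's code: it assumes a Debian/Ubuntu /var/lib/dpkg/info layout, takes the info directory and root as parameters so it can be pointed at a disk mounted from a clean rescue system (the on-box tools may themselves be trojaned), and includes a constructed fixture so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify package-owned binaries
# against the md5sums dpkg recorded at install time, instead of judging them
# by size as the write-up does. Assumes a Debian/Ubuntu layout where each line
# of INFO_DIR/<package>.md5sums reads "<md5>  <path without leading slash>".

# verify_binaries INFO_DIR ROOT PATH...
# Prints "OK", "TAMPERED" or "UNOWNED" per path; returns 1 if any path is
# tampered or not listed in any package manifest.
verify_binaries() {
    info_dir=$1; root=$2; shift 2
    rc=0
    for f in "$@"; do
        rel=${f#/}
        # candidate lines by fixed string, then an exact match on the path column
        expected=$(grep -hF "  $rel" "$info_dir"/*.md5sums 2>/dev/null |
                   awk -v p="$rel" '$2 == p { print $1; exit }')
        if [ -z "$expected" ]; then
            echo "UNOWNED $f"; rc=1; continue
        fi
        actual=$(md5sum "$root$f" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK $f"
        else
            echo "TAMPERED $f"; rc=1
        fi
    done
    return $rc
}

# make_fixture DIR: constructed sample tree (not a real system) with one intact
# binary, one binary replaced after install, and one dropped file no package owns.
make_fixture() {
    mkdir -p "$1/root/bin" "$1/info"
    printf 'genuine ps\n'      > "$1/root/bin/ps"
    printf 'genuine netstat\n' > "$1/root/bin/netstat"
    printf 'dropped file\n'    > "$1/root/bin/pythno"
    {
        echo "$(md5sum "$1/root/bin/ps" | awk '{ print $1 }')  bin/ps"
        echo "$(md5sum "$1/root/bin/netstat" | awk '{ print $1 }')  bin/netstat"
    } > "$1/info/fixture-pkg.md5sums"
    printf 'trojaned netstat\n' > "$1/root/bin/netstat"   # tampering after install
}

# Stand-alone run against the fixture: sh verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_fixture "$d"
    verify_binaries "$d/info" "$d/root" /bin/ps /bin/netstat /bin/pythno
    rm -rf "$d"
fi
```

On a real host, run it as `verify_binaries /var/lib/dpkg/info / /bin/ps /bin/netstat /usr/bin/lsof`, or with the info directory and root of a mounted image; a file that is UNOWNED in a system directory (like the /usr/bin/pythno above) deserves the same attention as a TAMPERED one.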

Summary

This article records a simple trojan investigation, offered as a reference for security beginners, since many back-end developers today have no security experience. The handling here is fairly basic, but it essentially resolved the trojan problem. It is also a reminder to back-end programmers that server security deserves attention.
Some questions remain: it is still unclear how the server was infected. No other illegitimate logins were found; my guess is that some unofficial Node.js libraries may have been the cause. As for what these trojans actually do, for lack of time no further analysis was done.
