11/02/2017 – 一江春水向东流

清除wnTKYg挖矿木马的全过程

今天下午，同事登录nginx服务器，发现一个进程占用CPU100%：搜索得知是一个挖矿木马，通过redis漏洞来植入的。检查crontab：发现一个redis进程：查看操作日志：查看/root/.ssh/authorized_keys，发现多了个不明key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfxLBb/eKbi0TVVULI8ILVtbv2iaGM+eZbZoCWcD3v/
eF1B/VkHAC1YwIhfqkUYudwhxVfQzsOZYQmKyapWzgp3tBAxcl82Al++VQc36mf/XFnECHndJS1JZB429
/w/Ao+KlASl/qzita61D2VsXyejIQIeYR7Ro+ztLSTXjx+70CvzgOae3oayunL/hGX8qORIkG5YR3R1Je
fhxy1NhGxEd6GaR7fZA5QWGfM17IcSXi2Q876JL8U7Aq8cjQyN/kGT2jWiiQiOZzqbjVJVICiwk0KvtrT
wppV6FLty/vdfhgyspR4WZMep41xxuBH5rBkEJO5lqbKJWatcaA8n9jR x

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfxLBb/eKbi0TVVULI8ILVtbv2iaGM+eZbZoCWcD3v/

eF1B/VkHAC1YwIhfqkUYudwhxVfQzsOZYQmKyapWzgp3tBAxcl82Al++VQc36mf/XFnECHndJS1JZB429

/w/Ao+KlASl/qzita61D2VsXyejIQIeYR7Ro+ztLSTXjx+70CvzgOae3oayunL/hGX8qORIkG5YR3R1Je

fhxy1NhGxEd6GaR7fZA5QWGfM17IcSXi2Q876JL8U7Aq8cjQyN/kGT2jWiiQiOZzqbjVJVICiwk0KvtrT

wppV6FLty/vdfhgyspR4WZMep41xxuBH5rBkEJO5lqbKJWatcaA8n9jR x

初步判明，由于187和186上以前同事测ABTestingGateway时启动了两个redis，但是没有设redis的密码，因为redis是root帐户启动的，所以通过redis把ssh public key写入了root的authorized_keys，从而运行了一个cron程序，之前一直没发现是因为内存和CPU使用率都在正常范围内（CPU使用率60%）按照网上方法杀之：删除不明key 杀掉进程并清理crontab和运行程序

pkill -9 wnTKYg

pkill -9 ddg.1009

rm -rf /var/spool/cron/root

rm -rf /tmp/wnTKYg

pkill -9 wnTKYg

pkill -9 ddg.1009

rm -rf /var/spool/cron/root

rm -rf /tmp/wnTKYg

增加防火墙策略：

# sample configuration for iptables service
# # you can edit this manually or use system-config-firewall
# # please do not ask us to add additional ports/services to this default configuration
#################
#     NAT       #
#################
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]

#OpenVPN
#-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT

#################
#     filter    #
#################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:DOCKER - [0:0]

# 这里对已经建立连接的包直接放行，以提高iptables 效率(此条规则通常放在第一条)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许ping
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

#本机设备放行
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT


#开放sshd服务
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#SMTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
#允许 80 443 端口，http 和 https
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
#dns
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 53 -j ACCEPT
#---ganglia的端口----
#ganglia展示web界面、解释php用的apache
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A OUTPUT -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A OUTPUT -p tcp --sport 5001 -m state --state ESTABLISHED -j ACCEPT
#falcon-agent sent
-A OUTPUT -p tcp --dport 6030 -j ACCEPT
-A OUTPUT -p tcp --dport 8433 -j ACCEPT
-A INPUT -s 10.x.x.203 -p tcp --dport 1988 -j ACCEPT

#prometheus
-A INPUT -s 10.x.x.0/24  --match multiport -m state --state NEW -m tcp -p tcp --dports 9100,9102,9105 -j ACCEPT
#处理IP碎片数量,防止攻击,允许每秒100个
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#允许来自外部的ping测试
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#禁止ping
-A INPUT -p icmp -i eth0 -j DROP
#设置ICMP包过滤,允许每秒1个包,限制触发条件是10个包
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT


####################
#DROP RULL
####################
#丢弃坏的TCP包
#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

# Reject spoofed packets
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP

-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# Drop all invalid packets
-A INPUT -m state --state INVALID -j DROP
#-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
#drop 3128端口是 squid 的默认端口
-A INPUT -p tcp --dport 3128 -j DROP
# Drop excessive RST packets to avoid smurf attacks
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
-A INPUT   -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A INPUT -s xmr.crypto-pool.fr -j DROP
-A INPUT -s 218.248.40.228 -j DROP
-A OUTPUT -d xmr.crypto-pool.fr -j DROP   
-A OUTPUT -d 218.248.40.228 -j DROP     

#禁止其他未允许的规则访问
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
#-A OUTPUT -j DROP
-A FORWARD -j DROP

COMMIT

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

# sample configuration for iptables service

# # you can edit this manually or use system-config-firewall

# # please do not ask us to add additional ports/services to this default configuration

#################

# NAT #

#################

*nat

:PREROUTING ACCEPT [27:11935]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [598:57368]

:POSTROUTING ACCEPT [591:57092]

:DOCKER - [0:0]

#OpenVPN

#-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

COMMIT

#################

# filter #

#################

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

#:DOCKER - [0:0]

# 这里对已经建立连接的包直接放行，以提高iptables 效率(此条规则通常放在第一条)

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#允许ping

-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

#本机设备放行

-A INPUT -i lo -j ACCEPT

-A OUTPUT -o lo -j ACCEPT

-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

#开放sshd服务

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#SMTP

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

#允许 80 443 端口，http 和 https

-A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT

-A INPUT -i eth0 -m state --state NEW -p tcp --sport 80 -j ACCEPT

-A OUTPUT -p tcp --sport 80 -j ACCEPT

-A OUTPUT -p tcp --dport 80 -j ACCEPT

-A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT

-A INPUT -i eth0 -m state --state NEW -p tcp --sport 443 -j ACCEPT

-A OUTPUT -p tcp --sport 443 -j ACCEPT

-A OUTPUT -p tcp --dport 443 -j ACCEPT

#dns

-A OUTPUT -p udp --dport 53 -j ACCEPT

-A INPUT -p udp --sport 53 -j ACCEPT

-A INPUT -p udp --dport 53 -j ACCEPT

-A OUTPUT -p udp --sport 53 -j ACCEPT

#---ganglia的端口----

#ganglia展示web界面、解释php用的apache

-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT

-A OUTPUT -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT

-A OUTPUT -p tcp --sport 5001 -m state --state ESTABLISHED -j ACCEPT

#falcon-agent sent

-A OUTPUT -p tcp --dport 6030 -j ACCEPT

-A OUTPUT -p tcp --dport 8433 -j ACCEPT

-A INPUT -s 10.x.x.203 -p tcp --dport 1988 -j ACCEPT

#prometheus

-A INPUT -s 10.x.x.0/24 --match multiport -m state --state NEW -m tcp -p tcp --dports 9100,9102,9105 -j ACCEPT

#处理IP碎片数量,防止攻击,允许每秒100个

-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

#允许来自外部的ping测试

#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#禁止ping

-A INPUT -p icmp -i eth0 -j DROP

#设置ICMP包过滤,允许每秒1个包,限制触发条件是10个包

-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

####################

#DROP RULL

####################

#丢弃坏的TCP包

#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

# Reject spoofed packets

-A INPUT -s 169.254.0.0/16 -j DROP

-A INPUT -s 172.16.0.0/12 -j DROP

-A INPUT -s 127.0.0.0/8 -j DROP

-A INPUT -s 224.0.0.0/4 -j DROP

-A INPUT -d 224.0.0.0/4 -j DROP

-A INPUT -s 240.0.0.0/5 -j DROP

-A INPUT -d 240.0.0.0/5 -j DROP

-A INPUT -s 0.0.0.0/8 -j DROP

-A INPUT -d 0.0.0.0/8 -j DROP

-A INPUT -d 239.255.255.0/24 -j DROP

-A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks

-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP

-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# Drop all invalid packets

-A INPUT -m state --state INVALID -j DROP

#-A FORWARD -m state --state INVALID -j DROP

-A OUTPUT -m state --state INVALID -j DROP

-A INPUT -m conntrack --ctstate INVALID -j DROP

#drop 3128端口是 squid 的默认端口

-A INPUT -p tcp --dport 3128 -j DROP

# Drop excessive RST packets to avoid smurf attacks

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans

# Anyone who tried to portscan us is locked out for an entire day.

-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list

-A INPUT -m recent --name portscan --remove

-A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.

-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A INPUT -s xmr.crypto-pool.fr -j DROP

-A INPUT -s 218.248.40.228 -j DROP

-A OUTPUT -d xmr.crypto-pool.fr -j DROP

-A OUTPUT -d 218.248.40.228 -j DROP

#禁止其他未允许的规则访问

#-A INPUT -j REJECT --reject-with icmp-host-prohibited

#-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A INPUT -j DROP

#-A OUTPUT -j DROP

-A FORWARD -j DROP

COMMIT

By sean, 7 years11/02/2017 ago

November 2, 2017

SECURITY

清除wnTKYg挖矿木马的全过程