I was attacked

My personal server was attacked during the last two days of last year. Other things delayed dealing with it, but today I finally could not put it off any longer, so here is a record of how the attack was discovered and repaired.

2019-12-30 23:39:44: Cloud Shield warned of access involving the malicious IP 178.170.189.5. The warning carried the keyword "kdevtmpfsi".

[Figure: Cloud Shield alert, "mining pool communication behavior", 178.170.189.5, kdevtmpfsi]

How to Get to the Root

kdevtmpfsi is well disguised: its name is almost identical to the kernel thread kdevtmpfs, which misdirected my investigation at first. My application runs in Docker; if the host itself had been compromised, the problem would be far more serious.

Since I am not a professional operations engineer, clearing out the miner came down to guesswork. Cloud Shield suggested the CMS might have security vulnerabilities, but a code scan found nothing abnormal, which made me suspect the problem was more serious.

Did a container have a vulnerability? The containers also run the NMP (Nginx, MySQL, PHP) stack, so which container was the problem? Not knowing where to start, I went with the one hard symptom, high CPU usage, and used top on the host and then docker to check CPU usage per container.

top

Running top shows the picture directly (figure below): kdevtmpfsi is using almost 100% of the CPU. The server is completely occupied by the malicious program and my own service cannot run normally.

container

The CPU is 100% consumed by the kdevtmpfsi mining program. To narrow the problem down to a container, use docker stats, which shows per-container resource usage and produced the following figure.

docker exec -it <container ID> /bin/bash

Press Ctrl+P then Ctrl+Q to detach from the container again without stopping it.

Running ls -lrt inside the container shows that the earliest-downloaded kinsing file dates from the 30th (December 30), the same day as the earliest alarm. Searching around, I learned that this file is the parent process that drops and runs the mining program, so it also needs to be cleaned up later.

Following the Cloud Shield alarm, check whether /tmp/kdevtmpfsi exists; if it does, it needs to be removed. The file was definitely there. One thing I did was kill -9 <PID> on the process, which visibly brought CPU usage down; when I then ran the program manually I saw the CPU climb right back up.
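The procedure above (top, docker stats, docker exec, ls -lrt, kill) can be scripted so that the miner is found from the host side and tied to its container without guessing. The following is an added example written for this page, not code from the original post. It assumes Linux with Docker, where a container's processes are visible in the host's /proc and their /proc/<pid>/cgroup entries contain the container id, and it looks for the two process names the post mentions, kdevtmpfsi and kinsing.

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Finds the miner processes named in the post (kdevtmpfsi, kinsing) from the
# host, maps each one to the Docker container it runs in, kills it and removes
# the dropped /tmp/kdevtmpfsi binary from that container.
# Assumptions: Linux with Docker; container processes are visible in the host's
# /proc, and their /proc/<pid>/cgroup lines contain the 64-hex container id as
# ".../docker/<id>" (cgroup v1) or "docker-<id>.scope" (cgroup v2).

# Extract a 64-hex Docker container id from one /proc/<pid>/cgroup line.
# Prints nothing when the line does not belong to a Docker container.
container_id_from_cgroup() {
    printf '%s\n' "$1" | sed -n -E 's#.*docker[/-]([0-9a-f]{64}).*#\1#p'
}

# Print the container id a host PID belongs to; return 1 for host processes.
container_of_pid() {
    [ -r "/proc/$1/cgroup" ] || return 1
    while IFS= read -r line; do
        id=$(container_id_from_cgroup "$line")
        if [ -n "$id" ]; then
            printf '%s\n' "$id"
            return 0
        fi
    done < "/proc/$1/cgroup"
    return 1
}

# Print host PIDs whose command name (/proc/<pid>/comm) equals one of the
# names given as arguments.
pids_named() {
    for d in /proc/[0-9]*; do
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        for want in "$@"; do
            [ "$comm" = "$want" ] && printf '%s\n' "${d#/proc/}"
        done
    done
    return 0
}

# Report, kill and clean up every miner process found.
hunt_miner() {
    found=0
    for pid in $(pids_named kdevtmpfsi kinsing); do
        found=1
        name=$(cat "/proc/$pid/comm" 2>/dev/null)
        cid=$(container_of_pid "$pid" || echo host)
        printf 'pid %s (%s) runs in %s\n' "$pid" "$name" "$cid"
        kill -9 "$pid" 2>/dev/null || true
        if [ "$cid" = host ]; then
            ls -lrt /tmp
            rm -f /tmp/kdevtmpfsi
        else
            docker exec "$cid" ls -lrt /tmp    # the same check the post did by hand
            docker exec "$cid" rm -f /tmp/kdevtmpfsi
        fi
    done
    [ "$found" -eq 1 ] || echo "no kdevtmpfsi/kinsing process found"
}

if [ "${1:-}" = "--run" ]; then
    hunt_miner
fi
```

Run it on the host as sh hunt_miner.sh --run. Killing the process and deleting the dropped file is only a temporary fix, as the next section explains: kinsing is the parent that re-downloads the miner, and until the entry point is closed the same thing will happen again.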

How Did It Get In

With the process found, killing it and its daemon solves the problem for now. But the root cause has not been found, so the same hole can be used again to drop a new miner. So first think: where is the vulnerability?

Could the above have been caused by a Redis vulnerability? Consider how my Redis was installed. I was initially testing an application that required a login: the login flow was to follow the public account and obtain an authorization code to unlock the application. I used Redis to store temporary tokens, and when I installed Redis I left it running naked on the network, with no password.

For example, suppose my public IP address is 110.110.110.110. Anyone can run redis-cli -h 110.110.110.110 -p 6379 and connect directly to my Redis service.
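To check the exposure described above (whether the public address answers Redis commands with no password) in a repeatable way, here is an added shell example, not from the original post. It wraps the same redis-cli probe as a single PING and classifies the reply; the host and port arguments are placeholders, and the patterns are matched against redis-cli's usual output (PONG, NOAUTH, DENIED for protected mode, and connection errors).

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Repeats the author's exposure test (redis-cli against the public address)
# and classifies the reply so it can run from a cron job or a CI check.
# Assumptions: redis-cli is installed where the probe runs; host and port are
# placeholders; the patterns below match redis-cli's usual reply text.

# Map the first line of redis-cli output for PING to a verdict:
#   open      answered PONG without AUTH: anyone on the network can use it
#   auth      server demands a password (requirepass is set)
#   protected refused by protected-mode (no bind/password, non-loopback client)
#   closed    nothing reachable on that host:port
#   unknown   anything else (print the raw reply and look)
classify_redis_reply() {
    case "$1" in
        PONG)                                echo open ;;
        *NOAUTH*)                            echo auth ;;
        *DENIED*|*"protected mode"*)         echo protected ;;
        *"Connection refused"*|*"Could not connect"*|*"timed out"*) echo closed ;;
        *)                                   echo unknown ;;
    esac
}

# Probe host:port (default 127.0.0.1:6379) with a single PING; stderr is
# captured too because connection errors are reported there.
probe_redis() {
    host=${1:-127.0.0.1}
    port=${2:-6379}
    reply=$(redis-cli -h "$host" -p "$port" ping 2>&1 | head -n 1)
    classify_redis_reply "$reply"
}

if [ "${1:-}" = "--probe" ]; then
    host=${2:-127.0.0.1}
    port=${3:-6379}
    printf '%s:%s -> %s\n' "$host" "$port" "$(probe_redis "$host" "$port")"
fi
```

Run it from a machine outside the server's network, for example sh redis_probe.sh --probe 110.110.110.110 6379. A verdict of open is exactly the situation in this post; auth means requirepass is in place; closed means the port is not reachable from where you ran it, which is what a public address should report.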

According to the advisory "[Vulnerability Warning] Redis 4.x/5.x Remote Command Execution Vulnerability", the key to fixing this is to allow access to Redis only from the internal network, and to require a password (and whitelist specific addresses) for any external IP that must reach it.

Use the command option to set the password; note that there is no ports: entry, so Redis is reachable only from containers on redis-net and not from the host's public address.

version: '3'
services:
  redis:
    image: redis:5.0.7
    # --requirepass makes every client AUTH before other commands are accepted
    command: ["redis-server", "--requirepass", "yourpassword"]
    hostname: redis
    networks:
      - redis-net
    volumes:
      - redis-data:/data

networks:
  redis-net:

volumes:
  redis-data:

Safety assured

After a long sigh of relief, I was reminded of the story of mending the fold after the sheep are lost: better late than never.