I - like dozens of others - have the kinsing miner in my deployment.
Unlike the others, I have a minimal server with no redis installed and no cron. The only things installed are symfony, php-fpm and apache in a docker environment.
But - about an hour after I start the container in my Azure environment, the process becomes active. In the php-fpm container, running as user apache.
docker logs says:
[26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 15:50:08] NOTICE: systemd monitor interval set to 10000ms
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: " % Total % Received % Xferd Average Speed Time Time Time Current"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: " Dload Upload Total Spent Left Speed"
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0sh: line 4: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 6: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 7: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 8: ufw: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 11: sudo: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 12: /proc/sys/kernel/nmi_watchdog: Read-only file system"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 13: /etc/sysctl.conf: Permission denied"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'vfinder' does not exist"
On lines 4 and 5 it looks like the output of wget. But that is not installed at all.
Now I'm getting curious - if the "usual" ways of spreading are not installed, how can this miner get access to my system?
My plan is to trace every file operation after starting the container until I find the two-digit sh that carries out the further steps.
I can't install sysdig ( https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux ) in the container - what alternative can I use? A tool that writes every file move and every started process to a log would be great.
Any recommendations?
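The php-fpm log quoted in the question is itself a usable detection source: whatever the dropper script writes to stderr ends up in the php-fpm master log, tagged with the worker's child PID. As an added example (not code from the poster or from php-fpm, symfony or docker), here is a small Python scanner run over log lines constructed from the quoted output plus one benign constructed line for another worker. The indicator names, the regexes and the "three distinct indicator kinds" threshold are my own choices, not anything stated on the page.

```python
"""Scan php-fpm master log lines for the stderr trail a shell dropper leaves
behind when it runs inside a php-fpm worker.

Added example; the indicator list and threshold are the author's assumptions.
"""
import re
from collections import defaultdict

# php-fpm master log format for worker stderr, e.g.
# [26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+):\s+\[pool (?P<pool>[^\]]+)\]\s+'
    r'child (?P<child>\d+) said into stderr: "(?P<msg>.*)"\s*$'
)

# Hand-picked indicators (assumption): things a web worker has no business doing.
INDICATORS = (
    # curl's progress meter header: a download attempt from inside the worker
    ("download_attempt", re.compile(r"%\s+Total\s+%\s+Received|Dload\s+Upload")),
    # chattr: (un)setting the immutable bit on files it wants to replace
    ("immutable_bit", re.compile(r"\bchattr\b")),
    # host firewall tampering
    ("firewall_tamper", re.compile(r"\b(?:ufw|iptables)\b")),
    ("privilege_escalation", re.compile(r"\bsudo\b")),
    # kernel knobs miners commonly tune
    ("kernel_tuning", re.compile(r"nmi_watchdog|/etc/sysctl\.conf")),
    # removal of accounts left behind by competing malware
    ("account_removal", re.compile(r"^userdel: user ")),
)


def parse_line(line):
    """Return the fields of a 'child N said into stderr' line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["child"] = int(fields["child"])
    return fields


def scan(lines):
    """Return {child_pid: [(indicator, message), ...]} for every worker whose
    stderr matched at least one indicator.

    A line without the php-fpm header (and not starting with '[') is treated
    as a continuation of the previous worker's stderr: curl's progress meter
    is multi-line, and the quoted log shows exactly such an orphaned line.
    """
    findings = defaultdict(list)
    last_child = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed:
            child, msg = parsed["child"], parsed["msg"]
            last_child = child
        elif last_child is not None and raw.strip() and not raw.startswith("["):
            child, msg = last_child, raw.strip()
        else:
            continue
        for name, pattern in INDICATORS:
            if pattern.search(msg):
                findings[child].append((name, msg))
    return dict(findings)


def suspicious_children(findings, min_kinds=3):
    """One stray 'command not found' is noise; several distinct indicator
    kinds from the same worker is the dropper signature worth alerting on."""
    return sorted(
        child for child, hits in findings.items()
        if len({name for name, _ in hits}) >= min_kinds
    )


# Constructed sample: lines from the quoted log plus one benign line for child 12.
SAMPLE_LOG = """\
[26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 16:05:11] WARNING: [pool www] child 12 said into stderr: "PHP Warning:  Undefined variable $foo in /app/index.php on line 3"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "                                 Dload  Upload   Total   Spent    Left  Speed"
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0sh: line 4: chattr: command not found
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 8: ufw: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 11: sudo: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 12: /proc/sys/kernel/nmi_watchdog: Read-only file system"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for child in suspicious_children(hits):
        print(f"child {child}: {len(hits[child])} indicator hits")
        for name, msg in hits[child]:
            print(f"  {name:22} {msg}")
```

Feeding `docker logs <container>` through this (for example `docker logs php-fpm 2>&1 | python3 scan.py` with `SAMPLE_LOG` swapped for `sys.stdin`) gives you the worker PID to attach `strace -f -p` to, which is cheaper than tracing the whole container from boot.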
@AB curl - of course! Facepalm.
After removing curl nothing happens anymore. No new infection.
But - I created a strace log of the infection. In my case it is obviously the symfony framework..... If anyone is interested in the log to understand how the infection works, I can provide it.
Thanks for the tip. I'll notify the symfony guys and harden the symfony<->apache connection.