Like dozens of other people, I have the kinsing miner in my deployment.
Unlike the others, my server is small: no redis installed, no cron. The only things I have installed are symfony, php-fpm and apache in a docker environment.
But - if I start the container in my Azure environment, after about an hour the kinsing process is active. Inside the container, php-fpm runs as the user apache.
The docker log shows:
[26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 15:50:08] NOTICE: systemd monitor interval set to 10000ms
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: " % Total % Received % Xferd Average Speed Time Time Time Current"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: " Dload Upload Total Spent Left Speed"
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0sh: line 4: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 6: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 7: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 8: ufw: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 11: sudo: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 12: /proc/sys/kernel/nmi_watchdog: Read-only file system"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 13: /etc/sysctl.conf: Permission denied"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'vfinder' does not exist"
Lines 4 and 5 look like the output of wget. But that isn't installed at all.
Now I'm curious - how does this miner get onto my system when the "usual" means of spreading aren't installed?
My plan is to trace every file operation after starting the container until I find the sh whose double-digit lines execute the other steps.
I can't install sysdig (https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux) - what alternative can I use? A tool that writes every file move and every started process to a log would be great.
Any suggestions?
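As an added example that is not part of the question or the poster's setup, here is a small detector for the php-fpm log format quoted above: it parses the "child N said into stderr" lines and flags any worker whose stderr shows a shell reporting missing system tools or calling user/firewall management commands, which a PHP request handler has no business doing. The sample log is constructed to mirror the lines above; the regular expressions and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the php-fpm master-log format shown in the question
# (a pool worker's stderr relayed as WARNING lines). Not the poster's full log.
SAMPLE_LOG = """\
[26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 4: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
[26-Oct-2020 16:11:27] WARNING: [pool www] child 80 said into stderr: "PHP Warning:  Undefined variable $x in /app/index.php on line 3"
"""

# One relayed-stderr line: timestamp, pool name, worker child pid, message.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] WARNING: \[pool (?P<pool>\S+)\] child (?P<child>\d+) '
    r'said into stderr: "(?P<msg>.*)"$'
)
# stderr a PHP worker should never emit: a shell interpreter failing to find
# system tools, a shell failing to write kernel/sysctl files, or admin tools
# (user deletion, immutable flags, firewall, sudo) being invoked at all.
SUSPICIOUS = [
    re.compile(r'^sh: line \d+: (?P<tool>\S+): command not found'),
    re.compile(r'^sh: line \d+: (?P<tool>/\S+): (Read-only file system|Permission denied)'),
    re.compile(r'^(?P<tool>userdel|chattr|ufw|iptables|sudo|crontab):'),
]

def parse_stderr_lines(text):
    """Yield (timestamp, pool, child_pid, message) for each relayed-stderr line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m['ts'], m['pool'], int(m['child']), m['msg']

def find_shell_activity(text):
    """Group suspicious stderr messages by the worker child that produced them.
    Returns {child_pid: [tool_or_path, ...]}; an empty dict means nothing flagged."""
    hits = defaultdict(list)
    for _ts, _pool, child, msg in parse_stderr_lines(text):
        for pat in SUSPICIOUS:
            m = pat.match(msg)
            if m:
                hits[child].append(m['tool'])
                break
    return dict(hits)

if __name__ == "__main__":
    for child, tools in find_shell_activity(SAMPLE_LOG).items():
        print(f"php-fpm child {child} ran a shell that touched: {', '.join(tools)}")
```

Run against a real php-fpm log, the flagged child pid and timestamp are what you correlate with the apache access log to find the request that spawned the shell.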
Answer 1
@AB curl - of course! Facepalm.
After removing curl nothing happened. No new infection.
But - I created an strace log of the infection. In my case it is apparently the symfony framework..... If anyone is interested in the log to understand how the infection works, I can provide it.
Thanks for the tip. I'll notify the symfony folks and harden the symfony<->apache connection.