Miner kinsing 如何感染我的系统

tag-icon tag-icon php-fpm malware
Miner kinsing 如何感染我的系统

我和其他几十个人一样,在我的部署中也有 Miner kinsing。

与其他人不同,我的服务器很小,没有安装 redis,也没有 cron。我唯一安装的是 docker 环境中的 symfony、php-fpm 和 apache。

但是 - 如果我在我的 Azure 环境中启动容器,大约一个小时后,如果进程 kinsing 处于活动状态。在容器中,php-fpm 以用户 apache 身份运行。

docker 日志显示:

26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 15:50:08] NOTICE: systemd monitor interval set to 10000ms
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "                                 Dload  Upload   Total   Spent    Left  Speed"
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0sh: line 4: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 6: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 7: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 8: ufw: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 11: sudo: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 12: /proc/sys/kernel/nmi_watchdog: Read-only file system"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 13: /etc/sysctl.conf: Permission denied"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'vfinder' does not exist"

第 4 行和第 5 行看起来像是 wget 的输出。但这根本没有安装。

现在我很好奇——当没有安装“通常”的传播方式时,这个矿工如何访问我的系统?

我的计划是启动容器后跟踪每个文件操作,直到找到执行其他步骤的两位数的 sh。

我无法安装 sysdig(https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux) - 我可以使用什么替代方案?将每个文件移动和每个启动进程写入日志的工具会很棒。

有什么建议吗?

答案1

@AB curl-当然!捂脸

删除 curl 后什么都没发生。没有新的感染。

但是 - 我创建了感染的 strace 日志。在我的例子中,它显然是 symfony 框架.....如果有人对日志感兴趣以了解感染方式,我可以提供它。

谢谢你的提示。我会通知 symfony 的伙计们并加强 symfony<->apache 的连接。

相关内容