david/DavidZhang73.github.io
1
0
Fork 0
Code Releases Activity
9d8b78fcd4
DavidZhang73.github.io/kinsing-virus/index.html

488 lines
21 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="zh-CN" class="loading">
<head>
<!-- hexo-inject:begin --><!-- hexo-inject:end --><meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>&#34;寄生&#34;于 Docker 的病毒 - Kinsing - Blog</title>
<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="google" content="notranslate" />
<meta name="keywords" content="Developer, Python, C++, JavaScript, Java,">
<meta name="description" content="DavidZ&#39;s Blog,
原创发表于 DavidZ Blog遵循 CC 4.0 BY-NC-SA 版权协议,转载请附上原文出处链接及本声明。
¶前言
2020 年开年不顺2019 新型冠状病毒肺炎爆发,从年三十居家隔,">
<meta name="author" content="DavidZ">
<link rel="alternative" href="atom.xml" title="Blog" type="application/atom+xml">
<link rel="icon" href="/img/favicon.png">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1429596_nzgqgvnmkjb.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/animate.css@3.7.2/animate.min.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/css/share.min.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/codemirror@5.48.4/lib/codemirror.min.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/codemirror@5.48.4/theme/dracula.css">
<link rel="stylesheet" href="/css/obsidian.css">
<link rel="stylesheet" href="/css/ball-atom.min.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/font-awesome/css/font-awesome.min.css">
<meta name="generator" content="Hexo 4.2.1"><!-- hexo-inject:begin --><!-- hexo-inject:end --></head>
<body class="loading">
<!-- hexo-inject:begin --><!-- hexo-inject:end --><div class="loader">
<div class="la-ball-atom la-2x">
<div></div>
<div></div>
<div></div>
<div></div>
</div>
</div>
<span id="config-title" style="display:none">Blog</span>
<div id="loader"></div>
<div id="single">
<div class="scrollbar gradient-bg-rev"></div>
<div id="top" style="display: block;">
<div class="bar" style="width: 0;"></div>
<div class="navigation animated fadeIn fast delay-1s">
<img id="home-icon" class="icon-home" src="/img/favicon.png" alt="" data-url="https://blog.davidz.cn">
<div id="play-icon" title="Play/Pause" class="iconfont icon-play"></div>
<h3 class="subtitle">"寄生"于 Docker 的病毒 - Kinsing</h3>
<div class="social">
<!-- <div class="like-icon">-->
<!-- <a href="javascript:;" class="likeThis active"><span class="icon-like"></span><span class="count">76</span></a>-->
<!-- </div>-->
<div>
<div class="share">
<a href="javascript:;" class="iconfont icon-share1"></a>
<div class="share-component-cc" data-disabled="facebook,douban,linkedin,diandian,tencent,google"></div>
</div>
</div>
</div>
</div>
</div>
<div class="section">
<div class=article-header-wrapper>
<div class="article-header">
<div class="article-cover animated fadeIn" style="
animation-delay: 600ms;
animation-duration: 1.2s;
background-image:
radial-gradient(ellipse closest-side, rgba(0, 0, 0, 0.65), #100e17),
url(https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/netdata-1599485973.png) ">
</div>
<div class="else">
<p class="animated fadeInDown">
<a href="/categories/DevOps"><b>
</b>DEVOPS<b></b></a>
二月 10, 2020
</p>
<h3 class="post-title animated fadeInDown"><a href="/kinsing-virus/" title="&quot;寄生&quot;于 Docker 的病毒 - Kinsing" class="">&quot;寄生&quot;于 Docker 的病毒 - Kinsing</a>
</h3>
<p class="post-count animated fadeInDown">
<span>
<b class="iconfont icon-text2"></b> <i>文章字数</i>
2.4k
</span>
<span>
<b class="iconfont icon-timer__s"></b> <i>阅读约需</i>
2 mins.
</span>
<span id="busuanzi_container_page_pv">
<b class="iconfont icon-read"></b> <i>阅读次数</i>
<span id="busuanzi_value_page_pv">0</span>
</span>
</p>
<ul class="animated fadeInDown post-tags-list" itemprop="keywords"><li class="animated fadeInDown post-tags-list-item"><a class="animated fadeInDown post-tags-list-link" href="/tags/Docker/" rel="tag">Docker</a></li><li class="animated fadeInDown post-tags-list-item"><a class="animated fadeInDown post-tags-list-link" href="/tags/Linux/" rel="tag">Linux</a></li><li class="animated fadeInDown post-tags-list-item"><a class="animated fadeInDown post-tags-list-link" href="/tags/Shell/" rel="tag">Shell</a></li></ul>
</div>
</div>
</div>
<div class="screen-gradient-after">
<div class="screen-gradient-content">
<div class="screen-gradient-content-inside">
<div class="bold-underline-links screen-gradient-sponsor">
<p>
<span class="animated fadeIn delay-1s"></span>
</p>
</div>
</div>
</div>
</div>
<div class="article">
<div class='main'>
<div class="content markdown animated fadeIn">
<blockquote>
<p>原创发表于 <a href="https://blog.davidz.cn">DavidZ Blog</a>,遵循 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode" target="_blank" rel="noopener">CC 4.0 BY-NC-SA</a> 版权协议,转载请附上原文出处链接及本声明。</p>
</blockquote>
<h2 id="前言"><a class="header-anchor" href="#前言"></a>前言</h2>
<p>2020 年开年不顺2019 新型冠状病毒肺炎爆发,从年三十居家隔离到了正月十五,没想到自己的服务器也”感染“上了病毒 - Kinsing(进程的名字,姑且这样称呼)。</p>
<h2 id="发现"><a class="header-anchor" href="#发现"></a>发现</h2>
<p><img src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/netdata-1599485973.png" alt="netdata"></p>
<p>偶然看了看服务器状态,发现 CPU 占用一直保持在 100%上下,有些蹊跷。</p>
<p>难道是我的博客访问量<s>暴增</s>???那是当然不可能的,然后我去看了看<a href="https://github.com/portainer/portainer" target="_blank" rel="noopener">Portainer</a>看了看,果然,</p>
<p><img src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/portainer-1599485974.png" alt="portainer"></p>
<p>这个随机名称的容器就是 Kinsing 基于 Ubuntu 的容器CPU 占用 100%。</p>
<p><img src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/%E8%BF%9B%E7%A8%8B-1599485975.png" alt="进程"></p>
<p>简单看了看容器里面的进程表,第一个运行了一个 shell 脚本,这个病毒就是这个脚本下载启动的关键,我打开看了看,<s>也没看懂</s>,大概是下载了几个可执行文件。第二个是 cron这个是定时脚本我猜应该是病毒定时检查一下运行情况第三个好像是个守护进程第四个应该是用于容器保持第五个在网上能搜到是个<a href="https://www.baidu.com/s?wd=kdevtmpfsi" target="_blank" rel="noopener">挖矿的程序</a></p>
<p>无聊的我还简单看了看这个脚本的服务器 IP</p>
<p><img src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/ip-1599485976.png" alt="ip"></p>
<p>难道是俄罗斯大佬???</p>
<p>这个时候我突然想起来,前几天为了调试<a href="https://certbot.eff.org/" target="_blank" rel="noopener">certbot</a>的 Dockerfile, 我直接打开了 Docker 的<a href="https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option" target="_blank" rel="noopener">远程访问</a>,在默认的情况下是没有任何加密措施的。</p>
<p>这样,就真相大白了,这个病毒通过未加密的接口,在我的服务器上运行了挖矿的容器来盈利,同时也占用了服务器全部的 CPU😢.</p>
<h2 id="处理"><a class="header-anchor" href="#处理"></a>处理</h2>
<p>Kinsing 病毒还是很良心的(至少我遇到的这个是),把自己”关“在了容器里面,反正后来我也没有在别的地方发现相关文件。</p>
<p>所以处理起来也简单,</p>
<ol>
<li>删掉容器和镜像</li>
<li>关闭 Docker 远程访问即可。如果不想关闭的话也可以<a href="https://docs.docker.com/engine/security/https/" target="_blank" rel="noopener">用 https 的方式加密</a></li>
</ol>
<h2 id="小想法"><a class="header-anchor" href="#小想法"></a>小想法</h2>
<p>其实这个 Kinsing 病毒实现起来还是很简单的,</p>
<ol>
<li>扫描全网的 2375 这个默认端口</li>
<li>用 Docker API 连接并部署容器</li>
<li>执行脚本运行挖矿程序</li>
</ol>
<p><s>突然有一个邪恶的想法,一台机器一天就算 1 毛钱好啦</s>,哈哈哈,但是违法的事情不能做呀😄。</p>
<p>大家一定要注意呀,时刻谨记服务器安全,不要随意开放服务器端口。</p>
<!--[if lt IE 9]><script>document.createElement('audio');</script><![endif]-->
<audio id="audio" loop="1" preload="auto" controls="controls"
data-autoplay="false">
<source type="audio/mpeg" src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/music/汪苏泷 _ BY2 - 有点甜.mp3">
</audio>
<div class="post-nav">
<hr>
<div class="post-nav-item">上一篇:<a href="/inspur-ip-guard-uninstallation/" rel="prev"
title="卸载浪潮安装的 IP-GUARD 监控软件">卸载浪潮安装的 IP-GUARD 监控软件
</a></div>
<div class="post-nav-item">下一篇:<a href="/windows-package-manager-scoop/" rel="next"
title="Windows 包管理器 - Scoop">Windows 包管理器 - Scoop</a></div>
</div>
<div id='gitalk-container' class="comment link"
data-ae='true'
data-ci='489076c5dd3f5ba13f67'
data-cs='d6e3b245787b0b74d0dbe2639ef87f452a401194'
data-r='blog.davidz.cn'
data-o='DavidZhang73'
data-a='DavidZhang73'
data-d=''
data-p='https://cors-anywhere.azm.workers.dev/https://github.com/login/oauth/access_token'
>留言</div>
</div>
<div class="sidebar">
<div class="box animated fadeInRight">
<div class="subbox">
<img src="https://davidz-blog.oss-cn-beijing.aliyuncs.com/img/2019-1599483796.jpg" height=300 width=300></img>
<p>DavidZ</p>
<span>凡事都要留几分</span>
<dl>
</dl>
</div>
<ul>
<li><a href="/">15 <p>文章</p></a></li>
<li><a href="/categories">8 <p>分类</p></a></li>
<li><a href="/tags">15 <p>标签</p></a></li>
</ul>
</div>
<div class="box sticky animated fadeInRight faster">
<div id="toc" class="subbox">
<h4>目录</h4>
<ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#前言"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#发现"><span class="toc-number">2.</span> <span class="toc-text">发现</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#处理"><span class="toc-number">3.</span> <span class="toc-text">处理</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#小想法"><span class="toc-number">4.</span> <span class="toc-text">小想法</span></a></li></ol>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="back-to-top" class="animated fadeIn faster">
<div class="flow"></div>
<span class="percentage animated fadeIn faster">0%</span>
<span class="iconfont icon-top02 animated fadeIn faster"></span>
</div><!-- hexo-inject:begin --><!-- hexo-inject:end -->
</body>
<footer>
<p class="copyright" id="copyright">
&copy; 2022
<span class="gradient-text">
DavidZ
</span>.
Powered by <a href="http://hexo.io/" title="Hexo" target="_blank" rel="noopener">Hexo</a>
Theme
<span class="gradient-text">
<a href="https://github.com/TriDiamond/hexo-theme-obsidian" title="Obsidian" target="_blank" rel="noopener">Obsidian</a>
</span>
<small><a href="https://github.com/TriDiamond/hexo-theme-obsidian/blob/master/CHANGELOG.md" title="v1.4.7" target="_blank" rel="noopener">v1.4.7</a></small>
</br>
鲁ICP备
<span class="gradient-text">
<a href="https://beian.miit.gov.cn/" title="19008089号-1" target="_blank" rel="noopener">19008089号-1</a>
</span>
</p>
</footer>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.7/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>
<script>
MathJax.Hub.Config({
"HTML-CSS": {
preferredFont: "TeX",
availableFonts: ["STIX", "TeX"],
linebreaks: {
automatic: true
},
EqnChunk: (MathJax.Hub.Browser.isMobile ? 10 : 50)
},
tex2jax: {
inlineMath: [
["$", "$"],
["\\(", "\\)"]
],
processEscapes: true,
ignoreClass: "tex2jax_ignore|dno",
skipTags: ['script', 'noscript', 'style', 'textarea', 'pre', 'code']
},
TeX: {
noUndefined: {
attributes: {
mathcolor: "red",
mathbackground: "#FFEEEE",
mathsize: "90%"
}
},
Macros: {
href: "{}"
}
},
messageStyle: "none"
});
</script>
<script>
function initialMathJax() {
MathJax.Hub.Queue(function () {
var all = MathJax.Hub.getAllJax(),
i;
// console.log(all);
for (i = 0; i < all.length; i += 1) {
all[i].SourceElement().parentNode.className += ' has-jax';
}
});
}
function reprocessMathJax() {
if (typeof MathJax !== 'undefined') {
MathJax.Hub.Queue(["Typeset", MathJax.Hub]);
}
}
</script>
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/gitalk@1.6.2/dist/gitalk.min.css">
<script src="//cdn.jsdelivr.net/npm/gitalk@1.6.2/dist/gitalk.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>
<script src="/js/plugin.js"></script>
<script src="/js/obsidian.js"></script>
<script src="/js/jquery.truncate.js"></script>
<script src="/js/search.js"></script>
<script src="//cdn.jsdelivr.net/npm/typed.js@2.0.10/lib/typed.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/blueimp-md5@2.12.0/js/md5.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/js/social-share.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/codemirror@5.45.0/lib/codemirror.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/javascript/javascript.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/css/css.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/xml/xml.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/htmlmixed/htmlmixed.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/clike/clike.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/php/php.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/shell/shell.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/python/python.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/cmake/cmake.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/powershell/powershell.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/codemirror@5.45.0/mode/yaml/yaml.min.js"></script>
<script src="/js/busuanzi.min.js"></script>
<script>
$(document).ready(function () {
if ($('span[id^="busuanzi_"]').length) {
initialBusuanzi();
}
});
</script>
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.css">
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/default-skin/default-skin.min.css">
<script src="//cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/photoswipe@4.1.3/dist/photoswipe-ui-default.min.js"></script>
<!-- Root element of PhotoSwipe. Must have class pswp. -->
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
<!-- Background of PhotoSwipe.
It's a separate element as animating opacity is faster than rgba(). -->
<div class="pswp__bg"></div>
<!-- Slides wrapper with overflow:hidden. -->
<div class="pswp__scroll-wrap">
<!-- Container that holds slides.
PhotoSwipe keeps only 3 of them in the DOM to save memory.
Don't modify these 3 pswp__item elements, data is added later on. -->
<div class="pswp__container">
<div class="pswp__item"></div>
<div class="pswp__item"></div>
<div class="pswp__item"></div>
</div>
<!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
<div class="pswp__ui pswp__ui--hidden">
<div class="pswp__top-bar">
<!-- Controls are self-explanatory. Order can be changed. -->
<div class="pswp__counter"></div>
<button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
<button class="pswp__button pswp__button--share" title="Share"></button>
<button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
<button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>
<!-- Preloader demo http://codepen.io/dimsemenov/pen/yyBWoR -->
<!-- element will get class pswp__preloader--active when preloader is running -->
<div class="pswp__preloader">
<div class="pswp__preloader__icn">
<div class="pswp__preloader__cut">
<div class="pswp__preloader__donut"></div>
</div>
</div>
</div>
</div>
<div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
<div class="pswp__share-tooltip"></div>
</div>
<button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
</button>
<button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
</button>
<div class="pswp__caption">
<div class="pswp__caption__center"></div>
</div>
</div>
</div>
</div>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="//www.googletagmanager.com/gtag/js?id=UA-157733505-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() {
dataLayer.push(arguments);
}
gtag('js', new Date());
gtag('config', 'UA-157733505-1');
</script>
<script>
function initialTyped() {
var typedTextEl = $('.typed-text');
if (typedTextEl && typedTextEl.length > 0) {
var typed = new Typed('.typed-text', {
strings: ['凡事都要留几分', '颜值是第一生产力'],
typeSpeed: 90,
loop: true,
loopCount: Infinity,
backSpeed: 20,
});
}
}
if ($('.article-header') && $('.article-header').length) {
$(document).ready(function () {
initialTyped();
});
}
</script>
<!-- 例:百度统计 --> <script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?your_code"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script>
</html>
View Git Blame Copy Permalink