Docker PHP8 容器挖矿病毒
前言
今天登录 VPS 时意外发现CPU占用 100%,察觉到意外的我立马检查了相关应用,最后定位到了 Docker 中的 PHP8 容器。容器占用了几乎所有的 CPU 资源和内存,随即我对此展开了调查。
日志分析
[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
[07-Jun-2024 15:02:57] NOTICE: ready to handle connections
172.18.0.1 - 07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
172.18.0.1 - 07/Jun/2024:15:04:57 +0800 "GET /index.php" 200
chattr: setting flags on /tmp/: Operation not permitted
chattr: setting flags on /var/tmp/: Operation not permitted
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't open '/var/spool/cron/crontabs': Symbolic link loop
chattr: can't stat '/etc/crontab': No such file or directory
sh: ufw: not found
sh: iptables: not found
sh: sudo: not found
sh: can't create /proc/sys/kernel/nmi_watchdog: Read-only file system
sh: can't create /etc/sysctl.conf: Permission denied
userdel: user 'akay' does not exist
userdel: user 'vfinder' does not exist
chattr: can't stat '/root/.ssh/': Permission denied
chattr: can't stat '/root/.ssh/authorized_keys': Permission denied
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sed: /tmp/.X11-unix/01: No such file or directory
cat: can't open '/tmp/.X11-unix/01': No such file or directory
sed: /tmp/.X11-unix/11: No such file or directory
cat: can't open '/tmp/.X11-unix/11': No such file or directory
sed: /tmp/.X11-unix/22: No such file or directory
cat: can't open '/tmp/.X11-unix/22': No such file or directory
sed: /tmp/.systemd.1: No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sed: /tmp/.systemd.2: No such file or directory
cat: can't open '/tmp/.systemd.2': No such file or directory
sed: /tmp/.systemd.3: No such file or directory
cat: can't open '/tmp/.systemd.3': No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.2': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.3': No such file or directory
sh: you need to specify whom to kill
sed: /tmp/.pg_stat.0: No such file or directory
cat: can't open '/tmp/.pg_stat.0': No such file or directory
sed: /tmp/.pg_stat.1: No such file or directory
cat: can't open '/tmp/.pg_stat.1': No such file or directory
sed: /home/www-data/data/./oka.pid: No such file or directory
cat: can't open '/home/www-data/data/./oka.pid': No such file or directory
sed: /tmp/.ICE-unix/d: No such file or directory
cat: can't open '/tmp/.ICE-unix/d': No such file or directory
sed: /tmp/.ICE-unix/m: No such file or directory
cat: can't open '/tmp/.ICE-unix/m': No such file or directory
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
kill: invalid number 'USER'
grep: bad regex 'kworker -c\': Trailing backslash
kill: invalid number 'USER'
kill: invalid number 'www-data'
kill: invalid number 'www-data'
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sh: systemctl: not found
killall: log_rot: no process killed
chattr: can't stat '/etc/ld.so.preload': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.3': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.3': No such file or directory
rm: can't remove '/var/tmp/lib': No such file or directory
rm: can't remove '/var/tmp/.lib': No such file or directory
chattr: can't stat '/tmp/lok': No such file or directory
chmod: /tmp/lok: No such file or directory
sh: docker: not found
sh: docker: not found
sh: docker: not found
sh: setenforce: not found
sh: can't create /etc/selinux/config: nonexistent directory
sh: service: not found
sh: systemctl: not found
sh: service: not found
sh: systemctl: not found
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
crontab: must be suid to work properly
crontab: must be suid to work properly
144.202.29.195 - 07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
可以看到,容器日志中有着很多权限错误,/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
这一行中的kinsing是一个知名挖矿病毒 kdevtmpfsi的守护进程。
系统占用
随即我使用 ssh登录服务器,使用 top命令检测系统占用,果不其然,挖矿进程正占用了系统的主要资源。
解决与反思
首先我尝试了停止 PHP 容器,随后检测发现 kdevtmpfsi的进程停止了,因此可以判断病毒仅存在于容器内。最后我重新构建了 PHP 容器,一切都得到解决,病毒进程也不在出现了。
我在网上查询相关的信息,发现有很多人都中过这个挖矿病毒,大多数人都是由于将 php-fpm 的9000端口暴露在了公网造成的,这是由于 Docker 在映射端口时需要指定127.0.0.1:9000->9000才是将端口映射在本地,如果映射到 0.0.0.0:9000 的话会绕过 ufw 直接暴露在公网。但问题是,我的服务器不仅有本地的防火墙,还有服务商那里的防火墙,因此不可能存在端口暴露在公网这种问题。此外,由于我服务器 SSH 登录方式采用密钥登录,也几乎排除了服务器被破解登录的可能性。
排除了所有的可能性之后,我只能认为是 Typecho 博客的的漏洞了,目前的解决措施是使用了 1panel 的 WAF 功能进行 XSS 防御和 SQL 注入防御。