Docker PHP8 Container Cryptomining Malware
Preface
When I logged into my VPS today I unexpectedly found CPU usage at 100%. Suspecting something was wrong, I immediately checked the relevant applications and eventually traced it to the PHP8 container running in Docker. The container was consuming almost all of the CPU and memory, so I started investigating.
Log Analysis
[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
[07-Jun-2024 15:02:57] NOTICE: ready to handle connections
172.18.0.1 - 07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
172.18.0.1 - 07/Jun/2024:15:04:57 +0800 "GET /index.php" 200
chattr: setting flags on /tmp/: Operation not permitted
chattr: setting flags on /var/tmp/: Operation not permitted
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't open '/var/spool/cron/crontabs': Symbolic link loop
chattr: can't stat '/etc/crontab': No such file or directory
sh: ufw: not found
sh: iptables: not found
sh: sudo: not found
sh: can't create /proc/sys/kernel/nmi_watchdog: Read-only file system
sh: can't create /etc/sysctl.conf: Permission denied
userdel: user 'akay' does not exist
userdel: user 'vfinder' does not exist
chattr: can't stat '/root/.ssh/': Permission denied
chattr: can't stat '/root/.ssh/authorized_keys': Permission denied
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sed: /tmp/.X11-unix/01: No such file or directory
cat: can't open '/tmp/.X11-unix/01': No such file or directory
sed: /tmp/.X11-unix/11: No such file or directory
cat: can't open '/tmp/.X11-unix/11': No such file or directory
sed: /tmp/.X11-unix/22: No such file or directory
cat: can't open '/tmp/.X11-unix/22': No such file or directory
sed: /tmp/.systemd.1: No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sed: /tmp/.systemd.2: No such file or directory
cat: can't open '/tmp/.systemd.2': No such file or directory
sed: /tmp/.systemd.3: No such file or directory
cat: can't open '/tmp/.systemd.3': No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.2': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.3': No such file or directory
sh: you need to specify whom to kill
sed: /tmp/.pg_stat.0: No such file or directory
cat: can't open '/tmp/.pg_stat.0': No such file or directory
sed: /tmp/.pg_stat.1: No such file or directory
cat: can't open '/tmp/.pg_stat.1': No such file or directory
sed: /home/www-data/data/./oka.pid: No such file or directory
cat: can't open '/home/www-data/data/./oka.pid': No such file or directory
sed: /tmp/.ICE-unix/d: No such file or directory
cat: can't open '/tmp/.ICE-unix/d': No such file or directory
sed: /tmp/.ICE-unix/m: No such file or directory
cat: can't open '/tmp/.ICE-unix/m': No such file or directory
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
kill: invalid number 'USER'
grep: bad regex 'kworker -c\': Trailing backslash
kill: invalid number 'USER'
kill: invalid number 'www-data'
kill: invalid number 'www-data'
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sh: systemctl: not found
killall: log_rot: no process killed
chattr: can't stat '/etc/ld.so.preload': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.3': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.3': No such file or directory
rm: can't remove '/var/tmp/lib': No such file or directory
rm: can't remove '/var/tmp/.lib': No such file or directory
chattr: can't stat '/tmp/lok': No such file or directory
chmod: /tmp/lok: No such file or directory
sh: docker: not found
sh: docker: not found
sh: docker: not found
sh: setenforce: not found
sh: can't create /etc/selinux/config: nonexistent directory
sh: service: not found
sh: systemctl: not found
sh: service: not found
sh: systemctl: not found
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
crontab: must be suid to work properly
crontab: must be suid to work properly
144.202.29.195 - 07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
As you can see, the container log is full of permission errors. In the line "/tmp/kinsing is b3039abf2ad5202f4a9363b418002351", kinsing is the daemon process of the well-known cryptomining malware kdevtmpfsi.
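As an added example (not code from the original post), the following Python triages lines of a php-fpm container log like the one above into the behaviour categories it shows (defence tampering, persistence attempts via chattr/cron, clean-up of rival miners, the line naming the dropped /tmp/kinsing binary and its checksum, and a request for a file under the PHP library directory rather than the web root) and lists client IPs outside the Docker bridge network. The sample log is constructed from a subset of the lines above; the category names and the 172.18. internal prefix are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the php-fpm container log lines shown above.
SAMPLE_LOG = """\
172.18.0.1 - 07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't stat '/etc/ld.so.preload': No such file or directory
crontab: must be suid to work properly
userdel: user 'akay' does not exist
sed: /tmp/.X11-unix/01: No such file or directory
killall: log_rot: no process killed
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
144.202.29.195 - 07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
"""

# Rules are tried in order; the category names are my own labels for what each group
# of lines shows: a shell inside the container trying to disable protections, persist
# via cron, remove rival miners, then naming the dropped binary and its checksum.
RULES = [
    ("defence_tampering", re.compile(r"^sh: (ufw|iptables|setenforce|systemctl|service): not found|/etc/ld\.so\.preload")),
    ("persistence_attempt", re.compile(r"^(chattr|crontab):")),
    ("rival_cleanup", re.compile(r"^(userdel|killall|kill):|^(sed|cat): .*/tmp/\.(X11-unix|systemd|pg_stat|ICE-unix)")),
    ("kinsing_dropper", re.compile(r"^/tmp/kinsing is [0-9a-f]{32}$")),
    # A request for a file under the PHP library directory instead of the web root.
    ("suspicious_request", re.compile(r'"POST /usr/local/lib/php/[^"]*" \d{3}')),
]
ACCESS_LINE = re.compile(r'^(\S+) - (\S+ \S+) "([A-Z]+) ([^"]+)" (\d{3})$')

def classify_line(line):
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return "access" if ACCESS_LINE.match(line) else "other"

def triage(log_text):
    """Return (Counter of categories, lines that directly indicate the infection)."""
    counts, indicators = Counter(), []
    for line in log_text.splitlines():
        category = classify_line(line)
        counts[category] += 1
        if category in ("kinsing_dropper", "suspicious_request"):
            indicators.append(line)
    return counts, indicators

def external_clients(log_text, internal_prefix="172.18."):
    """Client IPs of access lines that did not come from the Docker bridge network (prefix assumed)."""
    return {m.group(1) for m in map(ACCESS_LINE.match, log_text.splitlines())
            if m and not m.group(1).startswith(internal_prefix)}
```

Running triage over the real container log would put the repeated netstat/crontab lines into "other" and "persistence_attempt", leaving the two indicator lines and the single external client for follow-up.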

System Load
I then logged into the server over SSH and checked resource usage with the top command. Sure enough, the mining process was consuming most of the system's resources.
Resolution and Reflection
First I tried stopping the PHP container, after which I found that the kdevtmpfsi process had stopped, so I concluded that the malware lived only inside the container. Finally I rebuilt the PHP container, which resolved everything; the malicious process no longer reappeared.
Searching online, I found that many people have been hit by this miner, most of them because php-fpm's port 9000 was exposed to the public internet. The reason is that when Docker publishes a port you have to specify 127.0.0.1:9000->9000 to bind it to localhost only; publishing it as 0.0.0.0:9000 bypasses ufw and exposes it directly to the internet. In my case, however, the server is protected not only by a local firewall but also by the provider's firewall, so an exposed port should not have been possible. In addition, since SSH logins to my server use key authentication, a brute-forced login is also all but ruled out.
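An added example, not from the post, of auditing Docker publishes for the 0.0.0.0 binding described above: it parses the Ports column in the form docker ps prints it and reports any container whose port is bound to all interfaces (IPv4 0.0.0.0 or IPv6 ::), which is the case ufw cannot protect. The sample output and container names are constructed.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output; the
# container names are made up, the port formats are the ones Docker prints.
SAMPLE_PS = """\
php8-bad\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp
php8-good\t127.0.0.1:9000->9000/tcp
php8-internal\t9000/tcp
"""

# "host:hostport->containerport/proto" is a published port; "port/proto" alone is only exposed.
PUBLISHED = re.compile(r"^(?P<host>.+):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$")
# Docker prints the IPv4 and IPv6 wildcard binds as 0.0.0.0 and :: respectively.
WILDCARD_HOSTS = {"0.0.0.0", "::"}

def parse_ports(ports_field):
    """Split one Ports column into (host_ip, host_port, container_port); host is None when unpublished."""
    entries = []
    for part in (p.strip() for p in ports_field.split(",") if p.strip()):
        m = PUBLISHED.match(part)
        if m:
            entries.append((m.group("host"), int(m.group("hport")), int(m.group("cport"))))
        else:
            entries.append((None, None, int(part.split("/")[0])))
    return entries

def wildcard_publishes(ps_output):
    """Return {container: {host_port, ...}} for every publish bound to all interfaces.
    Such a port is reachable from the internet regardless of ufw, because Docker's own
    iptables rules are consulted before ufw's chains."""
    findings = {}
    for line in ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for host, hport, _ in parse_ports(ports):
            if host in WILDCARD_HOSTS:
                findings.setdefault(name, set()).add(hport)
    return findings

def fixed_publish_flag(host_port, container_port):
    """The `docker run -p` form that binds only to loopback, as the post recommends."""
    return f"-p 127.0.0.1:{host_port}:{container_port}"
```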
Having ruled out all other possibilities, I can only conclude that it was a vulnerability in the Typecho blog. The current mitigation is to use 1panel's WAF feature for XSS and SQL injection protection.