грешка в лога на nginx под docker

[sharpshooter]

Здравейте, от известно време забелязвам грешка в лога на nginx, която пречи на работата на няколко уеб сървиса - plex, nextcloud, wordpress и други, които общо взето се проксират през nginx.
Може ли някой да помогне?

nginx: [crit] pread() "/config/nginx/site-confs/xt" failed (21: Is a directory)

В тази директория имам index.php със следното съдържание, ако изобщо е от значение:

<?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5>

 

[anonimen]

Това не прилича да е цялото съдържание на index.php, ако всичко е наред. През декодер като пуснах тоя стринг, който е подаден на base64 decode, излезе това:

if(!function_exists("YiunIUY76bBhuhNYIO8")){fun

Изобщо evalът е доста подозрителен.. ако пуснеш целия index php, може би ще се види дали има нещо притеснително в eval'uateнатия код.
Някакви други странни неща да си забелязвал?

 

[sharpshooter]

Извинявяйте, не се съобразих, че ще трябва целият файл. Ето го:

hastebin

Иначе не съм забелязал нещо странно, но си признавам, че не съм гледал от много време лог файлове.

 

[anonimen]

Декодиран, файлът съдържа eval на този код:

<?php
if (!function_exists("YiunIUY76bBhuhNYIO8"))
{
    function YiunIUY76bBhuhNYIO8($g, $b = 0)
    {
        $a = implode("\n", $g);
        $d = array(
            655,
            236,
            40
        );
        if ($b == 0) $f = substr($a, $d[0], $d[1]);
        elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
        else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
        return ($f);
    }
}

Не знам какво може да е това.

Само че, като гледам каква е грешката, почвам да се съмнявам, че конкретно съдържанието на файла е от значение.

 

[sharpshooter]

Аз също не мисля, че съдържанието е проблем. Въпросът е, че това съдържание го нямаше преди време.

Тази директория изобщо не ми е позната и тя съществува във всяка една поддиректория на ngnix. А същата тази директория я има в грешката. Започвам да се притеснявам, че нещо лошо се е случило.

 

[anonimen]

Тази директория изобщо не ми е позната и тя съществува във всяка една поддиректория на ngnix. А същата тази директория я има в грешката. Започвам да се притеснявам, че нещо лошо се е случило.

Аз именно това питах, има ли нещо друго странно. Щом я има същата във всяка директория, звучи като някой злонамерен да ги е нафлякал. Според мен виж и за други съмнителни новопоявили се папки/файлове.

 

[deam0n]

Определено изглежда като нещо, което не трябва да е там.

 

[sharpshooter]

Аз именно това питах, има ли нещо друго странно. Щом я има същата във всяка директория, звучи като някой злонамерен да ги е нафлякал. Според мен виж и за други съмнителни новопоявили се папки/файлове.

Къде предлагаш да видя за такива - в директорияра на Nginx или?

 

[Revelation]

Декодиран, файлът съдържа eval на този код:

<?php
if (!function_exists("YiunIUY76bBhuhNYIO8"))
{
    function YiunIUY76bBhuhNYIO8($g, $b = 0)
    {
        $a = implode("\n", $g);
        $d = array(
            655,
            236,
            40
        );
        if ($b == 0) $f = substr($a, $d[0], $d[1]);
        elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
        else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
        return ($f);
    }
}

Не знам какво може да е това.

Само че, като гледам каква е грешката, почвам да се съмнявам, че конкретно съдържанието на файла е от значение.

Не е само това вътре. Има няколко функции вътре. Тази конкретно изтрива началото от този файл, който реално съдържа тези функции, след това има __halt_compiler(); за да предотврати PHP парсера да парсва бинарния код след __halt_compiler(), който е реално кода, който се изпълнява. Кода е нечетим, защото една от функциите компресира съдържанието и след това го декомпресира и изпълнява.

Този номер се използва за намаляне на размера на инсталационни файлове, както и malware. Има вероятност компресирания код да ти ходи по цялата файлова система рекурсивно и да изпраща разни файлчета напред назад... Предвид, че се намира няколко пъти в директорията на nginx, ме съмнява това да са инсталационни файлове на PHP разширения.

Ще се опитам да разбера какъв точно е скрипта, който се изпълнява.

Ако смяташ, че в другите файлове има различен код, то го дай и него да видим какво има (ако успея да изкарам кода).

 

[sharpshooter]

Благодаря ти много за отделеното времето, наистина!

Хората поддържащи nginx контейнера споделиха, че тези php файлове може да са mining software.

Иначе ето и още няколко файла от xt директориите:
https://paste.kodi.tv/movapobeke - основната директория в конфига на nginx
https://paste.kodi.tv/esofoguyoq - proxy-confs директорията

Ако има някаква разлика, ще намеря и другите директории.

За съжаление е вероятно да е компрометиран целия хост, а не само контейнера.

 

[Revelation]

Всичко е възможно. Ако е mining software можеш да ръннеш

docker stats

да видиш дали използва много CPU. Както и

docker top <container>

за да видиш дали има някакви съмнителни процеси вървящи в контейнера.

 

[sharpshooter]

Хм, благодаря ти! Имам един контейнер droppy, който е за споделяне на файлове. Всичко беше наред, докато не го стартирах - сега той работи на 68.87% , всичко друго по-сериозно е на 1-2% макс.

Ето още нещо интересно от лога на този контейнер:
Стартира се някакъв процес, който съдържа http://interact.sh/ и обяснението е следното:
This tool can generate specific domain names to help its users test whether an exploit is successful.
В лога забелязвам и някакъв домейн пак от същото IP:
2022-06-05 00:48:18 [INFO] 176.113.115.238:34090 GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://caatb5ho6n6agto00010ekwgheiuas916.oast.live [401] [1ms],

Ето процеса:

2022-05-20 04:36:17 [INFO] 176.113.115.238:50994 GET /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://interact.sh/ [400] [0ms] Invalid GET: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://interact.sh/,

EDIT: Май това с процеса не е много вярно за droppy, защото и nginx вдигна 120%, когато го стартирам. Не знам дали е нормално, но...

 

[Revelation]

Само като го стартираш или се задържа на висок процент?

 

[Revelation]

Ето какво изкочи от първия файл:

https://pastebin.com/pSX12F4z

На който му се чете да чете

П.П. Набързо се зачетох... това ти чете най-важните файлове от файловата система. Понеже си в контейнер, вероятно нищо важно няма да излезе, но все пак... това си е чиста вратичка.

Както предполагах, има код за рекурсивно четене на директориите и има някакви функции за теглене... даже като гледам си е улеснил живота да може директно да си изобрази съдържанието на файловете директно в страничката, която си е отворил тайно.

 

[Revelation]

Проверих и другите файлове. Съдържанието е едно и също.

Ето и кода, който използвах да ги екстрактна. Преизползвах вътрешните функциите, така че едва ли ще работи за други такива освен, ако не са генерирани от същото място понеже началната част си е бойлерплейт код да рънне реалния код.

<?php
function findImportantStuff($g, $b = 0)
{
    $a = implode("\n", $g);
    $d = array(
        655,
        236,
        40
    );
    if ($b == 0) $f = substr($a, $d[0], $d[1]);
    elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
    else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
    return ($f);
}

function showRealContent($phpFileContent)
{
    // imitates file()
    $contentAsArray = [$phpFileContent];
   
    $uncompressed = gzinflate(base64_decode(findImportantStuff($contentAsArray, 2)));

    preg_match('#eval.*\("(.*?)"\)#', $uncompressed, $matches);

    return utf8_encode(base64_decode($matches[1]));
}

echo showRealContent(<<<'T'
<?php /*** PHP Encode v1.0 by zeura.com ***/...останалата част от файла...
T
);

 

[sharpshooter]

Благодаря много за всичко!

Това означава ли, че трябва да изтрия всичко от сървъра? И дали има инфектирани файлове?
Всъщност той nginx ли използва за да си визуализира файловете? Просто още не мога да си представя какво е станало.

 

[uphero]

Преди да триеш каквото и да било прегледай логовете за да разбереш кога и най-вече как са се появили тия файлове.

 

[sharpshooter]

ОК, ще опитам, но има адски много информация в логовете, ще трябва да я синтезирам по някакъв начин.
Ще опитам по този начин да видим дали ще намеря нещо:

Web Shell Detection and Prevention (Web Shells Part 5) | Acunetix

In the final part in this series on web shells we will be looking at web shell detection and how to prevent them

www.acunetix.com

Оказа се, че droppy има някаква Path Traversal уязвимост и май от там е проблемът. Нали, щом се проксира през nginx, би трябвало да се види в лога на nginx, ако е нещо свързано с droppy?

Path Traversal in droppy | CVE-2020-7757 | Snyk

Snyk Vulnerability Database

security.snyk.io

 

[sharpshooter]

Ако на някой му е интересно, ето всички файлове, които са създадени:

kre10yt’s gists

GitHub Gist: star and fork kre10yt's gists by creating an account on GitHub.

gist.github.com

Оказа се, че WordPress е дупката.