@itskenny0
Last active November 5, 2020 10:46
Cleanup script for salt minions affected by recent CVE exploitation - https://saltexploit.com - https://github.com/saltstack/salt/issues/57057
#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.
# remove crontab persistence
# note: the per-user crontab spool is /var/spool/cron/crontabs on Debian/Ubuntu and
# /var/spool/cron on RHEL/CentOS; adjust the glob below for your distribution
for i in 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 89.223.121.139 torsocks anagima3 sa.sh$ c.sh$ selcdn.ru salt-store; do
    # remove for root
    crontab -l | sed "/$i/d" | crontab -
    # check other users' crontabs (iterate the glob directly instead of parsing ls output)
    for f in /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        crontab -l -u "$user" | sed "/$i/d" | crontab -u "$user" -
    done
done
# warning! these IPs change! please manually verify your crontab with crontab -l
# to make sure there are no other malicious entries
# remove ssh public key added by v5
sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
for i in /home/*/.ssh/authorized_keys; do
    [ -f "$i" ] || continue
    sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$i"
done
# newer versions seem to set themselves immutable
chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
chattr -i /tmp/salt-minions
chattr -i /usr/bin/salt-store
# remove all the trash
rm /tmp/salt-minions
rm /tmp/salt-store
rm /var/tmp/salt-store
rm /usr/bin/salt-store
rm /etc/selinux/config
rm -rf /tmp/.ICE*
rm -rf /var/tmp/.ICE*
rm /root/.wget-hsts
# create apparmor profiles to prevent execution
echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
apparmor_parser -r -W /etc/apparmor.d/salt-store
echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
apparmor_parser -r -W /etc/apparmor.d/salt-minions
# reenable nmi watchdog
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf
# disable hugepages
sysctl -w vm.nr_hugepages=0
# enable apparmor
systemctl enable apparmor
systemctl start apparmor
# kill processes and reenabler (PID taken from the ps column, not a fixed character range)
kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
ps aux | grep ICEd | grep -v grep | awk '{print $2}' | xargs -n 1 kill -9
killall -9 salt-minions
killall -9 salt-store
# fix syslog
touch /var/log/syslog
service rsyslog restart
@itskenny0
Author

@taigrr: My script is about as sledgehammery as the exploit itself, so it doesn't really matter if it throws errors. Line added additionally to the original one. Thank you.

@taigrr

taigrr commented May 5, 2020

Please also add:

cd /var/spool/cron/ && grep -r . * (requires interactivity, this doesn't remove them)
Some affected are finding crontabs for users other than root.

@taigrr

taigrr commented May 5, 2020

@itskenny0 salt-store (and possibly salt-minions) also downloads to /usr/bin/salt-store now. Would you mind updating it for that too?

@itskenny0
Author

@taigrr Both added! Thank you!

@xpicio

xpicio commented May 6, 2020

before

rm /tmp/salt-store
rm /var/tmp/salt-store

we added the following commands

chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
rm /usr/bin/salt-store

@itskenny0
Author

@xpicio Also added! Thanks!

@pmahalwar-intertrust

pmahalwar-intertrust commented May 8, 2020

Thanks a lot. It was very helpful.

I also added 'salt-store' in your remove crontab persistence for loop to remove this line from crontab :

* * * * * /usr/bin/salt-store || /tmp/salt-store || /var/tmp/salt-store

@itskenny0
Author

@pmahalwar-intertrust I wasn't aware they were doing that now. That was also added! Thanks a lot!

@MartinMystikJonas

I found a few additional things to do:

  1. sed -i '/bitbucket.org$/d' /etc/hosts;
  2. rm /usr/local/lib/*.so; rm /etc/ld.so.preload; ldconfig (there is a random-name .so included in ld.so.preload; this file is hidden from ls)
  3. There is a random-name cron file in /etc/cron.d periodically running a random-named binary
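A read-only audit that checks for the same indicators the cleanup script above removes (dropped salt-store/salt-minions binaries, the .ICE* directories, the crontab patterns, the appended SSH key, the nmi_watchdog sysctl override) together with the items in the comments (a non-empty /etc/ld.so.preload, a cron job launched from /tmp, a bitbucket.org entry in /etc/hosts). It is an added example, not the gist's code or any commenter's: it deletes nothing and prints one finding per line so a host can be reviewed before the cleanup is run. The `audit_salt_ioc` function and its ROOT argument (a path prefix so the audit can run against a mounted image or a test tree) are this example's own assumptions.

```shell
#!/bin/bash
# Read-only audit for the SaltStack-compromise indicators named in the gist and
# its comments. Added example, not part of the gist. Nothing is deleted.
# ROOT (first argument) prefixes every path: "/" for the live host, or a
# mounted image / test tree. This argument is an assumption of this example.

# Fixed-string indicators from the gist's crontab loop (sed anchors dropped)
# plus the crontab line quoted in the comments.
SALT_IOC_PATTERNS='54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 89.223.121.139 torsocks anagima3 sa.sh c.sh selcdn.ru salt-store'
SALT_DROP_PATHS='/tmp/salt-minions /tmp/salt-store /var/tmp/salt-store /usr/bin/salt-store'
SSH_KEY_FRAGMENT='PbNwmJNcFwSLF12fFBoF/'

# audit_salt_ioc ROOT: prints "kind: detail" lines and a final "findings: N" line;
# returns 0 when nothing was found, 1 otherwise.
audit_salt_ioc() {
    local root="${1:-/}" n=0 p d f k pat attrs
    root="${root%/}"            # "/" becomes "", so "$root/tmp" is "/tmp"

    # 1. dropped binaries (newer variants set chattr +i, hence the gist's chattr -i)
    #    and the .ICE* working directories
    for p in $SALT_DROP_PATHS; do
        if [ -e "$root$p" ]; then
            attrs=$(lsattr -d "$root$p" 2>/dev/null | awk '{print $1}')
            echo "file: $root$p attrs=${attrs:-?}"
            n=$((n + 1))
        fi
    done
    for d in "$root/tmp" "$root/var/tmp"; do
        for p in "$d"/.ICE*; do
            [ -e "$p" ] || continue
            echo "file: $p"
            n=$((n + 1))
        done
    done

    # 2. cron persistence: per-user spools (Debian and RHEL layouts), /etc/cron.d
    #    and /etc/crontab; flag known indicators and any job run out of /tmp
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
             "$root"/etc/cron.d/* "$root"/etc/crontab; do
        [ -f "$f" ] || continue
        for pat in $SALT_IOC_PATTERNS; do
            if grep -qF -- "$pat" "$f"; then
                echo "cron: $f contains $pat"
                n=$((n + 1))
            fi
        done
        if grep -Eq '(^|[[:space:]])/(var/)?tmp/' "$f"; then
            echo "cron: $f runs something from /tmp or /var/tmp"
            n=$((n + 1))
        fi
    done

    # 3. the SSH key the v5 variant appends to authorized_keys
    for k in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$k" ] || continue
        if grep -qF -- "$SSH_KEY_FRAGMENT" "$k"; then
            echo "sshkey: $k"
            n=$((n + 1))
        fi
    done

    # 4. LD_PRELOAD hiding: ld.so.preload is normally absent or empty; the comment
    #    notes the preloaded .so hides itself from ls, so read the file directly
    if [ -s "$root/etc/ld.so.preload" ]; then
        echo "preload: $root/etc/ld.so.preload lists $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        n=$((n + 1))
    fi

    # 5. /etc/hosts pinning of bitbucket.org and the nmi_watchdog sysctl override
    if [ -f "$root/etc/hosts" ] && grep -q 'bitbucket.org' "$root/etc/hosts"; then
        echo "hosts: bitbucket.org entry in $root/etc/hosts"
        n=$((n + 1))
    fi
    if [ -f "$root/etc/sysctl.conf" ] && grep -q 'kernel.nmi_watchdog' "$root/etc/sysctl.conf"; then
        echo "sysctl: kernel.nmi_watchdog set in $root/etc/sysctl.conf"
        n=$((n + 1))
    fi

    echo "findings: $n"
    [ "$n" -eq 0 ]
}

# Only audit when a root is given explicitly, e.g. ./audit.sh /  or  ./audit.sh /mnt/image
if [ $# -gt 0 ]; then
    audit_salt_ioc "$1"
fi
```

The pattern list is fixed-string (grep -F), so `sa.sh` and `c.sh` lose the regex anchors the gist's sed loop uses; a reviewer still has to read each flagged crontab line, since the IPs change between variants, as the gist's own warning says. A non-zero exit status makes the function usable from a fleet-wide check (salt-run, Ansible, or plain ssh) to list hosts that still need the cleanup.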
