Skip to content

Instantly share code, notes, and snippets.

@itskenny0
Last active November 5, 2020 10:46
Show Gist options
  • Star 14 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save itskenny0/df20bdb24a2f49b318a91195634ed3c6 to your computer and use it in GitHub Desktop.
Save itskenny0/df20bdb24a2f49b318a91195634ed3c6 to your computer and use it in GitHub Desktop.
Cleanup script for salt minions affected by recent CVE exploitation - https://saltexploit.com - https://github.com/saltstack/salt/issues/57057
#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.
# remove crontab persistence
for i in 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 54.36.185.99 54.36.185.99 89.223.121.139 torsocks anagima3 sa.sh$ c.sh$ selcdn.ru salt-store; do
# remove for root
crontab -l | sed "/$i/d" | crontab -
# check other users crontabs
for f in $(ls /var/spool/cron/crontabs/*); do
user=$(basename $f)
crontab -l -u $user | sed "/$i/d" | crontab -u $user -
done
done
# warning! these IPs change! please manually verify your crontab with crontab -l
# to make sure there are no other malicious entries
# remove ssh public key added by v5
sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
for i in $(ls /home/*/.ssh/authorized_keys); do
sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' $i
done
# newer versions seem to set themselves immutable
chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
chattr -i /tmp/salt-minions
chattr -i /usr/bin/salt-store
# remove all the trash
rm /tmp/salt-minions
rm /tmp/salt-store
rm /var/tmp/salt-store
rm /usr/bin/salt-store
rm /etc/selinux/config
rm -rf /tmp/.ICE*
rm -rf /var/tmp/.ICE*
rm /root/.wget-hsts
# create apparmor profiles to prevent execution
echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
apparmor_parser -r -W /etc/apparmor.d/salt-store
echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
apparmor_parser -r -W /etc/apparmor.d/salt-minions
# reenable nmi watchdog
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf
# disable hugepages
sysctl -w vm.nr_hugepages=0
# enable apparmor
systemctl enable apparmor
systemctl start apparmor
# kill processes and reenabler
kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
ps aux | grep ICEd | grep -v grep | cut -c5-15 | xargs -n 1 kill -9
killall -9 salt-minions
killall -9 salt-store
# fix syslog
touch /var/log/syslog
service rsyslog restart
@taigrr
Copy link

taigrr commented May 5, 2020

Please also add:

cd /var/spool/cron/ && grep -r . * (requires interactivity, this doesn't remove them)
Some affected are finding crontabs for users other than root.

@taigrr
Copy link

taigrr commented May 5, 2020

@itskenny0 salt-store (and possibly salt-minions) also downloads to /usr/bin/salt-store now. Would you mind updating it for that too?

@itskenny0
Copy link
Author

@taigrr Both added! Thank you!

@xpicio
Copy link

xpicio commented May 6, 2020

before

rm /tmp/salt-store
rm /var/tmp/salt-store

we added the following commands

chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
rm /usr/bin/salt-store

@itskenny0
Copy link
Author

@xpicio Also added! Thanks!

@pmahalwar-intertrust
Copy link

pmahalwar-intertrust commented May 8, 2020

Thanks a lot. It was very helpful.

I also added 'salt-store' in your remove crontab persistence for loop to remove this line from crontab :

* * * * * /usr/bin/salt-store || /tmp/salt-store || /var/tmp/salt-store

@itskenny0
Copy link
Author

@pmahalwar-intertrust I wasn't aware they were doing that now. That was also added! Thanks a lot!

@MartinMystikJonas
Copy link

I found few additional things to do:

  1. sed -i '/bitbucket.org$/d' /etc/hosts;
  2. rm /usr/local/lib/*.so; rm /etc/ld.so.preload; ldconfig There is random name .so included in ld.so.preload (this file is hiddedn from ls)
  3. There is random name cron file in /etc/cron.d periodically running random named binary

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment