Gist itskenny0/df20bdb24a2f49b318a91195634ed3c6, last active November 5, 2020 10:46
Cleanup script for salt minions affected by recent CVE exploitation - https://saltexploit.com - https://github.com/saltstack/salt/issues/57057
```bash
#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.

# remove crontab persistence
# every entry is used as a sed regex: C2 IPs, strings seen in the malicious
# cron lines, and the salt-store binary that newer variants re-launch from cron
for i in 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 89.223.121.139 torsocks anagima3 sa.sh$ c.sh$ selcdn.ru salt-store; do
    # remove for root
    crontab -l | sed "/$i/d" | crontab -
    # check other users crontabs (glob instead of parsing ls output)
    for f in /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        crontab -l -u "$user" | sed "/$i/d" | crontab -u "$user" -
    done
done
# warning! these IPs change! please manually verify your crontab with crontab -l
# to make sure there are no other malicious entries

# remove ssh public key added by v5 (matched on the tail of the key material)
sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
for i in /home/*/.ssh/authorized_keys; do
    [ -f "$i" ] || continue
    sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$i"
done

# newer versions seem to set themselves immutable
chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
chattr -i /tmp/salt-minions
chattr -i /usr/bin/salt-store

# remove all the trash
rm -f /tmp/salt-minions
rm -f /tmp/salt-store
rm -f /var/tmp/salt-store
rm -f /usr/bin/salt-store
rm -f /etc/selinux/config
rm -rf /tmp/.ICE*
rm -rf /var/tmp/.ICE*
rm -f /root/.wget-hsts

# create apparmor profiles to prevent execution (an empty profile denies everything)
echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
apparmor_parser -r -W /etc/apparmor.d/salt-store
echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
apparmor_parser -r -W /etc/apparmor.d/salt-minions

# reenable nmi watchdog
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf

# disable hugepages
sysctl -w vm.nr_hugepages=0

# enable apparmor
systemctl enable apparmor
systemctl start apparmor

# kill processes and reenabler (take the PID column from ps instead of a fixed character range)
kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
ps aux | grep ICEd | grep -v grep | awk '{print $2}' | xargs -n 1 kill -9
killall -9 salt-minions
killall -9 salt-store

# fix syslog
touch /var/log/syslog
service rsyslog restart
```
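The crontab loop above edits live crontabs in place and interprets each indicator as an unescaped sed regex. As an added example (not part of the gist), the script below works on a crontab saved to a file instead: it keeps a backup before editing, matches the indicators as fixed strings, and has a report-only mode so the entries can be reviewed before anything is removed. The indicator values are the ones from the gist's loop; the crontab contents in `demo()` are constructed sample data, not a real capture.

```bash
#!/bin/bash
# Added example (not part of the gist): a safer form of the gist's crontab
# cleanup loop that works on a crontab saved to a file. It backs the file up
# before editing, matches the indicators as fixed strings (grep -F) instead of
# unescaped sed regexes, and offers a report-only mode. The indicator values
# are the ones from the gist's loop; the crontab contents in demo() are
# constructed sample data, not a real capture.

# Indicators from the gist's loop, deduplicated; the gist's "sa.sh$"/"c.sh$"
# end-of-line anchors become plain substrings here.
INDICATORS="54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 89.223.121.139 torsocks anagima3 sa.sh c.sh selcdn.ru salt-store"

# Write one indicator per line to a temp file for grep -F -f; prints its path.
pattern_file() {
    local p
    p=$(mktemp)
    printf '%s\n' $INDICATORS > "$p"
    echo "$p"
}

# Report-only mode: print the lines of crontab file $1 that contain any
# indicator. Exit status 0 if something matched, 1 if the file is clean.
find_ioc_lines() {
    local p rc=0
    p=$(pattern_file)
    grep -F -f "$p" -- "$1" || rc=$?
    rm -f "$p"
    return $rc
}

# Remove matching lines from crontab file $1 in place, keeping a timestamped
# backup next to it ("$1.bak.<epoch>"). Prints the number of lines removed.
clean_crontab_file() {
    local file="$1" backup p before after
    backup="$file.bak.$(date +%s)"
    p=$(pattern_file)
    cp -p -- "$file" "$backup"
    before=$(wc -l < "$backup")
    # grep -v exits 1 when every line was removed; that still counts as success
    grep -v -F -f "$p" -- "$backup" > "$file" || true
    after=$(wc -l < "$file")
    rm -f "$p"
    echo $((before - after))
}

# Walk through both modes on a constructed sample crontab. On a real host you
# would save "crontab -l -u USER > file", review the report, clean the file,
# and reinstall it with "crontab -u USER file".
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# m h dom mon dow command   (constructed sample, not a real crontab)
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /bin/sh /tmp/sa.sh
* * * * * /usr/bin/salt-store || /tmp/salt-store || /var/tmp/salt-store
30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
EOF
    echo "== suspicious lines =="
    find_ioc_lines "$tmp" || echo "(none)"
    echo "== removed $(clean_crontab_file "$tmp") line(s); remaining =="
    cat "$tmp"
    rm -f "$tmp" "$tmp".bak.*
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash script.sh demo` to see the report and the cleaned result. Fixed-string matching means an IP like `54.36.185.99` cannot accidentally match other digit sequences the way the unescaped dots in the gist's `sed "/$i/d"` can, and the backup file gives you the original entries to review when the indicators change again.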
Thanks a lot. It was very helpful.
I also added 'salt-store' to your "remove crontab persistence" for loop to remove this line from crontab:
* * * * * /usr/bin/salt-store || /tmp/salt-store || /var/tmp/salt-store
@pmahalwar-intertrust I wasn't aware they were doing that now. That was also added! Thanks a lot!
I found a few additional things to do:
sed -i '/bitbucket.org$/d' /etc/hosts;
rm /usr/local/lib/*.so; rm /etc/ld.so.preload; ldconfig
There is a random-named .so included in ld.so.preload (this file is hidden from ls). There is a random-named cron file in /etc/cron.d periodically running a random-named binary.
@xpicio Also added! Thanks!
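xpicio's comment above points at three artefacts that the gist's `rm` lines do not cover, and notes that the preload library hides its own file from `ls`. As an added example (not part of the gist or the comments), the script below is a read-only audit for exactly those three: it reads `/etc/ld.so.preload` by its known path rather than listing the directory, reports `/etc/hosts` lines ending in `bitbucket.org`, and flags `/etc/cron.d` jobs whose command lives in a scratch directory. The `ROOT` parameter exists only so the function can be exercised on a constructed directory tree; the scratch-directory list is an assumption, except for `/usr/local/lib`, which the comment names as the drop location.

```bash
#!/bin/sh
# Added example, not part of the gist or its comments: a read-only audit for
# the artefacts xpicio's comment describes (an entry in /etc/ld.so.preload, a
# bitbucket.org override in /etc/hosts, and a /etc/cron.d job that runs a
# binary from a scratch directory). ROOT is a parameter only so the function
# can be exercised on a constructed directory tree; on a real host call it
# with no argument. The scratch-directory list is an assumption, except for
# /usr/local/lib, which the comment names as the drop location.

# Print one finding per line for the filesystem rooted at $1 ("" = real root).
audit_tree() {
    root="${1:-}"
    # Read the file by its known path. A preloaded library that hooks readdir()
    # can make ls omit the file, but open()/read() of the exact path still work.
    if [ -s "$root/etc/ld.so.preload" ]; then
        while IFS= read -r lib; do
            [ -n "$lib" ] || continue
            if [ -e "$root$lib" ]; then state=present; else state=missing; fi
            echo "ld.so.preload: $lib ($state on disk)"
        done < "$root/etc/ld.so.preload"
    fi
    # The comment deletes lines ending in bitbucket.org from /etc/hosts.
    if [ -f "$root/etc/hosts" ] && grep -q 'bitbucket\.org$' "$root/etc/hosts"; then
        grep 'bitbucket\.org$' "$root/etc/hosts" | while IFS= read -r line; do
            echo "hosts: $line"
        done
    fi
    # cron.d entries whose command path points into a scratch directory.
    for f in "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '(/tmp/|/var/tmp/|/dev/shm/|/usr/local/lib/)' "$f"; then
            echo "cron.d: $(basename "$f")"
        fi
    done
    return 0
}

# Exercise the audit on a constructed tree (made-up names, not real IoCs).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/usr/local/lib"
    echo "/usr/local/lib/libexample-hook.so" > "$t/etc/ld.so.preload"
    : > "$t/usr/local/lib/libexample-hook.so"
    printf '127.0.0.1 localhost\n0.0.0.0 bitbucket.org\n' > "$t/etc/hosts"
    printf '*/10 * * * * root /var/tmp/xyzq\n' > "$t/etc/cron.d/xyzq"
    printf '0 6 * * * root /usr/sbin/apt-daily\n' > "$t/etc/cron.d/apt"
    audit_tree "$t"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh audit.sh demo` prints the three findings from the constructed tree; `audit_tree` with no argument inspects the real root. Because the audit only reads files, it is safe to run before the gist's cleanup to record what was present, and again afterwards to confirm the preload entry and the cron.d job are gone.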