热心市民王先生

04-关键技术验证

检测脚本 清除程序 YARA 规则

本章提供可操作的技术验证内容,包括检测脚本、清除程序、配置参数、YARA 规则,以及取证分析工具。

4.1 基于主机的检测脚本

4.1.1 进程检测

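#!/bin/bash
# detect_xmrig_masquerade.sh
# Detect XMRig processes masquerading as systemd components.
#
# Read-only host checks; safe to run on a live system. Run as root so
# /proc/<pid>/exe of other users' processes and every directory are
# readable. A clean run means "these indicators were not found", not
# "not compromised": argv[0] spoofing, LD_PRELOAD or a kernel rootkit
# defeats name-based checks, and a packed binary under 1 MB falls
# outside the size window used by method 4.

echo "=== 检测伪装的 XMRig 进程 ==="

# Method 1: suspicious process names. pgrep excludes itself, which makes
# the `ps | grep | grep -v grep` dance unnecessary; -a prints the full
# command line so a hit can be reviewed directly.
echo "[1] 检查 systemd-bench 进程..."
if pgrep -af 'systemd-bench|\.bench\.' >/dev/null; then
    echo "⚠️  发现可疑进程:"
    pgrep -af 'systemd-bench|\.bench\.'
else
    echo "✓ 未发现 systemd-bench 进程"
fi

# Method 1b: running processes whose executable was unlinked from disk.
# Not specific to this campaign, but a common dropper pattern (launch the
# miner, delete the file) that a filesystem scan alone misses. Daemons
# still running an old binary after a package upgrade also show up
# here, so check the path before acting.
echo ""
echo "[1b] 检查可执行文件已被删除的进程..."
for exe in /proc/[0-9]*/exe; do
    target=$(readlink -- "$exe" 2>/dev/null) || continue
    if [[ "$target" == *" (deleted)" ]]; then
        pid=${exe#/proc/}
        pid=${pid%/exe}
        echo "⚠️  PID $pid 的可执行文件已被删除: $target"
        tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
        echo ""
    fi
done

# Method 2: CPU usage. XMRig pins close to 100% per thread by default.
# ps's %CPU is the average over the process lifetime, so a miner started
# recently on a long-uptime host — or one using the yield/pause options
# listed in 4.3.1 — shows a lower figure; corroborate with `top -bn2 -d1`.
echo ""
echo "[2] 检查高 CPU 使用率进程..."
ps -eo pid,user,pcpu,etimes,comm,args --sort=-pcpu |
    awk 'NR == 1 || $3 > 80 { print ($3 > 80 ? "⚠️  高 CPU: " : "") $0 }'

# Method 3: on-disk artifacts of this campaign (directories and the PID
# file the cleanup script also removes).
echo ""
echo "[3] 检查隐藏挖矿目录..."
for path in /root/.system-cache /root/.system /tmp/.X11-unix/.cache /etc/xmrig-restore /var/run/.bench.pid; do
    if [[ -e "$path" ]]; then
        echo "⚠️  发现可疑路径:$path"
        ls -la -- "$path"
    fi
done

# Method 4: string search in executables. Pseudo-filesystems are pruned
# so the walk does not stall on /proc or /sys, and paths are passed
# NUL-delimited so names with spaces survive. The 1–20 MB window
# targets unpacked XMRig builds. Only two specific strings are used:
# "Monero"/"hwloc" alone are shared with legitimate software.
echo ""
echo "[4] 搜索 XMRig 特征字符串..."
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
    -type f -executable -size +1M -size -20M -print0 2>/dev/null |
while IFS= read -r -d '' bin; do
    if strings -- "$bin" 2>/dev/null | grep -qE 'XMRig|pool\.supportxmr\.com'; then
        echo "⚠️  发现 XMRig 二进制:$bin"
        ls -la -- "$bin"
    fi
done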

4.1.2 Crontab 持久化检测

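#!/bin/bash
# detect_cron_persistence.sh
# Detect crontab-based persistence (the campaign's restore job) and the
# neighbouring places a scheduled re-launcher usually lands.
#
# The patterns are deliberately broad ("restore", "bench") so renamed
# variants are caught too; expect occasional hits on legitimate backup
# jobs. Review every hit — never feed this output into automated
# deletion. Run as root: other users' spool files are mode 0600.

echo "=== 检测 Crontab 持久化 ==="

# Indicators from this campaign: the miner/restore names, the hidden
# ".system*" paths and the "@reboot sleep 90" schedule used by the
# installer (see rule Hetzner_Rescue_Mode_Abuse in 4.4).
PATTERN='xmrig|restore|bench|\.system|@reboot sleep 90'

# [1] Per-user crontabs. `crontab -l` only shows the invoking user's
# table, so the spool directory is read as well (Debian/Ubuntu keep it
# under /var/spool/cron/crontabs, RHEL directly under /var/spool/cron).
echo "[1] 检查用户 crontab..."
if crontab -l 2>/dev/null | grep -E -- "$PATTERN"; then
    echo "⚠️  当前用户 crontab 发现可疑条目"
else
    echo "✓ 当前用户 crontab 正常"
fi
if grep -rHE -- "$PATTERN" /var/spool/cron 2>/dev/null; then
    echo "⚠️  用户 crontab 目录发现可疑条目"
else
    echo "✓ 用户 crontab 目录正常"
fi

# [2] System-wide cron. /etc/crontab and /etc/anacrontab are not matched
# by the /etc/cron.* glob and were previously skipped.
echo ""
echo "[2] 检查系统 crontab..."
if grep -rHE -- "$PATTERN" /etc/crontab /etc/cron.* /etc/anacrontab 2>/dev/null; then
    echo "⚠️  发现可疑系统 cron 任务"
else
    echo "✓ 系统 cron 正常"
fi

# [3] systemd units and timers. Not observed in this campaign's sample,
# but the miner's "systemd-bench" naming makes a unit or timer the
# obvious next place for persistence, and the check is cheap.
echo ""
echo "[3] 检查 systemd 单元/定时器..."
if grep -rHE -- 'xmrig|systemd-bench|\.system-cache|xmrig-restore' \
        /etc/systemd/system /run/systemd/system /usr/lib/systemd/system \
        /root/.config/systemd/user 2>/dev/null; then
    echo "⚠️  发现引用挖矿路径的 systemd 单元"
else
    echo "✓ 未发现可疑 systemd 单元"
fi

# [4] The restore script itself. Listed, not cat'ed: the file is
# attacker-controlled and may contain terminal escape sequences.
echo ""
echo "[4] 检查恢复脚本..."
if [[ -f /etc/xmrig-restore/restore.sh ]]; then
    echo "⚠️  发现 xmrig-restore 目录:"
    ls -la /etc/xmrig-restore/
else
    echo "✓ 未发现 /etc/xmrig-restore/restore.sh"
fi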

4.1.3 SSH 密钥检测

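#!/bin/bash
# detect_unauthorized_ssh_keys.sh
# List SSH authorized keys so unknown ones can be identified.
#
# "No comment" is only a weak hint: many legitimate keys carry none and
# an attacker can append any comment they like. The reliable test is the
# fingerprint — compare every key printed here with the approved-key
# inventory and with the keys registered in the Hetzner console.
# Run as root so every user's ~/.ssh is readable.

echo "=== 检测未授权 SSH 密钥 ==="

# sshd's default AuthorizedKeysFile is ".ssh/authorized_keys
# .ssh/authorized_keys2". A non-default setting must be checked by
# hand: grep -i AuthorizedKeysFile /etc/ssh/sshd_config
KEY_FILES=(.ssh/authorized_keys .ssh/authorized_keys2)
HOMES=()

# [1] Read /etc/passwd field-wise instead of `eval echo ~$user`: eval on
# names read from a file is needless injection risk, and passwd already
# carries the home directory in field 6.
echo "[1] 检查 authorized_keys(含指纹)..."
while IFS=: read -r user _ _ _ _ home _; do
    [[ -n "$home" && -d "$home" ]] || continue
    HOMES+=("$home")
    for rel in "${KEY_FILES[@]}"; do
        auth_keys="$home/$rel"
        [[ -f "$auth_keys" ]] || continue
        echo "检查 $user 的 $auth_keys..."
        while IFS= read -r line || [[ -n "$line" ]]; do
            [[ -z "$line" || "$line" == \#* ]] && continue
            # ssh-keygen -l understands authorized_keys lines, including
            # leading options such as command="..." or from="...".
            fp=$(ssh-keygen -lf /dev/stdin <<<"$line" 2>/dev/null) || fp="(无法解析的密钥行)"
            if [[ "$line" != *@* ]]; then
                echo "⚠️  可疑密钥(无注释): $fp"
            else
                echo "    $fp"
            fi
            echo "    完整密钥:$line"
        done < "$auth_keys"
    done
done < /etc/passwd

# [2] Recently changed key files. Both mtime and ctime are checked:
# mtime is forged with a single touch(1), ctime cannot be set from
# userspace, so a recent ctime next to an old mtime is itself a finding.
echo ""
echo "[2] 检查最近修改的 authorized_keys..."
find "${HOMES[@]}" -maxdepth 2 -path '*/.ssh/authorized_keys*' \
        \( -mtime -7 -o -ctime -7 \) 2>/dev/null |
while IFS= read -r f; do
    echo "⚠️  7 天内修改:$f"
    stat -c 'mtime=%y  ctime=%z  size=%s  %n' -- "$f"
done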

4.1.4 网络连接到矿池检测

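#!/bin/bash
# detect_mining_pool_connections.sh
# Look for evidence of connections to known Monero mining pools.
#
# Coverage caveats: the pool list is the one seen in this campaign, not
# exhaustive; the DNS check only works where a logging resolver (dnsmasq
# log-queries, systemd-resolved debug) writes to the files below; and
# the config in 4.3.1 talks TLS on port 443, so a :443 connection means
# "inspect the process", not "alert". Run as root for ss -p to show
# processes owned by other users.

echo "=== 检测矿池连接 ==="

# Known pool domains
MINING_POOLS=(
    "pool.supportxmr.com"
    "nanopool.org"
    "hashvault.pro"
    "minexmr.com"
    "xmrpool.eu"
)

# Method 1: DNS query logs. -F matches the name literally; with the
# default regex mode each "." would match any character.
echo "[1] 检查 DNS 查询日志..."
for pool in "${MINING_POOLS[@]}"; do
    if grep -rF -- "$pool" /var/log/syslog /var/log/dnsmasq.* 2>/dev/null; then
        echo "⚠️  发现 $pool 的 DNS 查询"
    fi
done

# Method 2: established TCP connections. With a state filter ss drops
# the State column, so the peer address is field 4; matching only that
# field avoids the old pattern's hits on local ports and on :4433-style
# suffixes. 3333/5555/7777 are stratum ports with little legitimate
# use; :443 peers are listed with their process for manual triage.
echo ""
echo "[2] 检查活动网络连接..."
ss -tnp state established 2>/dev/null | awk '
    $4 ~ /:(3333|5555|7777)$/ { print "⚠️  矿池常用端口: " $0; next }
    $4 ~ /:443$/ && $0 !~ /nginx|apache/ { print "    443 出站(请确认进程): " $0 }
'

# Method 3: firewall rules for the ports flagged by this check
# (presumably those the campaign opened). The kernel's own view
# (iptables/nft) is dumped too: rules inserted directly are invisible
# to `ufw status`.
echo ""
echo "[3] 检查防火墙规则..."
IOC_PORTS='2222|8443|3443|58888'
{
    command -v ufw      >/dev/null && ufw status verbose 2>/dev/null
    command -v iptables >/dev/null && iptables -S 2>/dev/null
    command -v nft      >/dev/null && nft list ruleset 2>/dev/null
} | grep -E -- "$IOC_PORTS" && echo "⚠️  发现可疑端口规则"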

4.2 完整清除脚本

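#!/bin/bash
# remove_xmrig_persistence.sh
# Remove the XMRig persistence described in this chapter.
# ⚠️  Requires root. Destructive: deletes files and crontab lines.
#
# Order: snapshot evidence → kill processes → remove the cron
# re-launcher → remove files. Killing first stops the restore job from
# re-dropping files mid-run. This removes the *persistence* only; the
# entry point (Rescue Mode access, console SSH keys, leaked tokens) must
# be closed separately or the miner simply comes back.

set -euo pipefail

if [[ $EUID -ne 0 ]]; then
    echo "⚠️  此脚本需要 root 权限" >&2
    exit 1
fi

echo "=== XMRig 持久化清除脚本 ==="
echo "⚠️  警告:此脚本将删除所有相关文件。请确认后再执行。"
read -r -p "确认继续?(yes/no): " confirm

if [[ "$confirm" != "yes" ]]; then
    echo "操作已取消"
    exit 0
fi

# On-disk artifacts of this campaign (paths from the detection scripts
# and the YARA rules in 4.4).
ARTIFACTS=(
    /root/.system-cache
    /root/.system
    /etc/xmrig-restore
    /usr/local/bin/miner-status
    /usr/local/bin/miner-stop
    /var/run/.bench.pid
    /var/log/xmrig-restore.log
)
# Crontab lines that belong to the miner. Kept narrow on purpose:
# "restore" or "bench" alone could delete a legitimate job.
CRON_IOC='xmrig|systemd-bench|\.system-cache|\.bench\.'

failed=0

# 0. Evidence first. Once the files and cron lines are gone, "how did
# they get in" and "what else ran" can no longer be answered from this
# host.
evidence=$(mktemp -d /root/ir-evidence-XXXXXX)
echo "[0/6] 保存证据到 $evidence ..."
ps -eo pid,ppid,user,pcpu,etimes,args > "$evidence/ps.txt" || true
crontab -l > "$evidence/root-crontab.txt" 2>/dev/null || true
ss -tnp > "$evidence/ss.txt" 2>/dev/null || true
tar -czf "$evidence/artifacts.tar.gz" --ignore-failed-read -- "${ARTIFACTS[@]}" 2>/dev/null || true
echo "✓ 证据已保存"

# 1. Kill the miner.
echo "[1/6] 杀死 XMRig 进程..."
# The PID file is attacker-controlled. Validate it before passing it to
# kill: a file containing "-1" turns `kill -9 $(cat ...)` into a signal
# to every process on the host.
if [[ -f /var/run/.bench.pid ]]; then
    pid=$(tr -d '[:space:]' < /var/run/.bench.pid)
    if [[ "$pid" =~ ^[0-9]+$ ]] && (( pid > 1 )); then
        kill -9 "$pid" 2>/dev/null || true
    else
        echo "⚠️  /var/run/.bench.pid 内容异常,已忽略:'$pid'"
    fi
fi
# `pkill -f xmrig` matches whole command lines — including this script's
# own ("remove_xmrig_persistence.sh") and a parent `sudo … xmrig …` —
# and would kill the cleanup halfway through. Select PIDs explicitly and
# skip ourselves and our parent.
for pid in $(pgrep -f 'systemd-bench|xmrig' || true); do
    if [[ "$pid" == "$$" || "$pid" == "$PPID" ]]; then
        continue
    fi
    kill -9 "$pid" 2>/dev/null || true
done
sleep 1
if pgrep -f 'systemd-bench' >/dev/null; then
    echo "⚠️  仍有 systemd-bench 进程存活,可能存在未知的守护/重启机制"
    failed=1
else
    echo "✓ 进程已终止"
fi

# 2. Crontab (root's only; other users are covered by
# detect_cron_persistence.sh). Rewritten explicitly rather than
# `grep -v | crontab -`: under pipefail that pipeline fails whenever
# grep -v has no output (every line was malicious) and `|| true` would
# then hide that nothing was installed.
echo "[2/6] 删除 crontab 持久化..."
if existing=$(crontab -l 2>/dev/null); then
    cleaned=$(grep -vE -- "$CRON_IOC" <<<"$existing" || true)
    if [[ "$cleaned" != "$existing" ]]; then
        if [[ -z "$cleaned" ]]; then
            crontab -r
        else
            crontab - <<<"$cleaned"
        fi
    fi
fi
echo "✓ Crontab 已清理"

# remove_path <path>: clear immutable/append-only attributes (the
# installer advertises "deletion protection"), remove, then verify.
# The previous `rm -rf … || true` reported success even when rm failed.
remove_path() {
    local path=$1
    if [[ ! -e "$path" && ! -L "$path" ]]; then
        return 0
    fi
    if command -v chattr >/dev/null; then
        chattr -R -ia "$path" 2>/dev/null || true
    fi
    rm -rf -- "$path" 2>/dev/null || true
    if [[ -e "$path" || -L "$path" ]]; then
        echo "⚠️  无法删除 $path(检查 lsattr、挂载选项或 bind mount)"
        failed=1
    else
        echo "  已删除 $path"
    fi
}

echo "[3/6] 删除持久化目录..."
for p in /root/.system-cache /root/.system /etc/xmrig-restore; do
    remove_path "$p"
done

echo "[4/6] 删除管理工具..."
for p in /usr/local/bin/miner-status /usr/local/bin/miner-stop; do
    remove_path "$p"
done

echo "[5/6] 删除运行时文件..."
for p in /var/run/.bench.pid /var/log/xmrig-restore.log; do
    remove_path "$p"
done

# 6. SSH keys are never removed automatically (that is how you lock
# yourself out); the fingerprints are printed for comparison with the
# approved inventory.
echo "[6/6] 检查 SSH 密钥..."
echo "⚠️  请手动检查 /root/.ssh/authorized_keys 移除可疑密钥"
echo "   查找无注释的密钥或未知指纹"
ssh-keygen -lf /root/.ssh/authorized_keys 2>/dev/null || true

echo ""
if (( failed )); then
    echo "=== 清除未完全成功,请处理上面的 ⚠️  条目 ==="
else
    echo "=== 清除完成 ==="
fi
echo "证据副本:$evidence"
echo "建议后续操作:"
echo "1. 检查 Hetzner 控制台移除未知 SSH 密钥,并确认 Rescue Mode 已关闭"
echo "2. 轮换所有 API 令牌和密码"
echo "3. 启用云审计日志"
echo "4. 监控 CPU 使用率 24 小时"
echo "5. 重新运行检测脚本确认无残留"
exit "$failed"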

4.3 XMRig 配置参数参考

4.3.1 典型恶意配置

{
    "_comment": "攻击者典型配置示例",
    "pools": [{
        "coin": "monero",
        "url": "pool.supportxmr.com:443",
        "user": "4ABnCJEm7Umfip66...DiXd75r",
        "pass": "work232_web",
        "tls": true,
        "keepalive": true,
        "nicehash": false
    }],
    "cpu": {
        "enabled": true,
        "huge-pages": false,
        "hw-aes": true,
        "priority": 3,
        "yield": true,
        "max-threads-hint": 100,
        "asm": true
    },
    "http": {
        "enabled": false,
        "host": "127.0.0.1",
        "port": 0
    },
    "donate-level": 1,
    "syslog": false,
    "verbose": 0,
    "pause-on-battery": false,
    "pause-on-active": false
}

4.3.2 配置参数含义

| 参数 | 典型值 | 含义 | 检测价值 |
|---|---|---|---|
| tls | true | TLS 加密连接 | 高(规避基于明文 stratum 协议的流量检测) |
| keepalive | true | 持久连接 | — |
| http.enabled | false | 禁用本地 HTTP API | 高(避免被本地端口扫描发现) |
| yield | true | 让出 CPU,优先系统响应 | 中(降低可见性) |
| priority | 3 | 线程优先级(XMRig 取值范围 0–5,0 最低;3 为中等,并非低优先级) | — |
| verbose | 0 | 最小日志输出 | 高(避免日志) |
| syslog | false | 不写系统日志 | 高(避免日志) |
| donate-level | 1 | 1% 开发者捐赠 | 低(默认值) |

4.4 YARA 检测规则

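rule XMRig_Cryptojacker_SystemdBench {
    meta:
        description = "Detects XMRig masquerading as systemd-bench"
        author = "Innora Security"
        date = "2026-03-08"
        reference = "Hetzner Cloud Cryptojacking Campaign"
        hash_sha256 = "96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46"

    strings:
        // "systemd-bench" is the on-disk/argv name, not a string inside the
        // binary, so $s1+$s2 together are expected to fire on process-memory
        // scans (argv[0]) rather than on the file itself.
        $s1 = "XMRig" ascii
        $s2 = "systemd-bench" ascii
        // Campaign-specific: the pool from 4.3.1 and the build path of the sample.
        $s3 = "pool.supportxmr.com" ascii
        $s4 = "/home/buildbot/xmrig/scripts/build/" ascii
        // Generic miner strings, also present in legitimate XMRig builds and
        // other RandomX software: this group means "a miner is present", not
        // "this campaign". Triage hits by path, owner and parent process.
        $s5 = "Monero" ascii
        $s6 = "RandomX" ascii
        $s7 = "hwloc" ascii
        // First 8 bytes of the campaign wallet address from 4.3.1:
        // 34 41 42 6E 43 4A 45 6D = "4ABnCJEm" (decode to verify before use).
        $h1 = { 34 41 42 6E 43 4A 45 6D }

    condition:
        ($s1 and $s2) or
        ($s3 and $s4) or
        ($s5 and $s6 and $s7) or
        $h1
}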

rule XMRig_Installer_Script {
    meta:
        description = "Detects XMRig installer script with Russian comments"
        author = "Innora Security"
        date = "2026-03-08"
        language = "Bash"

    strings:
        // Shebang as written by the sample; an installer using
        // "#!/usr/bin/env bash" would not satisfy this atom.
        $bash1 = "#!/bin/bash" ascii
        // Russian comments from the sample, matched as raw UTF-8 bytes.
        $comment1 = "Автоматическая установка" ascii  // "Automatic installation"
        $comment2 = "защитой от удаления" ascii       // "deletion protection"
        // Variable names used by the installer.
        $var1 = "XMRIG_VERSION" ascii
        $var2 = "WORKER_NAME" ascii
        // Release lookup via the GitHub API; benign XMRig install helpers use
        // the same URL, which is why it is only required in combination.
        $url1 = "api.github.com/repos/xmrig/xmrig/releases" ascii

    condition:
        $bash1 and $url1 and 1 of ($comment*) and 1 of ($var*)
}

rule Hetzner_Rescue_Mode_Abuse {
    meta:
        description = "Detects indicators of Hetzner Rescue Mode abuse"
        author = "Innora Security"
        date = "2026-03-08"
        category = "Cloud Attack"

    strings:
        // Any OpenSSH public key line matches these two; on their own they
        // are meaningless and only tie a script to the key-drop step.
        $sshkey1 = "ssh-ed25519" ascii
        $sshkey2 = "ssh-rsa" ascii
        // Persistence paths observed in the campaign.
        $path1 = "/etc/xmrig-restore/" ascii
        $path2 = "/root/.system-cache/" ascii
        // Cron schedules written by the installer. "*/30 * * * *" is common
        // in legitimate crontabs, hence the path and script requirements.
        $cron1 = "@reboot sleep 90" ascii
        $cron2 = "*/30 * * * *" ascii
        $script1 = "restore.sh" ascii

    condition:
        1 of ($sshkey*) and 1 of ($path*) and 1 of ($cron*) and $script1
}

4.4.1 使用 YARA 规则

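# Install YARA
sudo apt-get install -y yara  # Debian/Ubuntu

# Save the three rules from 4.4 into one file (e.g. cryptojacking.yar) and
# scan the locations used by this campaign. Keep stderr visible: a rule
# that fails to compile is reported there, and with 2>/dev/null the scan
# silently "finds nothing". -s prints the matched strings for triage.
# yara accepts a single target per invocation, hence the loop.
for dir in /root /etc /tmp /usr/local/bin; do
    yara -r -s cryptojacking.yar "$dir"
done

# Process memory: the target is a PID given as the positional argument
# (`yara RULES PID`). -p is --threads, not a PID option, and -r only
# applies to directories, so the previous `yara -r … -p $(pidof …)`
# form never scanned a process. pidof may return several PIDs or none,
# so loop instead of substituting it inline. Needs root (ptrace).
for pid in $(pidof systemd-bench); do
    yara -s cryptojacking.yar "$pid"
done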

4.5 取证分析工具

4.5.1 时间线分析

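#!/bin/bash
# analyze_attack_timeline.sh
# Collect the timestamps needed to reconstruct the attack timeline.
#
# Forensic notes: a file's mtime (Modify) is set with one touch(1)
# command; its ctime (Change) cannot be set from userspace, so both are
# printed and ctime wins when they disagree. This script is read-only —
# run it and save its output before any cleanup.

echo "=== 攻击时间线分析 ==="

# %y mtime, %z ctime, %w birth time (only on filesystems that record it).
# The .ssh directory's own ctime moves when authorized_keys is created
# or replaced, which catches a key file that was later "touch -r"ed.
echo "[1] authorized_keys 修改时间..."
stat -c 'mtime=%y  ctime=%z  birth=%w  %n' /root/.ssh/authorized_keys /root/.ssh 2>/dev/null

# A Rescue Mode session appears only indirectly: the rescue OS boots from
# its own image, so the host's wtmp shows a shutdown and a later boot
# with an unexplained gap between them.
echo ""
echo "[2] 系统启动/重启时间..."
who -b
last -x shutdown reboot 2>/dev/null | head -10

# `last -20 sshd` filtered on the *user name* "sshd", which never logs
# in, so it printed nothing. List the last 20 logins with source hosts,
# then sshd's own messages (accepted key fingerprint + source IP) — the
# first place an attacker-added key shows up in use.
echo ""
echo "[3] 最近 SSH 登录..."
last -a -n 20
echo "--- sshd 日志(最近 7 天,Accepted/Failed) ---"
if command -v journalctl >/dev/null; then
    journalctl _COMM=sshd --since '7 days ago' --no-pager 2>/dev/null |
        grep -E 'Accepted|Failed|Invalid user' | tail -50
else
    grep -hE 'sshd.*(Accepted|Failed|Invalid user)' /var/log/auth.log /var/log/secure 2>/dev/null | tail -50
fi

# History carries timestamps only if HISTTIMEFORMAT was set: each command
# is preceded by a "#<epoch>" line, rendered here with bash's builtin
# %(…)T. The most recent entries matter, so the tail is shown. A missing
# or empty history on an account that is clearly used interactively is
# itself a finding — attackers routinely clear it.
echo ""
echo "[4] Bash 历史时间戳..."
if [[ -s /root/.bash_history ]]; then
    while IFS= read -r line || [[ -n "$line" ]]; do
        if [[ "$line" =~ ^#([0-9]+)$ ]]; then
            printf '%(%F %T)T  ' "${BASH_REMATCH[1]}"
        else
            printf '%s\n' "$line"
        fi
    done < /root/.bash_history | tail -40
else
    echo "⚠️  /root/.bash_history 不存在或为空(可能已被清除)"
fi

# Spool files are rewritten on every `crontab -`, so their ctime dates
# the persistence; the restore script and hidden directory date the
# install itself.
echo ""
echo "[5] Crontab 与持久化文件时间..."
stat -c 'mtime=%y  ctime=%z  %n' /var/spool/cron/crontabs/root /var/spool/cron/root \
    /etc/xmrig-restore /etc/xmrig-restore/restore.sh /root/.system-cache /var/run/.bench.pid 2>/dev/null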

4.5.2 网络取证

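#!/bin/bash
# network_forensics.sh
# Snapshot the host's network state for the investigation.
#
# Volatile data first: connections vanish the moment the miner is
# killed. Run as root so ss -p can attribute other users' sockets.

echo "=== 网络取证 ==="

# "Idle" is not an ss state, so the old `grep -v 'Idle'` filtered
# nothing. Show established TCP connections with the owning process.
echo "[1] 活动网络连接..."
ss -tnp state established

echo ""
echo "[2] 监听端口..."
ss -tulnp

# systemd-resolve was renamed resolvectl (systemd 239+). `statistics`
# gives cache hit/miss counters, not the cached names — there is no
# portable way to dump the local cache. /etc/resolv.conf is printed so
# the analyst knows which resolver's query logs to pull; it is not a
# cache and should not be read as one.
echo ""
echo "[3] DNS 解析器状态..."
if command -v resolvectl >/dev/null; then
    resolvectl statistics 2>/dev/null
elif command -v systemd-resolve >/dev/null; then
    systemd-resolve --statistics 2>/dev/null
fi
cat /etc/resolv.conf

# ufw's "[UFW BLOCK]" lines come from the netfilter LOG target, i.e. the
# *kernel* log, not from ufw.service (which only loads rules at boot),
# so `journalctl -u ufw` shows nothing useful. The kernel rule set is
# dumped too: rules added directly with iptables/nft are invisible to
# `ufw status`.
echo ""
echo "[4] 防火墙规则与日志..."
command -v ufw >/dev/null && ufw status verbose
iptables -S 2>/dev/null
nft list ruleset 2>/dev/null
journalctl -k --since '2 days ago' --no-pager 2>/dev/null | grep -F '[UFW ' | tail -50
grep -hF '[UFW ' /var/log/ufw.log 2>/dev/null | tail -50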

4.6 云控制台检测查询

4.6.1 Hetzner Cloud API 审计

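#!/bin/bash
# audit_hetzner_api.sh
# Audit the Hetzner Cloud project state relevant to this campaign: the
# SSH keys registered in the project and recent rescue/reboot actions.
#
# The token is read from the environment, never written into the
# script: a token in a file that gets committed or copied around is a
# second credential to revoke. Use a read-only token for auditing and
# set it from a secret store rather than typing it into shell history.

set -euo pipefail

: "${HCLOUD_TOKEN:?请先设置 HCLOUD_TOKEN 环境变量(只读 API 令牌)}"
API='https://api.hetzner.cloud/v1'

# Pass the Authorization header via a file (curl -H @file) so the token
# does not appear in `ps` output or in `set -x` traces. mktemp creates
# the file mode 0600.
hdr=$(mktemp)
trap 'rm -f -- "$hdr"' EXIT
printf 'Authorization: Bearer %s\n' "$HCLOUD_TOKEN" > "$hdr"

# hc <path-and-query>: GET $API/<path>. -f fails loudly on HTTP errors
# instead of piping an error body into jq.
hc() {
    curl -fsS -H @"$hdr" "$API/$1"
}

echo "=== Hetzner Cloud API 审计 ==="

# 1. Every key here can be injected into servers; compare fingerprints
# with the approved list. Anything unknown is a finding (cf. step 6 of
# remove_xmrig_persistence.sh).
echo "[1] SSH 密钥..."
hc 'ssh_keys?per_page=50' | jq -r '.ssh_keys[] | "\(.created)  \(.fingerprint)  \(.name)"'

# 2. Recent successful actions that hand an attacker the disk
# (enable_rescue) or reboot the server into rescue. Only the newest page
# is fetched; follow .meta.pagination for a longer window.
echo ""
echo "[2] 最近的 Rescue Mode / 重启操作..."
hc 'actions?status=success&sort=started&direction=desc&per_page=50' |
    jq -r '.actions[] | select(.command | test("enable_rescue|reboot"))
           | "\(.started)  \(.command)  \((.resources // []) | map("\(.type):\(.id)") | join(","))"'

# 3. Rescue Mode history: there is no dedicated endpoint. The
# enable_rescue entries in step 2 are the API's record; for anything
# older than the retained actions, or for changes made in the web
# console rather than via the API, use the project's audit log in the
# Hetzner console.
echo ""
echo "[3] Rescue Mode 启用历史:见 [2] 中的 enable_rescue 条目;更早或控制台操作请查阅 Hetzner 审计日志"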

4.6.2 推荐监控告警

# cloud_monitoring_rules.yaml
# Cloud control-plane alert rules for the Hetzner project (illustrative).
#
# NOTE(review): `condition` is pseudo-syntax, not the rule language of a
# specific SIEM or of Hetzner's own alerting. Translate each rule into
# your platform, and confirm the exact action names (for example whether
# a reboot is reported as "reboot" or "reboot_server") against the
# Hetzner Cloud API documentation before trusting a match.

alerts:
  # Rescue Mode is the access path this chapter attributes to the campaign
  # (see rule Hetzner_Rescue_Mode_Abuse); it is rarely enabled without a
  # change ticket, so page on it.
  - name: "Rescue Mode Enabled"
    condition: "api_call.command == 'enable_rescue'"
    severity: "critical"
    notification: "pagerduty, slack"

  # Project SSH keys can be injected into servers and rescue systems, so a
  # key added here survives host-level cleanup — cf. the console check in
  # remove_xmrig_persistence.sh's follow-up list.
  - name: "SSH Key Added"
    condition: "api_call.command == 'create_ssh_key'"
    severity: "high"
    notification: "slack"

  # A new token lets the attacker repeat the actions above after the
  # original credential is rotated.
  - name: "API Token Created"
    condition: "api_call.command == 'create_token'"
    severity: "high"
    notification: "slack, email"

  # Rescue Mode takes effect on reboot, so an off-hours reboot is the
  # earlier, weaker signal. Adjust the window to your on-call hours.
  - name: "Server Reboot Outside Business Hours"
    condition: "api_call.command == 'reboot' AND time NOT IN 09:00-18:00"
    severity: "medium"
    notification: "slack"

  # Console brute force; the threshold is a starting point, not a tuned value.
  - name: "Multiple Failed Console Logins"
    condition: "console.failed_logins > 5 IN 10 minutes"
    severity: "high"
    notification: "pagerduty"

4.7 检测脚本汇总

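#!/bin/bash
# complete_detection_suite.sh
# Run the chapter's four detection scripts and keep a copy of the output.
#
# Scripts are located relative to this file, not the caller's cwd, so
# `sudo /path/to/complete_detection_suite.sh` works from anywhere. A
# missing script is reported instead of silently skipped.

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
REPORT=$(mktemp -t detection-report-XXXXXX)

echo "╔════════════════════════════════════════╗"
echo "║   Hetzner 云加密劫持检测套件          ║"
echo "╚════════════════════════════════════════╝"

if [[ $EUID -ne 0 ]]; then
    echo "⚠️  非 root 运行:无法读取其他用户的 crontab、authorized_keys 及其进程信息,结果不完整" >&2
fi

# Output is duplicated to $REPORT so the findings survive the session
# and can be attached to the incident record.
{
    for script in detect_xmrig_masquerade.sh detect_cron_persistence.sh \
                  detect_unauthorized_ssh_keys.sh detect_mining_pool_connections.sh; do
        if [[ -f "$SCRIPT_DIR/$script" ]]; then
            bash "$SCRIPT_DIR/$script"
        else
            echo "⚠️  缺少检测脚本:$SCRIPT_DIR/$script" >&2
        fi
        echo ""
    done
} 2>&1 | tee "$REPORT"

echo ""
echo "=== 检测完成 ==="
echo "报告已保存:$REPORT"
echo "如果发现任何 ⚠️  警告,请立即:"
echo "1. 保存证据后运行清除脚本:./remove_xmrig_persistence.sh"
echo "2. 检查 Hetzner 控制台(SSH 密钥、Rescue Mode、API 令牌)"
echo "3. 轮换所有凭证"
echo "4. 联系安全团队"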

4.8 本章小结

本章提供了可操作的技术验证内容:

  • 检测脚本:进程、持久化、SSH 密钥、网络连接检测
  • 清除程序:清除 XMRig 持久化的完整脚本(运行前先保留证据副本,并确认入侵入口——Rescue Mode、控制台 SSH 密钥、泄露的令牌——已关闭,否则会被重新植入)
  • 配置参数:恶意配置参考和参数含义
  • YARA 规则:三个检测规则覆盖二进制、脚本、攻击指标
  • 取证工具:时间线分析、网络取证、云 API 审计
  • 监控告警:推荐的云控制平面监控规则

下一章将进行风险评估并提供完整的防御指南。

参考资料