{"id":54909,"date":"2018-03-19T09:00:15","date_gmt":"2018-03-19T01:00:15","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=54909"},"modified":"2018-03-19T15:13:14","modified_gmt":"2018-03-19T07:13:14","slug":"%e6%96%b0%e6%8c%96%e7%a4%a6%e6%94%bb%e6%93%8a%e5%88%a9%e7%94%a8-eternalblue%e6%b0%b8%e6%81%86%e4%b9%8b%e8%97%8d-%e6%bc%8f%e6%b4%9e%e6%94%bb%e6%93%8a%e6%8a%80%e5%b7%a7%e5%85%a5%e4%be%b5%e4%bc%ba","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=54909","title":{"rendered":"\u65b0\u6316\u7926\u653b\u64ca\u5229\u7528 EternalBlue(\u6c38\u6046\u4e4b\u85cd) \u6f0f\u6d1e\u653b\u64ca\u6280\u5de7,\u5165\u4fb5\u4f3a\u670d\u5668"},"content":{"rendered":"<p>\u8cc7\u5b89\u7814\u7a76\u4eba\u54e1 Nadav Avital <a href=\"https:\/\/www.scmagazine.com\/rediswannamine-cryptojacking-attack-exploits-eternalblue-vulnerability-and-public-redis-servers\/article\/750096\/\">\u767c\u73fe\u4e86<\/a>\u4e00\u500b\u7531\u4ed6\u547d\u540d\u70ba\u300cRedisWannaMine\u300d\u7684<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=50965\">\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63<\/a>\u6316\u7926\u884c\u52d5\uff0c\u5229\u7528\u77e5\u540d\u7684 <a href=\"https:\/\/blog.trendmicro.com.tw\/?s=EternalBlue+\">EternalBlue(\u6c38\u6046\u4e4b\u85cd)<\/a>\u6f0f\u6d1e\u653b\u64ca\u6280\u5de7\u5165\u4fb5\u8cc7\u6599\u5eab\u548c\u61c9\u7528\u7a0b\u5f0f\u4f3a\u670d\u5668\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/documents.trendmicro.com\/images\/TEx\/articles\/security-news-server-coin-miner.jpg\" \/><\/p>\n<p>RedWannaMine \u6703\u7d93\u7531 <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/new-apache-struts-vulnerability-could-be-worse-than-poodle\">CVE-2017-9805<\/a> \u9019\u500b\u53ef\u8b93\u99ed\u5ba2\u5f9e\u9060\u7aef\u57f7\u884c\u7a0b\u5f0f\u78bc\u7684 Apache Struts \u6f0f\u6d1e\u3002Apache Struts \u662f\u4e00\u500b\u7528\u4f86\u958b\u767c Java \u7db2\u7ad9\u61c9\u7528\u7a0b\u5f0f\u7684\u958b\u653e\u539f\u59cb\u78bc\u61c9\u7528\u7a0b\u5f0f\u67b6\u69cb\uff0c\u6839\u64da\u7814\u7a76\uff0c\u5168\u7403 Fortune 100 (\u300a\u8ca1\u661f\u300b\u767e\u5927) \u4f01\u696d\u7576\u4e2d\u81f3\u5c11\u6709 65% \u90fd\u63a1\u7528\u9019\u5957\u67b6\u69cb\u3002RedisWannaMine\u5229\u7528\u6b64\u6f0f\u6d1e\u5f9e\u9060\u7aef\u57f7\u884c\u6307\u4ee4\u5217 (shell) \u547d\u4ee4\uff0c\u5c07\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u4e0b\u8f09\u81f3\u4f3a\u670d\u5668\u4e0a\u3002<\/p>\n<p><strong>[\u8cc7\u5b89\u57fa\u790e\u89c0\u5ff5\uff1a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=50965\">\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u7684\u8ca0\u9762\u5f71\u97ff]<\/a><\/strong><\/p>\n<p>\u6b64\u5916\uff0c\u5728\u8ffd\u67e5\u9019\u9805\u653b\u64ca\u884c\u52d5\u7684\u904e\u7a0b\u7576\u4e2d\uff0c\u7814\u7a76\u4eba\u54e1\u9084\u767c\u73fe\u4e00\u500b\u6307\u4ee4\u5217\u8173\u672c (shell script)\uff0c\u8a72\u8173\u672c\u7528\u4f86\uff1a<\/p>\n<ul>\n<li>\u4e0b\u8f09\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u3002<\/li>\n<li>\u5229\u7528 Linux \u4e0a\u7684 crontab \u5de5\u4f5c\u6392\u7a0b\u5668\u4f86\u8b93\u81ea\u5df1\u5728\u7cfb\u7d71\u4e0a\u4e0d\u65b7\u57f7\u884c\u3002<\/li>\n<li>\u5728\u611f\u67d3\u7684\u7cfb\u7d71\u4e0a\u5efa\u7acb\u4e00\u500b\u65b0\u7684 Secure Shell (SSH) \u91d1\u9470\u4ee5\u4fbf\u5f9e\u9060\u7aef\u9023\u7dda\u3002<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p>\u5728\u653b\u64ca\u904e\u7a0b\u7576\u4e2d\uff0cRedWannaMine \u9084\u6703\u7d93\u7531\u9023\u63a5\u57e0 6379 \u4f86\u6383\u7784\u7db2\u8def\u4e0a\u662f\u5426\u6709\u672a\u4fee\u88dc\u7684 Redis \u4f3a\u670d\u5668 (Redis \u662f\u4e00\u500b\u958b\u653e\u539f\u59cb\u78bc\u8cc7\u6599\u5eab\u5e73\u53f0)\uff0c\u4e26\u4f7f\u5176\u611f\u67d3\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u3002\u6b64\u5916\uff0c\u9084\u6703\u4f7f\u7528 TCP \u6383\u7784\u7a0b\u5f0f\u4f86\u641c\u5c0b\u958b\u653e\u7684\u9023\u63a5\u57e0 445\uff0c\u9019\u662f Server Message Block (SMB) \u6a94\u6848\u5171\u7528\u5354\u5b9a\u7684\u9810\u8a2d\u9023\u63a5\u57e0\u3002\u82e5\u627e\u5230\uff0c\u5c31\u5229\u7528 EternalBlue \u6f0f\u6d1e\u653b\u64ca\u6280\u5de7\u5728\u7cfb\u7d71\u4e0a\u690d\u5165\u6316\u7926\u7a0b\u5f0f\u4e26\u9032\u4e00\u6b65\u64f4\u6563\u3002<\/p>\n<p><strong>[\u5ef6\u4f38\u95b1\u8b80\uff1a<\/strong><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-mining-malware-2018-new-menace\/\"><strong>\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u6703\u4e0d\u6703\u6210\u70ba\u4e0b\u4e00\u500b\u52d2\u7d22\u75c5\u6bd2\uff1f<\/strong><\/a><strong>]<\/strong><\/p>\n<p>RedisWannaMine \u4e26\u975e\u7b2c\u4e00\u500b\u5229\u7528\u6b64\u6280\u5de7\u4f86\u653b\u64ca Apache \u7684\u5a01\u8105\u3002\u4eca\u5e74\u4e8c\u6708\uff0c\u8da8\u52e2\u79d1\u6280\u624d\u767c\u73fe\u4e00\u500b\u5c08\u9580\u653b\u64ca\u5169\u500b <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/vulnerabilities-apache-couchdb-open-door-monero-miners\/\">Apache CouchDB<\/a> \u6f0f\u6d1e\u7684\u9580\u7f85\u5e63 (Monero) \u6316\u7926\u7a0b\u5f0f\u3002\u6b64\u5916\uff0c\u53bb\u5e74\u9084\u6709\u4e00\u500b<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly\/\">\u7121\u6a94\u6848\u5f0f\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f<\/a>\u4e5f\u662f\u5229\u7528 EternalBlue \u4f86\u6563\u5e03\uff0c\u4e26\u4e14\u85c9\u7531 \u00a0<a href=\"https:\/\/la.trendmicro.com\/media\/misc\/understanding-wmi-malware-research-paper-en.pdf\">Windows Management Instrumentation<\/a> (WMI) \u6307\u4ee4\u5217\u5de5\u5177\u8b93\u81ea\u5df1\u6f5b\u4f0f\u5728\u7cfb\u7d71\u5167\u3002\u66f4\u65e9\u4e4b\u524d (\u5c07\u8fd1\u56db\u500b\u6708\u524d)\uff0c\u9084\u6709\u4e00\u500b\u9580\u7f85\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u300c\u00a0<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit\/\">Adylkuzz<\/a>\u300d\u8d81\u8457\u9918\u6ce2\u76ea\u6f3e\u4e4b\u969b\u4f5c\u4e82\u3002<\/p>\n<p>\u7684\u78ba\uff0c\u96a8\u8457\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u65e5\u76ca\u5d1b\u8d77\uff0c\u9019\u985e\u60e1\u610f\u7a0b\u5f0f\u4e5f\u8d8a\u4f86\u8d8a\u666e\u904d\u3002\u4e8b\u5be6\u4e0a\uff0c\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u6d3b\u52d5\u662f<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/research-and-analysis\/threat-reports\/roundup\/a-look-into-the-most-noteworthy-home-network-security-threats-of-2017\">\u5bb6\u7528\u8def\u7531\u5668<\/a>\u9023\u63a5\u7684\u88dd\u7f6e\u6700\u5e38\u5075\u6e2c\u5230\u7684\u7db2\u8def\u4e8b\u4ef6\uff0c\u5075\u6e2c\u6578\u91cf\u5728 2017 \u5e74\u7b2c\u4e09\u5b63\u7a81\u7834 2,300 \u842c\u3002<\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848\u80fd\u4e3b\u52d5\u9632\u7bc4\u7121\u6a94\u6848\u5f0f\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u3002<br \/>\n\u7531\u65bc RedWannaMine \u5c08\u9580\u653b\u64ca\u7279\u5b9a\u4f3a\u670d\u5668\uff0c\u56e0\u6b64\u5c0d\u65bc\u63a1\u7528\u9019\u985e\u4f3a\u670d\u5668\u7684\u4f01\u696d\u5f71\u97ff\u751a\u9245\u3002\u5b83\u9664\u4e86\u6703\u8b93\u4f3a\u670d\u5668\u66f4\u8017\u96fb\u4e4b\u5916\uff0c\u9084\u53ef\u80fd\u5e72\u64fe\u71df\u904b\uff0c\u56e0\u70ba\u9019\u985e\u60e1\u610f\u7a0b\u5f0f\u6703\u5360\u7528\u8cc7\u6e90\u4f86\u958b\u63a1\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u3002<\/p>\n<p>\u66f4\u91cd\u8981\u7684\u4e00\u9ede\u662f\uff0cRedisWannaMine \u4e5f\u7a81\u986f\u51fa\u7cfb\u7d71\u7ba1\u7406\u54e1\u61c9\u5b9a\u671f<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/patching-problems-and-how-to-solve-them\">\u4fee\u88dc<\/a>\u7cfb\u7d71\uff0c\u4e26\u4e14\u63a1\u53d6\u4e00\u4e9b<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=50380\">\u6700\u4f73\u5be6\u52d9\u539f\u5247<\/a>\u4f86\u4fdd\u969c\u4f01\u696d\u7db2\u8def\u908a\u5883\u5b89\u5168\u3002\u800c\u9019\u9ede\u5c0d\u65bc\u81ea\u884c\u958b\u767c\u3001\u4f7f\u7528\u3001\u90e8\u7f72<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/cloud-solutions\/deep-security\/index.html\">\u7db2\u7ad9\u61c9\u7528\u7a0b\u5f0f<\/a>\u7684\u4f01\u696d\u4f86\u8aaa\u5c24\u5176\u91cd\u8981\uff0c\u9019\u4e9b\u4f01\u696d\u5fc5\u9808\u5728\u61c9\u7528\u7a0b\u5f0f\u751f\u547d\u9031\u671f\u7684\u6bcf\u4e00\u500b\u968e\u6bb5\u90fd\u52a0\u5165\u5b89\u5168\u6a5f\u5236\u3002\u5982\u540c\u9762\u5c0d\u5176\u4ed6<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/2017-notable-vulnerabilities-and-exploits\">\u5c08\u9580\u653b\u64ca\u91cd\u5927\u6f0f\u6d1e<\/a>\u7684\u5a01\u8105\u4e00\u6a23\uff0c\u53ea\u8981\u6709\u4e00\u53f0\u96fb\u8166\u7684\u6f0f\u6d1e\u672a\u4fee\u88dc\uff0c\u6240\u6709\u8207\u5b83\u9023\u7dda\u7684\u7cfb\u7d71\u90fd\u53ef\u80fd\u906d\u6b83\u3002<\/p>\n<p><a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/cloud-solutions\/deep-security\/index.html\">\u8da8\u52e2\u79d1\u6280\u7684 Deep Security&#x2122;<\/a>\u3001<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/product-security\/vulnerability-protection\/\">\u8da8\u52e2\u79d1\u6280 Vulnerability Protection \u6f0f\u6d1e\u9632\u8b77<\/a>\u4ee5\u53ca TippingPoint \u7b49\u7522\u54c1\u90fd\u80fd\u63d0\u4f9b<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/capabilities\/intrusion-prevention.html?cm_re=10_19_17-_-2d_Capabilities-_-IntrusionPrevention\">\u865b\u64ec\u4fee\u88dc<\/a>\u4f86\u9632\u7bc4\u4f01\u696d\u7aef\u9ede\u56e0\u672a\u4fee\u88dc\u7684\u6f0f\u6d1e\u800c\u906d\u5230\u653b\u64ca\u3002\u6b64\u5916\uff0c\u8da8\u52e2\u79d1\u6280\u4e5f\u5df2\u91dd\u5c0d CVE-2017-9805 \u6f0f\u6d1e\u63d0\u4f9b\u4e86\u89e3\u6c7a\u65b9\u6848\uff0c\u8acb\u53c3\u95b1<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/new-apache-struts-vulnerability-could-be-worse-than-poodle\">\u9019\u7bc7\u6587\u7ae0<\/a>\u3002\u524d\u8ff0\u63d0\u5230\u7684\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\uff1aCoinminer_MALXMR.AB-WIN32\u3001ELF_SETAG.TNX \u548c Suspicious_GEN.F47V0305\u3002<\/p>\n<p>\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/rediswannamine-cryptocurrency-mining-operation-found-targeting-servers-with-eternalblue\">RedisWannaMine Cryptocurrency-Mining Operation Found Targeting Servers with EternalBlue<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8cc7\u5b89\u7814\u7a76\u4eba\u54e1 Nadav Avital \u767c\u73fe\u4e86\u4e00\u500b\u7531\u4ed6\u547d\u540d\u70ba\u300cRedisWannaMine\u300d\u7684\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u6316\u7926 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[3373,3603,3647,3654,156],"tags":[3231,3792,3575,3335,3723],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/54909"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=54909"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/54909\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=54909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=54909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=54909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}