{"id":64156,"date":"2020-05-11T15:10:00","date_gmt":"2020-05-11T07:10:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=64156"},"modified":"2020-05-01T13:22:53","modified_gmt":"2020-05-01T05:22:53","slug":"%e6%9a%b4%e9%9c%b2%e7%9a%84-redis-%e5%9f%b7%e8%a1%8c%e5%af%a6%e4%be%8b%e8%a2%ab%e7%94%a8%e4%be%86%e9%80%b2%e8%a1%8c%e9%81%a0%e7%ab%af%e7%a8%8b%e5%bc%8f%e7%a2%bc%e5%9f%b7%e8%a1%8c%e8%b7%9f%e8%99%9b","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=64156","title":{"rendered":"\u66b4\u9732\u7684 Redis \u57f7\u884c\u5be6\u4f8b,\u88ab\u7528\u4f86\u9032\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c\u8ddf\u865b\u64ec\u8ca8\u5e63\u6316\u7926"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/DevOps-380x380.jpg\" alt=\"\" width=\"220\" height=\"220\"\/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>\u6211\u5011\u6700\u8fd1\u5beb\u4e86\u4e00\u7bc7\u5728\u7db2\u8def\u4e0a\u767c\u73fe<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=63908\">8,000\u591a\u500b\u6c92\u6709\u4fdd\u8b77\u597dRedis\u57f7\u884c\u5be6\u4f8b<\/a>\u7684\u6587\u7ae0\u3002\u5728\u672c\u7bc7\u6587\u7ae0\u88e1\uff0c\u6211\u5011\u6703\u4ecb\u7d39\u9019\u4e9b\u57f7\u884c\u5be6\u4f8b\u6703\u5982\u4f55\u88ab\u7528\u4f86\u9032\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c\uff08RCE\uff09\uff0c\u5c31\u5982\u60e1\u610f\u8edf\u9ad4\u5728\u771f\u5be6\u4e16\u754c\u88e1\u6240\u505a\u7684\u3002\u9019\u4e9b\u60e1\u610f\u7a0b\u5f0f\u6703\u5c07Redis\u57f7\u884c\u5be6\u4f8b\u8b8a\u6210<a 
href=\"https:\/\/blog.trendmicro.com.tw\/?p=50965\">\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u6a5f\u5668\u4eba<\/a>\uff0c\u4e26\u4e14\u900f\u904e\u201d\u8815\u87f2\u201d\u6563\u64ad\u529f\u80fd\u4f86\u611f\u67d3\u5176\u4ed6\u6709\u6f0f\u6d1e\u7684\u57f7\u884c\u5be6\u4f8b\u3002<\/p>\n\n\n\n<p>Redis\u662f\u8a2d\u8a08\u4f7f\u7528\u5728\u53d7\u4fe1\u4efb\u74b0\u5883\u4e26\u63d0\u4f9b\u4e86<a href=\"https:\/\/redis.io\/topics\/security#protected-mode\">\u4fdd\u8b77\u6a21\u5f0f\u8a2d\u5b9a<\/a>\uff0c\u800c\u4e14\u5373\u5c07\u66f4\u65b0\u5230Redis 6.0\uff0c\u5728\u65b0\u7248\u672c\u4e2d\u6703\u5c0e\u5165\u5982\u5b58\u53d6\u63a7\u5236\u5217\u8868\uff08ACL\uff09\u7b49\u65b0\u7684\u5b89\u5168\u529f\u80fd\u3002\u4f46\u5728\u76ee\u524d\uff0c\u5982\u679c\u4f7f\u7528\u8005\u7684Redis\u57f7\u884c\u5be6\u4f8b\u6c92\u6709\u52a0\u4e0aTLS\u52a0\u5bc6\u6216\u5bc6\u78bc\u4fdd\u8b77\uff0c\u4e00\u65e6\u653b\u64ca\u8005\u9032\u5165\u4e86\u74b0\u5883\u5c31\u53ef\u4ee5\u4f7f\u7528\u8d85\u904e<a href=\"https:\/\/redis.io\/commands\">200\u500b\u547d\u4ee4<\/a>\u4f86\u9032\u884c\u653b\u64ca\u3002\u76ee\u524dRedis\u9810\u8a2d\u4e26\u6c92\u6709\u8eab\u4efd\u8a8d\u8b49\u3002\u5373\u4f7f\u6709\u8a2d\u5b9a\u5bc6\u78bc\uff0c\u4e5f\u8981\u78ba\u8a8d\u5bc6\u78bc\u8db3\u5920\u5f37\u5230\u62b5\u6297\u66b4\u529b\u7834\u89e3\u653b\u64ca\u3002<\/p>\n\n\n\n<p>\u6211\u5011\u5728\u871c\u7f50\u7cfb\u7d71\u88e1\u89c0\u5bdf\u5230\u99ed\u5ba2\u4f7f\u7528\u4e86\u4e0b\u5217\u60c5\u5883\uff0c\u9019\u4e9b\u871c\u7f50\u7cfb\u7d71\u662f\u70ba\u4e86\u5438\u5f15\u548c\u76e3\u8996\u771f\u5be6\u653b\u64ca\u800c\u8a2d\u7f6e\uff1a<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 
class=\"wp-block-heading\"><strong>\u60c5\u5883\u4e00\uff1a\u5229\u7528<em>config<\/em><\/strong><strong>\u547d\u4ee4<\/strong><\/h3>\n\n\n\n<p><br>\u653b\u64ca\u8005\u7528Redis\u8cc7\u6599\u5eab\u6a94\u8a2d\u5b9a\u591a\u500b\u7684\u9375\u503c\u4f86\u6210\u70bacron\u4efb\u52d9\u3002\u8cc7\u6599\u5eab\u503c\u9075\u5faa\u8457<a href=\"https:\/\/man7.org\/linux\/man-pages\/man8\/cron.8.html\">cron<\/a>\uff08\u57f7\u884c\u6392\u7a0b\u547d\u4ee4\u7684\u5b88\u8b77\u7a0b\u5e8f\uff09\u548c<a href=\"https:\/\/man7.org\/linux\/man-pages\/man5\/crontab.5.html\">crontab<\/a>\uff08\u7528\u65bc\u6392\u7a0b\u57f7\u884c\u7a0b\u5f0f\u7684\u6a94\u6848\uff09\u683c\u5f0f\u898f\u7bc4\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/t.rend.tw\/?i=ODkzNg\"><img loading=\"lazy\" decoding=\"async\" width=\"540\" height=\"90\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2020\/04\/Blog_540x90.jpg\" alt=\"\" class=\"wp-image-64174\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2020\/04\/Blog_540x90.jpg 540w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2020\/04\/Blog_540x90-300x50.jpg 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2020\/04\/Blog_540x90-30x5.jpg 30w\" sizes=\"(max-width: 540px) 100vw, 540px\" \/><\/a><\/figure>\n\n\n\n<!--more-->\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig1.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><figcaption> \u57161. 
\u5c07\u9375\u503c\u8a2d\u6210cron\u4efb\u52d9 <\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u653b\u64ca\u8005\u7528config\u547d\u4ee4\u5c07\u76ee\u9304\u8a2d\u5230<em>\/var\/spool\/cron<\/em>\u4e26\u5c07dbfilename\u8a2d\u70ba\u4f7f\u7528\u8005\u540d\u7a31\uff08\u5982<em>root<\/em>\uff09\uff0c\u7136\u5f8c\u5132\u5b58\u8cc7\u6599\u5eab\uff08\u6a94\u540d\u70ba<em>root<\/em>\uff09\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig2-1.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><figcaption> \u57162. \u5c07\u8cc7\u6599\u5eab\u5132\u5b58\u5230cron\u76ee\u9304 <\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>root\u6a94\u6848\u5167\u5bb9\u5982\u4e0b\u9762\u622a\u5716\uff0c\u57fa\u672c\u4e0a\u5c31\u662f\u6709\u5e7e\u884ccron\u683c\u5f0f\u7684\u53ef\u8b80\u6587\u5b57\u593e\u96dc\u5728\u4e8c\u9032\u4f4d\u8cc7\u6599\u4e4b\u9593\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figure3.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><figcaption> \u57163. 
root\u6a94\u6848\u5167\u5bb9 <\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5118\u7ba1\u6a94\u6848\u5167\u6709\u90e8\u5206\u4e8c\u9032\u4f4d\u683c\u5f0f\u5167\u5bb9\uff0c\u4f46\u5982\u679c\u6709\u5b89\u88ddcron\uff0c\u5b83\u6703\u627e\u51fa\u53ef\u7528\u7684\u689d\u76ee\u4e26\u57f7\u884c\u653b\u64ca\u8005\u6240\u8981\u4e0b\u8f09\u7684Shell\u8173\u672c \u2013 \u9019\u4e9b\u90fd\u662f\u56e0\u70baRedis\u57f7\u884c\u5be6\u4f8b\u6c92\u6709\u53d7\u5230\u9069\u7576\u4fdd\u8b77\u6240\u9020\u6210\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig4-1.png\" alt=\"A close up of text on a white background\n\nDescription automatically generated\"\/><figcaption> \u57164. \u4f7f\u7528cron\u5728\u66b4\u9732\u7684Redis\u57f7\u884c\u5be6\u4f8b\u4e0a\u57f7\u884cRCE\u653b\u64ca\u7684\u7bc4\u4f8b <\/figcaption><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u60c5\u5883\u4e8c\uff1a\u5229\u7528<em>slaveof<\/em><\/strong><strong>\u529f\u80fd<\/strong><\/h3>\n\n\n\n<p><br>\u7b2c\u4e8c\u7a2e\u65b9\u6cd5\u662f\u56e0\u70ba<a href=\"https:\/\/redis.io\/topics\/introduction\">Redis\u53ef\u4ee5\u4f5c\u70ba\u5206\u6563\u5f0f\u8cc7\u6599\u5eab<\/a>\u3002\u653b\u64ca\u8005\u6703\u5148\u88fd\u4f5c\u4e00\u500b\u60e1\u610fRedis\u57f7\u884c\u5be6\u4f8b\u4e26\u7de8\u8b6f\u4e00\u500b\u60e1\u610fRedis\u6a21\u7d44\u3002\u9019\u500b\u7279\u88fdRedis\u57f7\u884c\u5be6\u4f8b\u6210\u70ba\u4e86\u4e3b\u4f3a\u670d\u5668\uff0c\u4e26\u767c\u9001<a href=\"https:\/\/redis.io\/commands\/slaveof\"><em>slaveof<\/em>\u547d\u4ee4<\/a>\u5230\u6709\u6f0f\u6d1e\u7684\u57f7\u884c\u5be6\u4f8b\u3002\u63a5\u8457\u99ed\u5ba2\u5f9e\u4e3b\u4f3a\u670d\u5668\u767c\u8d77<em>full 
resync<\/em>\u4f86\u6d3e\u9001\u60e1\u610fRedis\u6a21\u7d44\u3002\u63a5\u8457\u89f8\u767c<em>module load<\/em>\u547d\u4ee4\uff0c\u6210\u529f\u5730\u5728\u6709\u6f0f\u6d1e\u7684Redis\u6a21\u7d44\u5167\u8f09\u5165\u5f8c\u9580\u3002\u5b89\u5168\u7814\u7a76\u54e1Pavel Toporkov\u57282018\u5e74ZeroNights\u6703\u8b70\u4e0a\u7684<a href=\"https:\/\/2018.zeronights.ru\/wp-content\/uploads\/materials\/15-redis-post-exploitation.pdf\">\u201dRedis Post-exploitation\u201d<\/a>\u6f14\u8b1b\u88e1\u63a2\u8a0e\u4e86\u6b64\u6280\u8853\u3002<\/p>\n\n\n\n<p>\u8981\u7279\u5225\u8aaa\u660e\u7684\u662f\uff0c\u5f9e2018\u5e7410\u6708\u767c\u5e03\u7684Redis 5.0\u958b\u59cb\u5c31\u4e0d\u518d\u4f7f\u7528\u201dslave\u201d\uff0c\u800c\u662f\u7528<a href=\"https:\/\/redis.io\/commands\/replicaof\"><em>replicaof<\/em><\/a>\u3002\u4f46\u70ba\u4e86\u5411\u4e0b\u76f8\u5bb9\uff0c<em>slaveof<\/em>\u547d\u4ee4\u4ecd\u53ef\u4ee5\u5728\u65e9\u671f\u7248\u672c\u4f7f\u7528\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig5-1.png\" alt=\"A picture containing table, bird\n\nDescription automatically generated\"\/><figcaption> \u57165. \u60e1\u610fRedis\u6a21\u7d44\u8a3b\u518a\u4e09\u500b\u547d\u4ee4\u7684\u7bc4\u4f8b <\/figcaption><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig6.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><figcaption> \u57166. 
\u60e1\u610fRedis\u6a21\u7d44\u90e8\u7f72\u548c\u547d\u4ee4\u547c\u53eb\u7684\u7bc4\u4f8b <\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u6b64\u6848\u4f8b\u88e1\u7684\u60e1\u610fRedis\u6a21\u7d44\u6703\u4e0b\u8f09<a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/virtualization-and-cloud\/misconfigured-docker-daemon-api-ports-attacked-for-kinsing-malware-campaign\">Kinsing\u60e1\u610f\u8edf\u9ad4<\/a>\uff0c\u7136\u5f8c\u4e0b\u8f09\u4e26\u57f7\u884c<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner\/\">XMRig\u9580\u7f85\u5e63\u6316\u7926\u7a0b\u5f0f<\/a>\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig7-1.png\" alt=\"\"\/><figcaption> \u57167. 
\u5728Redis\u57f7\u884c\u7684XMRig\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u88ab\u767c\u73fe\u6d88\u8017\u4e86\u5927\u91cf\u8cc7\u6e90 <\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u6240\u89c0\u5bdf\u60e1\u610f\u8edf\u9ad4\u6a23\u672c\u6982\u8ff0<\/strong><\/h3>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>\u6211\u5011\u6703\u5728\u6b64\u7bc0\u88e1\u91cd\u9ede\u4ecb\u7d39\u4e00\u4e9b\u503c\u5f97\u6ce8\u610f\u7684\u60e1\u610f\u8edf\u9ad4\u6a23\u672c\uff0c\u9019\u4e9b\u6a23\u672c\u662f\u900f\u904e\u4e0a\u8ff0\u5169\u7a2e\u65b9\u6cd5\u4e4b\u4e00\u6563\u64ad\u5230\u66b4\u9732\u7684Redis\u57f7\u884c\u5be6\u4f8b\uff0c\u4e14\u88ab\u871c\u7f50\u7cfb\u7d71\u6240\u6355\u6349\u5230\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>\u6848\u4f8b\u4e00\uff1a\u591a\u5e73\u53f0shell<\/strong><strong>\u8815\u87f2\u5b89\u88dd\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u75c5\u6bd2<\/strong><\/p>\n\n\n\n<p>\u6211\u5011\u5728\u771f\u5be6\u4e16\u754c\u89c0\u5bdf\u5230\u7684\u7b2c\u4e00\u500b\u60e1\u610f\u8edf\u9ad4\u662f\u4e00\u7a2e\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u75c5\u6bd2\u7684\u66f4\u65b0\u7248\u672c\uff0c\u6b64\u60e1\u610f\u8edf\u9ad4\u4e4b\u524d\u88ab\u767c\u73fe\u6703\u653b\u64ca\u641c\u5c0b\u5f15\u64ce<a 
href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-miner-spreads-via-old-vulnerabilities-on-elasticsearch\/?spm=a2c65.11461447.0.0.69d44407Oeg0gj\">Elasticsearch<\/a>\u7684\u5df2\u77e5\u6f0f\u6d1e\u3002\u8a72\u60e1\u610f\u8edf\u9ad4\u662f\u4e00\u7a2e\u591a\u5e73\u53f0\u8815\u87f2\uff1a\u5b83\u540c\u6642\u6709Linux\u548cWindows\u7248\u672c\uff0c\u4e26\u5177\u5099\u7528Shell\u548cPowerShell\u64b0\u5beb\u7684\u8173\u672c\uff0c\u800c\u4e14\u6709\u4e9b\u7d44\u4ef6\u662f\u7528Golang\u958b\u767c\u7684\u4e8c\u9032\u4f4d\u57f7\u884c\u6a94\u3002\u611f\u67d3\u65b9\u5f0f\u662f\u900f\u904e\u4fee\u6539cron\u6a94\u6848\uff08\u5982\u60c5\u5883\u4e00\u6240\u793a\uff09\uff0c\u5305\u542b\u4e86\u6307\u5411<em>init.sh<\/em>\u6a94\u6848\u7684\u9023\u7d50\u3002<\/p>\n\n\n\n<p><strong><em>Init.sh<\/em><\/strong><\/p>\n\n\n\n<p>\u9019\u60e1\u610f\u8edf\u9ad4\u662f\u7528shell\u7de8\u5beb\u7684\u555f\u52d5\u6216\u521d\u59cb\u5316\u8173\u672c\u3002\u5b83\u7684\u91cd\u8981\u529f\u80fd\u662f\u79fb\u9664\u3001\u7d42\u6b62\u548c\u5f37\u5236\u7d42\u6b62\u5404\u7a2e\u6703\u8017\u8cbb\u8cc7\u6e90\u6216\u7af6\u722d\u5c0d\u624b\u7684\u7a0b\u5e8f\u3002\u8a72\u8173\u672c\u6703\u57f7\u884c\u4e0b\u5217\u5de5\u4f5c\uff1a<\/p>\n\n\n\n<ol><li>\u79fb\u9664\u963f\u91cc\u96f2\u670d\u52d9\uff08\u9748\u611f\u4f86\u6e90\u53ef\u80fd\u4f86\u81ea\u6b64<a href=\"https:\/\/github.com\/stardock\/aliyun-service\">\u5132\u5b58\u5eab<\/a>\uff09\u3002<\/li><li>\u79fb\u9664\u9a30\u8a0a\u4ee3\u7406\uff08\u9748\u611f\u4f86\u6e90\u53ef\u80fd\u4f86\u81ea\u6b64<a href=\"https:\/\/github.com\/littleplus\/TencentAgentRemove\/blob\/master\/remove.sh\">\u5132\u5b58\u5eab<\/a>\uff09\u3002<\/li><li>\u522a\u9664\u591a\u500b\u6a94\u6848\u4e26\u7d42\u6b62\u591a\u7a2e\u7a0b\u5e8f\u548cDocker\u57f7\u884c\u5be6\u4f8b\u3002<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" 
src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figinit3.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<ul><li>\u7d42\u6b62\u8ddf\u7279\u5b9a\u60e1\u610f\u8edf\u9ad4\u6240\u7528\u6a21\u7d44\u540c\u540d\u7684\u7a0b\u5e8f\uff1a<\/li><li><em>sysguerd<\/em><\/li><li><em>sh<\/em><\/li><li><em>sysupdata<\/em><\/li><li><em>networkservics<\/em><\/li><li>\u5982\u679c\u662froot\uff0c\u6703\u4e0b\u8f09\u4e26\u5b89\u88dd\u60e1\u610f\u8edf\u9ad4\u5230<em>\/etc\/<\/em>\uff0c\u5426\u5247\u6703\u7528<em>\/tmp\/<\/em>\u3002\u9019\u4e9b\u6a94\u6848\u662f<em>miner<\/em>\u3001<em>miner config<\/em>\u3001<em>watchdog<\/em>\u3001<em>update<\/em>\u548c<em>scanner<\/em>\u3002<\/li><li>\u900f\u904eupdata.sh\u9054\u5230\u6301\u7e8c\u6027\u80fd\u529b\uff0c\u5176\u5167\u5bb9\u8207init.sh\u76f8\u540c\u4e26\u6703\u52a0\u9032crontab\u3002<\/li><li>\u5c07\u65b0\u7684SSH\u6388\u6b0a\u91d1\u9470\u5b89\u88dd\u5230\/root\/.ssh\/authorized_keys\uff1a<\/li><\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figinit7.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul><li>\u7528<em>iptables<\/em>\u547d\u4ee4<em>iptables -A OUTPUT -p tcp --dport ???? 
-j DROP<\/em>\u4f86\u5c01\u9396\u5c0d\u5916\u5230\u7aef\u53e33333\u30015555\u30017777\u548c9999\u7684\u6d41\u91cf\u3002<\/li><li>\u6e05\u9664bash\u6b77\u53f2\u8a18\u9304\u3002<\/li><li>\u5982\u679c<em>\/root\/.ssh\/id_rsa.pub<\/em>\u6a94\u6848\u5b58\u5728\uff08\u542b\u6709\u4e4b\u524d\u7522\u751fSSH\u91d1\u9470\u5c0d\u4e2d\u516c\u9470\u7684\u6a94\u6848\uff09\uff0c\u6703\u8a66\u8457\u7528SSH\u900f\u904e<em>ssh -oBatchMode=yes\n-oConnectTimeout=5 -oStrictHostKeyChecking=no<\/em>\u9023\u5230<em>\/root\/.ssh\/known_hosts<\/em>\u5167\u7684\u6240\u6709\u5df2\u77e5\u4e3b\u6a5f\uff08\u64c1\u6709\u4e4b\u524d\u5b58\u53d6\u904e\u7684\u4f3a\u670d\u5668\u516c\u9470\uff09\u3002\u5b83\u6703\u8b93\u6bcf\u500b\u6210\u529f\u9023\u4e0a\u7684\u57f7\u884c\u5be6\u4f8b\u4e0b\u8f09\u4e26\u57f7\u884c<em>https:\/\/&lt;server&gt;\/&lt;path&gt;\/is.sh<\/em>\u3002<\/li><\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figinit10.png\" alt=\"\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ol><li>\u5728\u53d7\u611f\u67d3\u96fb\u8166\u4e0b\u8f09\u4e26\u57f7\u884c<em>https:\/\/&lt;server&gt;\/&lt;path&gt;\/is.sh<\/em>\u3002<\/li><\/ol>\n\n\n\n<p><strong><em>Is.sh<\/em><\/strong><\/p>\n\n\n\n<p>\u7528\u4f86\u57f7\u884c\u4e0b\u5217\u5de5\u4f5c\u7684\u5b89\u88dd\u8173\u672c\uff1a<\/p>\n\n\n\n<ol><li>\u7d42\u6b62\u4e0b\u5217\u57f7\u884c\u4e2d\u7684\u7a0b\u5e8f\uff1a<ol><li><a href=\"https:\/\/www.npmjs.com\/package\/redisscan\"><em>redisscan<\/em><\/a>\uff08\u905e\u6b78\u6383\u63cfRedis 2.8\u9375\u7a7a\u9593\uff08keyspace\uff09\u7684\u7a0b\u5e8f\uff09<\/li><\/ol><ol><li><em>ebscan<\/em>\uff08\u4f7f\u7528<em>masscan<\/em>\u5de5\u5177\u7684\u6383\u63cf\u7a0b\u5e8f\uff09<\/li><\/ol><ol><li><a 
href=\"https:\/\/redis.io\/topics\/rediscli\"><em>redis-cli<\/em><\/a>\uff08Redis\u7684\u547d\u4ee4\u5217\u4ecb\u9762\uff0c\u53ef\u4ee5\u767c\u9001\u547d\u4ee4\u5230Redis\u4e26\u5f9e\u7d42\u7aef\u6a5f\u76f4\u63a5\u8b80\u53d6\u4f3a\u670d\u5668\u7684\u56de\u8986\uff09<\/li><\/ol><ol><li><em>barad_agent<\/em>\uff08\u96f2\u7aef\u76f8\u95dc\u7684\u670d\u52d9\uff09<\/li><\/ol><ol><li><em>masscan<\/em>\uff08\u5927\u898f\u6a21IP\u7aef\u53e3\u6383\u63cf\u5668\uff09<\/li><\/ol><ol><li><em>.sr0<\/em><\/li><\/ol><ol><li><em>clay<\/em><\/li><\/ol><ol><li><em>udevs<\/em><\/li><\/ol><ol><li><em>.sshd<\/em>\uff08\u53ef\u4ee5\u63a5\u6536\u9023\u7dda\u7684OpenSSH\u4f3a\u670d\u5668\u7a0b\u5e8f\uff09<\/li><\/ol><ol><li><em>xig<\/em><\/li><\/ol><\/li><li>\u900f\u904eapt-get\u6216yum\u5957\u4ef6\u7ba1\u7406\u7a0b\u5f0f\u5b89\u88dd\u6240\u9700\u7684\u8edf\u9ad4\uff0c\u5305\u62ec\u4e86<em>redis-tools<\/em>\u3001<em>iptables<\/em>\u3001<em>wget<\/em>\u3001<em>curl<\/em>\u548c<em>unhide<\/em>\u3002<\/li><li>\u7d42\u6b62\u96b1\u85cf\u7684\u7a0b\u5e8f\u3002<\/li><li>\u4e0b\u8f09\u4e26\u5b89\u88dd<a href=\"https:\/\/github.com\/robertdavidgraham\/masscan\"><em>masscan<\/em><\/a>\u548c<a 
href=\"https:\/\/manpages.ubuntu.com\/manpages\/bionic\/man1\/pnscan.1.html\"><em>pnscan<\/em><\/a>\u3002<\/li><li>\u4e0b\u8f09\u4e26\u57f7\u884c<em>rs.sh<\/em>\u3002<\/li><\/ol>\n\n\n\n<p><strong><em>Rs.sh<\/em><\/strong><\/p>\n\n\n\n<p>\u9019\u500b\u5ba2\u88fd\u5316\u60e1\u610f\u8173\u672c\u7528\u4f86\u6383\u63cfRedis\u57f7\u884c\u5be6\u4f8b\u4e26\u57f7\u884c\u4e0b\u5217\u52d5\u4f5c\u3002Redis\u57f7\u884c\u5be6\u4f8b\u4f7f\u7528\u7aef\u53e36379\u3002\u5169\u500b\u516c\u958b\u53ef\u53d6\u5f97\u7684\u6383\u63cf\u5668\u88ab\u7528\u4f86\u9032\u884cRedis\u6383\u63cf\u5de5\u4f5c\u3002<\/p>\n\n\n\n<ol><li>\u7528iptables\u547d\u4ee4\u5c01\u9396\u6240\u6709\u50b3\u5165\u5230\u7aef\u53e36379\u7684\u6d41\u91cf\uff0c\u53ea\u5141\u8a31\u4f86\u81ea\u672c\u6a5f\u7684\u6d41\u91cf\u3002<\/li><li>\u5efa\u7acb\u4e00\u500b\u5305\u542b\u4ee5\u4e0b\u5167\u5bb9\u7684.dat\u6a94\u3002\u9019\u65b9\u6cd5\u5728\u60c5\u5883\u4e00\u4ecb\u7d39\u904e\u3002<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figrs2.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<ul><li>\u7528<em>pnscan<\/em>\u6383\u63cf\u7aef\u53e36379\u3002<em>pnscan<\/em>\u6703\u9001\u51fa\u5b57\u5143<em>*1\\r\\n$4\\r\\ninfo\\r\\n<\/em>\u4e26\u7b49\u5f85\u88ab\u6383\u63cf\u96fb\u8166\u56de\u61c9<em>os:Linux<\/em>\u3002<\/li><li>\u7528<em>masscan<\/em>\u6383\u63cf\u7aef\u53e36379\u3002\u4f7f\u7528<a 
href=\"https:\/\/github.com\/robertdavidgraham\/masscan\/blob\/master\/doc\/masscan.8.markdown\">\u5206\u4eab\u7684<\/a>\u53c3\u6578\u9032\u884c\u6383\u63cf\uff0c\u96a8\u6a5f\u5f9e22,000\u7d44IP\u5730\u5740\u7bc4\u570d\u4e2d\u9078\u64c7\u3002<\/li><li>\u7528<em>masscan<\/em>\u6383\u63cf\u7aef\u53e36379\u3002\u9019\u6b21\u6703\u7528\u79c1\u6709IP\u5730\u5740\u4ee5\u53ca\u963f\u91cc\u96f2\u3001Chinanet\u4e0a\u6d77\u548c\u4e2d\u570b\u806f\u901a\u6240\u7528\u7684IP\u5730\u5740\u7bc4\u570d\u3002<\/li><li>\u7528<em>masscan<\/em>\u6383\u63cf\u7aef\u53e36379\uff0c\u5f9e\u73fe\u884c\u7db2\u8def\u4ecb\u9762\u53d6\u5f97\u5df2\u77e5IP\u5730\u5740\uff08\u900f\u904e<em>ip a<\/em>\u547d\u4ee4\uff09\u3002<\/li><li>\u5c0d\u6d3b\u8457\u7684Redis\u57f7\u884c\u5be6\u4f8b\uff08\u5f9e\u6b65\u9a5f3\u52306\u7684\u6383\u63cf\u5de5\u4f5c\u627e\u5230\uff09\u57f7\u884c\uff1a<\/li><\/ul>\n\n\n\n<p><em>redis-cli -h\nHOST -p PORT --raw -a PASSWORD --raw &lt;content of .dat&gt;<\/em><\/p>\n\n\n\n<p>\u4f7f\u7528\u7684\u5f31\u5bc6\u78bc\u5217\u8868\u5305\u62ec\uff1a<\/p>\n\n\n\n<ul><li>\u7a7a\u5bc6\u78bc<\/li><li>redis<\/li><li>root<\/li><li>oracle<\/li><li>password<\/li><li>p@aaw0rd<\/li><li>abc123<\/li><li>abc123!<\/li><li>123456<\/li><li>admin<\/li><\/ul>\n\n\n\n<p>\u6210\u529f\u9023\u4e0a\u65b0\u627e\u5230Redis\u57f7\u884c\u5be6\u4f8b\u5f8c\uff0c\u6703\u7528\u60c5\u5883\u4e00\u57f7\u884cinit.sh\u8173\u672c\uff0c\u4e26\u91cd\u8907\u6574\u500b\u611f\u67d3\u904e\u7a0b\u3002<\/p>\n\n\n\n<p>\u9664\u4e86\u4e0a\u9762\u6240\u5206\u6790\u7684\u8173\u672c\u5916\uff0c\u8a72\u60e1\u610f\u8edf\u9ad4\u9084\u4f7f\u7528\u4e86\u4e00\u4e9b\u4e8c\u9032\u4f4d\u6a94\u3002<\/p>\n\n\n\n<p><em>Watchdog<\/em>\u7a0b\u5e8f\u662f\u500b\u7528Golang\u958b\u767c\u7684\u6a94\u6848\uff0c\u4e3b\u8981\u7528\u4f86\u555f\u52d5\u56db\u500bwatchdog\u57f7\u884c\u7dd2\uff1a<\/p>\n\n\n\n<ul><li><em>main_dog_protect_cron_thread<\/em><\/li><\/ul>\n\n\n\n<p>\u6aa2\u67e5cron\u5167\u7684\u6301\u7e8c\u6027\u6a5f\u5236\u4e26\u5728\u5fc
5\u8981\u6642\u52a0\u5165\u6301\u7e8c\u6027\u6a5f\u5236\u3002<\/p>\n\n\n\n<ul><li><em>main_dog_protect_process_thread<\/em><\/li><\/ul>\n\n\n\n<p>\u6aa2\u67e5\u6240\u9700\u7a0b\u5e8f\u662f\u5426\u5728\u57f7\u884c\u4e2d\uff0c\u5982\u679c\u6c92\u6709\u5247\u52a0\u4ee5\u555f\u52d5\u3002<\/p>\n\n\n\n<ul><li><em>main_dog_update_thread<\/em><\/li><\/ul>\n\n\n\n<p>\u5982\u679c\u6709\u65b0\u7248\u672c\u53ef\u7528\uff0c\u66f4\u65b0<em>miner<\/em>\u3001<em>config<\/em>\u3001<em>scanner<\/em>\u548c<em>watchdog<\/em>\u7b49\u4e8c\u9032\u4f4d\u6a94\u3002<\/p>\n\n\n\n<ul><li><em>main_dog_protect_cc_thread<\/em><\/li><\/ul>\n\n\n\n<p>\u6aa2\u67e5\u547d\u4ee4\u548c\u63a7\u5236\uff08C&amp;C\uff09\u4f3a\u670d\u5668\u662f\u5426\u6d3b\u8457\u3002\u5982\u679c\u6c92\u6709\uff0c\u5b83\u6703\u900f\u904e\u4ee5\u592a\u574a\u5340\u584a\u93c8\u700f\u89bd\u5668\u5c0b\u627e\u4e00\u500b\u5beb\u6b7b\u5728\u7a0b\u5f0f\u5167\u7684\u5730\u5740\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figrs7.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>\u9019\u5340\u584a\u93c8\u8cc7\u6599\u63a5\u8457\u6703\u8f49\u63db\u6210\u65b0\u7684C&amp;C\u4f3a\u670d\u5668\u5730\u5740\uff0c\u9019\u662f\u500b\u975e\u5e38\u6709\u7528\u7684\u529f\u80fd\uff0c\u5c24\u5176\u662f\u5728\u653b\u64ca\u8005\u5931\u53bb\u5c0d\u73fe\u884cC&amp;C\u4f3a\u670d\u5668\u7684\u63a7\u5236\u6b0a\u6642\u3002\u53d6\u5f97\u65b0C&amp;C\u5730\u5740\u5f8c\uff0c\u57f7\u884c\u7dd2\u6703\u6aa2\u67e5\u4f3a\u670d\u5668\u662f\u5426\u6d3b\u8457\u3002\u5982\u679c\u662f\uff0c\u57f7\u884c\u7dd2\u6703\u5728\u7db2\u5740\u8def\u5f91\u5f8c\u52a0\u4e0a\u5beb\u6b7b\u7684\u5b57\u4e32\uff0c\u4e26\u4e0b\u8f09<em>init.ps<\/em>\u6216<em>init.sh<\/em>\u521d\u59cb\u5316\u8173\u672c\uff0c\u7136\u5f8c\u6574\u500b\u611f\u67d3\u904e\u7a0b\u6703\u5f9e\u982d\u958b\u59cb\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figrs7-2.png\" alt=\"\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>\u622a\u81f3\u672c\u6587\u767c\u8868\u6642\uff0c\u6c92\u6709\u8207\u5beb\u6b7b\u5728\u7a0b\u5f0f\u5167\u7684\u4ee5\u592a\u574a\u5730\u5740\u76f8\u95dc\u7684\u4ea4\u6613\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/figrs7-3.png\" alt=\"A screenshot of a social media post\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><em>scanner<\/em>\u662f\u7528Golang\u958b\u767c\u7684\u57f7\u884c\u6a94\uff0c\u5305\u542b\u4e86\u4e00\u7d44\u91dd\u5c0d\u5404\u7a2e\u7dda\u4e0a\u670d\u52d9\u548c\u88dd\u7f6e\u7684\u6f0f\u6d1e\u653b\u64ca\u78bc\u3002<\/p>\n\n\n\n<p><em>main_scan<\/em>\u6703\u547c\u53eb\u4e0b\u5217\u6383\u63cf\u65b9\u6cd5\uff1a<\/p>\n\n\n\n<ul><li><em>scan_exp_Cctv_exploit<\/em><\/li><li><em>scan_exp_Redis_exploit<\/em><\/li><li><em>scan_exp_Drupal_exploit<\/em><\/li><li><em>scan_exp_Hadoop_exploit<\/em><\/li><li><em>scan_exp_Spring_exploit<\/em><\/li><li><em>scan_exp_Thinkphp_exploit<\/em><\/li><li><em>scan_exp_Weblogic_exploit<\/em><\/li><li><em>scan_exp_Sqlserver_exploit<\/em><\/li><li><em>scan_exp_Elasticsearch_exploit<\/em><\/li><\/ul>\n\n\n\n<p>\u963f\u91cc\u96f2\u5b89\u5168\u5c0d\u6383\u63cf\u6a21\u7d44\u9032\u884c\u4e86<a href=\"https:\/\/www.alibabacloud.com\/blog\/protonminer-gains-momentum-via-expanded-attack-surface_594535\">\u5206\u6790<\/a>\uff0c\u5217\u51fa\u4e86\u5e7e\u4e4e\u8207\u4e0a\u9762\u5217\u8868\u4e00\u6a23\u7684\u6f0f\u6d1e\u653b\u64ca\u78bc\uff0c\u53e6\u5916\u9084\u589e\u52a0\u4e86\u4e00\u500b\u65b0\u7684CCTV\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5e8f\u3002<\/p>\n\n\n\n<p>\u8981\u6ce8\u610f\u7684\u662f\uff0c\u6848\u4f8b\u4e00\u9084\u6709\u4e00\u500b\u7528PowerShell\u4f86\u91dd\u5c0dWindows\u7684\u7248\u672c\uff1b\u5229\u7528\u5de5\u4f5c\u6392\u7a0b\u5668\u505a\u5230\u6301\u7e8c\u6027\u6a5f\u5236\uff0c\u4f7f\u7528<em>netsh<\/em>\u548c<em>net 
user<\/em>\u4f86\u5c07\u5099\u4efd\u689d\u76ee\u52a0\u5165\u7cfb\u7d71\u3002<\/p>\n\n\n\n<p><strong>\u6848\u4f8b\u4e8c\uff1aKinsing<\/strong><strong>\u60e1\u610f\u8edf\u9ad4<\/strong><\/p>\n\n\n\n<p>Kinsing\u60e1\u610f\u8edf\u9ad4\u652f\u63f4\u591a\u7a2e\u547d\u4ee4\u548c\u529f\u80fd\uff0c\u4e26\u540c\u6642\u5177\u5099\u6383\u63cf\u6709\u6f0f\u6d1e\u96fb\u8166\u548c\u5f8c\u9580\u529f\u80fd\u3002\u51fd\u5f0f<em>main_getTask<\/em>\u6703\u67e5\u8a62<em>&lt;server&gt;\/get\/<\/em>\u4e26\u555f\u7528\u5de5\u4f5c\u57f7\u884c\u3002<\/p>\n\n\n\n<p>\u51fd\u5f0f<em>main_doTask<\/em>\u63a5\u8457\u5be6\u73fe\u4ee5\u4e0b\u547d\u4ee4\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table  class=\" table table-hover\" ><tbody><tr><td>\n  <strong>\u547d\u4ee4<\/strong>\n  <\/td><td>\n  <strong>\u529f\u80fd<\/strong>\n  <\/td><\/tr><tr><td>\n  <em>scan<\/em>\n  <\/td><td>\n  TCP\u6383\u63cf\u7a0b\u5f0f\n  <\/td><\/tr><tr><td>\n  <em>update<\/em>\n  <\/td><td>\n  \u4e0b\u8f09\u65b0\u7248\u672cbot\u4e26\u57f7\u884c\n  <\/td><\/tr><tr><td>\n  <em>exec<\/em>\n  <\/td><td>\n  \u5f9e\u547d\u4ee4\u5217\u57f7\u884c\n  <\/td><\/tr><tr><td>\n  <em>masscan<\/em>\n  <\/td><td>\n  \u7528masscan\u4e0b\u8f09\u548c\u6383\u63cf\n  <\/td><\/tr><tr><td>\n  <em>exec_output<\/em>\n  <\/td><td>\n  \u5f9e\u547d\u4ee4\u5217\u57f7\u884c; \u8f38\u51fa\u7528<em>POST<\/em><em>\u9001\u5230<\/em><em>&lt;server&gt;\/o<\/em>\n  <\/td><\/tr><tr><td>\n  <em>Socks<\/em>\n  <\/td><td>\n  Socks\u4ee3\u7406\n  <\/td><\/tr><tr><td>\n  <em>backconnect<\/em>\n  <\/td><td>\n  \u7528TCP\u9023\u63a5\u53e6\u4e00\u53f0\u6a5f\u5668\n  <\/td><\/tr><tr><td>\n  <em>request<\/em>\n  <\/td><td>\n  \u9032\u884cHTTP request\n  <\/td><\/tr><tr><td>\n  <em>tcp<\/em>\n  <\/td><td>\n  \u9032\u884cTCP request\n  <\/td><\/tr><tr><td>\n  <em>download_and_exec<\/em>\n  <\/td><td>\n  \u4e0b\u8f09\u548c\u57f7\u884c\n  <\/td><\/tr><tr><td>\n  <em>redis_brute<\/em>\n  <\/td><td>\n  \u66b4\u529b\u7834\u89e3Redis\u57f7\u884c\u5be6\u4f8b\n  
<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u8207C&amp;C\u4f3a\u670d\u5668\u7684\u901a\u8a0a\u7528\u5beb\u6b7b\u7684RC4\u5bc6\u78bc\u52a0\u5bc6\uff0c\u800c\u7db2\u5740\u8def\u5f91\u5247\u53d6\u6c7a\u65bc\u5176\u767c\u9001\u8acb\u6c42\u7684\u985e\u578b\uff1a<\/p>\n\n\n\n<ul><li><em>\/get<\/em> = \u53d6\u5f97\u4efb\u52d9<\/li><li><em>\/h<\/em> = \u5065\u5eb7<\/li><li><em>\/getT<\/em> = \u53d6\u5f97\u76ee\u6a19<\/li><li><em>\/l<\/em> = \u65e5\u8a8c<\/li><li><em>\/o<\/em> = \u57f7\u884c\u8f38\u51fa<\/li><li><em>\/r<\/em> = \u4efb\u52d9\u7d50\u679c<\/li><li><em>\/s<\/em> = \u767c\u9001socks<\/li><li><em>\/mg<\/em> = \u53d6\u5f97\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u7684\u7a0b\u5e8fID\uff08PID\uff09\uff0c\u5982{\u201cPid\u201d:110}<\/li><li><em>\/ms <\/em>= \u767c\u9001\u865b\u64ec\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u7684PID<\/li><\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/fig8-1.png\" alt=\"A screenshot of a cell phone\n\nDescription automatically generated\"\/><figcaption> \u57168. 
\u89e3\u5bc6\u6240\u6536\u5230\u5c0d\/get\u8def\u5f91\u7684\u56de\u61c9 <\/figcaption><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>\u51fd\u5f0f<em>main_minerRunningCheck<\/em>\u8207<em>main_getMinerPid<\/em>\u3001<em>main_isMinerRunning<\/em>\u548c<em>main_minRun<\/em>\u6703\u4f9d\u5e8f\u57f7\u884c\uff0c\u6703\u5148\u7d42\u6b62\u57f7\u884c\u4e2d\u7684\u7a0b\u5e8f<em>kdevtmpfsi<\/em>\uff0c\u7136\u5f8c\u690d\u5165\u4e26\u57f7\u884c\u6316\u7926\u7a0b\u5f0f\u3002\u9019\u60e1\u610f\u8edf\u9ad4\u6703\u5b89\u88ddXMRig\u60e1\u610f\u8edf\u9ad4\u4e26\u547d\u540d\u70ba<em>kdevtmpfsi<\/em>\u3002<\/p>\n\n\n\n<p>\u51fd\u5f0f<em>main_healthChecker<\/em>\u6703\u5b9a\u671f\u5c07<em>GET<\/em>\u8acb\u6c42\u767c\u9001\u5230<em>&lt;server&gt;\/h<\/em>\u4f86\u6aa2\u67e5C&amp;C\u4f3a\u670d\u5668\u662f\u5426\u5b58\u5728\u3002\u5982\u679c\u4e00\u5207\u6b63\u5e38\u5247\u6703\u7528RC4\u52a0\u5bc6\u56de\u61c9\u8fd4\u56de<em>OK<\/em>\u3002<\/p>\n\n\n\n<p>\u51fd\u5f0f<em>main_resultSender<\/em>\u6703\u8a66\u8457\u7528<em>POST<\/em>\u5c07\u4efb\u52d9\u5b8c\u6210\u7d50\u679c\u9001\u5230<em>&lt;server&gt;\/r<\/em>\u3002\u901a\u8a0a\u4e5f\u662f\u7d93\u904eRC4\u52a0\u5bc6\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 
class=\"wp-block-heading\"><strong>\u7d50\u8ad6\u548c\u5b89\u5168\u5efa\u8b70<\/strong><\/h3>\n\n\n\n<p>\u61c9\u8a72\u8981\u63a1\u53d6\u9069\u7576\u7684\u5b89\u5168\u9632\u8b77\u63aa\u65bd\uff0c\u7279\u5225\u662f\u5728DevOps\u7684\u74b0\u5883\u88e1\u3002\u6c92\u6709\u4fdd\u8b77\u597dRedis\u57f7\u884c\u5be6\u4f8b\u53ef\u80fd\u6703\u5c0e\u81f4RCE\u653b\u64ca\uff0c\u9019\u662f\u99ed\u5ba2\u6703\u7a4d\u6975\u5730\u641c\u5c0b\u548c\u5229\u7528\u7684\u653b\u64ca\u624b\u6cd5\u3002\u6211\u5011\u5728\u672c\u6587\u88e1\u63a2\u8a0e\u4e86\u5982\u4f55\u5229\u7528\u66b4\u9732\u7684Redis\u57f7\u884c\u5be6\u4f8b\u4f86\u9032\u884c\u865b\u64ec\u8ca8\u5e63\u6316\u7926\uff0c\u9019\u662f\u500b\u76f8\u5c0d\u5bb9\u6613\u88ab\u767c\u73fe\u7684\u7a0b\u5e8f\uff0c\u56e0\u70ba\u53d7\u611f\u67d3\u88dd\u7f6e\u4f7f\u7528\u4e86\u5927\u91cf\u8cc7\u6e90\u3002\u4f46\u66b4\u9732\u7684Redis\u57f7\u884c\u5be6\u4f8b\u4e26\u4e0d\u53ea\u6703\u5e36\u4f86\u9019\u6a23\u7684\u640d\u5bb3\uff0c\u56e0\u70ba\u53ef\u4ee5\u57f7\u884c\u7a0b\u5f0f\u78bc\u662f\u653b\u64ca\u8005\u6240\u8ffd\u6c42\u7684\u4e8b\u60c5\u3002\u4e00\u65e6RCE\u653b\u64ca\u6210\u70ba\u53ef\u80fd\uff0c\u99ed\u5ba2\u5c31\u53ef\u4ee5\u5728\u6b64\u57fa\u790e\u4e0a\u9032\u884c\u66f4\u52a0\u96b1\u853d\u548c\u66f4\u5177\u91dd\u5c0d\u6027\u7684\u653b\u64ca\u3002<\/p>\n\n\n\n<p>\u5e95\u4e0b\u662f\u4e00\u4e9b\u63d0\u4f9b\u7d66\u958b\u767c\u4eba\u54e1\u4fdd\u8b77\u74b0\u5883\u7684\u5b89\u5168\u5efa\u8b70\uff1a<\/p>\n\n\n\n<ul><li>\u5728\u57f7\u884c\u4f3a\u670d\u5668\u7aef\u8edf\u9ad4\u6642\uff0c\u78ba\u4fdd\u4e0d\u662f\u4f7f\u7528root\u3002\u5373\u4f7f\u662f\u57f7\u884c\u4e5f\u5fc5\u9808\u9075\u5faa\u6700\u4f73\u5be6\u8e10\u4e26\u63a1\u7528\u6700\u5c0f\u6b0a\u9650\u539f\u5247\u3002<\/li><li>\u5c07\u8edf\u9ad4\u4fdd\u6301\u5728\u6700\u65b0\u7248\u672c\u4e26\u4f7f\u7528\u5f37\u5bc6\u78bc\u3002\u5207\u52ff\u5728\u672a\u63a1\u53d6\u9069\u7576\u5b89\u5168\u63aa\u65bd\u6642\u5c31\u66b4\u9732\u5230\u7db2\u8def\u4e0a\u3002<\/li><li>\u5982\u679c\u4f60\u525b\u597d\u
5728\u6aa2\u67e5Redis\u65e5\u8a8c\uff0c\u53ef\u4ee5\u771f\u5be6\u5730\u770b\u5230\u6b63\u5728\u9032\u884c\u7684\u653b\u64ca\u3002\u5728\u4e0b\u9762\u7684\u87a2\u5e55\u622a\u5716\u88e1\uff0c\u8acb\u6ce8\u610f\u4f86\u81ea\u4e3b\u4f3a\u670d\u5668\u7684\u5b8c\u6574\u91cd\u65b0\u540c\u6b65\u8acb\u6c42\u3002\u526f\u672c\u5f9e\u4e3b\u4f3a\u670d\u5668\u63a5\u6536\u5230\u5927\u7d0455kB\uff0c\u6070\u597d\u662f\u60e1\u610fRedis\u6a21\u7d44\u7684\u5927\u5c0f\u3002<\/li><\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2020\/04\/conclusion.png\" alt=\"A screen shot of a computer\n\nDescription automatically generated\"\/><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u8da8\u52e2\u79d1\u6280\u7684\u96f2\u7aef\u5b89\u5168\u89e3\u6c7a\u65b9\u6848<\/strong><\/h3>\n\n\n\n<ul><li>\u8da8\u52e2\u79d1\u6280Hybrid Cloud\nSecurity\u70ba\u7d44\u7e54\u7c21\u5316\u4e86\u5b89\u5168\u9632\u8b77\uff0c\u8b93\u7d44\u7e54\u5728\u79fb\u8f49\u5230\u96f2\u7aef\u6216\u63a1\u7528DevOps\u6642\u53ef\u4ee5\u5c08\u6ce8\u65bc\u5b89\u5168\u6027\u548c\u5408\u898f\u6027\u3002\u5b83\u63d0\u4f9b\u4e86\u96f2\u7aef\u5b89\u5168\u6240\u9700\u5177\u5099\u5ee3\u5ea6\u3001\u6df1\u5ea6\u548c\u5275\u65b0\u7684\u591a\u5408\u4e00\u89e3\u6c7a\u65b9\u6848\uff0c\u900f\u904e\u55ae\u4e00\u4e3b\u63a7\u53f0\u7372\u5f97\u5c0d\u4e3b\u8981\u96f2\u7aef\u74b0\u5883\uff08\u5982<a href=\"https:\/\/www.trendmicro.com\/aws\/\">Amazon Web Services\uff08AWS\uff09<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/azure\/\">Microsoft Azure<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/en_us\/partners\/explore-alliance-partners\/google-cloud.html\">Google\nCloud<\/a>\u548c<a 
href=\"https:\/\/www.trendmicro.com\/en_us\/partners\/explore-alliance-partners\/docker.html\">Docker<\/a>\uff09\u7684\u80fd\u898b\u5ea6\u3002<\/li><li><a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-one-conformity.html\">\u8da8\u52e2\u79d1\u6280Cloud One<\/a>\u8edf\u9ad4\u5373\u670d\u52d9\uff08SaaS\uff09\u5e73\u53f0\u70ba\u7d44\u7e54\u63d0\u4f9b\u91dd\u5c0d<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">\u5de5\u4f5c\u8ca0\u8f09<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/user-protection\/sps\/email-and-collaboration\/cloud-app-security.html\">\u61c9\u7528\u7a0b\u5f0f<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/smart-check-image-scanning.html\">\u5bb9\u5668<\/a>\u3001\u7121\u4f3a\u670d\u5668\u74b0\u5883\u3001<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-one-file-storage-security.html\">\u6a94\u6848\u5132\u5b58\u7cfb\u7d71<\/a>\u548c<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-one-network-security.html\">\u7db2\u8def<\/a>\u7684\u5373\u6642\u5b89\u5168\u9632\u8b77\uff0c\u70ba\u7d44\u7e54\u7684\u6df7\u5408\u96f2\u74b0\u5883\u63d0\u4f9b\u55ae\u4e00\u7ba1\u7406\u5e73\u53f0\u3002<\/li><li>Cloud One\u5e73\u53f0\u9084\u5305\u542b\u4e86Cloud One \u2013 Conformity\uff0c\u5b83\u63d0\u4f9b\u4e86\u7d66AWS\nElasticCache\uff08Redis\u7684\u8a18\u61b6\u9ad4\u5167\u8cc7\u6599\u5b58\u653e\u5340\uff09\u7684\u81ea\u52d5\u5316\u63a7\u5236\u3002\u53ef\u4ee5\u78ba\u4fddRedis\u4e0d\u662f\u4f7f\u7528<a href=\"https:\/\/www.cloudconformity.com\/knowledge-base\/aws\/ElastiCache\/default-port.html\">\u9810\u8a2d\u7aef\u53e3<\/a>\uff0c\u4e26\u4e14<a 
href=\"https:\/\/www.cloudconformity.com\/knowledge-base\/aws\/ElastiCache\/in-transit-and-at-rest-encryption.html\">\u5c0d\u50b3\u8f38\u548c\u975c\u6b62\u6642\u7684\u8cc7\u6599\u90fd\u9032\u884c\u4e86\u52a0\u5bc6<\/a>\u3002<\/li><li>\u5c0d\u65bc\u9700\u8981\u57f7\u884c\u6642\u5de5\u4f5c\u8ca0\u8f09\u548c\u5bb9\u5668\u5b89\u5168\u9632\u8b77\u6216\u5bb9\u5668\u6620\u50cf\u5b89\u5168\u9632\u8b77\u5373\u8edf\u9ad4\u7684\u7d44\u7e54\uff0c<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-migration-security.html\">Deep\nSecurity<\/a>\u548c<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/smart-check-image-scanning.html\">Deep\nSecurity Smart Check<\/a>\u89e3\u6c7a\u65b9\u6848\u53ef\u4ee5\u5728\u9810\u90e8\u7f72\u671f\u9593\u548c\u57f7\u884c\u6642\u6383\u63cf\u5bb9\u5668\u6620\u50cf\u3002<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/hybrid-cloud\/cloud-migration-security.html\">\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u548c<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/product-security\/vulnerability-protection\/\">Vulnerability Protection\u6f0f\u6d1e\u9632\u8b77<\/a>\u900f\u904e\u4ee5\u4e0b\u898f\u5247\u4f86\u4fdd\u8b77\u4f7f\u7528\u8005\uff1a<\/p>\n\n\n\n<ul><li>1010231 \u2013 Redis Cron Remote\nCode Execution Vulnerability<\/li><li>1009967 \u2013 Redis Unauthenticated\nCode Execution Vulnerability<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/network\/intrusion-prevention\/tipping-point-threat-protection-system.html\">\u8da8\u52e2\u79d1\u6280TippingPoint<\/a>\u900f\u904e\u4ee5\u4e0b\u898f\u5247\u4f86\u4fdd\u8b77\u5ba2\u6236\uff1a<\/p>\n\n\n\n<p><\/p>\n\n\n\n<ul><li>37633: TCP: Redis Crontab\nCommand Injection Vulnerability<\/li><\/ul>\n\n\n\n<p><strong>\u5165\u4fb5\u6307\u6a19<\/strong><\/p>\n\n\n\n<style>\n   table {border-collapse:collapse; table-layout:fixed; width:310px;}\n   table td 
{border:solid 1px ; width:100px; word-wrap:break-word;}\n   <\/style>\n <figure class=\"wp-block-table\"><table  class=\" table table-hover\" ><tbody><tr><td>\n  <strong>\u6a94\u6848<\/strong>\n  <\/td><td>\n  <strong>\u529f\u80fd<\/strong>\n  <\/td><td>\n  <strong>SHA-256<\/strong>\n  <\/td><\/tr><tr><td>\n  <strong>clean.bat<\/strong>\n  <\/td><td>\n  \u589e\u52a0\u4f7f\u7528\u8005\u8173\u672c\n  <\/td><td>\n  19967f6467f05f1ac286eb8b8bf7e251075b7d288fbe9b719b8de0b6330c8787\n  <\/td><\/tr><tr><td>\n  <strong>config.json<\/strong>\n  <\/td><td>\n  \u6316\u7926\u7a0b\u5f0f\u8a2d\u5b9a\u6a94\n  <\/td><td>\n  2c2438019c10352cc6678474072ce57a4191fd6ce54391d4975012f587bec1a0\n  <\/td><\/tr><tr><td>\n  <strong>init.ps1<\/strong>\n  <\/td><td>\n  \u521d\u59cb\u8173\u672c\n  <\/td><td>\n  d0a28e1f768c524ed3ff962c36ab2861705cdd4fd83ee5b3dc8d897f2034cb05\n  <\/td><\/tr><tr><td>\n  <strong>init.sh<\/strong>\n  <\/td><td>\n  \u521d\u59cb\u8173\u672c\n  <\/td><td>\n  3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38\n  <\/td><\/tr><tr><td>\n  <strong>is.sh<\/strong>\n  <\/td><td>\n  \u5b89\u88dd\u8173\u672c\n  <\/td><td>\n  6faa026af253c784ef97ffec3a9953055d394061a9a1fbfdcc5b28445b73ffdc\n  <\/td><\/tr><tr><td>\n  <strong>kdevtmpfsi<\/strong>\n  <\/td><td>\n  XMrig\n  <\/td><td>\n  24FDF5B1E1E8086031931F2678D874487316DC1E266581B328D6E34A1FD7748C\n  <\/td><\/tr><tr><td>\n  <strong>kinsingbRiXVrNDJc<\/strong>\n  <\/td><td>\n  Bot\n  <\/td><td>\n  d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b\n  <\/td><\/tr><tr><td>\n  <strong>networkservics<\/strong>\n  <\/td><td>\n  \u6383\u7784\u5668\n  <\/td><td>\n  ea55a206f7047f54a9e97cc3234848dfd3e49d0b5f9569b08545f1ad0e733286\n  <\/td><\/tr><tr><td>\n  <strong>networkservics.exe<\/strong>\n  <\/td><td>\n  \u6383\u7784\u5668\n  <\/td><td>\n  b6fc454e667081c2add1ffd5a54bafb428a82d8d8a3e34c61fc59075118f4afd\n  <\/td><\/tr><tr><td>\n  <strong>red2.so<\/strong>\n  <\/td><td>\n  Redis\u6a21\u7d44\n  
<\/td><td>\n  1fd17076800d993609a8110084f9652d06fe50cd3a279ab709c65a044076fe6d\n  <\/td><\/tr><tr><td>\n  <strong>rs.sh<\/strong>\n  <\/td><td>\n  Redis\u6563\u64ad\u7a0b\u5f0f\n  <\/td><td>\n  e2b982f9540304e31ca8d1cdafb253da7d216d1cc939a281a1a95baaa4be9b2d\n  <\/td><\/tr><tr><td>\n  <strong>sysguerd<\/strong>\n  <\/td><td>\n  Watchdog\n  <\/td><td>\n  bceee7d9ace363ef2bfb1494a9784a6377fe14c4c5fefa0c180fcec33a5d1716\n  <\/td><\/tr><tr><td>\n  <strong>sysguerd.exe<\/strong>\n  <\/td><td>\n  Watchdog\n  <\/td><td>\n  37ecccdfc185615d4452b5c77b7313222b14776c3032c156846258c8f63185fe\n  <\/td><\/tr><tr><td>\n  <strong>sysupdata<\/strong>\n  <\/td><td>\n  \u6316\u7926\u7a0b\u5f0f\n  <\/td><td>\n  e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7\n  <\/td><\/tr><tr><td>\n  <strong>sysupdata.exe<\/strong>\n  <\/td><td>\n  \u6316\u7926\u7a0b\u5f0f\n  <\/td><td>\n  559a8ff34cf807e508d32e3a28864c687263587fe4ffdcefe3f462a7072dcc74\n  <\/td><\/tr><tr><td>\n  <strong>updata.ps1<\/strong>\n  <\/td><td>\n  \u66f4\u65b0\n  <\/td><td>\n  d0a28e1f768c524ed3ff962c36ab2861705cdd4fd83ee5b3dc8d897f2034cb05\n  <\/td><\/tr><tr><td>\n  <strong>updata.sh<\/strong>\n  <\/td><td>\n  \u66f4\u65b0\n  <\/td><td>\n  3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38\n  <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u591a\u5e73\u53f0\u8815\u87f2C&amp;C\u4f3a\u670d\u5668<\/p>\n\n\n\n<ul><li>https:\/\/178[.]157[.]91.26<\/li><li>https:\/\/45[.]137[.]151.106<\/li><\/ul>\n\n\n\n<p>Kinsing C&amp;C\u4f3a\u670d\u5668<\/p>\n\n\n\n<ul><li>https:\/\/45[.]10[.]88.102<\/li><li>https:\/\/91[.]215[.]169.111<\/li><li>https:\/\/139[.]99[.]50.255<\/li><li>https:\/\/193[.]33[.]87.220<\/li><li>https:\/\/195[.]123[.]220.193<\/li><\/ul>\n\n\n\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining\/\">Exposed\nRedis Instances Abused for Remote Code 
Execution, Cryptocurrency Mining<\/a> \u4f5c\u8005\uff1aDavid Fiser\u548cJaromir Horejsi\uff08<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/trend-micro\/\">\u8da8\u52e2\u79d1\u6280<\/a>\u5a01\u8105\u7814\u7a76\u4eba\u54e1\uff09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6211\u5011\u6700\u8fd1\u5beb\u4e86\u4e00\u7bc7\u5728\u7db2\u8def\u4e0a\u767c\u73fe8,000\u591a\u500b\u6c92\u6709\u4fdd\u8b77\u597dRedis\u57f7\u884c\u5be6\u4f8b\u7684\u6587\u7ae0\u3002\u5728\u672c\u7bc7\u6587\u7ae0\u88e1\uff0c\u6211\u5011\u6703\u4ecb\u7d39\u9019\u4e9b\u57f7\u884c [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[4513,4],"tags":[4562,2282],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/64156"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com
.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64156"}],"version-history":[{"count":5,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/64156\/revisions"}],"predecessor-version":[{"id":64185,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/64156\/revisions\/64185"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}