{"id":2977,"date":"2024-01-19T17:09:37","date_gmt":"2024-01-19T09:09:37","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=2977"},"modified":"2024-01-19T17:09:38","modified_gmt":"2024-01-19T09:09:38","slug":"%e7%be%8e%e5%9c%8bcisa%e5%92%8cfbi%e8%ad%a6%e5%91%8a-%e6%83%a1%e6%84%8f%e8%bb%9f%e9%ab%94androxgh0st%e6%94%bb%e6%93%8alaravel%e5%92%8capache-http%e4%bc%ba%e6%9c%8d%e5%99%a8-%e9%8e%96%e5%ae%9a%e7%ab%8a","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=2977","title":{"rendered":"\u7f8e\u570bCISA\u548cFBI\u8b66\u544a \u60e1\u610f\u8edf\u9ad4AndroxGh0st\u653b\u64caLaravel\u548cApache HTTP\u4f3a\u670d\u5668 \u9396\u5b9a\u7aca\u53d6 AWS\u3001Azure \u548c Office 365 \u6191\u8b49"},"content":{"rendered":"\n

\u7f8e\u570b\u7db2\u8def<\/a>\u5b89\u5168\u8207\u57fa\u790e\u8a2d\u65bd\u5b89\u5168\u5c40 (CISA) \u548c\u806f\u90a6\u8abf\u67e5\u5c40 (FBI)\u8b66\u544a\u7a31<\/a>\uff0c\u90e8\u7f72AndroxGh0st\u60e1\u610f\u8edf\u9ad4\u7684\u653b\u64ca\u8005\u6b63\u5728\u5efa\u7acb<\/a>\u4e00\u500b\u6bad\u5c4d\u7db2\u8def\uff0c\u7528\u65bc\u300c\u5728\u76ee\u6a19\u7db2\u8def\u4e2d\u8b58\u5225\u548c\u5229\u7528\u53d7\u5bb3\u8005\u300d\u3002AndroxGh0st<\/a>\u662f\u4e00\u7a2e\u57fa\u65bc Python \u7684\u60e1\u610f\u8edf\u9ad4\uff0c \u65bc 2022 \u5e74 12 \u6708\u9996\u6b21\u88ab\u8a18\u9304\u3002<\/p>\n\n\n\n

\u6b64\u96f2\u7aef\u653b\u64ca\u5de5\u5177\u80fd\u5920\u6ef2\u900f\u6613\u53d7\u5df2\u77e5\u5b89\u5168\u6f0f\u6d1e\u5f71\u97ff\u7684\u4f3a\u670d\u5668\uff0c\u4ee5\u5b58\u53d6 Laravel \u74b0\u5883\u6a94\u6848\u4e26\u7aca\u53d6 Amazon Web Services (AWS)\u3001Microsoft Office 365\u3001SendGrid \u548c Twilio \u7b49\u77e5\u540d\u61c9\u7528\u7a0b\u5f0f\u7684\u6191\u8b49\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

CISA \u548c FBI \u6307\u51fa\uff0c\u8a72\u5a01\u8105\u9084\u6feb\u7528\u7c21\u55ae\u90f5\u4ef6\u50b3\u8f38\u5354\u5b9a (SMTP) \u9032\u884c\u6383\u63cf\u3001\u5229\u7528\u88ab\u76dc\u6191\u8b49\u548c API \u4ee5\u53ca Web shell \u90e8\u7f72\u3002\u6839\u64da\u8a72\u901a\u5831\uff0cAndroxgh0st \u64cd\u4f5c\u80cc\u5f8c\u7684\u7db2\u8def\u72af\u7f6a\u5206\u5b50\u4e5f\u88ab\u767c\u73fe\u4f7f\u7528\u8173\u672c\u6383\u63cf\u7279\u5b9a\u6f0f\u6d1e\u7684\u7db2\u7ad9\uff0c\u5176\u4e2d\u5305\u62ecCVE-2017-9841\uff0c\u9019\u662f\u4e00\u500b PHPUnit \u6f0f\u6d1e\uff0c\u5c0e\u81f4\u900f\u904e HTTP POST \u8acb\u6c42\u57f7\u884c PHP \u7a0b\u5f0f\u78bc\u3002\u9019\u4e9b\u653b\u64ca\u7684\u76ee\u6a19\u662f\u5c07 \/vendor \u8cc7\u6599\u593e\u66b4\u9732\u5728\u7db2\u8def\u4e0a\u7684\u7db2\u7ad9\u3002\u8b66\u5831\u7a31:\u300c\u60e1\u610f\u884c\u70ba\u8005\u4f7f\u7528 Androxgh0st \u5c07\u60e1\u610f\u6a94\u6848\u4e0b\u8f09\u5230\u8a17\u7ba1\u7db2\u7ad9\u7684\u7cfb\u7d71\u3002\u5a01\u8105\u53c3\u8207\u8005\u9084\u80fd\u5920\u8a2d\u5b9a\u53ef\u900f\u904e URI \u5b58\u53d6\u7684\u865b\u5047\uff08\u975e\u6cd5\uff09\u9801\u9762\uff0c\u4ee5\u63d0\u4f9b\u5c0d\u7db2\u7ad9\u7684\u5f8c\u9580\u5b58\u53d6\u3002\u9019\u4f7f\u5f97\u5a01\u8105\u884c\u70ba\u8005\u80fd\u5920\u70ba\u5176\u64cd\u4f5c\u4e0b\u8f09\u984d\u5916\u7684\u60e1\u610f\u6a94\u6848\u4e26\u5b58\u53d6\u8cc7\u6599\u5eab\u3002\u300d\u3002<\/p>\n\n\n\n

\u8a72\u901a\u5831\u7a31\uff0cAndroxgh0st \u6bad\u5c4d\u7db2\u8def\u4f7f\u7528 Laravel \u6846\u67b6\u6383\u63cf\u7db2\u7ad9\uff0c\u5c0b\u627e\u5305\u542b\u9644\u52a0\u670d\u52d9\u6191\u8b49\u7684\u516c\u958b\u5728\u6839\u76ee\u9304\u7684.env\u6a94\u6848\u3002\u7136\u5f8c\u60e1\u767c\u51fa\u8acb\u6c42\u4ee5\u6aa2\u7d22\u5132\u5b58\u5728\u9019\u4e9b\u6587\u4ef6\u4e2d\u7684\u654f\u611f\u8cc7\u8a0a\u3002<\/p>\n\n\n\n

\u300cAndroxgh0st \u60e1\u610f\u8edf\u9ad4\u9084\u53ef\u4ee5\u5b58\u53d6\u7db2\u7ad9\u4e0a Laravel \u61c9\u7528\u7a0b\u5f0f\u7684\u61c9\u7528\u7a0b\u5f0f\u91d1\u9470\u3002\u5982\u679c\u5a01\u8105\u8005\u6210\u529f\u8b58\u5225 Laravel \u61c9\u7528\u7a0b\u5f0f\u91d1\u9470\uff0c\u4ed6\u5011\u5c07\u5617\u8a66\u4f7f\u7528\u8a72\u91d1\u9470\u52a0\u5bc6 PHP \u7a0b\u5f0f\u78bc\u4f86\u9032\u884c\u5229\u7528\u3002\u201d<\/p>\n\n\n\n

\u4f5c\u70ba\u6b64\u6d3b\u52d5\u7684\u4e00\u90e8\u5206\uff0c\u5a01\u8105\u884c\u70ba\u8005\u5229\u7528 CVE-2018-15133\uff0c\u9019\u662f\u4e00\u7a2e\u4e0d\u53d7\u4fe1\u4efb\u8cc7\u6599\u7684\u53cd\u5e8f\u5217\u5316\uff0c\u5141\u8a31\u4ed6\u5011\u5c07\u6a94\u6848\u4e0a\u50b3\u5230\u6613\u53d7\u653b\u64ca\u7684\u7db2\u7ad9\uff0cCISA\u9031\u4e8c(1\/16)\u5c07\u8a72\u5b89\u5168\u6f0f\u6d1e\u6dfb\u52a0\u5230\u5176\u5df2\u77e5\u906d\u6feb\u7528\u4e4b\u6f0f\u6d1e\u6e05\u55ae(Known Exploited Vulnerabilities (KEV) catalog<\/a>)\u4e2d\u3002<\/p>\n\n\n\n

\u64cd\u4f5cAndroxgh0st\u7684\u653b\u64ca\u8005\u4e5f\u91dd\u5c0dCVE-2021-41773\uff0c\u9019\u662f Apache HTTP Server \u7248\u672c 2.4.49 \u548c 2.4.50 \u4e2d\u7684\u8def\u5f91\u904d\u6b77\uff0c\u5c0e\u81f4\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u3002\u5982\u679c\u653b\u64ca\u8005\u4f7f\u7528\u4e0a\u8ff0\u65b9\u6cd5\u7372\u5f97\u4efb\u4f55\u670d\u52d9\u7684\u6191\u8b49\uff0c\u4ed6\u5011\u53ef\u80fd\u6703\u4f7f\u7528\u9019\u4e9b\u6191\u8b49\u5b58\u53d6\u654f\u611f\u8cc7\u6599\u6216\u4f7f\u7528\u9019\u4e9b\u670d\u52d9\u9032\u884c\u5176\u4ed6\u60e1\u610f\u64cd\u4f5c\u3002<\/p>\n\n\n\n

\u4e0d\u5230\u4e00\u9031\u524d\uff0cSentinelOne \u63ed\u9732\u4e86\u4e00\u7a2e\u540d\u70baFBot<\/a>\u7684\u76f8\u95dc\u4f46\u7368\u7279\u7684\u5de5\u5177\uff0c\u653b\u64ca\u8005\u6b63\u5728\u5229\u7528\u8a72\u5de5\u5177\u4f86\u7834\u58de Web \u4f3a\u670d\u5668\u3001\u96f2\u7aef\u670d\u52d9\u3001\u5167\u5bb9\u7ba1\u7406\u7cfb\u7d71 (CMS) \u548c SaaS \u5e73\u53f0\u3002\u8868\u793a\uff1a\u201c\u96f2\u7aef\u5a01\u8105\u683c\u5c40\u5c07\u7e7c\u7e8c\u501f\u7528\u5176\u4ed6\u5de5\u5177\u7684\u7a0b\u5f0f\u78bc\uff0c\u4e26\u5c07\u5b83\u5011\u6574\u5408\u5230\u4e00\u500b\u6574\u9ad4\u751f\u614b\u7cfb\u7d71\u4e2d\uff0c\u9019\u5c31\u662f\u6211\u5011\u770b\u5230\u7684 AlienFox \u548c Legion \u5206\u5225\u8207 AndroxGh0st \u548c FBot \u6240\u505a\u7684\u4e8b\u60c5\u3002<\/p>\n\n\n\n

\u201c\u96a8\u8457\u653b\u64ca\u8005\u627e\u5230\u5229\u7528\u96f2\u7aef\u670d\u52d9\u7372\u5229\u7684\u65b0\u65b9\u6cd5\uff0c\u6211\u5011\u9810\u8a08\u6703\u770b\u5230\u91dd\u5c0d\u9019\u4e9b\u670d\u52d9\u7684\u5b9a\u5236\u5de5\u5177\u7684\u51fa\u73fe\uff0c\u5c31\u50cf\u9019\u4e9b\u5de5\u5177\u5c08\u6ce8\u65bc\u5229\u7528\u90f5\u4ef6\u670d\u52d9\u9032\u884c\u5783\u573e\u90f5\u4ef6\u653b\u64ca\u4e00\u6a23\u3002NETSCOUT \u4e5f\u767c\u51fa\u8b66\u5831<\/a>\uff0c\u8868\u793a\u81ea 2023 \u5e74 11 \u6708\u4e2d\u65ec\u4ee5\u4f86\u6bad\u5c4d\u7db2\u8def\u6383\u63cf\u6d3b\u52d5\u5927\u5e45\u589e\u52a0\uff0c\u4e26\u65bc 2024 \u5e74 1 \u6708 5 \u65e5\u9054\u5230\u8fd1 130 \u842c\u500b\u4e0d\u540c\u8a2d\u5099\u7684\u5cf0\u503c\u3002\u5927\u591a\u6578\u4f86\u6e90 IP \u4f4d\u5740\u8207\u7f8e\u570b\u3001\u4e2d\u570b\u76f8\u95dc\u3001\u8d8a\u5357\u3001\u53f0\u7063\u3001\u4fc4\u7f85\u65af\u3002<\/p>\n\n\n\n

\u9019\u4e9b\u6a5f\u69cb\u767c\u5e03\u4e86\u8207 Androxgh0st \u60e1\u610f\u8edf\u9ad4\u64cd\u4f5c\u76f8\u95dc\u7684\u5165\u4fb5\u6307\u6a19(IoCs)\u4ee5\u53ca\u5efa\u8b70\u7684\u7de9\u89e3\u63aa\u65bd\uff0c\u6566\u4fc3\u7d44\u7e54\u76e1\u5feb\u61c9\u7528\u5b83\u5011\u3002\u9664\u4e86\u66f4\u65b0\u4f5c\u696d\u7cfb\u7d71\u3001\u8edf\u9ad4\u548c\u97cc\u9ad4\u4e4b\u5916\uff0c\u4e5f\u8981\u78ba\u4fdd\u6240\u6709URI\u9810\u8a2d\u914d\u7f6e\u70ba\u62d2\u7d55\u6240\u6709\u8acb\u6c42\uff0c\u4e26\u4e14\u6240\u6709Laravel\u61c9\u7528\u4e0d\u61c9\u8655\u65bc\u9664\u932f\u6216\u662f\u6e2c\u8a66\u6a21\u5f0f\u3002<\/p>\n\n\n\n

Androxgh0st \u60e1\u610f\u8edf\u9ad4\u7684\u7684\u90e8\u5206\u5165\u4fb5\u6307\u6a19IoCs:<\/p>\n\n\n\n

hxxps:\/\/mc.rockylinux[.]si\/seoforce\/triggers\/files\/evil.txt 59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4 <\/p>\n\n\n\n

hxxps:\/\/chainventures.co[.]uk\/.well-known\/aas<\/p>\n\n\n\n

dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6  hxxp:\/\/download.asyncfox[.]xyz\/download\/xmrig.x86_64 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 <\/p>\n\n\n\n

hxxps:\/\/pastebin[.]com\/raw\/zw0gAmpC ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72  hxxp:\/\/raw.githubusercontent[.]com\/0x5a455553\/MARIJUANA\/master\/MARIJUANA.php<\/p>\n\n\n\n

\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

\u7f8e\u570b\u7db2\u8def\u5b89\u5168\u8207\u57fa\u790e\u8a2d\u65bd\u5b89\u5168\u5c40 (CISA) \u548c\u806f\u90a6\u8abf\u67e5\u5c40 (FBI)\u8b66\u544a\u7a31\uff0c\u90e8\u7f72AndroxGh0st\u60e1\u610f\u8edf\u9ad4 READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174],"class_list":["post-2977","post","type-post","status-publish","format-standard","hentry","category-6","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2977"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2977\/revisions"}],"predecessor-version":[{"id":2979,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2977\/revisions\/2979"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}