Symptoms
- Very high CPU usage, sometimes on a single core, sometimes on all of them
- Fans spinning up (physical hardware only, of course)
- A mysterious, CPU-intensive process named salt-minions, running from /tmp/salt-minions or from /usr/bin/
- An additional binary named salt-store or salt-storer in /var/tmp/ or /usr/bin
- Firewalls disabled
- Most applications crashing or taken offline
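To check a host (or a mounted disk image) for the indicators listed above before touching anything, here is an added triage helper. It is not part of the original post or of the gist linked below; the function names, the ROOT argument and the sample ps listing used in the usage note are my own constructions. The indicator names, paths and the SSH key fragment come from this page.

```shell
#!/bin/sh
# Added triage helper: not from the original post or the gist it links.
# Checks a filesystem tree for the indicators listed under Symptoms.
# ROOT is the tree to inspect ("/" on a live host, or a mounted image / test dir).

IOC_NAMES="salt-minions salt-store salt-storer"   # dropped binary names (from the post)
IOC_DIRS="tmp var/tmp usr/bin"                    # drop directories (from the post)
IOC_KEY_SUFFIX='PbNwmJNcFwSLF12fFBoF/'            # tail of the SSH key added by v5 (from the post)

# find_ioc_files ROOT: print each dropped binary present; exit 0 if any was found.
find_ioc_files() {
    root="${1:-/}"; found=1
    for d in $IOC_DIRS; do
        for n in $IOC_NAMES; do
            p="${root%/}/$d/$n"
            if [ -e "$p" ]; then
                # lsattr is Linux/e2fsprogs-specific; report the immutable flag when set.
                if lsattr -d "$p" 2>/dev/null | grep -q '^....i'; then
                    echo "file: $p (immutable, needs chattr -i before rm)"
                else
                    echo "file: $p"
                fi
                found=0
            fi
        done
    done
    return $found
}

# find_ioc_cron ROOT: scan per-user crontab spools for lines naming the binaries.
find_ioc_cron() {
    root="${1:-/}"; found=1
    for f in "${root%/}"/var/spool/cron/crontabs/* "${root%/}"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        for n in $IOC_NAMES; do
            if grep -q "$n" "$f"; then
                echo "cron: $f references $n"; found=0
            fi
        done
    done
    return $found
}

# find_ioc_sshkey ROOT: report authorized_keys files carrying the implanted key.
find_ioc_sshkey() {
    root="${1:-/}"; found=1
    for f in "${root%/}"/root/.ssh/authorized_keys "${root%/}"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if grep -qF "$IOC_KEY_SUFFIX" "$f"; then
            echo "sshkey: $f contains the implanted key"; found=0
        fi
    done
    return $found
}

# check_nmi_watchdog ROOT: the malware disables the NMI watchdog; exit 0 if it is 0.
check_nmi_watchdog() {
    f="${1:-/}"; f="${f%/}/proc/sys/kernel/nmi_watchdog"
    [ -f "$f" ] && [ "$(cat "$f")" = "0" ] && echo "sysctl: nmi_watchdog disabled ($f)"
}

# miner_pids: read `ps aux` output on stdin and print the PIDs whose command is one
# of the dropped binaries or lives under /tmp/.ICE*. Parsing field 11 (COMMAND)
# instead of fixed character columns avoids the fragile `cut -c5-15` pattern.
miner_pids() {
    awk 'NR > 1 && $11 ~ /^(.*\/)?(salt-minions|salt-store|salt-storer)$|\/tmp\/\.ICE/ { print $2 }'
}

# triage ROOT: run every filesystem check; exit 0 only when nothing was found.
triage() {
    hit=0
    find_ioc_files "$1" && hit=1
    find_ioc_cron "$1" && hit=1
    find_ioc_sshkey "$1" && hit=1
    check_nmi_watchdog "$1" && hit=1
    [ "$hit" -eq 0 ]
}

# Usage: sh triage.sh /          (or point ROOT at a mounted forensic image)
#        ps aux | miner_pids     (list PIDs worth killing)
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

The checks are read-only, so they can be run before the cleanup script below and again afterwards to confirm nothing respawned from cron or the SSH key. Exit status 0 from `triage` means no indicator was found.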
How to remove the malware
Several mutated versions have been seen (v1 through v5).
First stop the Salt services, e.g. salt-master, salt-minion, salt-api, etc.
Here is a shell script (original code: https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh). Run it as root on the affected machine.

```bash
#!/bin/bash
# Cleanup script for the salt-minions / salt-store miner (original: the gist linked above).
# The outer loop was missing from the page as extracted; it is reconstructed here
# over the two binary names the rest of the script removes.
for i in salt-minions salt-store; do
    # remove for root
    crontab -l | sed "/$i/d" | crontab -
    # check other users' crontabs
    for f in /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && sed -i "/$i/d" "$f"
    done
done

# remove ssh public key added by v5
sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
for i in /home/*/.ssh/authorized_keys; do
    [ -f "$i" ] && sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$i"
done

# newer versions seem to set themselves immutable
chattr -i /tmp/salt-store
chattr -i /var/tmp/salt-store
chattr -i /tmp/salt-minions
chattr -i /usr/bin/salt-store

# remove all the trash
rm /tmp/salt-minions
rm /tmp/salt-store
rm /var/tmp/salt-store
rm /usr/bin/salt-store
rm /etc/selinux/config
rm -rf /tmp/.ICE*
rm -rf /var/tmp/.ICE*
rm /root/.wget-hsts

# create apparmor profiles to prevent execution
echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
apparmor_parser -r -W /etc/apparmor.d/salt-store
echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
apparmor_parser -r -W /etc/apparmor.d/salt-minions

# reenable nmi watchdog
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf

# disable hugepages
sysctl -w vm.nr_hugepages=0

# enable apparmor
systemctl enable apparmor
systemctl start apparmor

# kill processes and reenabler (PIDs taken from the PID column, not fixed character offsets)
kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
ps aux | grep ICEd | grep -v grep | awk '{print $2}' | xargs -n 1 kill -9
killall -9 salt-minions
killall -9 salt-store

# fix syslog
touch /var/log/syslog
service rsyslog restart
```
Update SaltStack to the patched version (2019.2.4).

```console
$ yum check-update salt
(output omitted)
$ yum update salt
(installs all dependencies)
$ yum list salt
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.kakao.com
 * epel: hk.mirrors.thegigabit.com
 * extras: mirror.kakao.com
 * updates: mirror.kakao.com
Installed Packages
salt.noarch    2019.2.4-1.el7    @salt-py3-2019.2
```
References
- https://github.com/saltstack/salt/issues/57057
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
- https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh