Symptoms
- Very high CPU usage, sometimes on one core, sometimes on all of them
- Fans spinning up (on physical hardware, obviously)
- A process named salt-minions eating CPU, running from /tmp/salt-minions or from under /usr/bin/
- An extra binary named salt-store or salt-storer in /var/tmp/ or /usr/bin
- Firewall disabled
- Most applications crashing or knocked offline
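Before running any cleanup it helps to confirm which of these indicators a host actually shows, and to re-run the same check afterwards to confirm nothing came back. The script below is an added example written for this page; it is not code from the original post or from the linked gist. It reads the dropped paths, crontabs, authorized_keys files and sysctl values that the cleanup script further down touches and prints one line per finding without changing anything. SCAN_ROOT is an assumed knob so the same checks can be pointed at a mounted disk image or a constructed test tree instead of the live root.

```shell
#!/usr/bin/env bash
# Read-only indicator check for the salt-minions / salt-store miner.
# Added example for this page (not the original post's or the gist's code).
# It only reports; it never deletes, kills or rewrites anything.

# Paths the post lists as dropped by the malware.
IOC_PATHS="/tmp/salt-minions /usr/bin/salt-minions /tmp/salt-store /var/tmp/salt-store /usr/bin/salt-store /usr/bin/salt-storer /root/.wget-hsts"

# Tail of the SSH key that variant v5 appends to authorized_keys (taken from the cleanup script).
SSH_KEY_MARKER='PbNwmJNcFwSLF12fFBoF/$'

# scan_salt_ioc ROOT: print one "<kind> <detail>" line per finding. Always returns 0.
# ROOT defaults to "/" (live system); pass a mount point or test tree instead.
scan_salt_ioc() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so "$root/tmp" is always well formed

    # 1. dropped binaries, flagging the ones newer variants mark immutable (chattr +i)
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            attrs=""
            if command -v lsattr >/dev/null 2>&1; then
                attrs=$(lsattr -d "$root$p" 2>/dev/null | awk '{print $1}')
            fi
            case "$attrs" in
                *i*) echo "file immutable $root$p" ;;
                *)   echo "file present $root$p" ;;
            esac
        fi
    done

    # 2. the .ICE* working directories
    for d in "$root"/tmp/.ICE* "$root"/var/tmp/.ICE*; do
        [ -e "$d" ] && echo "dir present $d"
    done

    # 3. cron persistence: RHEL-style spool, Debian-style spool, /etc/cron.d
    for f in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -Eq 'salt-store|salt-minions|\.ICE' "$f" 2>/dev/null && echo "cron entry $f"
    done

    # 4. attacker SSH key (v5) in root's and every user's authorized_keys
    for k in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$k" ] || continue
        grep -q "$SSH_KEY_MARKER" "$k" 2>/dev/null && echo "sshkey present $k"
    done

    # 5. kernel tuning the miner applies: NMI watchdog off, hugepages on
    if [ -r "$root/proc/sys/kernel/nmi_watchdog" ] && [ "$(cat "$root/proc/sys/kernel/nmi_watchdog")" = "0" ]; then
        echo "sysctl nmi_watchdog=0"
    fi
    if [ -r "$root/proc/sys/vm/nr_hugepages" ] && [ "$(cat "$root/proc/sys/vm/nr_hugepages")" != "0" ]; then
        echo "sysctl nr_hugepages=$(cat "$root/proc/sys/vm/nr_hugepages")"
    fi
    if [ -f "$root/etc/sysctl.conf" ] && grep -q 'kernel.nmi_watchdog' "$root/etc/sysctl.conf" 2>/dev/null; then
        echo "sysctl nmi_watchdog persisted in $root/etc/sysctl.conf"
    fi

    # 6. running processes; only meaningful on the live system, so skipped for other roots
    if [ "$root" = "" ] && command -v pgrep >/dev/null 2>&1; then
        for pat in salt-minions salt-store '/tmp/.ICE'; do
            pids=$(pgrep -f "$pat" 2>/dev/null | tr '\n' ' ')
            [ -n "$pids" ] && echo "process running $pat pids $pids"
        done
    fi
    return 0
}

# Scan the live system unless SCAN_ROOT points at a mounted image or a test tree.
findings=$(scan_salt_ioc "${SCAN_ROOT:-/}")
if [ -n "$findings" ]; then
    echo "$findings"
    echo "indicators found: $(printf '%s\n' "$findings" | wc -l | tr -d ' ')"
else
    echo "no indicators found under ${SCAN_ROOT:-/}"
fi
```

A host that reports nothing here but still shows the CPU symptom has a variant this page does not describe, so check `ps` and `ss` by hand rather than assuming it is clean; and a clean second run after the cleanup script only says the listed artifacts are gone, not that the attacker's access to the Salt master is closed.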
How to remove the malware
Several variants have been seen (v1 through v5). Later ones also add an SSH key to authorized_keys and mark their binaries immutable, so a plain rm fails until the flag is cleared; the script below handles both.
First stop the Salt services (salt-master, salt-minion, salt-api, and so on) so nothing can re-push the payload while you clean up.
The cleanup shell script below is adapted from https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh. Run it as root on each affected machine. Note what it does not do: it does not re-enable the firewall the malware disabled, and it does not rotate the Salt master or minion keys. Treat any host it ran on as root-compromised: rebuild it where you can, and rotate every credential that was stored on it.

```bash
#!/bin/bash
# Cleanup for the salt-minions / salt-store miner, adapted from
# https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh
# Run as root. Read every step before running: it deletes files and kills processes.

# Patterns to strip from crontab lines. The original script used an unset $i here;
# these are the names listed under Symptoms (assumption).
PATTERNS='salt-store salt-minions \.ICE'

# remove for root
for i in $PATTERNS; do
    crontab -l 2>/dev/null | sed "/$i/d" | crontab -
done

# check other users' crontabs (Debian-style and RHEL-style spool directories)
for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [ -f "$f" ] || continue
    for i in $PATTERNS; do
        sed -i "/$i/d" "$f"
    done
done

# remove ssh public key added by v5
[ -f /root/.ssh/authorized_keys ] && sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
for k in /home/*/.ssh/authorized_keys; do
    [ -f "$k" ] && sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$k"
done

# newer versions set themselves immutable; clear the flag or rm will fail
chattr -i /tmp/salt-store /var/tmp/salt-store /tmp/salt-minions /usr/bin/salt-store 2>/dev/null

# remove all the trash
rm -f /tmp/salt-minions /tmp/salt-store /var/tmp/salt-store /usr/bin/salt-store
rm -rf /tmp/.ICE* /var/tmp/.ICE*
rm -f /root/.wget-hsts
# The malware rewrites /etc/selinux/config to disable SELinux. The original script
# just deletes it; better to restore a known-good copy afterwards and check it before reboot.
rm -f /etc/selinux/config

# create empty apparmor profiles so the dropped paths cannot run with any rights
# (Debian/Ubuntu only; on RHEL/CentOS there is no AppArmor and these steps just fail)
echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
apparmor_parser -r -W /etc/apparmor.d/salt-store
echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
apparmor_parser -r -W /etc/apparmor.d/salt-minions

# reenable nmi watchdog (the miner switches it off and persists that in sysctl.conf)
sysctl kernel.nmi_watchdog=1
echo '1' >/proc/sys/kernel/nmi_watchdog
sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf

# disable hugepages (the miner turns them on for performance)
sysctl -w vm.nr_hugepages=0

# enable apparmor
systemctl enable apparmor
systemctl start apparmor

# kill the miner and its re-enabler; pkill -f matches the full command line
pkill -9 -f '/tmp/.ICE'
pkill -9 -f 'ICEd'
pkill -9 salt-minions
pkill -9 salt-store

# fix syslog (the malware removes it)
touch /var/log/syslog
service rsyslog restart
```
Update SaltStack to the patched version (2019.2.4)
The hosts here were running 2019.2.2. Release 2019.2.4 (and 3000.2 on the newer branch) carries the fixes for the Salt master authentication bypass and directory traversal (CVE-2020-11651 and CVE-2020-11652) that let an unauthenticated client run commands on every minion, which is how this miner was delivered. Update the master before the minions, and keep the master's ports 4505 and 4506 off the public internet regardless of version. On CentOS 7 with the SaltStack repository:

```
$ sudo yum check-update salt
(omit)
salt.noarch                       2019.2.4-1.el7                       salt-py3-2019.2

$ sudo yum list salt
(omit)
Installed Packages
salt.noarch                       2019.2.2-1.el7                       @salt-py3-2019.2
Available Packages
salt.noarch                       2019.2.4-1.el7                       salt-py3-2019.2

$ sudo yum update salt
(install all dependencies)
================================================================================
 Package        Arch      Version            Repository         Size
================================================================================
Updating:
 salt           noarch    2019.2.4-1.el7     salt-py3-2019.2    9.4 M
Updating for dependencies:
 salt-api       noarch    2019.2.4-1.el7     salt-py3-2019.2     19 k
 salt-cloud     noarch    2019.2.4-1.el7     salt-py3-2019.2     22 k
 salt-master    noarch    2019.2.4-1.el7     salt-py3-2019.2    2.9 M
 salt-minion    noarch    2019.2.4-1.el7     salt-py3-2019.2     38 k
 salt-ssh       noarch    2019.2.4-1.el7     salt-py3-2019.2     20 k
 salt-syndic    noarch    2019.2.4-1.el7     salt-py3-2019.2     19 k

Transaction Summary
================================================================================

$ sudo yum list salt
(omit)
Installed Packages
salt.noarch                       2019.2.4-1.el7                       @salt-py3-2019.2
```
References
https://github.com/saltstack/salt/issues/57057
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh